xyTom
大佬可不可以加一个后台管理界面
@Anpiluo
https://github.com/xyTom/Url-Shorten-Worker/blob/681d43ec4d6c95a8dddc75bbb1a1ad2e889b09fc/index.js#L129
改這行,改成像是 if(path == "/manage") 之類的,然後把 Cloudflare Access 驗證路徑,設定在 /manage。
@Anpiluo 其實我有嘗試做一個後台管理介面,現在的狀況就是「能用,但是程式碼寫得很亂」(我是弱雞)。你不介意的話,我可以給你用用看。
https://fordemo.short-link.cotpear.workers.dev/manage
@Anpiluo
https://github.com/xyTom/Url-Shorten-Worker/blob/681d43ec4d6c95a8dddc75bbb1a1ad2e889b09fc/index.js#L129
改這行,改成像是
if(path == "/manage")之類的,然後把 Cloudflare Access 驗證路徑,設定在/manage。
我的思路是在 kv 里写一个秘密路径,key为"password",value为秘密路径。 https://github.com/xyTom/Url-Shorten-Worker/pull/38
@Anpiluo
https://github.com/xyTom/Url-Shorten-Worker/blob/681d43ec4d6c95a8dddc75bbb1a1ad2e889b09fc/index.js#L129
改這行,改成像是
if(path == "/manage")之類的,然後把 Cloudflare Access 驗證路徑,設定在/manage。
很抱歉这么晚才回复
我在看到了你的回复后,进行了尝试,但我发现如果引号中的路径如果写为 /manager 就会报404,应写为 manage 之类,不应携带斜线
btw:if(path == "/manage") 后面应该再加一个 { ,我一开始直接替换了,部署不成功,在网上查了半天资料🤣
@Anpiluo 其實我有嘗試做一個後台管理介面,現在的狀況就是「能用,但是程式碼寫得很亂」(我是弱雞)。你不介意的話,我可以給你用用看。
如有需要,請email我。
key为"password",value为秘密路径。 @crazypeace JS有可能被外部讀取嗎?🤔
此JS非彼JS。 写了逻辑的JS运行在worker上,如果cloudflare的服务没有漏洞,这个JS不会被攻击者拿到运行过程。而这个JS的源码是可以让攻击者知道的,写明了要读取KV中的password。而如果攻击者没有cloudflare账户权限是读不到KV的数据内容的,也就是说不知道KV中key为passowrd的entry的value是多少。
还有个main.js是由index.html调用的。里面是一些业务逻辑。 你可以看一下 https://github.com/crazypeace/Url-Shorten-Worker 解释:https://zelikk.blogspot.com/2022/07/url-shorten-worker-hide.html https://zelikk.blogspot.com/2022/07/url-shorten-worker-hide-tutorial.html https://zelikk.blogspot.com/2022/07/url-shorten-worker-api-password.html
key为"password",value为秘密路径。 @crazypeace JS有可能被外部讀取嗎?🤔
此JS非彼JS。 写了逻辑的JS运行在workder上,如果cloudflare的服务没有漏洞,这个JS不会被攻击者拿到运行过程。而这个JS的源码是可以让攻击者知道的,写明了要读取KV中的password。而如果攻击者没有cloudflare账户权限是读不到KV的数据内容的,也就是说不知道KV中key为passowrd的entry的value是多少。
还有个main.js是由index.html调用的。里面是一些业务逻辑。 你可以看一下 https://github.com/crazypeace/Url-Shorten-Worker 解释:https://zelikk.blogspot.com/2022/07/url-shorten-worker-hide.html https://zelikk.blogspot.com/2022/07/url-shorten-worker-hide-tutorial.html https://zelikk.blogspot.com/2022/07/url-shorten-worker-api-password.html
@crazypeace 哇!我沒想到有這樣子的風險!我自己的做法是不設password(純 if(path =="/manage" || path =="/manage/" {),但用 Cloudflare Zero Trust 來擋(如路徑為 /manage/*則需經過),不知道這樣做您怎麼看?其安全性、風險如何呢?
key为"password",value为秘密路径。 @crazypeace JS有可能被外部讀取嗎?🤔
此JS非彼JS。 写了逻辑的JS运行在workder上,如果cloudflare的服务没有漏洞,这个JS不会被攻击者拿到运行过程。而这个JS的源码是可以让攻击者知道的,写明了要读取KV中的password。而如果攻击者没有cloudflare账户权限是读不到KV的数据内容的,也就是说不知道KV中key为passowrd的entry的value是多少。 还有个main.js是由index.html调用的。里面是一些业务逻辑。 你可以看一下 https://github.com/crazypeace/Url-Shorten-Worker 解释:https://zelikk.blogspot.com/2022/07/url-shorten-worker-hide.html https://zelikk.blogspot.com/2022/07/url-shorten-worker-hide-tutorial.html https://zelikk.blogspot.com/2022/07/url-shorten-worker-api-password.html
@crazypeace 哇!我沒想到有這樣子的風險!我自己的做法是不設password(純
if(path =="/manage" || path =="/manage/" {),但用 Cloudflare Zero Trust 來擋(如路徑為/manage/*則需經過),不知道這樣做您怎麼看?其安全性、風險如何呢?
我个人认为风险不是很大,不过你的worker的JS源码如果公开在互联网上(比如GitHub),原则上攻击者是有可能获得的。因为你的作法相当于在workder的JS里面写死一个密钥(manage),如果访问者提供了此密钥,则向访问者提供服务。
而我的作法是,worker的JS源码表明要在cloudflare的KV库里读取指定key的value作为密钥。 这样攻击者即使知道我的源码,因为密钥被cloudflare的账户权限保护而无法获得我的密钥。
根据我对Cloudflare Zero Trust的使用经历,@chiyi4488 和我的想法差不多,给界面加路径的目的是为了套cf Access的时候不会把短链接也套上,这种做法基本不依赖“路径”(或者说“密钥”)的隐蔽性(不可知性),我个人认为即使在网络上公开链接也无所谓(除非他能淦破cf(笑))。
如果简单应用,分享给几个朋友使用。 我加上了删除短链的按钮。 源码:https://github.com/crazypeace/Url-Shorten-Worker 示例:https://1ladder.eu.org/tiananmen
@crazypeace @Anpiluo 或許咱可以來整合各自寫的短連結code 😁
感覺不錯
我的範例:https://fordemo.short-link.cotpear.workers.dev/manage
(不過我改動的有點多,我以JSON格式儲存短連結資料)
根据我对Cloudflare Zero Trust的使用经历,@chiyi4488 和我的想法差不多,给界面加路径的目的是为了套cf Access的时候不会把短链接也套上,这种做法基本不依赖“路径”(或者说“密钥”)的隐蔽性(不可知性),我个人认为即使在网络上公开链接也无所谓(除非他能淦破cf(笑))。
请问大佬你这个Cloudflare Zero Trust的是怎么实现的?
在我们启动URL缩短器之前,必须至少有一次认证。否则,该服务可能被垃圾邮件发送者滥用,这将损害域名的声誉。
例如,"admin "和 "password",然后可以访问URL缩短器页面。不需要很多复杂的功能或多个用户。只有这样,至少可以保护域名。
There must be at least one authentication before we start the URL shortener. Otherwise, the service can be abused by spammers, which will harm the domain's reputation.
e.g., "admin" and "password" can access the URL shortener page. No need for many complicated functions or multiple users. Only this will at least protect the domain.
Edit: Just notice someone already added this feature - https://github.com/51sec/Url-Shorten-By-CF-Worker
Edit 2: Deployed this fork, in the main url, if someone can see the source code or cltr + u, then the password to access the site is visible. Not a viable solution either. Requesting @xyTom to do something regarding basic security.
在我们启动URL缩短器之前,必须至少有一次认证。否则,该服务可能被垃圾邮件发送者滥用,这将损害域名的声誉。
例如,"admin "和 "password",然后可以访问URL缩短器页面。不需要很多复杂的功能或多个用户。只有这样,至少可以保护域名。
There must be at least one authentication before we start the URL shortener. Otherwise, the service can be abused by spammers, which will harm the domain's reputation.
e.g., "admin" and "password" can access the URL shortener page. No need for many complicated functions or multiple users. Only this will at least protect the domain.
Edit: Just notice someone already added this feature - https://github.com/51sec/Url-Shorten-By-CF-Worker :D
This is my solution: https://github.com/crazypeace/Url-Shorten-Worker
Demo: https://1ladder.eu.org/6H4wjH
If you don't know the path, just access https://1ladder.eu.org/ , you can not use the service.
You can set a "password" in your KV, it can only be read by cloudflare worker script. So unauthorized user can't know it.
在我们启动URL缩短器之前,必须至少有一次认证。否则,该服务可能被垃圾邮件发送者滥用,这将损害域名的声誉。 例如,"admin "和 "password",然后可以访问URL缩短器页面。不需要很多复杂的功能或多个用户。只有这样,至少可以保护域名。 There must be at least one authentication before we start the URL shortener. Otherwise, the service can be abused by spammers, which will harm the domain's reputation. e.g., "admin" and "password" can access the URL shortener page. No need for many complicated functions or multiple users. Only this will at least protect the domain. Edit: Just notice someone already added this feature - https://github.com/51sec/Url-Shorten-By-CF-Worker :D
This is my solution: https://github.com/crazypeace/Url-Shorten-Worker
Demo: https://1ladder.eu.org/6H4wjH
If you don't know the path, just access https://1ladder.eu.org/ , you can not use the service.
You can set a "password" in your KV, it can only be read by cloudflare worker script. So unauthorized user can't know it.
Thanks. This solved the issue. At least will provide basic protection from spammers.
@xenstar What do you think of cloudflare zero trust service? I personally think this stops spam, done without making any changes to this repo. ✨
@xenstar What do you think of cloudflare zero trust service? I personally think this stops spam, done without making any changes to this repo. ✨
Hi, @chiyi4488 thanks for suggesting this. I have never checked this feature. So I have tried to apply it, and it looks very promising. But one issue I am facing is it is applying policy for the whole subdomain. So even while accessing a redirecting domain, it's asking for authentication. I think this is a policy setting; I will check this more to fix it, but if you know anything or have any tutorial online (Chinese or English), you can share it with me.
@xenstar I would recommend that you add a link to the settings page and set a path. See discussion above.
@Anpiluo
https://github.com/xyTom/Url-Shorten-Worker/blob/681d43ec4d6c95a8dddc75bbb1a1ad2e889b09fc/index.js#L129
改這行,改成像是
if(path == "/manage")之類的,然後把 Cloudflare Access 驗證路徑,設定在/manage。
