滥用 Cloudflare Workers 作为 pass-through proxies (IP rotation, FireProx-style)

Tip

学习并练习 AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
学习并练习 GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
学习并练习 Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks

Cloudflare Workers 可以部署为透明的 HTTP 透传代理,upstream 目标 URL 由客户端提供。请求从 Cloudflare 的网络外发,因此目标只会看到 Cloudflare 的 IP 而不是客户端的。这与在 AWS API Gateway 上广为人知的 FireProx 技术类似,但使用的是 Cloudflare Workers。

主要功能

  • 支持所有 HTTP 方法 (GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD)
  • 目标可以通过查询参数 (?url=…)、一个 header (X-Target-URL),或甚至编码在路径中(例如 /https://target)提供
  • Headers 和 body 会被透传,按需进行 hop-by-hop/头 过滤
  • 响应被中继回客户端,保留状态码和大部分 header
  • 可选地伪造 X-Forwarded-For(如果 Worker 从受控 header 设置它)
  • 通过部署多个 Worker 端点并扇出请求可以实现非常快速/容易的轮换

工作原理(流程)

  1. 客户端向 Worker URL 发送 HTTP 请求(<name>.<account>.workers.dev 或自定义域路由)。
  2. Worker 从查询参数 (?url=…)、X-Target-URL header,或实现的路径段中提取目标。
  3. Worker 将传入的方法、headers 和 body 转发到指定的 upstream URL(过滤有问题的 header)。
  4. Upstream 响应通过 Cloudflare 流式回传给客户端;原始服务器看到的是 Cloudflare 的外发 IP。

Worker 实现示例

  • 从查询参数、header 或路径读取目标 URL
  • 复制一组安全的 header 并转发原始方法/body
  • 可选地使用用户可控的 header (X-My-X-Forwarded-For) 或随机 IP 设置 X-Forwarded-For
  • 添加宽松的 CORS 并处理 preflight
示例 Worker(JavaScript)用于透传代理 ```javascript /** * Minimal Worker pass-through proxy * - Target URL from ?url=, X-Target-URL, or /https://... * - Proxies method/headers/body to upstream; relays response */ addEventListener('fetch', event => { event.respondWith(handleRequest(event.request)) })

async function handleRequest(request) { try { const url = new URL(request.url) const targetUrl = getTargetUrl(url, request.headers)

if (!targetUrl) { return errorJSON(‘No target URL specified’, 400, { usage: { query_param: ‘?url=https://example.com’, header: ‘X-Target-URL: https://example.com’, path: ‘/https://example.com’ } }) }

let target try { target = new URL(targetUrl) } catch (e) { return errorJSON(‘Invalid target URL’, 400, { provided: targetUrl }) }

// Forward original query params except control ones const passthru = new URLSearchParams() for (const [k, v] of url.searchParams) { if (![‘url’, ‘_cb’, ‘_t’].includes(k)) passthru.append(k, v) } if (passthru.toString()) target.search = passthru.toString()

// Build proxied request const proxyReq = buildProxyRequest(request, target) const upstream = await fetch(proxyReq)

return buildProxyResponse(upstream, request.method) } catch (error) { return errorJSON(‘Proxy request failed’, 500, { message: error.message, timestamp: new Date().toISOString() }) } }

function getTargetUrl(url, headers) { let t = url.searchParams.get(‘url’) || headers.get(‘X-Target-URL’) if (!t && url.pathname !== ‘/’) { const p = url.pathname.slice(1) if (p.startsWith(‘http’)) t = p } return t }

function buildProxyRequest(request, target) { const h = new Headers() const allow = [ ‘accept’,‘accept-language’,‘accept-encoding’,‘authorization’, ‘cache-control’,‘content-type’,‘origin’,‘referer’,‘user-agent’ ] for (const [k, v] of request.headers) { if (allow.includes(k.toLowerCase())) h.set(k, v) } h.set(‘Host’, target.hostname)

// Optional: spoof X-Forwarded-For if provided const spoof = request.headers.get(‘X-My-X-Forwarded-For’) h.set(‘X-Forwarded-For’, spoof || randomIP())

return new Request(target.toString(), { method: request.method, headers: h, body: [‘GET’,‘HEAD’].includes(request.method) ? null : request.body }) }

function buildProxyResponse(resp, method) { const h = new Headers() for (const [k, v] of resp.headers) { if (![‘content-encoding’,‘content-length’,‘transfer-encoding’].includes(k.toLowerCase())) { h.set(k, v) } } // Permissive CORS for tooling convenience h.set(‘Access-Control-Allow-Origin’, ‘’) h.set(‘Access-Control-Allow-Methods’, ‘GET, POST, PUT, DELETE, OPTIONS, PATCH, HEAD’) h.set(‘Access-Control-Allow-Headers’, ‘’)

if (method === ‘OPTIONS’) return new Response(null, { status: 204, headers: h }) return new Response(resp.body, { status: resp.status, statusText: resp.statusText, headers: h }) }

function errorJSON(msg, status=400, extra={}) { return new Response(JSON.stringify({ error: msg, …extra }), { status, headers: { ‘Content-Type’: ‘application/json’ } }) }

function randomIP() { return [1,2,3,4].map(() => Math.floor(Math.random()*255)+1).join(‘.’) }

</details>

### 使用 FlareProx 自动化部署和轮换

FlareProx 是一个 Python 工具,使用 Cloudflare API 部署多个 Worker endpoints 并在它们之间轮换。这在 Cloudflare 的网络上提供了类似 FireProx 的 IP rotation。

设置
1) 使用 “Edit Cloudflare Workers” 模板创建一个 Cloudflare API Token,并从仪表板获取你的 Account ID。
2) 配置 FlareProx:
```bash
git clone https://github.com/MrTurvey/flareprox
cd flareprox
pip install -r requirements.txt

创建配置文件 flareprox.json:

{
"cloudflare": {
"api_token": "your_cloudflare_api_token",
"account_id": "your_cloudflare_account_id"
}
}

CLI 使用

  • 创建 N Worker proxies:
python3 flareprox.py create --count 2
  • 列出端点:
python3 flareprox.py list
  • 健康检查端点:
python3 flareprox.py test
  • 删除所有端点:
python3 flareprox.py cleanup

通过 Worker 路由流量

  • 查询参数形式:
curl "https://your-worker.account.workers.dev?url=https://httpbin.org/ip"
  • 标头格式:
curl -H "X-Target-URL: https://httpbin.org/ip" https://your-worker.account.workers.dev
  • 路径形式 (如果已实现):
curl https://your-worker.account.workers.dev/https://httpbin.org/ip
  • 方法示例:
# GET
curl "https://your-worker.account.workers.dev?url=https://httpbin.org/get"

# POST (form)
curl -X POST -d "username=admin" \
"https://your-worker.account.workers.dev?url=https://httpbin.org/post"

# PUT (JSON)
curl -X PUT -d '{"username":"admin"}' -H "Content-Type: application/json" \
"https://your-worker.account.workers.dev?url=https://httpbin.org/put"

# DELETE
curl -X DELETE \
"https://your-worker.account.workers.dev?url=https://httpbin.org/delete"

X-Forwarded-For 控制

如果 Worker 支持 X-My-X-Forwarded-For,你可以影响上游的 X-Forwarded-For 值:

curl -H "X-My-X-Forwarded-For: 203.0.113.10" \
"https://your-worker.account.workers.dev?url=https://httpbin.org/headers"

以编程方式使用

使用 FlareProx 库来创建/列出/测试 endpoints 并从 Python 路由请求。

Python 示例:通过随机 Worker endpoint 发送 POST 请求 ```python #!/usr/bin/env python3 from flareprox import FlareProx, FlareProxError import json

Initialize

flareprox = FlareProx(config_file=“flareprox.json”) if not flareprox.is_configured: print(“FlareProx not configured. Run: python3 flareprox.py config”) exit(1)

Ensure endpoints exist

endpoints = flareprox.sync_endpoints() if not endpoints: print(“Creating proxy endpoints…”) flareprox.create_proxies(count=2)

Make a POST request through a random endpoint

try: post_data = json.dumps({ “username”: “testuser”, “message”: “Hello from FlareProx!”, “timestamp”: “2025-01-01T12:00:00Z” })

headers = { “Content-Type”: “application/json”, “User-Agent”: “FlareProx-Client/1.0” }

response = flareprox.redirect_request( target_url=“https://httpbin.org/post”, method=“POST”, headers=headers, data=post_data )

if response.status_code == 200: result = response.json() print(“✓ POST successful via FlareProx”) print(f“Origin IP: {result.get(‘origin’, ‘unknown’)}“) print(f“Posted data: {result.get(‘json’, {})}”) else: print(f“Request failed with status: {response.status_code}“)

except FlareProxError as e: print(f“FlareProx error: {e}“) except Exception as e: print(f“Request error: {e}”)

</details>

**Burp/Scanner 集成**
- 将工具(例如 Burp Suite)指向 Worker URL。
- 使用 ?url= 或 X-Target-URL 提供真实 upstream。
- HTTP 语义(methods/headers/body)会被保留,同时将你的源 IP 隐藏在 Cloudflare 之后。

**操作注意事项和限制**
- Cloudflare Workers Free 计划大约允许每个账号每天 100,000 请求;如有需要,可使用多个 endpoints 来分散流量。
- Workers 在 Cloudflare 的网络上运行;许多目标只会看到 Cloudflare 的 IPs/ASN,这可能绕过简单的 IP 允许/拒绝 列表或基于地理位置的启发式判断。
- 请负责任地使用,并且仅在获得授权的情况下使用。遵守 ToS 和 robots.txt。

## 参考资料
- [FlareProx (Cloudflare Workers pass-through/rotation)](https://github.com/MrTurvey/flareprox)
- [Cloudflare Workers fetch() API](https://developers.cloudflare.com/workers/runtime-apis/fetch/)
- [Cloudflare Workers pricing and free tier](https://developers.cloudflare.com/workers/platform/pricing/)
- [FireProx (AWS API Gateway)](https://github.com/ustayready/fireprox)

> [!TIP]
> 学习并练习 AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://hacktricks-training.com/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> 学习并练习 GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://hacktricks-training.com/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> 学习并练习 Az Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://hacktricks-training.com/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>支持 HackTricks</summary>
>
> - 查看 [**subscription plans**](https://github.com/sponsors/carlospolop)!
> - **加入** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) 或者 [**telegram group**](https://t.me/peass) 或 **关注** 我们的 **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github 仓库 提交 PRs 来分享 hacking tricks。
>
> </details>