Goal:
A Cloudflare Workers server that is the only entity allowed to query a load-balanced Dgraph database in AWS! Please feel free to update the ingredients + recipe, & I’ll update them as I learn from the best + arrive at a working solution!
Create Security Group that only allows Cloudflare Workers to access Load Balancer (I’m confused here b/c I’m unsure what Cloudflare’s IP address is + how to align Security Groups between Load Balancer + EC2)
Create Domain + assign to EC2 Load Balancer
Create ACM Certificates + assign to Domain (I’m confused here) (maybe instead I import dgraph’s ca.crt certificate & don’t create any ACM certificates?) (or maybe I add ACM certificates to Dgraph?)
Start Dgraph w/ TLS
sudo su
dgraph zero --my=localhost:5080
dgraph alpha --my=localhost:7080 --lru_mb=1024 --zero=localhost:5080 --tls_dir tls --tls_client_auth VERIFYIFGIVEN
I’m pretty familiar with Cloudflare Workers. I had a few thoughts here:
Cloudflare publishes their IP addresses here: IP Ranges | Cloudflare. You can put this into a security group.
Are you hoping to use the GRPC APIs or the GraphQL / JSON APIs? This is relevant because GRPC endpoints are not supported by AWS layer 7 load balancers (as they do not support H/2 to the backing instance). If you are ok with GraphQL endpoints, then you can set up a layer 7 ALB, set up an ACM certificate, and then you don’t need to put anything related to SSL in Dgraph. Do note that layer 7 ALBs still support H/2 outwards, just not to the backing service.
Your exact model should work, but be reduced to much fewer steps ideally.
If you do need GRPC, then the answer is a bit more complex, but basically you’ll need to use classic network load balancers, then set up everything as mentioned.
(though you may not get the benefits of GRPC because workers go into ‘sleep’ between requests, so models that maintain connections between requests might not work correctly)
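Added example (not code from the thread or from Dgraph/Cloudflare): a security group ingress rule that lists Cloudflare's published ranges is just a CIDR membership check on the source address, and this is what that check does. The ranges below are constructed TEST-NET values standing in for the real list, which you would take from the IP Ranges page linked above. Note that the check admits any request arriving from those ranges, so on its own it does not distinguish one Worker from another.

```javascript
// Added example: IPv4 CIDR allow-list check, the logic an AWS security group
// ingress rule applies when Cloudflare's published ranges are pasted into it.
// ALLOWED_RANGES holds constructed sample values (RFC 5737 TEST-NET blocks),
// not Cloudflare's real ranges.
const ALLOWED_RANGES = [
  "192.0.2.0/24",     // constructed stand-in for one Cloudflare range
  "198.51.100.0/26",  // constructed stand-in for a smaller range
];

// Parse dotted-quad IPv4 into an unsigned 32-bit integer, rejecting malformed input.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error(`bad IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!Number.isInteger(n) || n < 0 || n > 255) throw new Error(`bad octet in ${ip}`);
    return ((acc << 8) | n) >>> 0;
  }, 0);
}

// Split "a.b.c.d/bits" into the network address and its mask.
function parseCidr(cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return { network: (ipv4ToInt(base) & mask) >>> 0, mask };
}

// True when ip lies inside the CIDR block.
function ipInCidr(ip, cidr) {
  const { network, mask } = parseCidr(cidr);
  return ((ipv4ToInt(ip) & mask) >>> 0) === network;
}

// The security-group decision: allow if the source matches any listed range.
function isAllowedSource(ip, ranges = ALLOWED_RANGES) {
  return ranges.some((r) => ipInCidr(ip, r));
}

// Stand-alone demo over a few constructed source addresses.
for (const ip of ["192.0.2.77", "198.51.100.64", "203.0.113.5"]) {
  console.log(ip, isAllowedSource(ip) ? "allowed" : "dropped");
}
```

Keep the allow-list in sync with Cloudflare's list (it changes occasionally), and treat it as a network-level filter only; anything that needs to identify a specific Worker has to happen above it.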
From the screenshot, you are getting the response for /health. So, I presume your question is only about the Warning for the certificate presented and what is missing in the recipe.
I believe that warning is because the Dgraph Root CA is not trusted on the client (Cloudflare worker in your case)
In step (3),
When you create the tls directory using the dgraph cert command, the directory should have a ca.crt file. This is the Dgraph Root CA certificate. You will need to manually copy this certificate onto the Client (cloudflare worker) in its Trusted Root CA authorities section.
Here are some instructions for how to do this for Windows and Mac:
Oh, and I totally forgot. We are launching a managed GraphQL solution very soon (in weeks). That should solve a lot of your issues, and you’ll just have a /graphql endpoint to hit.
Thank you Tejas! I’m happy to hear you’re familiar with workers! The link of the Cloudflare ips is very enlightening thank you!
My goal is to only allow a specific Cloudflare Worker to access our AWS database. Would adding all these IPs allow any Cloudflare Worker to access our database?!
GRPC is not a requirement thank you for explaining how they interact with load balancers!
My model isn’t working yet but I feel like we’re close, which steps do you believe we may reduce please?!
The windows + mac installation links are very helpful, thank you!
I’m searching for what you’ve instructed “Cloudflare Worker Trusted Root CA Authorities Section” and searching the Cloudflare Docs for information on SSL, TLS, or Trusted Root CA Authorities Section without any results yet.
Is this possible for Cloudflare Workers please?
Or maybe is there a way to make the generated ca.crt certificate valid for all clients?
And once the ca.crt certificate is generated how may I add it to the load balancer please?
What I meant is that your model will get significantly easier if you switch to Layer 7 load balancers (ALBs). Specifically, you will no longer need to do steps 3-9. Instead, you can create an ALB, attach an ACM certificate, and set Dgraph as the backend. The ALB can handle SSL termination and forwards valid HTTP requests in plaintext to Dgraph.
You can get this to work with advanced routing. You can have all queries from your worker add a request header (say X-MyappSecurity: foobar), then Advanced Routing can reject all requests which are missing this header before it hits your dgraph instance.
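Added example (not code from the thread, from Cloudflare, or from Dgraph) of the header approach described above: the Worker stamps the shared-secret header on every request it proxies to the ALB, and a small model of the ALB listener rule shows why only that Worker gets through even though the security group admits all of Cloudflare's ranges. `DGRAPH_ORIGIN` and `WORKER_SECRET` are assumed Worker bindings (the latter stored as a Worker secret, not in source); the header name is the one from the reply above.

```javascript
// Added example: Cloudflare Worker that proxies to the Dgraph ALB and adds the
// shared-secret header the ALB's advanced routing rule requires.
// Assumed bindings (not from the thread): env.DGRAPH_ORIGIN (the ALB's https
// origin) and env.WORKER_SECRET (stored as a Worker secret).
const HEADER_NAME = "X-MyappSecurity";

// Worker side: rebuild the incoming request against the ALB origin and attach
// the secret. Only this Worker holds the value, so requests from any other
// client inside Cloudflare's IP ranges will not carry it.
function buildUpstreamRequest(request, env) {
  const url = new URL(request.url);
  const upstream = new URL(url.pathname + url.search, env.DGRAPH_ORIGIN);
  const headers = new Headers(request.headers);
  headers.set(HEADER_NAME, env.WORKER_SECRET);
  const hasBody = request.method !== "GET" && request.method !== "HEAD";
  return new Request(upstream.toString(), {
    method: request.method,
    headers,
    body: hasBody ? request.body : undefined,
  });
}

// In the deployed script this object is the module's default export.
const worker = {
  async fetch(request, env) {
    return fetch(buildUpstreamRequest(request, env));
  },
};

// ALB side, modelled: the listener rule forwards to the Dgraph target group only
// when the header is present and equals the configured value; everything else
// falls through to the listener's default fixed 403 response. The ALB compares
// the configured string exactly, and so does this model.
function albRouteDecision(headers, expectedSecret) {
  const presented = headers.get(HEADER_NAME);
  if (presented === null || presented !== expectedSecret) {
    return { action: "fixed-response", status: 403 };
  }
  return { action: "forward", target: "dgraph-alpha:8080" };
}

// Stand-alone demo with a constructed request and constructed bindings.
const demoEnv = { DGRAPH_ORIGIN: "https://dgraph-alb.example", WORKER_SECRET: "constructed-secret" };
const demoReq = buildUpstreamRequest(new Request("https://app.example/graphql"), demoEnv);
console.log(demoReq.url, albRouteDecision(demoReq.headers, demoEnv.WORKER_SECRET));
console.log("no header:", albRouteDecision(new Headers(), demoEnv.WORKER_SECRET));
```

Two things worth keeping in mind with this pattern: the header value is a bearer secret, so the ALB listener must be HTTPS-only (an HTTP listener would expose it in transit), and rotating it means updating the ALB rule and the Worker secret together.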
Hi Tejas! You are a wizard! Your explanation has really helped me understand Layer 7 ALB thank you so much! I’ve implemented ALB like you’ve requested, we now have a working certificate and I believe we’re super close now!
I got Dgraph + AWS + SSL working! Thank you @Paras & @gja! I couldn’t have gotten here w/o your genius! For our community, here are my steps to get this working! Please feel free to suggest enhancements!
Now I’m going to work on getting this working in Cloudflare Workers with @gja’s suggestions!