refactor(miniflare): move platform proxy API to cdn-cgi

edmundhung · edmundhung · commit e0a0916dc6be · 2026-02-26T17:20:07.000Z
diff --git a/packages/miniflare/src/plugins/core/proxy/client.ts b/packages/miniflare/src/plugins/core/proxy/client.ts
@@ -10,6 +10,7 @@ import { prefixStream, readPrefix } from "../../../shared";
 import {
 	Awaitable,
 	CoreHeaders,
+	CorePaths,
 	createHTTPReducers,
 	createHTTPRevivers,
 	isDurableObjectStub,
@@ -97,7 +98,10 @@ export class ProxyClient {
 	#bridge: ProxyClientBridge;
 
 	constructor(runtimeEntryURL: URL, dispatchFetch: DispatchFetch) {
-		this.#bridge = new ProxyClientBridge(runtimeEntryURL, dispatchFetch);
+		this.#bridge = new ProxyClientBridge(
+			new URL(CorePaths.PLATFORM_PROXY, runtimeEntryURL),
+			dispatchFetch
+		);
 	}
 
 	// Lazily initialise proxies as required
@@ -120,7 +124,7 @@ export class ProxyClient {
 	setRuntimeEntryURL(runtimeEntryURL: URL) {
 		// This function will be called whenever the runtime restarts. The URL may
 		// be different if the port has changed.
-		this.#bridge.url = runtimeEntryURL;
+		this.#bridge.url = new URL(CorePaths.PLATFORM_PROXY, runtimeEntryURL);
 	}
 
 	dispose(): Promise<void> {
@@ -716,9 +720,12 @@ class ProxyStubHandler<T extends object>
 	#fetcherFetchCall(args: unknown[]) {
 		// @ts-expect-error `...args` isn't type-safe here, but `undici` should
 		//  validate types at runtime, and throw appropriate errors
-		const request = new Request(...args);
+		const userRequest = new Request(...args);
+		// Create a new request with the proxy URL, preserving the original request
+		const request = new Request(this.bridge.url, userRequest);
 		// If adding new headers here, remember to `delete()` them in `ProxyServer`
 		// before calling `fetch()`.
+		request.headers.set(CoreHeaders.ORIGINAL_URL, userRequest.url);
 		request.headers.set(CoreHeaders.OP_SECRET, PROXY_SECRET_HEX);
 		request.headers.set(CoreHeaders.OP, ProxyOps.CALL);
 		request.headers.set(CoreHeaders.OP_TARGET, this.#stringifiedTarget);
diff --git a/packages/miniflare/src/workers/core/entry.worker.ts b/packages/miniflare/src/workers/core/entry.worker.ts
@@ -382,9 +382,14 @@ export default <ExportedHandler<Env>>{
 				};
 		request = new Request(request, { cf });
 
-		// The magic proxy client (used by getPlatformProxy) will always specify an operation
-		const isProxy = request.headers.get(CoreHeaders.OP) !== null;
-		if (isProxy) return handleProxy(request, env);
+		// The magic proxy client (used by getPlatformProxy)
+		if (new URL(request.url).pathname === CorePaths.PLATFORM_PROXY) {
+			if (request.headers.get(CoreHeaders.OP) !== null) {
+				return handleProxy(request, env);
+			}
+
+			return new Response("Invalid proxy request", { status: 400 });
+		}
 
 		// `dispatchFetch()` will always inject this header. When
 		// calling this function, we never want to display the pretty-error page.
diff --git a/packages/miniflare/test/plugins/core/proxy/client.spec.ts b/packages/miniflare/test/plugins/core/proxy/client.spec.ts
@@ -5,6 +5,7 @@ import { text } from "node:stream/consumers";
 import { ReadableStream, WritableStream } from "node:stream/web";
 import util from "node:util";
 import {
+	CorePaths,
 	DeferredPromise,
 	fetch,
 	MessageEvent,
@@ -329,32 +330,38 @@ describe("ProxyClient", () => {
 		const mf = new Miniflare({ script: nullScript });
 		useDispose(mf);
 		const url = await mf.ready;
+		const proxyUrl = new URL(CorePaths.PLATFORM_PROXY, url);
 
 		// Check validates `Host` header
 		const statusPromise = new DeferredPromise<number>();
 		const req = http.get(
-			url,
+			proxyUrl,
 			{ setHost: false, headers: { "MF-Op": "GET", Host: "localhost" } },
 			(res) => statusPromise.resolve(res.statusCode ?? 0)
 		);
 		req.on("error", (error) => statusPromise.reject(error));
 		expect(await statusPromise).toBe(401);
 
 		// Check validates `MF-Op-Secret` header
-		let res = await fetch(url, {
+		let res = await fetch(proxyUrl, {
 			headers: { "MF-Op": "GET" }, // (missing)
 		});
 		expect(res.status).toBe(401);
 		await res.arrayBuffer(); // (drain)
-		res = await fetch(url, {
+		res = await fetch(proxyUrl, {
 			headers: { "MF-Op": "GET", "MF-Op-Secret": "aaaa" }, // (too short)
 		});
 		expect(res.status).toBe(401);
 		await res.arrayBuffer(); // (drain)
-		res = await fetch(url, {
+		res = await fetch(proxyUrl, {
 			headers: { "MF-Op": "GET", "MF-Op-Secret": "a".repeat(32) }, // (wrong)
 		});
 		expect(res.status).toBe(401);
 		await res.arrayBuffer(); // (drain)
+
+		// Check requests to proxy path without MF-Op header return 400
+		res = await fetch(proxyUrl);
+		expect(res.status).toBe(400);
+		await res.arrayBuffer(); // (drain)
 	});
 });
