-
Notifications
You must be signed in to change notification settings - Fork 41
[Blocked by release] docs(cloudflare): skew protection #164
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from 4 commits
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
262cd9c
docs(cloudflare): skew protection
vicb 8719e57
fixup! sync skew protection, add assets
vicb 9451915
Update pages/cloudflare/howtos/skew.mdx
vicb f0ce136
Update pages/cloudflare/howtos/skew.mdx
vicb 9544478
Update pages/cloudflare/howtos/skew.mdx
vicb File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| ## Static assets (public folder) | ||
|
|
||
| The [static assets of Next located in the public folder](https://nextjs.org/docs/app/api-reference/file-conventions/public-folder) are served using [Workers Static Assets](https://developers.cloudflare.com/workers/static-assets/). | ||
|
|
||
| Workers Static Assets can intercept requests to the application ([`run_worker_first=false`](https://developers.cloudflare.com/workers/static-assets/) which is the default). This is the most cost efficient option as asset requests will not be billed in that case. | ||
|
|
||
| Another option is to run the Worker first (`run_worker_first=true`) to offer more flexibility at the expense of a higher cost. | ||
|
|
||
| Note that `run_worker_first` could also be set to a list of patterns - this is a great option if you need more flexibility for only a subset of the statids assets. | ||
|
|
||
| ### run_worker_first=false | ||
|
|
||
| When `run_worker_first` is set to `false`, requests are intercepted before reaching the worker and are not billed: | ||
|
|
||
| ```jsonc | ||
| // wrangler.jsonc | ||
| { | ||
| "name": "my-app", | ||
| // ... | ||
| "assets": { | ||
| "directory": ".open-next/assets", | ||
| "binding": "ASSETS", | ||
| // Optional as false is the default value | ||
| "run_worker_first": false, | ||
| }, | ||
| // ... | ||
| } | ||
| ``` | ||
|
|
||
| This is the most cost efficient option to use when you do not need to serve assets behind the middleware or Next rewrites and headers from [the Next config](https://nextjs.org/docs/app/api-reference/config/next-config-js). | ||
|
|
||
| When `run_worker_first=false` you can still configure [headers](https://developers.cloudflare.com/workers/static-assets/headers/) and [redirects](https://developers.cloudflare.com/workers/static-assets/redirects/) via Worker Static Assets. | ||
|
|
||
| ### run_worker_first=true | ||
|
|
||
| When `run_worker_first` is set to `true`, all the requests will reach the Worker and be billed: | ||
|
|
||
| ```jsonc | ||
| // wrangler.jsonc | ||
| { | ||
| "name": "my-app", | ||
| // ... | ||
| "assets": { | ||
| "directory": ".open-next/assets", | ||
| "binding": "ASSETS", | ||
| "run_worker_first": true, | ||
| }, | ||
| // ... | ||
| } | ||
| ``` | ||
|
|
||
| The Open Next asset resolver will be used to retrieve the assets from the Worker. | ||
|
|
||
| When `run_worker_first=true`, assets are served behind the middleware and Next rewrites and headers from [the Next config](https://nextjs.org/docs/app/api-reference/config/next-config-js). The [headers](https://developers.cloudflare.com/workers/static-assets/headers/) and [redirects](https://developers.cloudflare.com/workers/static-assets/redirects/) configured for the Worker Static Assets do not apply in this case. | ||
|
|
||
| `run_worker_first=true` should be used if you plan to use skew protection. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,88 @@ | ||
| import { Callout } from "nextra/components"; | ||
|
|
||
| ## Skew protection | ||
|
|
||
| The Cloudflare adapter has _experimental support_ for skew protection based on [the preview URLs](https://developers.cloudflare.com/workers/configuration/previews/). | ||
|
|
||
| <Callout type="info"> | ||
| Preview URLs are disabled for [Workers that implement a Durable | ||
| Object](https://developers.cloudflare.com/workers/configuration/previews/#limitations). If your app uses | ||
| Durable Objects, they will need to be implemented in a separate Worker. | ||
| </Callout> | ||
|
|
||
| ### How to enable the skew protection | ||
|
|
||
| **OpenNext config** | ||
|
|
||
| Set `cloudflare.skewProtection.enabled` to `true` to enable skew protection: | ||
|
|
||
| ```ts | ||
| // open-next.config.ts | ||
| export default { | ||
| // ... | ||
| cloudflare: { | ||
| skewProtection: { | ||
| enabled: true, | ||
| // Maximum number of previous versions to use. | ||
| // Optional, default to 20. | ||
| maxNumberOfVersions: 20, | ||
| // Age of the oldest version to use (from the last deplyment date) | ||
| // Optional, default to 7 days. | ||
| maxVersionAgeDays: 7, | ||
| }, | ||
| }, | ||
| } satisfies OpenNextConfig; | ||
| ``` | ||
|
|
||
| **Wrangler configuration** | ||
|
|
||
| The Worker needs to serve the correct version of the app assets. For that it need be be executed before incoming requests are matched against the assets. Set [`run_worker_first`](https://developers.cloudflare.com/workers/static-assets/binding/#run_worker_first) to `tue` in your wrangler configuration to enable this behavior: | ||
vicb marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
| ```jsonc | ||
| // wrangler.jsonc | ||
| { | ||
| "name": "my-app", | ||
| // ... | ||
| "assets": { | ||
| "directory": ".open-next/assets", | ||
| "binding": "ASSETS", | ||
| "run_worker_first": true, | ||
| }, | ||
| // ... | ||
| } | ||
| ``` | ||
|
|
||
| **Environment variables** | ||
|
|
||
| The following environment variables should be set when the skew protection is used: | ||
|
|
||
| - `CF_WORKER_NAME` should be set to the name of the worker, i.e. `my-app` given the config above. If you're using environment, the name of the app should contain your env, i.e. `my-app-<env>` | ||
| - `CF_PREVIEW_DOMAIN` is the the subdomain of `workers.dev` where the previews are deployed, i.e. `<version-name>.<domain>.workers.dev` | ||
| - `CF_WORKERS_SCRIPTS_API_TOKEN` is an API token with the `Workers Scripts:Read` permission | ||
| - `CF_ACCOUNT_ID` is the Cloudflare account id where the app is deployed. | ||
|
|
||
| Those variables are used to retrieve the past deployments of your application. | ||
|
|
||
| **Next config** | ||
|
|
||
| You must set a different `deploymentId` in your next config each time your app is deployed. You will get an error if the `deployementId` has already been used by a previous deployment. | ||
|
|
||
| The cloudflare adapter exports a `getDeploymentId()` function that can be used to generate a unique deployment id. | ||
|
|
||
| ```ts | ||
| // next.config.ts | ||
| import { getDeploymentId } from "@opennextjs/cloudflare"; | ||
|
|
||
| const nextConfig = { | ||
| // ... | ||
| deploymentId: getDeploymentId(), | ||
| }; | ||
| ``` | ||
|
|
||
| ### What you should know | ||
|
|
||
| - Because the Worker is configured to run in front of the assets Worker (`run_worker_first`), requesting an asset will count as a request to your Worker | ||
| - Requesting an older deployment will generate 2 requests: the request to the latest version and the request to the older version | ||
| - It is not currently possible to delete a deployment | ||
| - Requests to an older deployment will be a few milli-seconds slower than requests to the latest version of the app | ||
| - Request to a deployment older than the `maxNumberOfVersions` or older than `maxVersionAgeDays` will fallback to the current deployment | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should probably add an example for this at one point.