https://github.com/erisa/hetzner-firewall-cfworker
Use Cloudflare Workers Cron Triggers to keep your Hetzner Cloud Firewall allowing the latest list of Cloudflare IPs, or any other lists!
cloudflare-worker cloudflare-workers hetzner-cloud
- Host: GitHub
- URL: https://github.com/erisa/hetzner-firewall-cfworker
- Owner: Erisa
- Created: 2022-04-22T23:53:51.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2025-02-15T03:18:37.000Z (2 months ago)
- Last Synced: 2025-04-01T06:31:55.590Z (23 days ago)
- Topics: cloudflare-worker, cloudflare-workers, hetzner-cloud
- Language: TypeScript
- Homepage:
- Size: 202 KB
- Stars: 20
- Watchers: 1
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Hetzner Cloud Firewall automation with Cloudflare Workers
Heavily inspired by [xopez/Hetzner-Cloud-Firewall-API-examples](https://github.com/xopez/Hetzner-Cloud-Firewall-API-examples), this repository holds a Cloudflare Worker which updates a [Hetzner Cloud](https://www.hetzner.com/cloud) Firewall to use the latest list of [Cloudflare IP ranges](https://www.cloudflare.com/en-gb/ips/) on a Cron Trigger.
## Requirements
- Hetzner Cloud account
- Wrangler: `npm i -g wrangler`
- Cloudflare account configured to deploy Workers
## Usage
- Create a Firewall on Hetzner Cloud that you want to set to the Cloudflare IPs.
- Set the ports you want to allow through the Firewall in the `PORTS` variable of `wrangler.toml`
- Enter the ID of the Firewall in `FIREWALL_ID`. You can find this as the number after `/firewalls/` in the console URL when visiting the Firewall.
- Create a Hetzner Cloud API Token and set it with `wrangler secret put API_TOKEN`.
- (Optional) Secure your `workers.dev` domain by adding an extra secret to manual REST calls:
- `wrangler secret put WORKER_SECRET`
- This secret will need to be in the `Authorization` header to trigger the Worker manually over HTTPS, but only if the secret is defined. Cron triggers are automatic and unaffected.
## Creativity
If allowing Cloudflare IPs is not your jam, it should be easy to edit `src/index.ts` and replace the two URLs with any other URLs that produce a newline-separated list of IP ranges, allowing you to allowlist any service you desire.
Remember to remove the `rules.concat` line if you only end up having one list.
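As an added example (not the repository's own `src/index.ts`), here is how the pieces described in Usage and Creativity fit together in TypeScript: parsing the newline-separated lists, the `rules.concat` merge, one Hetzner rule per configured port, the optional `WORKER_SECRET` check for manual triggers, and the API call. It assumes `PORTS` is a comma-separated string, that the two lists live at `https://www.cloudflare.com/ips-v4` and `ips-v6`, and that Hetzner's `POST /v1/firewalls/{id}/actions/set_rules` replaces the firewall's rules; `fetch` is injected so the logic can be exercised offline.

```typescript
// Added example, not the repository's code. Assumes PORTS is a comma-separated
// string like "80,443", the lists are newline-separated CIDRs, and that Hetzner's
// POST /v1/firewalls/{id}/actions/set_rules replaces the firewall's rules with { rules: [...] }.
type HetznerRule = { direction: "in"; protocol: "tcp" | "udp"; port: string; source_ips: string[]; description?: string };
// Minimal fetch shape so the sync logic can be driven by a fake in tests and by the Worker's global fetch in production.
type Fetch = (url: string, init?: { method?: string; headers?: Record<string, string>; body?: string }) => Promise<{ status: number; text(): Promise<string> }>;

// Parse a newline-separated list, dropping blanks, comments and anything that is not
// a plausible CIDR, so a malformed or partial upstream response cannot poison the firewall.
function parseIpList(text: string): string[] {
  const cidr = /^(\d{1,3}(\.\d{1,3}){3}\/\d{1,2}|[0-9a-fA-F:]+\/\d{1,3})$/;
  return text.split("\n").map((l) => l.trim()).filter((l) => l !== "" && !l.startsWith("#") && cidr.test(l));
}

// One inbound TCP rule per configured port, every rule sourced from the combined list.
function buildRules(sourceIps: string[], ports: string): HetznerRule[] {
  // set_rules replaces every existing rule, so an empty allowlist must never be pushed.
  if (sourceIps.length === 0) throw new Error("refusing to apply an empty source list");
  return ports.split(",").map((p) => p.trim()).filter((p) => p !== "").map((port): HetznerRule => ({
    direction: "in",
    protocol: "tcp",
    port,
    source_ips: sourceIps,
    description: "Cloudflare (auto-updated)",
  }));
}

// Manual HTTPS triggers must present WORKER_SECRET in Authorization when it is set;
// cron invocations carry no request and are therefore unaffected.
function isAuthorized(authHeader: string | null, secret: string | undefined): boolean {
  if (!secret) return true;
  return authHeader === secret;
}

// Fetch both Cloudflare lists, merge them (the README's "rules.concat" step) and push to Hetzner.
async function syncFirewall(env: { API_TOKEN: string; FIREWALL_ID: string; PORTS: string }, fetchFn: Fetch): Promise<number> {
  const [v4, v6] = await Promise.all(
    ["https://www.cloudflare.com/ips-v4", "https://www.cloudflare.com/ips-v6"].map((u) => fetchFn(u).then((r) => r.text())),
  );
  const rules = buildRules(parseIpList(v4).concat(parseIpList(v6)), env.PORTS);
  const res = await fetchFn(`https://api.hetzner.cloud/v1/firewalls/${env.FIREWALL_ID}/actions/set_rules`, {
    method: "POST",
    headers: { Authorization: `Bearer ${env.API_TOKEN}`, "Content-Type": "application/json" },
    body: JSON.stringify({ rules }),
  });
  return res.status;
}
```

In the Worker, call `syncFirewall(env, fetch)` from the `scheduled()` handler, and from the HTTP handler only after `isAuthorized(request.headers.get("Authorization"), env.WORKER_SECRET)` returns true.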