Prompt for Building a Cloudflare Worker API Proxy
A copy-paste AI prompt that builds a Cloudflare Worker to proxy external API calls, rate-limit them, inject authentication headers, and cache responses.
Use this prompt to build a Cloudflare Worker that sits in front of an external API, injects authentication headers, rate-limits per IP via Workers KV, and caches responses, so clients never see your upstream API key.
Main prompt
You are building a Cloudflare Worker using TypeScript and the Workers runtime (not Node.js). The Worker will proxy requests to an upstream API (e.g., OpenAI at https://api.openai.com).

Task: create a production-ready API proxy Worker.

Requirements:
- Use `wrangler` v3 for local dev. Scaffold with `bun create cloudflare@latest` and choose "Hello World" Worker with TypeScript.
- Upstream URL: read from a Wrangler secret `UPSTREAM_URL` (string).
- Auth: inject `Authorization: Bearer ${env.UPSTREAM_API_KEY}` on every proxied request, where `UPSTREAM_API_KEY` is a Wrangler secret. Never expose this header to the client.
- CORS: allow only origins in `env.ALLOWED_ORIGINS` (comma-separated string secret). Return a `403` for disallowed origins. Handle preflight OPTIONS requests.
- Rate limiting: use Workers KV binding `RATE_LIMIT_KV`.
  - Key: `rl:${ip}` where ip is `request.headers.get('CF-Connecting-IP')`.
  - Value: request count for the current UTC minute (TTL = 60 s).
  - Limit: 60 requests/minute per IP. Return `429` with `Retry-After: 60` if exceeded.
- Caching: for GET requests, check `caches.default` before proxying upstream. Cache successful responses with `Cache-Control: public, max-age=300`.
- Strip the following headers from the upstream response before returning to the client: `x-powered-by`, `server`, `cf-ray`.
- Wrangler config: declare the KV namespace binding and all secrets in `wrangler.toml`.
- Do NOT use Node.js APIs (`fs`, `path`, `Buffer`) — Workers runtime only.

Stop and list all planned files before writing code.

Implementation notes
- Cloudflare Workers receive a `Request` and return a `Response`; avoid express-style patterns.
- `caches.default` is the Cloudflare edge cache and only works in production. For local dev tests, use `MINIFLARE_CACHE` or a mock cache.
- `CF-Connecting-IP` is injected by Cloudflare and cannot be spoofed from the public internet, but use a hard-coded fallback IP when testing locally.
- Wrangler secrets are set with `wrangler secret put UPSTREAM_API_KEY`; never store them in `wrangler.toml` or a committed `.env` file.
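As an added example (not the page's prompt output and not Cloudflare's own code), the KV-backed per-IP rate limiter, the exact-match origin check, and the upstream header stripping from the prompt written as plain TypeScript functions that can be tested outside the Workers runtime. The `KVLike` interface and `MemoryKV` class are assumptions standing in for the real `RATE_LIMIT_KV` binding, and the key carries a UTC-minute suffix, a deliberate deviation from the prompt's bare `rl:${ip}` so that the counter actually resets each minute.

```typescript
// Minimal view of the Workers KV binding used by the limiter (assumption: same
// get/put shape as the real KVNamespace; the real binding arrives via `env`).
export interface KVLike {
  get(key: string): Promise<string | null>;
  put(key: string, value: string, opts?: { expirationTtl?: number }): Promise<void>;
}

export const LIMIT_PER_MINUTE = 60;

// Per-IP, per-UTC-minute key. Suffixing the minute (a deviation from the prompt's
// bare `rl:${ip}`) means the counter starts fresh each minute; with a bare key,
// re-putting with a 60 s TTL on every request would keep extending the window.
export function rateLimitKey(ip: string, nowMs: number): string {
  return `rl:${ip}:${Math.floor(nowMs / 60_000)}`;
}

// Returns the updated count and whether the request is within the limit.
// KV get/put is not atomic and KV is eventually consistent, so a burst can
// overshoot slightly; acceptable for abuse control, not for billing.
export async function checkRateLimit(
  kv: KVLike, ip: string, nowMs: number = Date.now(),
): Promise<{ allowed: boolean; count: number }> {
  const key = rateLimitKey(ip, nowMs);
  const count = Number((await kv.get(key)) ?? "0") + 1;
  await kv.put(key, String(count), { expirationTtl: 60 }); // 60 s is KV's minimum TTL
  return { allowed: count <= LIMIT_PER_MINUTE, count };
}

// Exact-match origin check against the comma-separated ALLOWED_ORIGINS secret.
// No prefix or substring matching: "https://myapp.com.evil.example" must not pass.
export function isAllowedOrigin(origin: string | null, allowedOrigins: string): boolean {
  if (!origin) return false;
  const allowed = allowedOrigins.split(",").map((s) => s.trim()).filter(Boolean);
  return allowed.includes(origin);
}

// Headers the prompt removes from the upstream response before it reaches the client.
const STRIP_HEADERS = ["x-powered-by", "server", "cf-ray"];
export function sanitizeUpstreamHeaders(upstream: Headers): Headers {
  const out = new Headers(upstream);
  for (const name of STRIP_HEADERS) out.delete(name);
  return out;
}

// In-memory stand-in for the KV binding, for local runs and tests (assumption, not Miniflare).
export class MemoryKV implements KVLike {
  private store = new Map<string, string>();
  async get(key: string) { return this.store.get(key) ?? null; }
  async put(key: string, value: string) { this.store.set(key, value); }
}
```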
Expected file changes
- wrangler.toml (new)
- src/index.ts (new — Worker entrypoint)
- src/cors.ts (new — CORS helper)
- src/rate-limit.ts (new — KV rate limiter)
- package.json (new)
- tsconfig.json (new)
- .dev.vars (new — local dev secrets, gitignored)
- .gitignore (edited — add .dev.vars)

Acceptance criteria
- `wrangler dev` starts without errors and proxies `GET /` to the upstream URL.
- An IP that sends 61 requests within one minute receives a `429` on the 61st request.
- Requests from a disallowed origin receive a `403`.
- The `Authorization` header does not appear in the response or in any client-visible header.
- `wrangler deploy` succeeds and the Worker runs on workers.dev.
Test commands
wrangler dev &
sleep 5  # give wrangler dev time to start listening before the first request
# test normal proxy
curl http://localhost:8787/ -H "Origin: https://myapp.com"
# test CORS rejection
curl http://localhost:8787/ -H "Origin: https://evil.com"
# test rate limit (requires 61 rapid requests; send an allowed Origin so the 403 check does not mask the 429)
for i in $(seq 1 62); do curl -s -o /dev/null -w "%{http_code}\n" http://localhost:8787/ -H "Origin: https://myapp.com"; done

Common AI mistakes
- Using `process.env` instead of the `env` parameter passed to the Worker's `fetch` handler.
- Forgetting to handle `OPTIONS` preflight requests, which breaks CORS for POST/PUT calls.
- Storing `UPSTREAM_API_KEY` as a plain variable in `wrangler.toml` instead of as a secret.
- Using `node:buffer` or other Node.js built-in modules, which are not available in the Workers runtime.
Fix prompt
The Worker fails with a runtime error or leaks the API key. Fix in order:
1. Replace `process.env.X` with `env.X` everywhere — Workers use the `env` handler parameter.
2. Add an OPTIONS handler before the proxy logic that returns the CORS headers with a 204 status.
3. Move `UPSTREAM_API_KEY` from `wrangler.toml` [vars] to a secret: `wrangler secret put UPSTREAM_API_KEY`.
Show only the corrected diff.