API Shield API 参考
# API 参考
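基准路径: `/zones/{zone_id}/api_gateway`(相对于 `https://api.cloudflare.com/client/v4`;下列端点均相对于该基准路径,请求需携带 `Authorization: Bearer <API 令牌>` 头,参见下文"动态 JWKS 更新"示例)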
## 端点
bash
GET /operations # 列表
GET /operations/{op_id} # 获取单个
POST /operations/item # 创建: {endpoint,host,method}
POST /operations # 批量创建: {operations:[{endpoint,host,method}]}
DELETE /operations/{op_id} # 删除
DELETE /operations # 批量删除: {operation_ids:[...]}
## 发现
bash
GET /discovery/operations # 列出已发现的
PATCH /discovery/operations/{op_id} # 更新: {state:"saved"|"ignored"}
PATCH /discovery/operations # 批量更新: {operation_ids:{id:{state}}}
GET /discovery # OpenAPI 导出
## 配置
bash
GET /configuration # 获取会话 ID 配置
PUT /configuration # 更新: {auth_id_characteristics:[{name,type:"header"|"cookie"}]}
## 令牌验证
bash
GET /token_validation # 列表
POST /token_validation # 创建: {name,location:{header:"..."},jwks:"..."}
POST /jwt_validation_rules # 规则: {name,hostname,token_validation_id,action:"block"}
## Workers 集成
### 访问 JWT 声明
js
export default {
  /**
   * Reads the `sub` and `role` claims from the JWT payload that the request's
   * `cf` metadata carries for the token validation configuration named by
   * env.JWT_CONFIG_ID. The snippet only extracts the claims; it takes no
   * other action and returns nothing.
   *
   * @param {Request} req incoming request; `req.cf` may be absent
   * @param {object} env bindings; JWT_CONFIG_ID selects the payload entry
   */
  async fetch(req, env) {
    // Validated JWT payload: first entry recorded under this configuration id.
    // Every step is optional-chained, so a request without JWT metadata
    // yields undefined instead of throwing.
    const claims = req.cf?.jwt?.payload?.[env.JWT_CONFIG_ID]?.[0];
    if (!claims) {
      // NOTE(review): nothing happens when no payload is present. A handler
      // that bases authorization on these claims should reject this case
      // explicitly instead of continuing as if the caller were anonymous.
      return;
    }

    // NOTE(review): confirm that a payload is exposed only for tokens that
    // passed validation (e.g. that the validation rule for this hostname uses
    // action "block") before trusting `sub` or `role` for access decisions.
    const userId = claims.sub;
    const role = claims.role;
  }
}
### 访问 mTLS 信息
js
export default {
  /**
   * Reads the client-certificate (mTLS) metadata from `req.cf.tlsClientAuth`
   * and, when verification succeeded, the certificate's SHA-256 fingerprint.
   * The snippet only extracts the value; it returns nothing.
   *
   * @param {Request} req incoming request; `req.cf` may be absent
   * @param {object} env bindings (unused here)
   */
  async fetch(req, env) {
    const clientAuth = req.cf?.tlsClientAuth;
    if (clientAuth?.certVerified !== 'SUCCESS') {
      // NOTE(review): no certificate, or verification did not succeed. The
      // snippet takes no action here; an mTLS-protected handler should
      // reject this case explicitly.
      return;
    }

    // Authenticated client.
    // NOTE(review): Cloudflare reports revocation separately (certRevoked);
    // confirm whether certVerified alone excludes revoked certificates and
    // check both if it does not. A verified chain also only shows the
    // certificate was issued by the configured CA; compare the fingerprint
    // with an expected value when per-client authorization is needed.
    const fingerprint = clientAuth.certFingerprintSHA256;
  }
}
### 动态 JWKS 更新
js
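export default {
  /**
   * Cron handler: downloads the issuer's JWKS and writes it to the zone's
   * token validation configuration through the Cloudflare API.
   *
   * The key set pushed here becomes the trust anchor for JWT validation, so
   * the update is refused unless the download succeeded and contains at least
   * one key; a failed download or an empty document must never overwrite the
   * working configuration. Any failure throws so the scheduled run is
   * reported as failed instead of passing silently.
   *
   * @param {ScheduledEvent} event cron trigger event (unused)
   * @param {object} env bindings: ZONE_ID, CONFIG_ID, CF_API_TOKEN
   * @throws {Error} when the JWKS download or the configuration update fails
   */
  async scheduled(event, env) {
    const jwksResponse = await fetch('https://auth.example.com/.well-known/jwks.json');
    if (!jwksResponse.ok) {
      throw new Error(`JWKS fetch failed: HTTP ${jwksResponse.status}`);
    }

    const jwks = await jwksResponse.json();
    // An error page or an empty key set would otherwise replace valid keys.
    if (!Array.isArray(jwks?.keys) || jwks.keys.length === 0) {
      throw new Error('JWKS document contains no keys; configuration left unchanged');
    }

    // CF_API_TOKEN should be stored as a Worker secret and scoped to this
    // zone's API Gateway settings only; it is never logged here.
    const updateResponse = await fetch(`https://api.cloudflare.com/client/v4/zones/${env.ZONE_ID}/api_gateway/token_validation/${env.CONFIG_ID}`, {
      method: 'PATCH',
      headers: {'Authorization': `Bearer ${env.CF_API_TOKEN}`, 'Content-Type': 'application/json'},
      // The API field carries the key set as a JSON string, hence the
      // nested JSON.stringify.
      body: JSON.stringify({jwks: JSON.stringify(jwks)})
    });
    if (!updateResponse.ok) {
      // Report the status only; the response body is not echoed into logs.
      throw new Error(`token_validation update failed: HTTP ${updateResponse.status}`);
    }
  }
}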
## 防火墙字段
### 核心字段
js
// Fields listed for use in firewall rule expressions.
cf.api_gateway.auth_id_present // session ID present
cf.api_gateway.request_violates_schema // schema violation
// NOTE(review): confirm this field name against the current Cloudflare
// fields reference before using it in a rule.
cf.api_gateway.fallthrough_triggered // no endpoint matched
// NOTE(review): Cloudflare exposes revocation in a separate field
// (cf.tls_client_auth.cert_revoked); a rule that relies on cert_verified
// alone presumably still matches revoked certificates. Confirm, and combine
// both fields when revoked certificates must be rejected.
cf.tls_client_auth.cert_verified // mTLS verification succeeded