Easily deploy a Cloudflare Worker with Monocle that will automatically protect your site from residential proxies, malware proxies, or other commercial anonymity services.
Monocle can detect a user session coming from a residential proxy, malware proxy, or other endpoint-based proxy network. By detecting this at the session level, you can take action on abusive users without impacting legitimate ones.
This Cloudflare Worker will automatically force a Monocle assessment on new users before allowing them access to your site. Authentic users will not be negatively impacted. The cookie this plugin sets is valid for one hour or until the user changes IP address.
Use our official Terraform module to quickly integrate the Monocle Cloudflare worker into your Terraform-enabled project.
Install Wrangler CLI
Wrangler is the Cloudflare CLI tool that allows you to manage your Cloudflare Workers.
To install the Monocle worker, make sure you have Wrangler installed globally.
npm install -g wrangler
Make sure you are logged in to your Cloudflare account with Wrangler.
wrangler login
Fork this repository
In order to deploy this worker, you will need to fork this repository to your own GitHub account. This will allow you to make changes to the worker and deploy it to your own Cloudflare account.
- Navigate to the GitHub repository for this worker.
- In the top-right corner of the page, click the Fork button.
- You will now have a copy of this repository in your own GitHub account.
- You can clone this repository to your local machine by running the following command:
git clone git@github.com:${YOUR_USERNAME_HERE}/monocle-plugin-cloudflare.git
cd monocle-plugin-cloudflare
npm install # Install dependencies
Configure the worker
You will need to create a wrangler.toml file and set your account_id and route.
- Open the wrangler.toml file in your text editor.
- Copy the example below and paste it into the wrangler.toml file.
- Update the compatibility_date field with the current date. This value must be greater than 2024-11-11.
- Add nodejs_compat to compatibility_flags.
- Update the account_id field with your Cloudflare account ID.
- Update the route field with the route you want to deploy the worker to.
- Update the zone_id field with the zone you want to deploy the worker to.
- Save the file.
name = "monocle"
main = "src/index.ts"
compatibility_date = "${TODAYS_DATE}"
compatibility_flags = [ "nodejs_compat" ]
account_id = "${YOUR_ACCOUNT_ID}"
workers_dev = false # Set to false to deploy to custom domain
route = { pattern = "${YOUR_ROUTE}", zone_id = "${YOUR_ZONE}" }
Set up your secrets
wrangler secret put PUBLISHABLE_KEY
wrangler secret put SECRET_KEY
# The cookie secret must be 32 bytes; generate one with: openssl rand -hex 32
wrangler secret put COOKIE_SECRET_VALUE
To use manual decryption, set the PRIVATE_KEY secret. This feature is only available to customers with Enterprise plans.
wrangler secret put PRIVATE_KEY
Opt in to the Policy API
If you want to use Spur's Policy API for assessment decisions instead of the default local decryption path, set the following secret:
# Set to true to use the Monocle policy API instead of local assessment decryption.
wrangler secret put USE_POLICY_API # set value to: true
When USE_POLICY_API=true:
- The worker calls Spur's Policy API to evaluate each session
- If you have the relevant Policy blocking entitlements and a policy is configured, traffic that fails the policy check will be blocked
- If no policy is configured or the account does not have blocking entitlements, traffic is allowed through automatically
Optionally configure a custom response for blocked requests:
wrangler secret put BLOCK_RESPONSE_TYPE # html or redirect
For html, customise the block page:
wrangler secret put BLOCK_STATUS_CODE # e.g. 403
wrangler secret put BLOCK_PAGE_TITLE # browser tab title
wrangler secret put BLOCK_RESPONSE_BODY # message text shown on the block page
For redirect, send blocked users elsewhere:
wrangler secret put BLOCK_REDIRECT_URL # URL to redirect to
If BLOCK_RESPONSE_TYPE is not set, blocked requests receive a plain 403 response.
Deploy the worker
wrangler deploy

| Variable | Required | Description |
|---|---|---|
| PUBLISHABLE_KEY | Yes | Your Monocle publishable key |
| SECRET_KEY | Yes | Your Monocle secret key |
| COOKIE_SECRET_VALUE | Yes | 32-byte hex string for cookie signing |
| PRIVATE_KEY | No | PEM private key for local decryption (Enterprise only) |
| USE_POLICY_API | No | Set to true to use the Policy API instead of local decryption |
| EXEMPTED_SERVICES | No | JSON array of service names to exempt from blocking (default: ["WARP_VPN","ICLOUD_RELAY_PROXY"]) |
| BLOCK_RESPONSE_TYPE | No | html or redirect; customises the response for blocked requests |
| BLOCK_STATUS_CODE | No | HTTP status code for HTML block responses (default: 403) |
| BLOCK_PAGE_TITLE | No | Browser tab title for HTML block responses |
| BLOCK_RESPONSE_BODY | No | Message text shown on the block page |
| BLOCK_REDIRECT_URL | No | URL to redirect blocked users to (required when BLOCK_RESPONSE_TYPE=redirect) |
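
An added example, not the plugin's own code: one way a worker could implement a cookie that is valid for one hour and only for the issuing IP address, signed with the 32-byte COOKIE_SECRET_VALUE. The cookie layout, function names and sample values are assumptions made for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

const TTL_MS = 60 * 60 * 1000; // one hour, the validity period stated above

// Parse the secret and enforce the required 32-byte length
// (64 hex characters, the output format of `openssl rand -hex 32`).
function parseSecret(secretHex: string): Buffer {
  if (!/^[0-9a-fA-F]{64}$/.test(secretHex)) {
    throw new Error("cookie secret must be 32 bytes of hex (64 characters)");
  }
  return Buffer.from(secretHex, "hex");
}

// HMAC over the expiry and the client IP, so neither can be changed
// without invalidating the signature.
function sign(key: Buffer, expiresAt: number, ip: string): Buffer {
  return createHmac("sha256", key).update(`${expiresAt}|${ip}`).digest();
}

// Hypothetical cookie layout: "<expiry ms>.<hex HMAC>". The IP is not stored
// in the cookie; it is taken from the connection at verification time.
function issueCookie(secretHex: string, ip: string, nowMs: number): string {
  const expiresAt = nowMs + TTL_MS;
  return `${expiresAt}.${sign(parseSecret(secretHex), expiresAt, ip).toString("hex")}`;
}

type Verdict = "ok" | "malformed" | "expired" | "bad_signature";

function verifyCookie(secretHex: string, cookie: string, ip: string, nowMs: number): Verdict {
  const m = /^(\d{1,15})\.([0-9a-f]{64})$/.exec(cookie);
  if (!m) return "malformed";
  const expiresAt = Number(m[1]);
  const given = Buffer.from(m[2], "hex");
  const expected = sign(parseSecret(secretHex), expiresAt, ip);
  // Constant-time comparison. A changed client IP or an edited expiry both
  // land here, because either one changes the expected HMAC.
  if (!timingSafeEqual(given, expected)) return "bad_signature";
  // Expiry is checked after the signature so only authentic timestamps are trusted.
  if (nowMs >= expiresAt) return "expired";
  return "ok";
}

// Constructed sample values (not a real key or a real client address).
const SAMPLE_SECRET = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
const SAMPLE_NOW = 1700000000000;
const sampleCookie = issueCookie(SAMPLE_SECRET, "203.0.113.7", SAMPLE_NOW);
```

A request that fails verification for any reason would be sent back through the assessment rather than treated as an error.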