NTA with Cloudflare Worker
This document walks you through deploying the Invicti Network Traffic Analysis (NTA) Cloudflare Worker to monitor and forward HTTP traffic for analysis.
Prerequisites
Before deploying, ensure you have:
- Node.js (v16 or later recommended) installed
- Git installed
- A Cloudflare account with Worker admin rights:
- Worker Scripts: Edit
- Zone Settings: Read
- (Optional) DNS: Edit if assigning a route to a custom domain
- A domain registered with Cloudflare
- Cloudflare Wrangler CLI installed:
npm install -g wrangler |
Step 1: Clone the repository and install dependencies
- Run this command to clone the Invicti NTA Cloudflare worker.
git clone https://github.com/Invicti-Security/Invicti-NTA-Cloudflare-Worker.git |
- Running this command will install all required packages listed in package.json.
npm install |
Step 2: Configure environment variables
Update your wrangler.toml file to audit or edit the following configuration variables (you can do it also via Cloudflare UI, see below):
[vars] |
🛠️ | Where NTA_TELEMETRY_ENDPOINT:
|
Step 3. Configure the route
Before deploying, configure the route for your Worker in the wrangler.toml file:
route = { pattern = "https://your-subdomain.yourdomain.com/*", zone_name = "yourdomain.com" } |
Defining routes
Cloudflare Workers operate by being attached to specific routes within a domain. A route defines both a hostname and a URL path pattern. For example:
route = { pattern = "https://api.yourdomain.com/*", zone_name = "yourdomain.com" } |
Serving multiple routes with a single worker
A single Worker can be assigned to multiple routes. You can configure this either in the Cloudflare dashboard or directly in your wrangler.toml file:
routes = [ |
Matching all subdomains
You can also use a wildcard to apply the Worker to all subdomains:
route = { pattern = "https://*.yourdomain.com/*", zone_name = "yourdomain.com" } |
Step 4: Deploy the worker
- Once the route is configured, deploy the Worker by running the following command. This command uploads your Worker script and makes it live on your configured route(s) in your Cloudflare environment.
npx wrangler deploy |
- If prompted, follow the login flow to authenticate with your Cloudflare account. The Cloudflare Dashboard will open in your internet browser.
Step 5: Verify the configuration
After deployment, verify the following:
- The Worker appears in your Cloudflare dashboard under Workers & Pages
- It is bound to a route (e.g., yourdomain.com/) if configured
- The NTA endpoint is receiving HTTP traffic events
Steps to verify the configuration:
- Go to the Worker & Pages page for your domain, and ensure the new Cloudflare worker is installed:
- Click on its name and in the Settings tab, check the settings again.
- Click Edit route to see additional details and verify how worker failures should be handled.
- When configuring the Worker route in the Cloudflare dashboard, you will be asked to select a failure mode:
- Fail open (recommended): If the Worker is unavailable, requests will skip the Worker and proceed to your origin server. This ensures that users are not affected by telemetry failures.
- Fail closed: If the worker fails, requests will return an error page to users. Use this only if your Worker performs critical logic, such as access control.
We recommend setting Failure mode to Fail open for NTA Cloudflare Worker to ensure end-user traffic continues uninterrupted in case of any unexpected worker error. |
Additional notes
|
Step 6: Set up an NTA server
Follow Step 3: Prepare and deploy Invicti Helm chart in our NTA with Tap Plugin document to complete the configuration.
Example of how to expose Reconstructor via https using NGINX
Use the code snippet below for an example of how to expose Reconstructor via HTTPS using NGINX. You then need to save this content to /etc/nginx/sites-enabled/invicti-reconstruct and reload your NGINX.
server { |
The NTA processes all data sent from the Cloudflare Worker, typically consisting of metadata about API traffic. This metadata is used for API discovery and to help reconstruct API specifications.
After the initial sync, the table in Discovery → Configuration → API Sources is updated, and the sync status is marked as completed. Additionally, the Discovery → API Discovery page is refreshed to display any newly discovered APIs. You can then optionally link these APIs to specific targets.