A Cloudflare Worker that returns a SHA-256 HMAC based on requestor IP address and provided URL path.
In effect this allows a client to make an HTTP GET request and receive a Base64 response which can be used for purposes such as unsealing a local key store.
This worker is deployed at https://ip-bound-hmac.acegi.com.au. This instance is freely provided on a "best efforts" basis and as such may be removed or stop working at any time. Nevertheless you are welcome to use it if it assists your use case and you are only making a small number of requests. It also lets you quickly test the worker without deploying it yourself (e.g. use different IP addresses and/or paths and observe the HMAC changes).
To deploy the worker yourself:
- Sign up for a Cloudflare Account and create a zone
- Add a DNS A record for `ip-bound-hmac.YOUR-DOMAIN` to `192.0.2.1`
- Install Wrangler
- Configure with `wrangler login`
- Clone this repository
- Copy `wrangler.yaml.example` to `wrangler.yaml` and adjust to your domain
- Create a secret using `wrangler secret put SECRET`
- Deploy using `wrangler publish`
Simply request `https://ip-bound-hmac.YOUR-DOMAIN/any-path` and you will receive back a SHA-256 HMAC specific to that path, IP address and worker SECRET.
See PiTang for a practical example of how to use this worker to unlock LUKS volumes.
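A sketch of how a Worker like this one can derive its response, added here as an example and not taken from this repository. The `"<ip>\n<path>"` message layout, the `CF-Connecting-IP` lookup and the function names are assumptions.

```javascript
// Added example, not this repository's code. Assumptions: the MAC input is
// "<ip>\n<path>" and the client address comes from CF-Connecting-IP.
async function getSubtle() {
  // Workers and recent Node expose Web Crypto globally; older Node needs the import.
  return globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
}

// Base64(HMAC-SHA-256(secret, message)) using Web Crypto.
async function hmacBase64(secret, message) {
  const subtle = await getSubtle();
  const enc = new TextEncoder();
  const key = await subtle.importKey(
    'raw', enc.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
  const mac = await subtle.sign('HMAC', key, enc.encode(message));
  return btoa(String.fromCharCode(...new Uint8Array(mac)));
}

// A raw "\n" cannot occur in an IP literal, and URL parsing never leaves one in
// pathname, so each (ip, path) pair maps to exactly one MAC input.
function ipBoundHmac(secret, ip, path) {
  return hmacBase64(secret, `${ip}\n${path}`);
}

// Worker-style handler; env.SECRET is the value set with `wrangler secret put SECRET`.
async function handleRequest(request, env) {
  if (request.method !== 'GET') {
    return new Response('method not allowed\n', { status: 405 });
  }
  // Cloudflare sets CF-Connecting-IP at the edge. Fail closed when it is absent
  // instead of falling back to a value the client could choose.
  const ip = request.headers.get('CF-Connecting-IP');
  if (!ip) {
    return new Response('client address unavailable\n', { status: 400 });
  }
  const { pathname } = new URL(request.url);
  const body = await ipBoundHmac(env.SECRET, ip, pathname);
  // The body is key material for the caller, so keep caches from storing it.
  return new Response(body, { headers: { 'Cache-Control': 'no-store' } });
}
```

In a module Worker, `handleRequest` would be exported as the `fetch` handler.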