How do I use Cloudflare with Wasabi?

 

Wasabi is validated for use with the Cloudflare CDN. Follow the instructions in this article to set it up.

Cloudflare lets you add CNAME records so that traffic for them is routed through the Cloudflare system, which provides security and network acceleration.

Note: The following example shows how to configure Cloudflare for Wasabi's us-east-1 storage region. To use other Wasabi storage regions, please use the appropriate Wasabi service URL as described in this article.

1. Create an account on Cloudflare, enter a domain name that you own on the Cloudflare screen, and then add the website.

Note: "csye6225-fall2018-sahanip.me" is the example website used here

2. Cloudflare will scan the DNS records for the domain and display the results.

 

3. Next, add a CNAME record:

Step 1: Create a bucket on the Wasabi console with the same name as your website (in this example we are creating a bucket named "csye6225-fall2018-sahanip.me").

Step 2: On your Cloudflare account, go to your DNS page and add a CNAME record.

Select CNAME as the type. The Name is your domain name (in this example, our domain name is "csye6225-fall2018-sahanip.me"). The Value is set to "s3.wasabisys.com" because this bucket points to the server in the East region.

Step 3: Choose the TTL (time to live) value that suits your requirements; Cloudflare will cache the content for this length of time. Then click Add Record.

Refer to the following for more details: https://support.cloudflare.com/hc/en-us/articles/200168926-How-do-I-use-Cloudflare-with-Amazon-s-S3-Service-

4. To activate s3.wasabisys.com you must point your nameservers (DNS) to Cloudflare. In order to start receiving all the speed and security benefits of Cloudflare, you’ll need to change the nameservers configured.

Step 1: Copy both nameserver records that Cloudflare shows on the "Change your NameServers" page.

Step 2: Log in to your domain registrar account (e.g. Namecheap, GoDaddy, or wherever you have registered your domain), edit your nameservers there, paste the two records you copied from Cloudflare, and remove the other records.

Refer to the following article for more details on how to change your nameservers: https://support.cloudflare.com/hc/en-us/articles/205195708-Step-3-Change-your-domain-name-servers-to-Cloudflare.

 

5. Confirm your changes through the Cloudflare dashboard.

    • It may take up to 72 hours for the nameserver information to propagate (in most cases, it propagates within hours).
    • Status: Active indicates your domain is properly set up to run through Cloudflare, and you will receive an email notification. The Cloudflare account will also show the status as Active.
    • Status: Pending indicates that your nameserver updates have either not propagated or were not updated correctly
    • If the issue persists, use whois.net to check your nameserver records and make sure they match the Cloudflare provided records.

6. Once activated, you can use a URL such as:

domain-name/folder-name/object-name to access the objects from the CDN 

e.g: http://csye6225-fall2018-sahanip.me/hawaii.jpeg

 

To let Cloudflare cache content initially and after every TTL expiry, you may attach a bucket policy to the bucket(s) whose content you need to cache, allowing objects to be fetched from Cloudflare's proxy IPs only. This adds a layer of security to your design by making sure that no one else can access your data. You may reach out to the Cloudflare team to get the list of their proxy IPs.

The instructions to restrict bucket access to specific IP addresses are shown here.

Bucket Policy Example for this case:

{
  "Id": "S3PolicyId1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    },
    {
      "Sid": "IPBasedNarrowFurther",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "11.22.33.44/32"
        }
      }
    }
  ]
}

Please be sure to replace the IPs in the above document with Cloudflare's proxy IPs.
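
The following is an added example, not part of the original Wasabi article: it builds the policy above for a list of proxy ranges instead of a single IP, and checks offline which source addresses the Allow/Deny pair would let through. The CIDR ranges are constructed placeholders from documentation address space, and the function names are hypothetical; the evaluator is a simplified model of S3 policy evaluation (explicit Deny overrides Allow), not Wasabi's implementation.

```python
import ipaddress
import json

# Constructed placeholder ranges (documentation address space).
# Replace them with the proxy ranges obtained from Cloudflare.
PLACEHOLDER_PROXY_CIDRS = ["198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32"]


def build_policy(bucket, cidrs):
    """Return the article's Allow + Deny(NotIpAddress) policy for many CIDRs."""
    # strict=True rejects typos such as 198.51.100.1/24 (host bits set)
    nets = [str(ipaddress.ip_network(c, strict=True)) for c in cidrs]
    if not nets:
        raise ValueError("refusing to build a policy with an empty allow-list")
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    base = {"Principal": {"AWS": "*"}, "Action": "s3:GetObject",
            "Resource": resources}
    return {
        "Id": "S3PolicyId1",
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowRead", "Effect": "Allow", **base},
            {"Sid": "IPBasedNarrowFurther", "Effect": "Deny", **base,
             "Condition": {"NotIpAddress": {"aws:SourceIp": nets}}},
        ],
    }


def get_object_allowed(policy, source_ip):
    """Simplified evaluation of an anonymous GetObject from source_ip."""
    ip = ipaddress.ip_address(source_ip)
    allowed = False
    for st in policy["Statement"]:
        cond = st.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp")
        if cond is not None:
            ranges = [cond] if isinstance(cond, str) else cond
            # NotIpAddress holds only when the IP is in none of the ranges
            if any(ip in ipaddress.ip_network(r) for r in ranges):
                continue  # condition false, so this statement does not apply
        if st["Effect"] == "Deny":
            return False  # explicit Deny always wins
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_policy("bucket-name", PLACEHOLDER_PROXY_CIDRS)
    print(json.dumps(policy, indent=2))
    for addr in ("198.51.100.7", "192.0.2.10", "2001:db8::1"):
        print(addr, "allowed" if get_object_allowed(policy, addr) else "denied")
```

Running the check against a known non-proxy address before attaching the policy confirms that direct requests to the bucket would be denied while requests arriving through the listed ranges still succeed.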

 

____________________________________________________________________________________________________________

 

Note-1: Please refrain from using "docs" as a sub-domain because docs.wasabi.com already exists. To keep the docs page in one place, we made it accessible via redirect from either docs.wasabi.com or docs.wasabisys.com.

 

Note-2: Do not be concerned about the recommendation to omit periods from the name of your bucket. In this case, using your domain as the bucket name, including the period (mydomain.com), is acceptable. The CDN service works with your domain upon certificate validation, so you will not see certificate errors with your requests.

If you have any questions/concerns please reach out to support@wasabi.com 

 