Question

Hiding spaces behind cloudflare

I’m wondering if it is possible to use spaces behind the cloudflare proxy for cost and security reasons. As far as I understood, this would involve the following:

  • Set up something to deny all requests to xxx.digitaloceanspaces.com from non-cloudflare IPs
  • Set up a custom subdomain on cloudflare that points to the space

Can spaces be used this way?


@johngannon any news on this?

Hi there - I’m the product manager for Spaces. There is no way to do the 1st thing (limit Spaces access by IP) today. Some CDNs (not sure about cloudflare) will let you input an access/secret pair so you can limit reads that way. Is that what you’re trying to accomplish or is it a hard requirement to block at the network level?

Re: the 2nd thing, this works with any CDN and Spaces. However, the Cloudflare free plan doesn’t allow host header re-writes, which is what is required to make this work today. We are working on making it so that customers can do this with the cloudflare free, too. My hope is that we can release this in early Q1.

Let me know if you have other feedback or can share more about your use case. Thanks so much for leaving the comment/question.

Judging by the complete lack of responses, I’m assuming this isn’t possible right now? Maybe it could be added in the future?

You can now do this with Cloudflare Workers, though you’ll have to consider cost (number of requests, not bandwidth) and code the worker (would be really really simple for this use case).
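The Worker the comment above refers to, written out as an added example (this is not code from the thread or from DigitalOcean or Cloudflare). It assumes the Worker is routed on `static.example.com/*` and that the Space's endpoint is `example-space.nyc3.digitaloceanspaces.com`; both names are placeholders. The edge rewrites the request onto the Spaces hostname (the host header rewrite the thread says plain DNS proxying on the free plan cannot do), refuses anything other than GET/HEAD so the bucket can never be written to through the public hostname, and strips the origin's request-id headers so responses do not advertise the backing bucket.

```javascript
// Added example: Cloudflare Worker fronting a DigitalOcean Space under a custom
// hostname. ORIGIN_HOST is an assumed placeholder, not a value from the thread.
const ORIGIN_HOST = "example-space.nyc3.digitaloceanspaces.com"; // assumed
const READ_ONLY_METHODS = new Set(["GET", "HEAD"]);

// Pure helper: map the public URL (static.example.com/...) onto the Spaces
// origin URL, keeping path and query string intact. Kept separate so it can be
// exercised outside the Workers runtime.
function buildOriginUrl(incomingUrl) {
  const url = new URL(incomingUrl);
  url.protocol = "https:";
  url.hostname = ORIGIN_HOST;
  url.port = "";
  return url.toString();
}

// Only read-only methods are allowed through; PUT/DELETE/POST never reach the
// bucket via this hostname, whatever the bucket's own ACLs say.
function isAllowed(method) {
  return READ_ONLY_METHODS.has(String(method).toUpperCase());
}

async function handleRequest(request) {
  if (!isAllowed(request.method)) {
    return new Response("Method not allowed", {
      status: 405,
      headers: { Allow: "GET, HEAD" },
    });
  }
  // Building a new Request with the origin URL is what sets the Host header
  // the origin sees; only Accept is forwarded from the client.
  const originRequest = new Request(buildOriginUrl(request.url), {
    method: request.method,
    headers: { Accept: request.headers.get("Accept") || "*/*" },
  });
  // `cf` is a Workers-specific fetch option: cache every object at the edge
  // for a day so repeat downloads are served by Cloudflare, not by Spaces.
  const response = await fetch(originRequest, {
    cf: { cacheEverything: true, cacheTtl: 86400 },
  });
  // Copy the origin response but drop headers that identify the S3-style backend.
  const headers = new Headers(response.headers);
  headers.delete("x-amz-request-id");
  headers.delete("x-amz-id-2");
  return new Response(response.body, { status: response.status, headers });
}

// Workers entry point (service-worker syntax). Guarded so the file can also be
// loaded in Node for testing, where addEventListener is not a global.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handleRequest(event.request)));
}
```

Deploy it on a route for the custom hostname and keep the Space's own endpoint out of any published URL; the Worker does not stop someone who already knows the `*.digitaloceanspaces.com` name from fetching objects directly, which is the gap the asker raises further down.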

My use case is actually fairly simple, I’m looking to run the dynamic part of my site on a droplet, store all the static files in spaces, and hide the whole thing behind cloudflare: https://i.imgur.com/kR22efV.png

Unfortunately I’ve not found anything on cloudflare about giving it a special access key. They always recommend that you deny all requests that do not come from these ip addresses, as early as possible: https://www.cloudflare.com/ips/ . Otherwise someone could simply bypass cloudflare by requesting the file from xxx.digitaloceanspaces.com directly and cause an unexpectedly high invoice using bot downloads.

It looks like host header re-writes are limited to enterprise customers, not just paid plans, so this would not be useful for most people. But since you’ve already got custom domain support coming soon, the second part is solved.


Not sure if this is still an issue here for folk. We’ve recently done this for 4 separate Spaces

  1. Create Space + CDN
  2. Create a desired CNAME for your DO CDN
  3. Use Cloudflare’s tool to create an origin server self-signed SSL cert specifically for the CNAME created in step 2.
  4. Use Spaces CDN option to add new subdomain certificate. Use the certificate details from step 3.
  5. You can then proxy via Cloudflare.

I am noticing that DO CDN is still quite a bit slower compared to cloudflare, and also for management and security reasons it still makes sense to keep cloudflare in front of all domains, including the spaces domains. With S3 I used the approach mentioned by @DavidLevy, but can’t make it work with DO Spaces. :/

@tannerchung we just enabled this in Spaces: https://blog.digitalocean.com/custom-subdomains-for-spaces-cdn-endpoints/

Hope it’s what you are looking for. If you have feedback please let us know!

@johngannon just wondering if anyone has figured this out. Pointing a subdomain like cdn.website.com to the Digital Ocean space’s domain would be great

We’re working on it (custom domain support delivered via a new endpoint that will talk HTTP) – still targeting early Q1.

Is it still necessary, because you can enable cdn in spaces?

The issue is that Cloudflare requires the bucket name to be the exact domain you are hosting and DigitalOcean has prevented bucket names with dots.

You can recreate this on s3, create a bucket www-example-com, enable html hosting and get the url for the html files (not the s3 bucket url). Create the cname in Cloudflare for www.example.com, and you will get the same error from s3: NoSuchBucket

Go back to s3 and create a bucket www.example.com, enable html hosting and get the html hosting url, and update the cname, the site will work.

This is the exact same issue with DO Spaces, however because Digital Ocean prevented bucket names with dots, using Cloudflare in front of a Spaces bucket will not work.

It would be as simple as Digital Ocean allowing bucket names with dots to fix this.

What you could do today is set up a reverse proxy using Nginx (or any other frontend server), rewriting the requests from something like assets.example.com to yourspace.region.digitaloceanspaces.com and put cloudflare in front of assets.example.com, so you should never pay for exceeding transfer usage (as the included allowance should be more than enough)

I think Zeblote’s comments describe very well the thing that he wants to do; I’m looking myself for the same thing and really haven’t found any real answer.

Basically the thing is:

1.- Store web application on droplet, using a cdn like cloudflare point to the application by the domain ‘stuff.com’ and enjoy benefits from using cdn.

2.- Store all static files (.jpeg, .png, .css, .js, .mp4, etc.) on spaces. However, by doing this anyone could access the files directly, consuming bandwidth and resources of the spaces bucket, or simply perform malicious actions directly on the bucket itself.

3.- By hiding the bucket behind a cloudflare cdn I think what he means (at least from my understanding) is that he wants to create a cname for ‘stuff.com’, alias ‘static.stuff.com’, which points to the spaces bucket and therefore to the files stored at the bucket. So instead of accessing the files by ‘stuff.nyc3.digitaloceanspaces.com/img-example.jpeg’ we can access them simply like ‘static.stuff.com/img-example.jpeg’, which is easy to remember and better represents the brand than the first one, and enjoy the benefits of using a cdn.

Nevertheless using a cdn brings a lot of benefits to the table, like security, file caching, etc…

In summary:

‘stuff.com’ in cloudflare points to web application ip in droplet.

‘static.stuff.com’ in cloudflare points to ‘stuff.nyc3.digitaloceanspaces.com’ in spaces.

Is there an actual way of doing this?

johngannon please give real answers.