By: Zeblote

Hiding spaces behind cloudflare

November 23, 2017
Storage

I'm wondering if it is possible to use Spaces behind the Cloudflare proxy for cost and security reasons.
As far as I understood, this would involve the following:

  • Set up something to deny all requests to xxx.digitaloceanspaces.com from non-Cloudflare IPs
  • Set up a custom subdomain on Cloudflare that points to the Space

Can Spaces be used this way?

4 comments
  • Judging by the complete lack of responses, I'm assuming this isn't possible right now? Maybe it could be added in the future?

  • Hi there - I'm the product manager for Spaces. There is no way to do the 1st thing (limit Spaces access by IP) today. Some CDNs (not sure about Cloudflare) will let you input an access/secret pair so you can limit reads that way. Is that what you're trying to accomplish or is it a hard requirement to block at the network level?

    Re: the 2nd thing, this works with any CDN and Spaces. However, the Cloudflare free plan doesn't allow host header re-writes, which is what is required to make this work today. We are working on making it so that customers can do this with the Cloudflare free plan, too. My hope is that we can release this in early Q1.

    Let me know if you have other feedback or can share more about your use case. Thanks so much for leaving the comment/question.

  • My use case is actually fairly simple, I'm looking to run the dynamic part of my site on a droplet, store all the static files in Spaces, and hide the whole thing behind Cloudflare: https://i.imgur.com/kR22efV.png

    Unfortunately I've not found anything on Cloudflare about giving it a special access key. They always recommend that you deny all requests that do not come from these IP addresses, as early as possible: https://www.cloudflare.com/ips/ . Otherwise someone could simply bypass Cloudflare by requesting the file from xxx.digitaloceanspaces.com directly and cause an unexpectedly high invoice using bot downloads.

    It looks like host header re-writes are limited to enterprise customers, not just paid plans, so this would not be useful for most people. But since you've already got custom domain support coming soon, the second part is solved.
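
Added example, not part of the original thread: the thread states Spaces cannot filter by IP, so this sketch applies the "deny anything not from Cloudflare" rule at the droplet origin instead, and only trusts the `CF-Connecting-IP` header when the TCP peer is a Cloudflare address. The function names and sample requests are hypothetical, and the range list is a small illustrative subset of https://www.cloudflare.com/ips/.

```python
import ipaddress

# Constructed subset of Cloudflare's published ranges, for illustration only.
# Load the full, current list from https://www.cloudflare.com/ips/ in practice.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32",
)]

def is_cloudflare(peer):
    """True if the TCP peer address lies inside a listed Cloudflare range."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_RANGES)

def classify(peer, headers):
    """Return (verdict, client_ip) for one request arriving at the origin."""
    if not is_cloudflare(peer):
        # Direct request that bypassed the proxy: deny it, and never trust a
        # CF-Connecting-IP header supplied by an arbitrary sender.
        return ("deny", peer)
    claimed = headers.get("CF-Connecting-IP")
    try:
        client = str(ipaddress.ip_address(claimed)) if claimed else None
    except ValueError:
        client = None  # malformed header: keep the request, log no client IP
    return ("allow", client)

# Constructed sample requests: (TCP peer address, request headers).
SAMPLE = [
    ("172.68.10.5", {"CF-Connecting-IP": "198.51.100.7"}),
    ("203.0.113.50", {"CF-Connecting-IP": "198.51.100.7"}),  # spoofed header
    ("2606:4700:10::1", {"CF-Connecting-IP": "2001:db8::9"}),
    ("104.16.1.1", {}),
    ("not-an-ip", {}),
]

def bypass_peers(requests):
    """Peers that reached the origin without going through Cloudflare."""
    return [peer for peer, hdrs in requests if classify(peer, hdrs)[0] == "deny"]

if __name__ == "__main__":
    for peer, hdrs in SAMPLE:
        print(peer, classify(peer, hdrs))
```

The same allowlist is usually enforced earlier, in the droplet's firewall, with the application-level check kept as a second layer and as the place to resolve the real client address for logging.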
