I have a semi-private R2 bucket that I create signed urls from. I’d like to 1) have the signed urls use a custom domain instead of one that leaks our bucket name and id and 2) have the global CDN in front of it for caching.

I can’t seem to find a way of doing this. If I had a custom domain then the entire bucket becomes public, and if I add a CNAME in DNS to just point to the bucket url ( .com) it shows a cloudflare error on download.

R2 public domains do not support the S3 API (so you can’t do things like presigned URLs).

The closest thing you can do is to use a WAF rule to block all access to the public domain of the bucket, but then utilize the is_timed_hmac_valid_v0() function in your rule expression to allow access based on the hash in the URL. It’s sort of like presigned URLs, but not quite as flexible (it really just lets URLs be accessed based on time, you can’t do other things like IP based access or anything).

…it doesn’t solve your issue of wanting to edge cache content (can’t really expect to edge cache and also allow/deny access on a per request basis… have to pick one or the other).
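To make the HMAC approach in the reply above concrete, here is an added example (my own illustration, not Cloudflare's code or anything from the original post). It builds a time-limited URL of the form `<path>?verify=<timestamp>-<mac>`, which is the shape Cloudflare's `is_timed_hmac_valid_v0()` checks, and includes a local reference check that mirrors the rule function's arguments (secret, URI, TTL, current time, separator length) so you can see exactly what the edge enforces: a valid MAC over path plus timestamp, and a timestamp no older than the TTL. The secret, the path and the hostname in the comment are constructed placeholders; confirm the exact token encoding against Cloudflare's documentation before relying on it.

```python
"""Time-limited HMAC URLs in the shape is_timed_hmac_valid_v0() validates.

Added illustration. Assumed URL format (check against Cloudflare's docs):
    <path>?verify=<unix-timestamp>-<urlencoded base64(HMAC-SHA256(secret, path + timestamp))>

A WAF custom rule on the bucket's public hostname would then look roughly like
(hostname and secret are placeholders):
    (http.host eq "files.example.com"
     and not is_timed_hmac_valid_v0("CHANGE-ME-secret", http.request.uri,
                                    600, http.request.timestamp.sec, 8))
with action Block, so only URLs carrying a fresh, valid token get through.
"""
import base64
import hashlib
import hmac
import time
import urllib.parse
from typing import Optional

# The separator between path and token; its length (8) is the rule's last argument.
SEPARATOR = "?verify="


def _mac(secret: str, path: str, timestamp: str) -> str:
    """HMAC-SHA256 over path + timestamp, base64, then percent-encoded for the URL."""
    digest = hmac.new(secret.encode(), (path + timestamp).encode(), hashlib.sha256).digest()
    return urllib.parse.quote_plus(base64.b64encode(digest).decode())


def sign_path(path: str, secret: str, now: Optional[int] = None) -> str:
    """Return a signed URI for `path` valid from `now` (default: current time)."""
    ts = str(int(time.time()) if now is None else now)
    return f"{path}{SEPARATOR}{ts}-{_mac(secret, path, ts)}"


def is_timed_hmac_valid(secret: str, uri: str, ttl: int, now: int, sep_len: int) -> bool:
    """Local re-implementation of the check the edge rule performs (for illustration).

    Returns True only if the URI carries a token whose MAC matches the path and
    timestamp, and the timestamp is within `ttl` seconds of `now`.
    """
    idx = uri.find(SEPARATOR)
    if idx < 0 or len(SEPARATOR) != sep_len:
        return False
    path, token = uri[:idx], uri[idx + sep_len:]
    ts_str, _, mac = token.partition("-")
    if not ts_str.isdigit() or not mac:
        return False
    ts = int(ts_str)
    # Reject tokens from the future or older than the TTL.
    if now < ts or now > ts + ttl:
        return False
    # Constant-time comparison so the check leaks nothing about the expected MAC.
    return hmac.compare_digest(_mac(secret, path, ts_str), mac)


if __name__ == "__main__":
    secret = "CHANGE-ME-secret"  # placeholder; keep the real one out of source control
    url = sign_path("/reports/q1.pdf", secret)
    print(url)
    print("valid now:", is_timed_hmac_valid(secret, url, 600, int(time.time()), 8))
```

Note that the TTL is enforced relative to the timestamp embedded in the URL, so a link keeps working for the full window even if the request arrives late, and a tampered path or a different secret makes the MAC mismatch regardless of time.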

