Cloudflare Tunnel to Ceph S3

fabio5 · December 6, 2022, 3:37pm

We’re using CF Tunnel to provide access to a S3 server (ceph rgw).

When we enable the a “Service Auth policy” and we supply the “Service Token” the requests are somehow modified by the CF Tunnel, and so S3 always complains about it:

We get a 403:

<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>SignatureDoesNotMatch</Code>
<RequestId>tx00000332be2bfbfb88349-00638f5d42-1320ea-us1</RequestId>
<HostId>1320ea-us1-america</HostId>
</Error>

We think this happens because CF strips the original headers in the request (CF-Access-Client-Id / CF-Access-Client-Secret)

Topic		Replies	Views
Tips on exposing Ceph RGW in a secure way General CloudflareTunnel	1	1175	December 30, 2022
Expose to CF Workers privately Cloudflare Tunnel CloudflareTunnel	2	3320	September 24, 2023
CF-Access-Client-Id not even recognized Access	8	4351	November 7, 2023
Tunnel modified "accept-encoding" header value from "gzip" to "gzip, br" Zero Trust	2	26	January 17, 2025
Cloudflare Tunnel Service Auth doesn't work with Host header Cloudflare Tunnel	0	616	December 22, 2023

Cloudflare Tunnel to Ceph S3

Related topics