I deployed a minio server which use aws s3v4 signature. In the signature process, http method is considered. But when I send HEAD request to my endpoint through Cloudflare, it becomes a GET request on my end and therefore minio throws a 403 forbidden error.
I’ve tried sending HEAD request without Cloudflare and no error.
I suspect that this behaviour is by design. It is common behaviour in CDNs, and caching applications like Varnish.
From my own testing, the URL needs to be known to be non-cacheable at the time the request is received (My testing was not exhaustive). This can be done either by having the file extension be one of the non-cacheable extensions, or by page rule. If the cf-cache-status response is DYNAMIC, I see HEAD requests on my origin.