Use R2 to serve (fairly) static files with authentication

I currently have a website hosted on AWS that accepts API calls of the form https:///download//filename. The is a short-lived token used to authenticate the user. If the token validates, the filename is downloaded from the website. The website itself is nginx with a Django backend and the file is served via an nginx X-ACCEL-REDIRECT.

I am trying to assess whether storing the files in R2 storage would help with our download speeds across the world. Is it possible to do a redirect to the address of the file on the R2 storage? Or do I need something else like a worker in front of the storage? And how do I prevent the file from being served if the redirect address is visible – clearly I want it only served once my website does the redirect.

Any templates for doing this? I have been looking through the community postings but don’t see anything that gives me a good starting point.

Thanks. And Happy New Year to all

Sorry, the markup is broken in the message above.

The API call is https://<domain>/download/<access-token>/filename where <access-token> is a short-lived token that is validated by the server.

If you want any kind of auth for R2 then you need a worker in front of it. A worker that I know that has something similar is GitHub - Cherry/ShareX-R2-Cloudflare-Workers: Custom ShareX Uploader to Cloudflare R2 via Workers. It uses auth to upload and delete files to R2 which you can adapt to your auth needs.

Thanks. Will check it out.
If I want to skip auth (which I can do with a pre-shared secret key for encryption), then do I need a worker fronting the R2? Is there a template for a worker that would work?

Thanks

If you want to skip auth, then you can make the bucket public and anyone can access it.