Use R2 to serve (fairly) static files with authentication

I currently have a website hosted on AWS that accepts api calls of the form https:///download//filename. The is a short-lived token used to authenticate the user. If the token validates, the filename is downloaded from the website. The website itself is nginx with a django backend and the file is served via a nginx X-ACCEL-REDIRECT.

I am trying to assess whether storing the files in a R2 storage would help with our download speeds across the world. Is it possible to do a redirect to the address of the file on the R2 storage? Or do I need something else like a worker in front of the storage? And how do I prevent the file from being served if the redirect address is visible – clearly I want it only served once my website does the redirect.

Any templates for doing this? I have been looking through the community postings but don’t see anything that gives me a good starting point.

Thanks. And Happy New Year to all

Sorry, the markup is broken in the message above.

The api call is https://<domain>/download/<access-token>/filename where <access-token> is a short-lived token that is validated by the server.

If you want any kind of auth for R2 then you need a worker in front of it. A worker that I know that has something similar is GitHub - Cherry/ShareX-R2-Cloudflare-Workers: Custom ShareX Uploader to Cloudflare R2 via Workers. It uses auth to upload and delete files to R2 which you can adapt to your auth needs.

Thanks. Will check it out.
If I want to skip auth (which I can do with a pre shared secret key for encryption), then do I need a worker fronting the R2? Is there a template for a worker that would work?


If you want to skip auth, then you can make the bucket public and anyone can access it.