Cloudflare With Wasabi
    • 17 Jun 2024

    How do I use Cloudflare with Wasabi?

    Wasabi is validated for use with the Cloudflare CDN when configured by following the instructions in this article. More info on the Wasabi - Cloudflare relationship can be found here.

    Cloudflare lets you add CNAME records so that traffic for those hostnames is routed through the Cloudflare system, which provides security and network acceleration.

    Note:  The following example shows how to configure Wasabi's us-east-1 storage region. To use other Wasabi storage regions, please use the appropriate Wasabi service URL as described in this article.

    1. Create an account on Cloudflare. Start by entering a domain name that you own in the Cloudflare screen below, and then add the website.

      Note: "csye6225-fall2018-sahanip.me" is the example website used here.

    [Screenshot]

    2. Cloudflare scans the DNS records for the domain and displays the results.

    [Screenshot]

    3. The next step is to add a CNAME record:

      Step 1: Create a bucket on the Wasabi console with the same name as your website (in this example, we are creating a bucket named "csye6225-fall2018-sahanip.me").

      Step 2: On your Cloudflare account, go to your DNS page and add the CNAME record.

      Select CNAME as the type. The Name is your domain name (in this example, "csye6225-fall2018-sahanip.me"). The value is set to "s3.wasabisys.com" because this bucket points to the server in the East region (refer to the screenshot for reference).

      Step 3: Choose the TTL (Time to Live) value that meets your requirements; Cloudflare will cache the content for this length of time. Then click Add Record.

      [Screenshot]

      Refer to the following for more details: https://support.cloudflare.com/hc/en-us/articles/200168926-How-do-I-use-Cloudflare-with-Amazon-s-S3-Service-

    4. To activate s3.wasabisys.com, you must point your nameservers (DNS) to Cloudflare. To start receiving all the speed and security benefits of Cloudflare, you'll need to change the configured nameservers.

      Step 1: Copy both nameserver records shown by Cloudflare on the "Change your NameServers" page.

      Step 2: Log in to your domain registrar account (e.g., Namecheap, GoDaddy, or wherever you have registered your domain), edit your nameservers there (shown in the screenshots), paste the two records you copied from Cloudflare, and remove the other records.

      [Screenshot]

      Refer to the following article for more details on how to change your nameservers: https://support.cloudflare.com/hc/en-us/articles/205195708-Step-3-Change-your-domain-name-servers-to-Cloudflare.

    5. Confirm your changes through the Cloudflare dashboard.

      • It may take up to 72 hours for the nameserver information to propagate (in most cases, it propagates within hours).

      • Status: Active indicates that your domain is properly set up to run through Cloudflare, and you will receive an email notification:

        [Screenshot]

      • Your Cloudflare account will also show the status as Active (shown in the screenshot).

        [Screenshot]

      • Status: Pending indicates that your nameserver updates have either not propagated or were not updated correctly.

      • If the issue persists, use whois.net to check your nameserver records and make sure they match the records provided by Cloudflare.

    6. Once activated, you can use URLs of the following form to access the objects from the CDN:

      domain-name/folder-name/object-name

      e.g.: http://csye6225-fall2018-sahanip.me/hawaii.jpeg

    So that Cloudflare can cache content initially and after every TTL expiry, you may attach a bucket policy to each bucket whose content you need to cache, allowing objects to be fetched from Cloudflare's proxy IPs only. This adds a layer of security to your design by making sure that objects cannot be read from any other address. You may reach out to the Cloudflare team to get the list of their proxy IPs.

    The instructions to restrict bucket access to specific IP addresses are shown here.

    Bucket Policy Example for this case:

    {
      "Id": "S3PolicyId1",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowRead",
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": "s3:GetObject",
          "Resource": [
            "arn:aws:s3:::bucket-name",
            "arn:aws:s3:::bucket-name/*"
          ]
        },
        {
          "Sid": "IPBasedNarrowFurther",
          "Effect": "Deny",
          "Principal": {
            "AWS": "*"
          },
          "Action": "s3:GetObject",
          "Resource": [
            "arn:aws:s3:::bucket-name",
            "arn:aws:s3:::bucket-name/*"
          ],
          "Condition": {
            "NotIpAddress": {
              "aws:SourceIp": "11.22.33.44/32"
            }
          }
        }
      ]
    }

    Please be sure to replace the IPs in the above document with Cloudflare's proxy IPs.
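
    A policy of this shape can be generated and sanity-checked before it is attached. The following Python sketch is an added example, not Wasabi's or Cloudflare's code: it builds the same two-statement policy from a list of CIDR ranges, rejects ranges that would defeat the restriction, and models the outcome of an anonymous read. It assumes S3-style evaluation in which an explicit Deny overrides an Allow; the function names and the sample ranges (documentation address space) are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample ranges from documentation address space; substitute the
# proxy ranges obtained from Cloudflare before attaching the policy.
SAMPLE_PROXY_RANGES = ["198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32"]


def build_policy(bucket, cidrs):
    """Return the article's Allow + IP-based Deny policy for the given ranges."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]  # rejects typos
    if not nets or any(n.prefixlen == 0 for n in nets):
        # An empty list or a /0 range would leave the restriction meaningless.
        raise ValueError("allow-list must be non-empty and must not contain /0")
    resource = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    common = {"Principal": {"AWS": "*"}, "Action": "s3:GetObject", "Resource": resource}
    return {
        "Id": "S3PolicyId1",
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowRead", "Effect": "Allow", **common},
            {"Sid": "IPBasedNarrowFurther", "Effect": "Deny", **common,
             "Condition": {"NotIpAddress": {"aws:SourceIp": [str(n) for n in nets]}}},
        ],
    }


def read_allowed(policy, source_ip):
    """Model the outcome for an anonymous GetObject: an explicit Deny wins."""
    ip = ipaddress.ip_address(source_ip)
    allowed = False
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp")
        if cond is not None:
            ranges = [cond] if isinstance(cond, str) else cond
            if any(ip in ipaddress.ip_network(r) for r in ranges):
                continue  # NotIpAddress is false, so this statement does not apply
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_policy("bucket-name", SAMPLE_PROXY_RANGES)
    print(json.dumps(policy, indent=2))
    for ip in ("203.0.113.10", "192.0.2.55"):
        print(ip, "->", "allowed" if read_allowed(policy, ip) else "denied")
```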

    ___________________________________________________________________________________________________________

    Note-1: Please refrain from using "docs" as a subdomain, because docs.wasabi.com already exists. To keep the docs page in one place, we made it accessible through a redirect from either docs.wasabi.com or docs.wasabisys.com.

    Note-2: Do not be concerned about the recommendation to omit periods from the name of your bucket. In this case, using your domain as the bucket name, including the period (mydomain.com), is acceptable. The CDN service works with your domain upon certificate validation, and for this reason you will not see certificate errors with your requests.

    Note-3: If you are seeing an SSL warning in Cloudflare, as shown below:

    [Screenshot]

    we encourage you to work with the Cloudflare technical team to add "Custom Page Rules" and ensure that the SSL setting is set to "SSL Full" for the Wasabi CNAME. See one example below:

    [Screenshots]

    If you have any questions or concerns, please reach out to support@wasabi.com.