Caching R2 files when using signed urls

I'm having trouble figuring out how to effectively make my CDN (Cloudflare) cache properly while maintaining secure access (using S3's getSignedUrl). I cannot make Cloudflare ignore the query since it would remove the restricted access, but if the query does matter, it keeps requesting it directly from the storage and not from the cache. Is there any solution?
4 Replies
Chaika, 2w ago
The R2 S3 API is entirely uncached/not possible to cache. If you have Pro or higher, you can use an R2 Custom Domain and HMAC (https://developers.cloudflare.com/waf/custom-rules/use-cases/configure-token-authentication/#option-2-configure-using-waf-custom-rules) to generate signed URLs, and then you could just use a cache rule to cache everything, ignoring the query string (as the WAF runs first).
Paige (OP), 2w ago
Okay, it seems I only found the Workers example last time, which seemed kind of pointless since the pricing there is almost the same as R2's own pricing, and thus most of the point of cost optimisation would be gone. With this HMAC approach it'd just be R2 costs (but lower since it's caching) and the $20/month subscription, then, right? No other costs? Or am I reading that incorrectly?
Chaika, 2w ago
Pro cost is static. R2 only bills you for cache misses on custom domains, yup
Paige (OP), 2w ago
Alright, thanks :)
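
Added example, not part of the thread and not Cloudflare's code: issuing URLs in the `<path>?verify=<timestamp>-<mac>` format described on the Cloudflare docs page linked in Chaika's reply, with a local model of the MAC and expiry check for use in tests. The secret, paths, TTL and function names are assumptions chosen for illustration.

```javascript
// Added example (Node.js). Names and sample values are hypothetical.
const crypto = require("node:crypto");

const SEPARATOR = "?verify="; // 8 characters: the separator length passed to the WAF HMAC function

function mac(secret, path, tsText) {
  // HMAC-SHA256 over the path concatenated with the issue timestamp.
  return crypto.createHmac("sha256", secret).update(`${path}${tsText}`).digest();
}

// Application side: issue a signed URL for a path on the R2 custom domain.
function signUrl(path, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const token = encodeURIComponent(mac(secret, path, String(nowSec)).toString("base64"));
  return `${path}${SEPARATOR}${nowSec}-${token}`;
}

// Local model of the edge check (not Cloudflare's implementation).
function verifyUrl(uri, secret, ttlSec, nowSec) {
  const cut = uri.indexOf(SEPARATOR);
  if (cut < 0) return false; // unsigned request
  const path = uri.slice(0, cut);
  const rest = uri.slice(cut + SEPARATOR.length);
  const dash = rest.indexOf("-");
  if (dash < 1) return false;
  const tsText = rest.slice(0, dash);
  if (!/^\d+$/.test(tsText)) return false;
  if (nowSec > Number(tsText) + ttlSec) return false; // token expired
  let presented;
  try {
    presented = Buffer.from(decodeURIComponent(rest.slice(dash + 1)), "base64");
  } catch {
    return false; // malformed percent-encoding
  }
  const expected = mac(secret, path, tsText);
  // Constant-time comparison; lengths must match before timingSafeEqual.
  return presented.length === expected.length &&
    crypto.timingSafeEqual(presented, expected);
}

// With a "cache everything, ignore query string" rule, every signed variant
// of a path maps to one cached object; the token is still checked per request.
function cacheKey(uri) {
  return uri.split("?")[0];
}
```

The secret used here must match the one configured in the WAF custom rule, and the TTL in the rule bounds how long a leaked URL stays usable.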
