    Amazon S3

      Last updated July 16, 2019

    Amazon S3 public and private buckets can be used as origins with Fastly.

    Using Amazon S3 as an origin

    To make your S3 data buckets available through Fastly, follow the steps below.

    Creating a new service

    Follow the instructions for creating a new service.

    1. When you create the new domain and the new host:
      • In the Domain Name field on the Create a domain page, enter the hostname you want to use as the URL (e.g., cdn.example.com).
      • In the Hosts field on the Origins page, enter the appropriate address for your host using the format <BUCKET>.<REGION>.amazonaws.com. Use the table in the S3 section of the Amazon S3 regions and endpoints documentation as a guide. For example, if your bucket name is fastlytestbucket and your region is s3, your hostname would be fastlytestbucket.s3.amazonaws.com.
    2. When you edit the host details on the Edit this host page:
      • In the Name field, enter any descriptive name for your service if you haven't already done so.
      • In the Address field, ensure you've entered the appropriate address for your region (e.g., fastlytestbucket.s3.amazonaws.com). You entered this information during host creation.
    3. When you edit the Transport Layer Security (TLS) area information for your host:
      • Leave the Enable TLS? default set to Yes to secure the connection between Fastly and your origin.
      • Under the SNI hostname field, select the checkbox to Match the SNI hostname to the Certificate hostname. The address you entered during host creation appears.
      • In the Certificate hostname field, enter fastlytestbucket.s3.amazonaws.com.
    4. In the Override host field in the Advanced options, enter an appropriate address for your host (e.g., fastlytestbucket.s3.amazonaws.com). You entered this information during host creation.

    Enabling cross-origin resource sharing (CORS)

    We recommend enabling CORS (Cross-Origin Resource Sharing) when using Amazon S3 as your origin. To enable this, follow the instructions in our guide on enabling cross-origin resource sharing (CORS).

    Testing your results

    By default, we create a DNS mapping called yourdomain.global.prod.fastly.net. In the example above, it would be cdn.example.com.global.prod.fastly.net. Create a DNS alias for the domain name you specified (e.g., CNAME cdn.example.com to global-nossl.fastly.net).

    Fastly will cache any content without an explicit Cache-Control header for 1 hour. You can verify whether you are sending any cache headers using cURL. For example:

    $ curl -I opscode-full-stack.s3.amazonaws.com
    
    HTTP/1.1 200 OK
    x-amz-id-2: ZpzRp7IWc6MJ8NtDEFGH12QBdk2CM1+RzVOngQbhMp2f2ZyalkFsZd4qPaLMkSlh
    x-amz-request-id: ABV5032583242618
    Date: Fri, 18 Mar 2012 17:15:38 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Server: AmazonS3
    

    In this example, no cache control headers are set so the default TTL will be applied.

    Enhanced cache control

    If you need more control over how different types of assets are cached (e.g., JavaScript files, images), check out our Amazon S3 configuration in our Cache Control tutorial.

    Using an Amazon S3 private bucket

    To use an Amazon S3 private bucket with Fastly, you must implement version 4 of Amazon’s header-based authentication. You can do this using custom VCL. Start by obtaining the following information from AWS:

    Item        | Description
    ------------|------------
    Bucket name | The name of your AWS S3 bucket. When you download items from your bucket, this is the string listed in the URL path or hostname of each object.
    Region      | The AWS region code of the location where your bucket resides (e.g., us-east-1).
    Access key  | The AWS access key string for an IAM account that has at least read permission on the bucket.
    Secret key  | The AWS secret access key paired with the access key above.

    Once you have this information, you can configure your Fastly service to authenticate against your S3 bucket using header authentication by calculating the appropriate header value in VCL.

    Start by creating a regular VCL snippet. Give it a meaningful name, such as AWS protected origin. When you create the snippet, select within subroutine to specify its placement and choose miss as the subroutine type. Then, populate the VCL field with the following code (be sure to change specific values as noted to ones relevant to your own AWS bucket):

    declare local var.awsAccessKey STRING;
    declare local var.awsSecretKey STRING;
    declare local var.awsS3Bucket STRING;
    declare local var.awsRegion STRING;
    declare local var.canonicalHeaders STRING;
    declare local var.signedHeaders STRING;
    declare local var.canonicalRequest STRING;
    declare local var.canonicalQuery STRING;
    declare local var.stringToSign STRING;
    declare local var.dateStamp STRING;
    declare local var.signature STRING;
    declare local var.scope STRING;
    
    set var.awsAccessKey = "YOUR_AWS_ACCESS_KEY";   # Change this value to your own data
    set var.awsSecretKey = "YOUR_AWS_SECRET_KEY";   # Change this value to your own data
    set var.awsS3Bucket = "YOUR_AWS_BUCKET_NAME";   # Change this value to your own data
    set var.awsRegion = "YOUR_AWS_BUCKET_REGION";   # Change this value to your own data
    
    if (req.method == "GET" && !req.backend.is_shield) {
    
      set bereq.http.x-amz-content-sha256 = digest.hash_sha256("");
      set bereq.http.x-amz-date = strftime({"%Y%m%dT%H%M%SZ"}, now);
      set bereq.http.host = var.awsS3Bucket ".s3." var.awsRegion ".amazonaws.com";
      set bereq.url = querystring.remove(bereq.url);
      set bereq.url = regsuball(urlencode(urldecode(bereq.url.path)), {"%2F"}, "/");
      set var.dateStamp = strftime({"%Y%m%d"}, now);
      set var.canonicalHeaders = ""
        "host:" bereq.http.host LF
        "x-amz-content-sha256:" bereq.http.x-amz-content-sha256 LF
        "x-amz-date:" bereq.http.x-amz-date LF
      ;
      set var.canonicalQuery = "";
      set var.signedHeaders = "host;x-amz-content-sha256;x-amz-date";
      set var.canonicalRequest = ""
        "GET" LF
        bereq.url.path LF
        var.canonicalQuery LF
        var.canonicalHeaders LF
        var.signedHeaders LF
        digest.hash_sha256("")
      ;
    
      set var.scope = var.dateStamp "/" var.awsRegion "/s3/aws4_request";
    
      set var.stringToSign = ""
        "AWS4-HMAC-SHA256" LF
        bereq.http.x-amz-date LF
        var.scope LF
        regsub(digest.hash_sha256(var.canonicalRequest),"^0x", "")
      ;
    
      set var.signature = digest.awsv4_hmac(
        var.awsSecretKey,
        var.dateStamp,
        var.awsRegion,
        "s3",
        var.stringToSign
      );
    
      set bereq.http.Authorization = "AWS4-HMAC-SHA256 "
        "Credential=" var.awsAccessKey "/" var.scope ", "
        "SignedHeaders=" var.signedHeaders ", "
        "Signature=" + regsub(var.signature,"^0x", "")
      ;
      unset bereq.http.Accept;
      unset bereq.http.Accept-Language;
      unset bereq.http.User-Agent;
      unset bereq.http.Fastly-Client-IP;
    }
    

    You may also remove the headers that AWS adds to the response. Do this by creating another VCL snippet. Give it a meaningful name, such as Strip AWS response headers. When you create the snippet, select within subroutine to specify its placement and choose fetch as the subroutine type. Then, place the following code in the VCL field:

    unset beresp.http.x-amz-id-2;
    unset beresp.http.x-amz-request-id;
    unset beresp.http.x-amz-delete-marker;
    unset beresp.http.x-amz-version-id;
    

    Following redirects to S3 objects and caching S3 responses

    Using VCL Snippets, Fastly can follow redirects to S3 objects and cache the response.

    To configure Fastly to follow redirects to S3 objects, follow the steps below:

    1. Log in to the Fastly web interface and click the Configure link.
    2. From the service menu, select the appropriate service.
    3. Click the Edit configuration button and then select Clone active. The Domains page appears.
    4. Click the VCL Snippets link. The VCL Snippets page appears.
    5. Click the Create snippet button. The Create a VCL snippet page appears.

      Redirect to S3 redirect via a receive VCL Snippet

    6. In the Name field, type an appropriate name (e.g., S3 redirect - recv).
    7. From the Type (placement of the snippet) controls, select within subroutine.
    8. From the Select subroutine menu, select recv (vcl_recv).
    9. In the VCL field, add the following condition:

       if (req.http.redir != "true") {
         set req.backend = Main_Origin;
       } else {
         set req.backend = s3_backend;
         set req.http.host = "s3.amazonaws.com";
       }
      
    10. Click Create to create the snippet.
    11. Click the Create snippet button again. The Create a VCL snippet page appears.

      Redirect to S3 redirect via a deliver VCL Snippet

    12. In the Name field, type an appropriate name (e.g., S3 redirect - deliver).
    13. From the Type (placement of the snippet) controls, select within subroutine.
    14. From the Select subroutine menu, select deliver (vcl_deliver).
    15. In the VCL field, add the following condition:

      if (resp.status == 302 || resp.status == 301) {
        set req.http.redir = "true";
        set req.url = regsub(resp.http.Location, "http://s3.amazonaws.com/(.*)$", "/\1");
        set req.http.Fastly-Force-Shield = "yes";
        restart;
      }
      
    16. Click Create to create the snippet.
    17. Click the Activate button to deploy your configuration changes.

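    Be sure to set Main_Origin and s3_backend to the actual names of your backends in the service to which you're applying these redirects. Find the exact names by clicking the VCL button at the top of the page while viewing the service and reviewing your VCL. Because redir is an ordinary request header, the recv snippet also acts on it when a client supplies it; unsetting req.http.redir in vcl_recv when req.restarts is 0 ensures that only the restart issued by the deliver snippet selects the S3 backend.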
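
The deliver snippet restarts on every 301 or 302, whether or not the Location header matched its pattern, and regsub returns its input unchanged when nothing matches. The Python model below is an added example, not Fastly's code: it shows what req.url becomes for several constructed Location values and compares that with a hypothetical stricter check (strict_rewrite) that returns a path only for the expected S3 host.

```python
import re
from urllib.parse import urlsplit

# Pattern copied from the deliver snippet on this page.
PAGE_PATTERN = r"http://s3.amazonaws.com/(.*)$"

def vcl_regsub(location: str) -> str:
    """Model regsub(): replace the first match; return the input unchanged on no match."""
    return re.sub(PAGE_PATTERN, r"/\1", location, count=1)

def strict_rewrite(location: str, allowed_host: str = "s3.amazonaws.com"):
    """Hypothetical guard: path to request from S3, or None if the redirect is not followed."""
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https"):
        return None
    if parts.hostname != allowed_host or not parts.path.startswith("/"):
        return None
    return parts.path + ("?" + parts.query if parts.query else "")

# Constructed Location header values.
SAMPLES = [
    "http://s3.amazonaws.com/examplebucket/report.pdf",            # the case the page expects
    "https://s3.amazonaws.com/examplebucket/report.pdf",           # TLS redirect
    "http://examplebucket.s3.us-west-2.amazonaws.com/report.pdf",  # regional, virtual-hosted
    "/moved/elsewhere",                                            # relative redirect
]

def compare():
    """Return (location, req.url per the page's regsub, strict result) for each sample."""
    return [(loc, vcl_regsub(loc), strict_rewrite(loc)) for loc in SAMPLES]

if __name__ == "__main__":
    for loc, page_url, strict in compare():
        print(f"{loc}\n  regsub -> {page_url}\n  strict -> {strict}")
```

For the last three samples the page's pattern leaves an absolute URL or an unrelated path in req.url, which the restart then sends to the S3 backend. In VCL, the equivalent guard is to restart only when resp.http.Location matches an anchored pattern for the expected host.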

    This article describes an integration with a service provided by a third party. Please see our note on integrations.