- English
- 日本語
Wasabi Hot Cloud Storage
Last updated 2022-03-01
Wasabi Hot Cloud Storage public and private buckets can be used as origins with Fastly.
Using Wasabi as an origin
To make your Wasabi Hot Cloud Storage bucket available through Fastly, follow the steps below.
Creating a new service
Follow the instructions for creating a new service.
- When you create the new domain and the new backend host:
- In the Domain Name field on the Create a domain page, enter the hostname you want to use as the URL (e.g.,
cdn.example.com
). - In the Hosts field on the Origins page, enter the appropriate address for your Wasabi Hot Cloud Storage bucket's region. For the us-east-1 region, enter
<BUCKET>.s3.wasabisys.com
. For all other regions, enter<BUCKET>.s3.<REGION>.wasabisys.com
, replacing<REGION>
as appropriate (e.g.,<BUCKET>.s3.eu-central-1.wasabisys.com
).
- In the Domain Name field on the Create a domain page, enter the hostname you want to use as the URL (e.g.,
- When you edit the host details on the Edit this host page:
- In the Name field, enter any descriptive name for your service if you haven't already done so.
- In the Address field, ensure you've entered the appropriate address for your Host (e.g.,
<BUCKET>.s3.wasabisys.com
). You entered this information during Host creation.
- When you edit the Transport Layer Security (TLS) area information for your host:
- Leave the Enable TLS? default set to Yes to secure the connection between Fastly and your origin.
- In the Certificate hostname field, enter the same address that appears in the Address field (e.g.,
<BUCKET>.s3.wasabisys.com
). - Under the SNI hostname field, select the checkbox to Match the SNI hostname to the Certificate hostname. The address you entered during Host creation appears.
- In the Override host field, enter an appropriate address for your Host (e.g.,
<BUCKET>.s3.wasabisys.com
). You entered this information during Host creation. - From the Shielding menu below the TLS area, select an appropriate shielding location. For more information about this setting and which locations to select, see our enabling shielding information.
Enabling shielding
We strongly encourage you to enable shielding for your origin server. Wasabi imposes soft caps on free egress. Without shielding enabled, Fastly will request the same objects from all Fastly edge POPs instead of just one, which may not follow Wasabi's free egress guidelines.
When you select a shielding location from the Shielding menu, choose the location appropriate for your Wasabi Hot Cloud Storage bucket as follows:
Wasabi bucket region | Shielding location |
---|---|
eu-central-1 | Amsterdam, NL |
us-east-1 | Ashburn, VA |
us-west-1 | Seattle, WA |
Read our guidance on choosing a shield location for more information.
Testing your results
By default, we create a DNS mapping called yourdomain.global.prod.fastly.net. In the example above, it would be cdn.example.com.global.prod.fastly.net
. Create a DNS alias for the domain name you specified (e.g., CNAME cdn.example.com
to global-nossl.fastly.net
).
Fastly will cache any content without an explicit Cache-Control
header for 1 hour. You can verify whether you are sending any cache headers using curl. For example:
$ curl -I opscode-full-stack.s3.wasabisys.com
HTTP/1.1 200 OKx-amz-id-2: ZpzRp7IWc6MJ8NtDEFGH12QBdk2CM1+RzVOngQbhMp2f2ZyalkFsZd4qPaLMkSlhx-amz-request-id: ABV5032583242618Date: Fri, 18 Mar 2012 17:15:38 GMTContent-Type: application/xmlTransfer-Encoding: chunked
In this example, no Cache-Control headers are set so the default TTL will be applied.
Enhancing cache control
If you need more control over how different types of assets are cached (e.g., JavaScript files, images), check out our documentation on cache freshness.
Using private Wasabi Hot Cloud Storage buckets
To use a Wasabi Hot Cloud Storage private bucket with Fastly, you must implement version 4 of Amazon’s header-based authentication. You can do this using custom VCL and following the instructions below.
Before you begin
Make your Wasabi Hot Cloud Storage bucket available to Fastly. Be sure you've set your origin to port 443. This needs to be done before implementing header-based authentication with the instructions below.
Gathering Wasabi information
Start by obtaining the following information from Wasabi:
Item | Description |
---|---|
Bucket Name | The unique name of your Wasabi Hot Cloud Storage bucket. When you download items from your bucket, this is the string listed in the URL path or hostname of each object (e.g., widget-project ). |
Region | The Wasabi region code of the location where your bucket resides (e.g., us-east-1 ). |
Access Key ID | The Wasabi access key ID string for an IAM account that has at least read permission on the bucket. |
Secret Access Key | The Wasabi secret access key paired with the access key above. |
You should review the user access separation document to make sure you are not inadvertently exposing files you didn't intend e.g. allowing ListBucket operations etc. Alternatively you can use the VCL snippet from the bottom of the document to block bucket listing.
Once you have this information, you can configure your Fastly service to authenticate against your Wasabi bucket using header authentication by calculating the appropriate header value in VCL.
Creating a VCL snippet for authentication
Create a regular VCL snippet.
- In the Name field, enter
Wasabi protected origin
. - In the Type (placement of the snippet) field, select within subroutine then choose
miss (vcl_miss)
. - In the VCL field, place the following code (be sure to change specific values as noted to ones relevant to your own Wasabi bucket):
1if ( req.request == "GET" && req.backend.is_origin) {2
3 declare local var.wasabiAccessKey STRING;4 declare local var.wasabiSecretKey STRING;5 declare local var.wasabiBucket STRING;6 declare local var.wasabiRegion STRING;7 declare local var.canonicalHeaders STRING;8 declare local var.signedHeaders STRING;9 declare local var.canonicalRequest STRING;10 declare local var.canonicalQuery STRING;11 declare local var.stringToSign STRING;12 declare local var.dateStamp STRING;13 declare local var.signature STRING;14 declare local var.scope STRING;15
16 # Supply your own credentials17 set var.wasabiAccessKey = "YOUR_BUCKET_ACCESS_KEY"; # Change this value to your own data18 set var.wasabiSecretKey = "YOUR_BUCKET_SECRET"; # Change this value to your own data19 set var.wasabiBucket = "YOUR_BUCKET_NAME"; # Change this value to your own data20 set var.wasabiRegion = "YOUR_BUCKET_REGION"; # Change this value to your own data21
22 set bereq.http.x-amz-content-sha256 = digest.hash_sha256("");23 set bereq.http.x-amz-date = strftime({"%Y%m%dT%H%M%SZ"}, now);24 set bereq.http.host = var.wasabiBucket ".s3." var.wasabiRegion ".wasabisys.com";25 set bereq.url = querystring.remove(bereq.url);26 set var.dateStamp = strftime({"%Y%m%d"}, now);27 set var.canonicalHeaders = ""28 "host:" bereq.http.host LF29 "x-amz-content-sha256:" bereq.http.x-amz-content-sha256 LF30 "x-amz-date:" bereq.http.x-amz-date LF31 ;32 set var.canonicalQuery = "";33 set var.signedHeaders = "host;x-amz-content-sha256;x-amz-date";34 set var.canonicalRequest = ""35 "GET" LF36 bereq.url.path LF37 var.canonicalQuery LF38 var.canonicalHeaders LF39 var.signedHeaders LF40 digest.hash_sha256("")41 ;42
43 set var.scope = var.dateStamp "/" var.wasabiRegion "/s3/aws4_request";44
45 set var.stringToSign = ""46 "AWS4-HMAC-SHA256" LF47 bereq.http.x-amz-date LF48 var.scope LF49 regsub(digest.hash_sha256(var.canonicalRequest),"^0x", "")50 ;51
52 set var.signature = digest.awsv4_hmac(53 var.wasabiSecretKey,54 var.dateStamp,55 var.wasabiRegion,56 "s3",57 var.stringToSign58 );59
60 set bereq.http.Authorization = "AWS4-HMAC-SHA256 "61 "Credential=" var.wasabiAccessKey "/" var.scope ", "62 "SignedHeaders=" var.signedHeaders ", "63 "Signature=" + regsub(var.signature,"^0x", "")64 ;65 unset bereq.http.Accept;66 unset bereq.http.Accept-Language;67 unset bereq.http.User-Agent;68 unset bereq.http.Fastly-Client-IP;69 }
Creating a VCL snippet to remove added response headers
You may also remove the headers that Wasabi adds to the response. Do this by creating another VCL snippet.
- In the Name field, enter
Strip Wasabi response headers
. - In the Type (placement of the snippet) field, select within subroutine then select
deliver (vcl_deliver)
. - In the VCL field, place the following code:
1if ( !req.http.Fastly-Debug ) {2 unset resp.http.x-amz-id-2;3 unset resp.http.x-amz-request-id;4 unset resp.http.server;5}
Blocking directory listing
If you don't set up correct IAM privileges you may allow users to list contents of your bucket folders. If you want to disallow that on Fastly please create following snippet
- In the Name field, enter
Disallow bucket listing
. - In the Type (placement of the snippet) field, select within subroutine then select
recv (vcl_recv)
. - In the VCL field, place the following code:
1if ( req.url.path ~ "/$" ) {2 error 403;3}
NOTE
This article describes an integration with a service provided by a third party. Read our note on integrations for details.
Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.