Wasabi Hot Cloud Storage

      Last updated July 17, 2019

    Wasabi Hot Cloud Storage public and private buckets can be used as origins with Fastly.

    Using Wasabi as an origin

    To make your Wasabi Hot Cloud Storage bucket available through Fastly, follow the steps below.

    Creating a new service

    Follow the instructions for creating a new service.

    1. When you create the new domain and the new backend host:
      • In the Domain Name field on the Create a domain page, enter the hostname you want to use as the URL (e.g., cdn.example.com).
      • In the Hosts field on the Origins page, enter the appropriate address for your Wasabi Hot Cloud Storage bucket's region. For the us-east-1 region, type <BUCKET>.s3.wasabisys.com. For all other regions, type <BUCKET>.s3.<REGION>.wasabisys.com, replacing <REGION> as appropriate (e.g., <BUCKET>.s3.eu-central-1.wasabisys.com).
    2. When you edit the host details on the Edit this host page:
      • In the Name field, enter any descriptive name for your service if you haven't already done so.
      • In the Address field, ensure you've entered the appropriate address for your Host (e.g., <BUCKET>.s3.wasabisys.com). You entered this information during Host creation.
    3. When you edit the Transport Layer Security (TLS) area information for your host:
      • Leave the Enable TLS? default set to Yes to secure the connection between Fastly and your origin.
      • In the Certificate hostname field, enter the same address that appears in the Address field (e.g., <BUCKET>.s3.wasabisys.com).
      • Under the SNI hostname field, select the checkbox to Match the SNI hostname to the Certificate hostname. The address you entered during Host creation appears.
    4. In the Override host field in the Advanced options, enter an appropriate address for your Host (e.g., <BUCKET>.s3.wasabisys.com). You entered this information during Host creation.
    5. From the Shielding menu below the TLS area, select an appropriate shielding location. For more information about this setting and which locations to select, see our enabling shielding information.

    Enabling shielding

    We strongly encourage you to enable shielding for your origin server. Wasabi imposes soft caps on free egress. Without shielding enabled, Fastly will request the same objects from all Fastly edge POPs instead of just one, which may not follow Wasabi's free egress guidelines.

    When you select a shielding location from the Shielding menu, choose the location appropriate for your Wasabi Hot Cloud Storage bucket as follows:

    Wasabi bucket region Shielding location
    eu-central-1 Amsterdam, NL
    us-east-1 Ashburn, VA
    us-west-1 Seattle, WA

    Testing your results

    By default, we create a DNS mapping called yourdomain.global.prod.fastly.net. In the example above, it would be cdn.example.com.global.prod.fastly.net. Create a DNS alias for the domain name you specified (e.g., CNAME cdn.example.com to global-nossl.fastly.net).

    Fastly will cache any content without an explicit Cache-Control header for 1 hour. You can verify whether you are sending any cache headers using cURL. For example:

    $ curl -I opscode-full-stack.s3.wasabisys.com
    HTTP/1.1 200 OK
    x-amz-id-2: ZpzRp7IWc6MJ8NtDEFGH12QBdk2CM1+RzVOngQbhMp2f2ZyalkFsZd4qPaLMkSlh
    x-amz-request-id: ABV5032583242618
    Date: Fri, 18 Mar 2012 17:15:38 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked

    In this example, no Cache-Control headers are set so the default TTL will be applied.

    Enhancing cache control

    If you need more control over how different types of assets are cached (e.g., Javascript files, images), check out our documentation on cache freshness.

    Using private Wasabi Hot Cloud Storage buckets

    To use a Wasabi Hot Cloud Storage private bucket with Fastly, you must implement version 4 of Amazon’s header-based authentication. You can do this using custom VCL and following the instructions below.

    Before you begin

    Make your Wasabi Hot Cloud Storage bucket available to Fastly. Be sure you've set your origin to port 443. This needs to be done before implementing header-based authentication with the instructions below.

    Gathering Wasabi information

    Start by obtaining the following information from Wasabi:

    Item Description
    Bucket Name The unique name of your Wasabi Hot Cloud Storage bucket. When you download items from your bucket, this is the string listed in the URL path or hostname of each object (e.g., widget-project).
    Region The Wasabi region code of the location where your bucket resides (e.g., us-east-1).
    Access Key ID The Wasabi access key ID string for an IAM account that has at least read permission on the bucket.
    Secret Access Key The Wasabi secret access key paired with the access key above.

    You should review the user access separation document to make sure you are not inadvertently exposing files you didn't intend e.g. allowing ListBucket operations etc. Alternatively you can use the VCL snippet from the bottom of the document to block bucket listing.

    Once you have this information, you can configure your Fastly service to authenticate against your Wasabi bucket using header authentication by calculating the appropriate header value in VCL.

    Creating a VCL snippet for authentication

    Create a regular VCL snippet.

    Creating a VCL snippet to remove added response headers

    You may also remove the headers that Wasabi adds to the response. Do this by creating another VCL snippet.

    if ( !req.http.Fastly-Debug ) {
      unset resp.http.x-amz-id-2;
      unset resp.http.x-amz-request-id;
      unset resp.http.server;

    Blocking directory listing

    If you don't set up correct IAM privileges you may allow users to list contents of your bucket folders. If you want to disallow that on Fastly please create following snippet

    if ( req.url.path ~ "/$" ) {
      error 403;
    This article describes an integration with a service provided by a third party. See our note on integrations for details.
    Back to Top