Wasabi Hot Cloud Storage

Last updated 2022-03-01

Wasabi Hot Cloud Storage public and private buckets can be used as origins with Fastly.

Using Wasabi as an origin

To make your Wasabi Hot Cloud Storage bucket available through Fastly, follow the steps below.

Creating a new service

Follow the instructions for creating a new service.

When you create the new domain and the new backend host:
- In the Domain Name field on the Create a domain page, enter the hostname you want to use as the URL (e.g., cdn.example.com).
- In the Hosts field on the Origins page, enter the appropriate address for your Wasabi Hot Cloud Storage bucket's region. For the us-east-1 region, enter <BUCKET>.s3.wasabisys.com. For all other regions, enter <BUCKET>.s3.<REGION>.wasabisys.com, replacing <REGION> as appropriate (e.g., <BUCKET>.s3.eu-central-1.wasabisys.com).
When you edit the host details on the Edit this host page:
- In the Name field, enter any descriptive name for your service if you haven't already done so.
- In the Address field, ensure you've entered the appropriate address for your Host (e.g., <BUCKET>.s3.wasabisys.com). You entered this information during Host creation.
When you edit the Transport Layer Security (TLS) area information for your host:
- Leave the Enable TLS? default set to Yes to secure the connection between Fastly and your origin.
- In the Certificate hostname field, enter the same address that appears in the Address field (e.g., <BUCKET>.s3.wasabisys.com).
- Under the SNI hostname field, select the checkbox to Match the SNI hostname to the Certificate hostname. The address you entered during Host creation appears.
In the Override host field, enter an appropriate address for your Host (e.g., <BUCKET>.s3.wasabisys.com). You entered this information during Host creation.
From the Shielding menu below the TLS area, select an appropriate shielding location. For more information about this setting and which locations to select, see our enabling shielding information.

Enabling shielding

We strongly encourage you to enable shielding for your origin server. Wasabi imposes soft caps on free egress. Without shielding enabled, Fastly will request the same objects from all Fastly edge POPs instead of just one, which may not follow Wasabi's free egress guidelines.

When you select a shielding location from the Shielding menu, choose the location appropriate for your Wasabi Hot Cloud Storage bucket as follows:

Wasabi bucket region	Shielding location
eu-central-1	Amsterdam, NL
us-east-1	Ashburn, VA
us-west-1	Seattle, WA

Read our guidance on choosing a shield location for more information.

Testing your results

By default, we create a DNS mapping called yourdomain.global.prod.fastly.net. In the example above, it would be cdn.example.com.global.prod.fastly.net. Create a DNS alias for the domain name you specified (e.g., CNAME cdn.example.com to global-nossl.fastly.net).

Fastly will cache any content without an explicit Cache-Control header for 1 hour. You can verify whether you are sending any cache headers using curl. For example:

$ curl -I opscode-full-stack.s3.wasabisys.com

HTTP/1.1 200 OK
x-amz-id-2: ZpzRp7IWc6MJ8NtDEFGH12QBdk2CM1+RzVOngQbhMp2f2ZyalkFsZd4qPaLMkSlh
x-amz-request-id: ABV5032583242618
Date: Fri, 18 Mar 2012 17:15:38 GMT
Content-Type: application/xml
Transfer-Encoding: chunked

In this example, no Cache-Control headers are set so the default TTL will be applied.

Enhancing cache control

If you need more control over how different types of assets are cached (e.g., JavaScript files, images), check out our documentation on cache freshness.

Using private Wasabi Hot Cloud Storage buckets

To use a Wasabi Hot Cloud Storage private bucket with Fastly, you must implement version 4 of Amazon’s header-based authentication. You can do this using custom VCL and following the instructions below.

Before you begin

Make your Wasabi Hot Cloud Storage bucket available to Fastly. Be sure you've set your origin to port 443. This needs to be done before implementing header-based authentication with the instructions below.

Gathering Wasabi information

Start by obtaining the following information from Wasabi:

Item	Description
Bucket Name	The unique name of your Wasabi Hot Cloud Storage bucket. When you download items from your bucket, this is the string listed in the URL path or hostname of each object (e.g., `widget-project`).
Region	The Wasabi region code of the location where your bucket resides (e.g., `us-east-1`).
Access Key ID	The Wasabi access key ID string for an IAM account that has at least read permission on the bucket.
Secret Access Key	The Wasabi secret access key paired with the access key above.

You should review the user access separation document to make sure you are not inadvertently exposing files you didn't intend e.g. allowing ListBucket operations etc. Alternatively you can use the VCL snippet from the bottom of the document to block bucket listing.

Once you have this information, you can configure your Fastly service to authenticate against your Wasabi bucket using header authentication by calculating the appropriate header value in VCL.

Creating a VCL snippet for authentication

Create a regular VCL snippet.

In the Name field, enter Wasabi protected origin.
In the Type (placement of the snippet) field, select within subroutine then choose miss (vcl_miss).
In the VCL field, place the following code (be sure to change specific values as noted to ones relevant to your own Wasabi bucket):

1if ( req.request == "GET" && req.backend.is_origin) {
2
3  declare local var.wasabiAccessKey STRING;
4  declare local var.wasabiSecretKey STRING;
5  declare local var.wasabiBucket STRING;
6  declare local var.wasabiRegion STRING;
7  declare local var.canonicalHeaders STRING;
8  declare local var.signedHeaders STRING;
9  declare local var.canonicalRequest STRING;
10  declare local var.canonicalQuery STRING;
11  declare local var.stringToSign STRING;
12  declare local var.dateStamp STRING;
13  declare local var.signature STRING;
14  declare local var.scope STRING;
15
16  # Supply your own credentials
17  set var.wasabiAccessKey = "YOUR_BUCKET_ACCESS_KEY";   # Change this value to your own data
18  set var.wasabiSecretKey = "YOUR_BUCKET_SECRET";       # Change this value to your own data
19  set var.wasabiBucket = "YOUR_BUCKET_NAME";            # Change this value to your own data
20  set var.wasabiRegion = "YOUR_BUCKET_REGION";          # Change this value to your own data
21
22  set bereq.http.x-amz-content-sha256 = digest.hash_sha256("");
23  set bereq.http.x-amz-date = strftime({"%Y%m%dT%H%M%SZ"}, now);
24  set bereq.http.host = var.wasabiBucket ".s3." var.wasabiRegion ".wasabisys.com";
25  set bereq.url = querystring.remove(bereq.url);
26  set var.dateStamp = strftime({"%Y%m%d"}, now);
27  set var.canonicalHeaders = ""
28    "host:" bereq.http.host LF
29    "x-amz-content-sha256:" bereq.http.x-amz-content-sha256 LF
30    "x-amz-date:" bereq.http.x-amz-date LF
31  ;
32  set var.canonicalQuery = "";
33  set var.signedHeaders = "host;x-amz-content-sha256;x-amz-date";
34  set var.canonicalRequest = ""
35    "GET" LF
36    bereq.url.path LF
37    var.canonicalQuery LF
38    var.canonicalHeaders LF
39    var.signedHeaders LF
40    digest.hash_sha256("")
41  ;
42
43  set var.scope = var.dateStamp "/" var.wasabiRegion "/s3/aws4_request";
44
45  set var.stringToSign = ""
46    "AWS4-HMAC-SHA256" LF
47    bereq.http.x-amz-date LF
48    var.scope LF
49    regsub(digest.hash_sha256(var.canonicalRequest),"^0x", "")
50  ;
51
52  set var.signature = digest.awsv4_hmac(
53    var.wasabiSecretKey,
54    var.dateStamp,
55    var.wasabiRegion,
56    "s3",
57    var.stringToSign
58  );
59
60  set bereq.http.Authorization = "AWS4-HMAC-SHA256 "
61    "Credential=" var.wasabiAccessKey "/" var.scope ", "
62  "SignedHeaders=" var.signedHeaders ", "
63    "Signature=" + regsub(var.signature,"^0x", "")
64  ;
65  unset bereq.http.Accept;
66  unset bereq.http.Accept-Language;
67  unset bereq.http.User-Agent;
68  unset bereq.http.Fastly-Client-IP;
69  }

Creating a VCL snippet to remove added response headers

You may also remove the headers that Wasabi adds to the response. Do this by creating another VCL snippet.

In the Name field, enter Strip Wasabi response headers.
In the Type (placement of the snippet) field, select within subroutine then select deliver (vcl_deliver).
In the VCL field, place the following code:

1if ( !req.http.Fastly-Debug ) {
2  unset resp.http.x-amz-id-2;
3  unset resp.http.x-amz-request-id;
4  unset resp.http.server;
5}

Blocking directory listing

If you don't set up correct IAM privileges you may allow users to list contents of your bucket folders. If you want to disallow that on Fastly please create following snippet

In the Name field, enter Disallow bucket listing.
In the Type (placement of the snippet) field, select within subroutine then select recv (vcl_recv).
In the VCL field, place the following code:

1if ( req.url.path ~ "/$" ) {
2  error 403;
3}

This article describes an integration with a service provided by a third party. Read our note on integrations for details.

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Network services

Security

Compute

Quick start

Building blocks