Wasabi

  Last updated June 17, 2019

Wasabi public and private buckets can be used as origins with Fastly.

Using Wasabi as an origin

To make your Wasabi bucket available through Fastly, follow the steps below.

Creating a new service

Follow the instructions for creating a new service. You'll add specific details about your origin when you fill out the Create a new service fields:

Setting up shielding

We strongly encourage you to enable shielding for your origin server. Wasabi imposes soft caps on free egress. Without shielding enabled, Fastly will request the same objects from all Fastly edge POPs instead of just one, which may not follow Wasabi's free egress guidelines.

When you select a shielding location from the Shielding menu, choose the location appropriate for your Wasabi bucket as follows:

Wasabi bucket region    Shielding location
eu-central-1            Amsterdam, NL
us-east-1               Ashburn, VA
us-west-1               Seattle, WA

Creating a VCL snippet for shielding

Once you've enabled shielding for your origin, create a VCL snippet. When filling out the Create a VCL snippet fields, use the following information:

Testing your results

By default, we create a DNS mapping called yourdomain.global.prod.fastly.net. In the example above, it would be cdn.example.com.global.prod.fastly.net. Create a DNS alias for the domain name you specified (e.g., CNAME cdn.example.com to global-nossl.fastly.net).

Fastly will cache any content without an explicit Cache-Control header for 1 hour. You can verify whether you are sending any cache headers using cURL. For example:

$ curl -I opscode-full-stack.s3.wasabisys.com

HTTP/1.1 200 OK
x-amz-id-2: ZpzRp7IWc6MJ8NtDEFGH12QBdk2CM1+RzVOngQbhMp2f2ZyalkFsZd4qPaLMkSlh
x-amz-request-id: ABV5032583242618
Date: Fri, 18 Mar 2012 17:15:38 GMT
Content-Type: application/xml
Transfer-Encoding: chunked

In this example, no cache control headers are set so the default TTL will be applied.

Enhancing cache control

If you need more control over how different types of assets are cached (e.g., JavaScript files, images), use the Amazon S3 configuration in our Cache Control tutorial as an example.

Using private Wasabi buckets

To use a Wasabi private bucket with Fastly, you must implement version 4 of Amazon’s header-based authentication. You can do this using custom VCL and following the instructions below.

Before you begin

Make your Wasabi bucket available to Fastly. Be sure you've set your origin to port 443. This needs to be done before implementing header-based authentication with the instructions below.

Gathering Wasabi information

Start by obtaining the following information from Wasabi:

Item                 Description
Bucket Name          The unique name of your Wasabi bucket. When you download items from your bucket, this is the string listed in the URL path or hostname of each object (e.g., widget-project).
Region               The Wasabi region code of the location where your bucket resides (e.g., us-east-1).
Access Key ID        The Wasabi access key ID string for an IAM account that has at least read permission on the bucket.
Secret Access Key    The Wasabi secret access key paired with the access key above.

Once you have this information, you can configure your Fastly service to authenticate against your Wasabi bucket using header authentication by calculating the appropriate header value in VCL.

Creating a VCL snippet for authentication

Create a regular VCL snippet. Give it a meaningful name, such as Wasabi protected origin. When you create the snippet, select within subroutine to specify its placement and choose miss as the subroutine type. Then, populate the VCL field with the following code (be sure to change specific values as noted to ones relevant to your own Wasabi bucket):

if ( req.request == "GET" && req.backend.is_origin) {

  declare local var.wasabiAccessKey STRING;
  declare local var.wasabiSecretKey STRING;
  declare local var.wasabiBucket STRING;
  declare local var.wasabiRegion STRING;
  declare local var.canonicalHeaders STRING;
  declare local var.signedHeaders STRING;
  declare local var.canonicalRequest STRING;
  declare local var.canonicalQuery STRING;
  declare local var.stringToSign STRING;
  declare local var.dateStamp STRING;
  declare local var.signature STRING;
  declare local var.scope STRING;

  # Please supply your own credentials
  set var.wasabiAccessKey = "YOUR_BUCKET_ACCESS_KEY";   # Change this value to your own data
  set var.wasabiSecretKey = "YOUR_BUCKET_SECRET";       # Change this value to your own data
  set var.wasabiBucket = "YOUR_BUCKET_NAME";            # Change this value to your own data
  set var.wasabiRegion = "YOUR_BUCKET_REGION";          # Change this value to your own data

  set bereq.http.x-amz-content-sha256 = digest.hash_sha256("");
  set bereq.http.x-amz-date = strftime({"%Y%m%dT%H%M%SZ"}, now);
  set bereq.http.host = var.wasabiBucket ".s3." var.wasabiRegion ".wasabisys.com";
  set bereq.url = querystring.remove(bereq.url);
  set var.dateStamp = strftime({"%Y%m%d"}, now);
  set var.canonicalHeaders = ""
    "host:" bereq.http.host LF
    "x-amz-content-sha256:" bereq.http.x-amz-content-sha256 LF
    "x-amz-date:" bereq.http.x-amz-date LF
  ;
  set var.canonicalQuery = "";
  set var.signedHeaders = "host;x-amz-content-sha256;x-amz-date";
  set var.canonicalRequest = ""
    "GET" LF
    bereq.url.path LF
    var.canonicalQuery LF
    var.canonicalHeaders LF
    var.signedHeaders LF
    digest.hash_sha256("")
  ;

  set var.scope = var.dateStamp "/" var.wasabiRegion "/s3/aws4_request";

  set var.stringToSign = ""
    "AWS4-HMAC-SHA256" LF
    bereq.http.x-amz-date LF
    var.scope LF
    regsub(digest.hash_sha256(var.canonicalRequest),"^0x", "")
  ;

  set var.signature = digest.awsv4_hmac(
    var.wasabiSecretKey,
    var.dateStamp,
    var.wasabiRegion,
    "s3",
    var.stringToSign
  );

  set bereq.http.Authorization = "AWS4-HMAC-SHA256 "
    "Credential=" var.wasabiAccessKey "/" var.scope ", "
    "SignedHeaders=" var.signedHeaders ", "
    "Signature=" + regsub(var.signature,"^0x", "")
  ;
  unset bereq.http.Accept;
  unset bereq.http.Accept-Language;
  unset bereq.http.User-Agent;
  unset bereq.http.Fastly-Client-IP;
}

Creating a VCL snippet to remove added response headers

You may also remove the headers that Wasabi adds to the response. Do this by creating another VCL snippet. Give it a meaningful name, such as Strip Wasabi response headers. When you create the snippet, select within subroutine to specify its placement and choose deliver as the subroutine type. Then, place the following code in the VCL field:

if ( !req.http.Fastly-Debug ) {
  unset resp.http.x-amz-id-2;
  unset resp.http.x-amz-request-id;
  unset resp.http.server;
}
This article describes an integration with a service provided by a third party. Please see our note on integrations.