Public access to files hosted on StackPath Object Storage buckets will be disabled for all buckets on Stacks created after March 13, 2023. Files stored in buckets on Stacks created after this date will be private, requiring additional security configuration.
Overview
Placing StackPath's CDN in front of an Object Storage bucket will give your websites even greater improvements in speed, as our global CDN network will aid in serving up your site's content.
This guide will provide you with instructions on how to create and configure a StackPath CDN site using a private StackPath Object Storage bucket as an origin.
This guide assumes you have already created a bucket. If you haven't done so yet, please see Create and Manage Object Storage Buckets.
StackPath does not charge for egress from Object Storage or ingress for CDN, which means all content retrievals from StackPath Object Storage to the CDN are free of charge. Please note that delivery from the CDN to end-users will count toward your CDN bandwidth allocation.
Private bucket with AWS Origin Signing (Recommended)
Step 1: Obtain the bucket URL
- In the StackPath Control Portal, in the left-side navigation, click Object Storage.
- Select the desired bucket.
- Under Bucket URL, copy the URL. You will need this information later.
- Note that bucket URLs are case sensitive.
Step 2: Create a site
- In the StackPath Control Portal, in the left-side navigation, click Sites.
- Click Create Site.
- Select the Full Site or Static Assets Integration method based on your preference.
- In the Domain Name field, enter the domain that will deliver the CDN assets. In most cases, simply enter your website's URL.
- Mark the CDN box. As an option, you can also select WAF to protect your site. Then click Set Up Your Origin.
- In the Origin Hostname / IP Address field, paste the copied bucket URL. The origin address is not password protected.
- (Optional) Add a custom domain.
- Click Confirm Origin Address.
- Select an SSL method, then follow the on-screen instructions. When you are finished, click Confirm SSL Method.
- Update your DNS using the on-screen instructions. When you are finished, click Complete Setup.
- In the left-side navigation menu, under Sites, click Settings.
- Next to Host Header, click Add New, paste the copied bucket URL, and then click Save.
Step 3: Enter the bucket's credentials
- In the left-side navigation menu, under Sites, click Settings.
- Click the Site Configuration tab.
- In the left-side navigation menu of the Site Configuration Editor, click Origin.
- Click Uncategorized, then click AWS Signed OriginPull V4.
- Click the Enabled checkbox, then enter the Secret Access Key, AWS Region, and Access Key ID, then click the drop-down menu under Authentication Type and select HEADER.
Assets placed in object storage can now be pulled and cached on the CDN from your bucket via the following: edge-address/path/to/object.
Users can also access these files in the browser using either the Edge Address or domain (if you have completed Full Site Integration).
Private bucket with URL pre-signing
There might be instances where you want to share these private objects with a select few for a specific duration of time. You can do this by generating pre-signed URLs, providing them with their own security credentials for short-term access.
To create a valid pre-signed URL for your object, you must provide the following:
- Your security credentials
- Bucket name
- Object key
- HTTP method
- Expiration date and time
Anyone who receives the pre-signed URL can then access the object.
Generate a valid pre-signed URL using any of the methods listed below:
- AWS CLI
- AWS Tools for PowerShell
- S3 Browser
- Wasabi Explorer
- Pre-signed S3 URLs for temporary, automated access in your application code
- Python and Boto3
- aws-sdk for Nodejs
- AWS SDK for PHP (V2)
URL pre-signing is not the method we recommend, as each pre-signed URL grants access to a single file, whereas AWS Origin Signing covers the whole bucket.
Using the AWS CLI
To generate a pre-signed S3 URL with the AWS CLI, use the aws s3 presign command.
On a Windows system, the command is:
"C:\Program Files\Amazon\AWSCLI\aws.exe" s3 presign s3://yourbucket/presentation.ppt --endpoint-url https://s3.us-east.stackpathstorage.com
This will return the URL that you will then provide, for example:
https://yourbucket/presentation.ppt?AWSAccessKeyId=T43W6LLO9TVP12345ABC&Expires=1553550766&Signature=AC7uJ8L9E30PwWtJIHXVWV%2FEuSg%3D
On a Mac or Linux system, the command is:
$ aws s3 presign s3://yourbucket/presentation.ppt --endpoint-url https://s3.us-east.stackpathstorage.com
Generating a pre-signed S3 URL with Wasabi Explorer
Wasabi Explorer is a client that can be used to manage and upload files to your StackPath Object Storage Bucket. Download the appropriate version of this application (Windows or Mac), then follow the steps below to start generating pre-signed URLs.
- Choose the object for which you want to generate a pre-signed S3 URL, then click the Web URL button.
- Choose whether you want an HTTP or HTTPS URL. You should prefer an HTTPS URL as the query string parameters, including the Access Key and signature, will be sent over a secure connection.
- Click the box to Expire URL at certain date, and choose when you want it to expire.
- Click Generate, then copy the URL that is shown in the box, as shown in the image below.
Using the AWS Tools for PowerShell
If you use the AWS Tools for PowerShell, you can use the Get-S3PreSignedURL cmdlet to generate a pre-signed S3 URL in your PowerShell session.
The syntax is:
Get-S3PreSignedURL -Bucket yourbucket -Key presentation.ppt -Expire 2019-03-26 -EndpointUrl "https://s3.us-east.stackpathstorage.com"
Using pre-signed S3 URLs for temporary, automated access in your application code
The examples shown above are useful for generating a single pre-signed S3 URL that you need for a specific use case. More commonly, you may have an application that needs to programmatically generate short-term access to an S3 bucket.
Some examples of this programmatic usage include:
- Your application generates invoice PDFs at the end of a billing cycle and stores the PDFs on S3. You need to provide a link for your users to download the PDF of their invoice.
- Your application allows users to upload videos to your S3 bucket. You would like users to upload directly from their browser, rather than sending the video to your servers, without leaking credentials to the browser.
You can perform both of these operations with the AWS SDKs for any language. Below are examples of how to use Boto 3, the AWS SDK for Python, to generate pre-signed S3 URLs in your application code.
Generating a pre-signed S3 URL for reading an object in your application code with Python and Boto3
As mentioned above, you may want to provide temporary read access to an S3 object to a user of your application, such as downloading a PDF of an invoice. The code snippet below shows how you would do it in your application code.
First, we import the boto3 library and construct a client to interact with S3. Then, we generate a pre-signed S3 URL that will allow the GetObject API call on the object we specify:
import boto3

# Client pointed at the StackPath Object Storage endpoint rather than AWS
s3 = boto3.client('s3',
                  endpoint_url='https://s3.us-east.stackpathstorage.com',
                  aws_access_key_id='<SP-ACCESS-KEY>',
                  aws_secret_access_key='<SP-SECRET-KEY>')

# Pre-signed URL that allows only GetObject on this one key
# (boto3's default lifetime is 3600 seconds; pass ExpiresIn to change it)
url = s3.generate_presigned_url(
    ClientMethod='get_object',
    Params={
        'Bucket': 'your-bucket-name',
        'Key': 'invoice.pdf'
    }
)
print(url)
# https://your-bucket-name.s3.us-east.stackpathstorage.com/invoice.pdf?AWSAccessKeyId=AKIALGKOKBY37F5FZF4I&Signature=bPSs8Kcak%2FgjEqqjOO5cFS022x0%3D&Expires=1531446995
The resulting URL could be sent to our user to view in their browser and receive temporary access to the invoice.
Generating a pre-signed S3 URL for uploading an object in your application code with Python and Boto3
You can generate a pre-signed S3 URL that can be used for POST requests. This is useful for allowing clients to upload large files: rather than sending the large file through your application's servers, the client can upload the file directly from the browser under strict permissions.
For example, you want to allow a user to upload a file to your cloudberry-examples bucket with the key name of uploads/image.jpg.
In the snippet below, you would use the generate_presigned_post method to construct the URL and return it to the client. You can even add conditions onto the request, such as ensuring the file size is no larger than 1 MB:
import boto3

# Client pointed at the StackPath Object Storage endpoint rather than AWS
s3 = boto3.client('s3',
                  endpoint_url='https://s3.us-east.stackpathstorage.com',
                  aws_access_key_id='<SP-ACCESS-KEY>',
                  aws_secret_access_key='<SP-SECRET-KEY>')

# Pre-signed POST: a URL plus the form fields the browser must submit with the file.
# The content-length-range condition rejects uploads outside 1..1048579 bytes (about 1 MB).
response = s3.generate_presigned_post(
    Bucket='your-bucket-name',
    Key='uploads/image.jpg',
    Conditions=[
        ['content-length-range', 1, 1048579]
    ]
)
print(response)
{'url': 'https://your-bucket-name.s3.us-east.stackpathstorage.com/', 'fields': {'key': 'uploads/image.jpg', 'AWSAccessKeyId': 'AKIALGKOKBY37F5FZF4I', 'policy': 'eyJleHBpcmF0aW9uIjogIjIwMTgtMDctMTNUMDI6Mzg6MTBaIiwgImNvbmRpdGlvbnMiOiBbWyJjb250ZW50LWxlbmd0aC1yYW5nZSIsIDEsIDEwNDg1NzldLCB7ImJ1Y2tldCI6ICJjbG91ZGJlcnJ5LWV4YW1wbGVzIn0sIHsia2V5IjogInVwbG9hZHMvaW1hZ2UuanBnIn1dfQ==', 'signature': 'ZY7Orehfdzg+ToJJXhYuV/XyK5o='}}
The response will include a URL property, as well as a fields property with a set of key-value pairs. The fields key-value pairs must be sent with the file as part of a multipart/form-data request.
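A defender-side check on what the two boto3 snippets above return, added here as an example (it is not StackPath's or boto3's own code, needs only the standard library, and the SAMPLE_* values are constructed): it decodes the POST policy from generate_presigned_post and flags a policy that has expired, is not pinned to the expected bucket and key, or lacks a content-length-range (or allows more than 1 MB), and it reads the remaining lifetime from a pre-signed GET URL's Expires parameter before the URL is handed to a user.

```python
import base64
import calendar
import json
import time
from urllib.parse import parse_qs, urlparse

MAX_UPLOAD_BYTES = 1048576  # 1 MB, the size the guide's content-length-range condition is meant to cap

def decode_post_policy(fields):
    """Decode the base64 'policy' document from a generate_presigned_post response."""
    return json.loads(base64.b64decode(fields['policy']))

def check_post_policy(fields, bucket, key, now=None, max_bytes=MAX_UPLOAD_BYTES):
    """Problems with a POST policy before it is handed to a browser; an empty list means it is safe to send."""
    now = int(time.time()) if now is None else now  # unix time, so the check is reproducible
    policy = decode_post_policy(fields)
    conds = policy.get('conditions', [])
    problems = []
    expires = calendar.timegm(time.strptime(policy['expiration'], '%Y-%m-%dT%H:%M:%SZ'))
    if expires <= now:
        problems.append('policy already expired')
    if {'bucket': bucket} not in conds:
        problems.append('policy is not pinned to bucket ' + bucket)
    if {'key': key} not in conds:
        problems.append('policy is not pinned to key ' + key)
    ranges = [c for c in conds if isinstance(c, list) and c and c[0] == 'content-length-range']
    if not ranges:
        problems.append('no content-length-range condition: any upload size would be accepted')
    elif ranges[0][2] > max_bytes:
        problems.append('content-length-range allows %d bytes, more than %d' % (ranges[0][2], max_bytes))
    return problems

def seconds_until_expiry(presigned_url, now=None):
    """Remaining lifetime of a pre-signed GET URL, read from its Expires query parameter."""
    now = int(time.time()) if now is None else now
    query = parse_qs(urlparse(presigned_url).query)
    return int(query['Expires'][0]) - now

# Constructed sample shaped like the guide's generate_presigned_post output; not a real signed policy.
SAMPLE_POLICY = {
    'expiration': '2018-07-13T02:38:10Z',
    'conditions': [['content-length-range', 1, MAX_UPLOAD_BYTES],
                   {'bucket': 'cloudberry-examples'},
                   {'key': 'uploads/image.jpg'}],
}
SAMPLE_FIELDS = {
    'key': 'uploads/image.jpg',
    'policy': base64.b64encode(json.dumps(SAMPLE_POLICY).encode()).decode(),
    'signature': 'not-a-real-signature',
}
```

Run check_post_policy on the fields your application is about to return and refuse to send them if the list is non-empty; the same decode lets you log what each issued policy actually permits.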
Generating a pre-signed S3 URL for uploading an object in your application code with aws-sdk for Nodejs
const AWS = require('aws-sdk');

// Point the SDK at the StackPath Object Storage endpoint instead of AWS;
// credentials are read from the environment or shared config as usual
const ep = new AWS.Endpoint('s3.us-east.stackpathstorage.com');
const s3 = new AWS.S3({endpoint: ep});

const presignedUpload = () => {
  // Pre-signed PUT: the holder may upload only this key with this content type
  let url = s3.getSignedUrl('putObject', {
    Bucket: 'izotope-test',
    Key: 'invoice.pdf',
    ContentType: 'application/pdf',
    ACL: 'bucket-owner-full-control', // the uploader must send a matching x-amz-acl header
    Expires: 100 // lifetime in seconds (a number, not a string)
  });
  console.log(url);
  return url;
};

presignedUpload();
Generating a pre-signed S3 URL for reading an object in your application code with AWS SDK for PHP (V2)
<?php
require 'vendor/autoload.php';

use Aws\S3\S3Client;

// Client pointed at the StackPath Object Storage endpoint over HTTPS
$s3 = new S3Client([
    'endpoint' => 'https://s3.us-east.stackpathstorage.com',
    'region' => 'us-east-1',
    'version' => 'latest',
    'credentials' => [
        'key' => '<SP-ACCESS-KEY>',
        'secret' => '<SP-SECRET-KEY>',
    ],
]);

// The operation the pre-signed URL will authorise: GetObject on this one key
$cmd = $s3->getCommand('GetObject', [
    'Bucket' => 'yourbucket',
    'Key' => 'hYTYRT56.mp3',
]);

// Sign it for 20 minutes; the resulting URL can be handed to a user
$request = $s3->createPresignedRequest($cmd, '+20 minutes');
$presignedUrl = (string)$request->getUri();