OCI Object Storage Vanity URL using the Cloudflare CDN - Public Buckets

Hi! In one of my previous blogs, I talked about accessing OCI Object Storage with a custom domain. In that blog, I presented a demo on how to do it using F5 Load Balancers but I also stated it can be done with most Content Delivery Network services on the market. In this blog post, I will do a demo on doing exactly that, accessing OCI Object Storage with a custom domain using the Cloudflare CDN for public buckets.

OCI Object Storage refresh

OCI Object Storage works with buckets and objects inside the buckets. You can access the objects inside public buckets using two domains:
a) The standard URL in the format:
https://objectstorage.[region].oraclecloud.com/n/[namespace/tenancy]/b/[bucket name]/o/[object name]
b) The endpoint dedicated to your tenancy:
https://[namespace/tenancy].objectstorage.[region].oci.customer-oci.com/n/[namespace/tenancy]/b/[bucket name]/o/[object name]

As explained in the previous blog, there are some challenges related to HTTPS because the OCI Object Storage will only respond to SSL connections for those OCI-owned domains. So we need to rewrite the host header. Let’s see how we do that in Cloudflare.

Cloudflare prerequisites

In order to use Cloudflare you need:
a) A DNS Zone onboarded to Cloudflare – Cloudflare is both a registrar and a DNS provider so you can either buy the zone directly from them or simply point your registrar to the Cloudflare DNS servers. The procedure to do this is here.
b) The zone above MUST be under an Enterprise license – Cloudflare supports multiple license types (including a free tier) but you will have access to the relevant menus only if the zone is under an Enterprise license. More details on plans here.

If the two prerequisites are met we can move to the demo part of the blog.

Demo

Building the environment is simple, I will use:
- A public OCI Object Storage bucket, in Frankfurt, named Frankfurt-Bucket, containing one object, a PNG file.
- A DNS Zone, cdn-lab.cloud, which I have onboarded to Cloudflare, under an Enterprise license.

Here is a picture of what we are trying to achieve:

Let’s get started.

1. OCI Public Bucket

Create an OCI Public Bucket and have a file in it. I will use the Object Storage service in the OCI Frankfurt region.

If you click on the object details, OCI will tell you the link to download the file:

If we put the link in the browser (https://objectstorage.eu-frankfurt-1.oraclecloud.com/n/ociateam/b/Frankfurt-Bucket/o/OCI.png) we will get the file:
 

2. Cloudflare setup

2.1. DNS entry

In the Cloudflare console go to the zone management page. As explained above, I am using a zone called cdn-lab.cloud. In the zone management page click DNS and Records and add a new DNS Record:

- Type: CNAME
- Name: I will use “storage” so the FQDN will be storage.cdn-lab.cloud.
- Target: we need to put the actual Object Storage FQDN where the bucket exists so, in this case, it will be: objectstorage.eu-frankfurt-1.oraclecloud.com.
- Proxy status: Proxied.

2.2 Origin rule

Next, we need to have a rule to rewrite the Hostname header. Go to Rules -> Origin Rules and press Create.

Create a rule similar to the screenshots below:

Note that the SNI will also be changed automatically by Cloudflare to match the new Hostname. Do not input anything in the SNI field from the rule.

2.2. Configuration rule

The traffic must be end-to-end encrypted with SSL. While this can be a global setting under the DNS Zone, we can also make a Configuration rule that will enforce it only for this traffic, which will allow the global setting to be anything else you may need. Go to Rules -> Configuration Rules and press Create.

Create a rule that matches your hostname (mine is storage.cdn-lab.cloud).  Scroll to the bottom and ADD “Full SSL”.

After you press deploy you should be able to access the OCI object in the public bucket using your domain.

The initial URL: https://objectstorage.eu-frankfurt-1.oraclecloud.com/n/ociateam/b/Frankfurt-Bucket/o/OCI.png
Will now be: https://storage.cdn-lab.cloud/n/ociateam/b/Frankfurt-Bucket/o/OCI.png

And we’re DONE, everything should be working well. However, the usual request is to have a true Vanity URL which also “hides” the path. Let’s see how we do that.

2.3  Optional - Transform Rule.

We will create a transform rule to rewrite the request as it goes to the Origin. This way we will not expose the Object Storage path to the users.

The Dynamic rule code must be modified according to your OCI namespace and bucket name.

regex_replace(http.request.uri.path,"^/","/n/ociateam/b/Frankfurt-Bucket/o/")

After you press deploy you should be able to access the OCI object in the public bucket using your domain with the path hidden.

The initial URL: https://objectstorage.eu-frankfurt-1.oraclecloud.com/n/ociateam/b/Frankfurt-Bucket/o/OCI.png
Will now be: https://storage.cdn-lab.cloud/OCI.png

And this completes the DEMO. I hope you liked it!

Special thanks to Cloudflare for making this blog possible.