CJW

CJW 个人博客

分享网络知识和知识记录
github
email
Home归档关于相册友链

Hide Backblaze B2 bucket paths through CloudFlare conversion rules

18
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The article discusses a tutorial on how to integrate Backblaze B2 with CloudFlare CDN, highlighting a security flaw where B2 domain exposes bucket names, making it vulnerable to unauthorized access and potential abuse. The solution involves creating rewrite rules in CloudFlare to hide the bucket name in the URL and remove unnecessary response headers added by Backblaze B2. This optimization enhances security and user-friendliness while utilizing free data transfer between CloudFlare and Backblaze B2.

In an early article titled "Backblaze B2, low-cost object storage, supports integration with CloudFlare CDN," a tutorial was provided on how to integrate Backblaze B2 with CloudFlare CDN. However, there is a flaw where the B2 domain name exposes the bucket name, allowing anyone to use your CloudFlare accelerated domain to accelerate Backblaze B2 or directly access the source site for fraudulent activities, which is not only unfriendly but also unsafe.

For example:

The format of the domain name provided by B2 is: https://f002.backblazeb2.com/file/bucket/xxx.txt
After using CloudFlare acceleration, the domain name becomes: https://b2.domain.com/file/bucket/xxx.txt
If I create a bucket named "xiaoz" in B2, then I can access your CloudFlare domain name https://b2.domain.com/file/xiaoz/xxx.txt, which will consume your CloudFlare traffic.

Or I can directly access your source site: https://f002.backblazeb2.com/file/xiaoz/xxx.txt to steal traffic.

The purpose of this article is to remove the unfriendly URL path of B2 and hide the content "file/bucket/".

Preparation:
If your B2 domain name has not been integrated with CloudFlare, please refer to this article: https://blog.xiaoz.org/archives/13256 for integration.

Create conversion rules:
CloudFlare dashboard - Rules - Conversion Rules - Create Conversion Rule - Rewrite URL

Continue filling in:

Rule name: Write anything
Field: Select "Hostname"
Operator: Select "Equals"
Value: Fill in the acceleration domain name for B2 on CloudFlare (your own domain name)

Then select "Rewrite to - Select Dynamic" for the path, and fill in:

concat("/file/bucket", http.request.uri.path)
Replace "bucket" with your own storage bucket name, and then select deploy.

Optimization:
Before optimization, our access path is: https://b2.domain.com/file/bucket/xxx.txt

After optimization, the path becomes: https://b2.domain.com/xxx.txt

As you can see, "file/bucket/" has been removed.

Remove unnecessary response headers:
Backblaze B2 adds the following header parameters to the response header of the request:

x-bz-content-sha1
x-bz-file-id
x-bz-file-name
x-bz-upload-timestamp
Although they have little impact, these parameters indicate that you are using B2, and these header parameters are generally not useful. We can also remove them using CloudFlare's rewrite rules.

Still in the conversion rules section - Create Conversion Rule - Modify Response Headers.

The hostname part is the same as above.

Then select "Remove" for all the headers, and finally fill in the above mentioned header parameters.

Summary:
The transfer traffic between CloudFlare and Backblaze B2 is free. By using CloudFlare conversion rules, the bucket name can be hidden, making the URL more user-friendly and to some extent preventing the risk of Backblaze B2 being used for fraudulent activities.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.