Cloudflare probably makes tons of money from ppl accidentally going over the limit lol.
Cloudflare probably makes tons of money from ppl accidentally going over the limit lol.
CIf you have Pro Custom Error Responses https://developers.cloudflare.com/rules/custom-error-responses/
Cloudflare Docs
Custom error responses, powered by the Ruleset Engine, allow you to define custom responses for errors returned by an origin server or by a Cloudflare product (including Workers). Custom error responses will apply to responses whose HTTP status code is greater than or equal to 400 that match the expression of the custom error response rule.
DBut loses customers like me, that proceeds to use other alternatives that allows setting spending caps
BI'd prefer having caps too, but I opted to set hard limits on my server and be pretty strict with handling stuff like DDoS my own way
BZero egress fee for me is just too attractive lol
BMaybe CF did their market research or whatever and concluded that they'd rather let ppl go over the spending limit. "In a free service, you're the product" as they say sometimes
ZWith free egress it's much harder to get denial of wallet attacked, anyway. Especially if you have caching on the objects
ZSure, but at 90 cents per million operations, it's much harder for them to rack up significant charges
ZIf egress weren't free, that would be significantly easier
BWAF HMAC is only on pro i think anyways, so CF is already making money from you
ZSorry, read the wrong column 
BYou can use HMAC with a worker and add rate limit rules to it, so even a ddos attacker gets hit by the rate limit
BAlthough I don't think CF charges for cpu use of workers if it goes above the free limit though, unlike with r2
ZExactly
BInstead CF just stops the worker from accepting requests?
ZIf you're worried about DoW at that scale, you should have monitoring and alerting for this kind of stuff
BOh, for that day then. I thought it was a monthly limit
BThat's good to hear actually
BIs CF good at responding for billing support though, for random users at least and not ent customers
AChat how do I disable cors on my r2 bucket?
BOh boy
Mbit stalkerish regardless
Yis this a cloudflare r2 thing or s3 thing in general?
setting ContentType in PutObjectCommand during url presigning, doesn't throw error if the client sends a different content type during the upload process
setting ContentType in PutObjectCommand during url presigning, doesn't throw error if the client sends a different content type during the upload process
Yif i set content type to video/mp4 in putobjectcommand for generating the presigned url
and I upload a file & set content type to plain/text, it gets uploaded
and I upload a file & set content type to plain/text, it gets uploaded
Ymd5, file size validation works fine
MWhy do I use a plugin to connect to r2, I can't upload files larger than 100mb
M@digitalpoint
I am using your cf addon in xenforo, I have set up r2, posts with attachments I can only upload files under 100mb in size, is there any way to download files larger than 100mb with attachments?
I am using your cf addon in xenforo, I have set up r2, posts with attachments I can only upload files under 100mb in size, is there any way to download files larger than 100mb with attachments?
DIt has to do with XenForo not doing multi-part uploads by default (I think there’s a third-party addon that replaces the uploader that does). So you are normally limited to 5GiB uploads per file. However, if you are using Cloudflare’s “normal” reverse proxy service, you are limited to the maximum upload size you have set for your zone (100MB in some cases). Check the setting in Cloudflare Dashboard under Network.
DBasically if your site is limited to 100MB uploads (for whatever reason), using R2 for the backend storage isn’t going to change those limits for you. Turn off R2 and it’s going to be the same 100MB limit.
Mso what is the solution here, where can i turn off CF proxy
DR2 is just the backend storage, so the solution is to get your site to a place where it can accept uploads >100MB. Probably the easiest way to do that will be to disable Cloudflare proxy.
Again, using (or not using) R2 doesn’t change your site’s upload limitation. Disable R2 and you’d still have the same upload limitation you are seeing.
Again, using (or not using) R2 doesn’t change your site’s upload limitation. Disable R2 and you’d still have the same upload limitation you are seeing.
Mok thanks sir
B@yuvraj are you actually sending a plaintext file or video/mp4 in that case?
Ya video/mp4, with content type plaintext in the headers
If i remove the md5 hash/content size inside putobjectcommand, I think I can send a txt file, even though I set contentype to video/mp4 in the putobjectcommand
If i remove the md5 hash/content size inside putobjectcommand, I think I can send a txt file, even though I set contentype to video/mp4 in the putobjectcommand
Ymy current conclusion is ContentType inside PutObjectCommand does nothing for presigned urls
BTry set content type to video/mp4 when generating, and actually send a whole plain text file, ignoring what you set in the headers before using the PutObject. Unless that's what you're already doing and I misunderstood
Yok i'll test with that
YI generated a presigned url with contenttype to "video/mp4" in putobjectcommand
I uploaded a json file using that url in postman & it worked
I uploaded a json file using that url in postman & it worked
Y
BI think md5 + size would usually be enough of a validation to protect you anyways
Yyep I'm using those
but the contenttype does nothing xd
but the contenttype does nothing xd
BAre you executing this file after on your server, or just storing it?
BBecause in that case files can contain malware anyways, even if they're a pdf or video
BEven if they might be the type you expect
Yyeah serverside is the best solution for max security, but bandwidth might be an issue
md5 is done on the client, so can be tampered as you mentioned
md5 is done on the client, so can be tampered as you mentioned
Yjust storing files, i'm not really worried about malwares
i just don't want users to store huge files and abuse my endpoint haha
1st time learning about file storage, just want to make sure I'm doing the best practices
i just don't want users to store huge files and abuse my endpoint haha
1st time learning about file storage, just want to make sure I'm doing the best practices
Ythank you all for you help, I appreciate it
B@yuvraj In that case the md5 + size validation should be good enough. If a user spoofs the type then that'll affect them if you serve it back to them for viewing/download on a client-side, but at that point it would be their fault and not your responsibility, as long as it doesn't breach the security of your server/other users then it's not really an issue you need to worry about.
BAnd yeah presigned urls in that case are likely still your best bet since processing the files on the server itself can be heavy on memory/server storage, even if you stream
BPeople who want their stuff to scale well should
BIt's not just scale either, it's probably faster to upload with a PutObject url as you don't need to send the file to the server and THEN the bucket, instead sending the file straight to the bucket
