XZ

Xiao Z's blog

Learn, build, share

Hide Backblaze B2 Bucket Paths Using Cloudflare Transformation Rules

cloudflare transformation rulesbackblaze b2hide bucket nameremove response headerscdn security
Published·Modified·

In an earlier article titled Backblaze B2, Low-Cost Object Storage, Supports Cloudflare CDN Integration, we introduced how to connect Backblaze B2 with Cloudflare CDN. However, there was a flaw: the B2 domain exposes the bucket name, allowing anyone to use your Cloudflare accelerated domain to cache Backblaze B2 content or access the origin directly for traffic theft. This is not only unfriendly but also insecure.

For example:

  • The B2 domain format is: https://f002.backblazeb2.com/file/bucket/xxx.txt
  • After using Cloudflare acceleration, the domain becomes: https://b2.domain.com/file/bucket/xxx.txt

If I create a bucket named xiaoz in B2, I can access your Cloudflare domain at https://b2.domain.com/file/xiaoz/xxx.txt, which consumes your Cloudflare traffic.

Or I can directly access your origin: https://f002.backblazeb2.com/file/xiaoz/xxx.txt to steal traffic.

The purpose of this article is to remove the unfriendly URL path from B2 and hide the file/bucket/ segment.

Prerequisites

If your B2 domain has not yet been connected to Cloudflare, please refer to this article: https://blog.xiaoz.org/archives/13256 for integration instructions.

Create Transformation Rules

Go to the Cloudflare dashboard - Rules - Transformation Rules - Create Transformation Rule - Rewrite URL.

Continue filling in:

  • Rule Name: Any name you like
  • Field: Select "Host"
  • Operator: Select "Equals"
  • Value: Enter your accelerated domain for B2 on Cloudflare (your own domain)

Then, for the path, select "Rewrite to - Choose Dynamic" and fill in:

concat("/file/bucket", http.request.uri.path)

Replace bucket with your actual bucket name, then deploy.

After Optimization

Before optimization, our access path was: https://b2.domain.com/file/bucket/xxx.txt

After optimization, the path becomes: https://b2.domain.com/xxx.txt

As you can see, file/bucket/ has been removed.

Remove Unnecessary Response Headers

Backblaze B2 adds the following header parameters in the response:

  • x-bz-content-sha1
  • x-bz-file-id
  • x-bz-file-name
  • x-bz-upload-timestamp

Although the impact is minimal, the presence of these headers reveals that you are using B2, and they are generally not useful. You can also remove them using Cloudflare's rewrite rules.

Go back to Transformation Rules - Create Transformation Rule - Modify Response Headers.

The host settings remain the same as above:

Then select "Remove" for all options, and enter the header names listed above.

Summary

Traffic between Cloudflare and Backblaze B2 is free. By using Cloudflare transformation rules, you can hide the bucket name, make URLs more user-friendly, and reduce the risk of Backblaze B2 being abused for traffic theft.

Some content in this article was referenced from: [Object Storage] Combine CF Bandwidth Alliance for Free Traffic](https://luotianyi.vc/6044.html)