> When you use a custom domain, and get default caching of assets implicitly, are you charged for the egress from the cache? It's unclear from the documentation in [1][2] if that's the case. No

> Also related, does Cache-control metadata on the R2 objects affect said cache hit rate? (I'm assuming yes) It'll affect the maximum time it will be kept in cache but all assets are eligible to be evicted earlier due to - not being requested, load at that PoP, plan, etc

> And finally, when the cache is warm and there's a hit, do read operations served from the cache, account as class B operations over R2? No

Cache-Control TTL is basically "don't keep it longer" rather than "we will keep it for this long"

Cache is also a per-colo thing, so cached for someone in London doesn't mean cached for someone in Tokyo

Thank you kian, for the quick and precise answers. 🙇‍♂️

It’s probably worth noting that all of the free egress may not apply to Enterprise plans which have contracted amounts of bandwidth which is apart of the price

but free/pro/business, always $0

Also if you have argo smart routing turned on you do get charged bandwidth so I'd keep that off because its $0.10/GB which is more than S3.

still less than vercel

It is indeed

Just curious, but the signed URL validation, given how the

X-Amz-Signature

is created, wouldn't the validation also require the secret key to build up the same signature? https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html

The validation is done by R2 which knows your API tokens, yes.

You sign it (with the token), give it to someone (who can only use it for what it was signed for) and then R2 validates that it was signed with a valid token.

Thanks, just wanted to confirm that I wasn't missing anything in my understanding, which is that the server-side validation requires access to the same secret key and the validation is basically building out the signature and comparing it.

Yep

It'll build it the same as the presigner would based off the actual request and see if it matches the signature

If the signature says GET but the real request has PUT, it won't match and it's 403'd

Starting about 5 minutes ago I started getting this error in all environments that write to R2:

operation error S3: GetObject, https response error StatusCode: 403, RequestID: , HostID: , api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your secret access key and signing method.

Is there some kind of issue happening in R2? This doesn't coincide with any code change on our side

This is happening for multiple buckets in at least two accounts, started happening at the same time

No issues personally - what colo are you hitting on https://r2.cloudflarestorage.com/cdn-cgi/trace

Hello, would R2 and a Worker sitting in front be able to support progressive download for an mp3 to start immediate playback?

You shouldn't need a worker - most progressive downloads will use range requests, which are supported out of the box

Well it needs to be protected based on current user's purchased skus

So i cant publicly expose R2,

Ah, you'd still need it for that

You might want to look at https://github.com/kotx/render - it has range request parsing in it

So the worker could sit in front and a transform stream?

You can import render as a library, do your own auth and then pass it off to R2 as

render.fetch(req, env, ctx);