S3:HeadObject returns 403 on MinIO instance proxied by Cloudflare

Question

When sending HeadObject request to MinIO instance proxied by Cloudflare, 403 is returned instead of 404 (for non-existent files). GET, PUT and DELETE operations can be performed with no issue.

For example, the following code fails with 403, originating from django-storages when using collectstatic command:

import boto3
s3 = boto3.client(
    "s3",
    region_name="us-east-1",
    endpoint_url="<endpoint>",
    aws_access_key_id="<key>",
    aws_secret_access_key="<key>",
)
s3.head_object(Key="static/css/index.css", Bucket="mybucket")

The provided Key is publicly available and returns 404 for GetObject requests.

Answer 1

The problem is with Cloudflare's cache behavior on HEAD requests. Cloudflare will cache GET requests, and serve them with empty body when a HEAD request is made. Consequently, this breaks the signature mechanisms employed by S3 APIs.

To fix the issue, either remove Cloudflare or bypass the cache by a page rule. By the way, using Cloudflare with MinIO is probably against their TOS since you are just using Cloudflare as CDN.

For future reference, it turns out there are "x-minio-error-desc" and "x-minio-error-code" keys in response headers so that you can debug this better (in this specific CF case these headers might not be available since they only appear in proper HEAD requests).