Configure a Custom Domain for Storin Buckets with NGINX
Overview
Storin, SaveinCloud's Object Storage service, provides access to objects through S3-compatible endpoints, as in the example below:
https://sp1-s3.saveincloud.io
In many scenarios, however, it is desirable to publish the bucket content using a custom domain, for example:
https://cdn.seudominio.com
This approach is widely used by public cloud providers and is recommended for:
- distribution of static files
- delivery of public content
- URL standardization
- use of own domain (white-label)
- integration with web applications
By using a reverse proxy with NGINX, you can expose the bucket content through your domain, keeping the Storin S3 endpoint as the origin.
The S3 endpoint may vary depending on the region where the bucket was created. In this example, we use the SP1 region.
Always validate the endpoint corresponding to your environment before publishing in production. Endpoint changes can impact the operation of the custom domain.
It is extremely important to stay alert to announcements about changes to the S3 endpoint of the region, as this will directly impact access to Storin.
Reference Architecture
Cliente → Domínio personalizado → NGINX → Bucket no Storin
Prerequisites
Before starting, make sure you have:
- a bucket created in Storin
- objects available for testing
- a server with NGINX installed
- a configured domain or subdomain
- a valid TLS certificate for HTTPS
1. Configure DNS
Create a dedicated subdomain, for example:
cdn.seudominio.com
Configure the DNS records:
- Type A: pointing to the proxy's IPv4
- Type AAAA: pointing to the proxy's IPv6 (optional)
2. Configure NGINX for HTTP Access
Use the configuration below to publish the bucket through your domain:
server {
listen 80;
listen [::]:80;
server_name cdn.seudominio.com;
location / {
proxy_ssl_server_name on;
proxy_pass https://sp1-s3.saveincloud.io;
proxy_set_header Host sp1-s3.saveincloud.io;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
}
3. Enable HTTPS
For production environments, it is recommended to redirect HTTP to HTTPS and use a valid TLS certificate on the reverse proxy.
HTTP to HTTPS Redirection
server {
listen 80;
listen [::]:80;
server_name cdn.seudominio.com;
return 301 https://$host$request_uri;
}
HTTPS Configuration
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name cdn.seudominio.com.br;
ssl_certificate /var/lib/jelastic/SSL/jelastic.chain;
ssl_certificate_key /var/lib/jelastic/SSL/jelastic.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
location / {
proxy_ssl_server_name on;
proxy_pass https://sp1-s3.saveincloud.io;
proxy_set_header Host sp1-s3.saveincloud.io;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
}
4. Access the Objects
After completing the configuration, objects can be accessed using the custom domain:
https://cdn.seudominio.com/arquivo-publico.txt
It is important to be aware of the bucket's CORS configuration so that the bucket does not block access to the object.
Best Practices
- always use HTTPS whenever possible
- use high availability on proxy nodes to ensure no service interruptions
- keep objects public only when necessary
- validate the correct endpoint for the bucket's region
- review bucket permissions and policies before publishing
- consider using cache on the proxy or an external CDN to improve performance and reduce outgoing traffic volume
Troubleshooting
403 Forbidden
This error usually indicates one of the following situations:
- the object is not public
- the bucket policy restricts access
- the path configured in
proxy_passis incorrect
Content Not Found
Check:
- if the bucket name is correct
- if the object really exists
- if the accessed URL corresponds to the expected path
Support
If you have questions or problems with the configuration, contact SaveinCloud support.