Help with setting up cloud storage to avoid excessive cloud bills

Hi guys,

I’m building a small app for myself, with a simple static HTML page generator, the whole project is for me to learn some things and I would need your help with setting up cloud storage.

The app is built with Phoenix LiveView. It allows users to create their own pages and have them on a subdomain, user_page.appdomain.com. Users can upload images to the app which are then shown on their page. Pages are static HTML pages. So, there is a small CMS, users can add content and images, and then a static HTML page is generated and users can access it on their subdomain.

When users upload their images, they are saved to Tigris Cloud storage. In front of the app, there is Cloudflare for caching images.

Should I use a public or private bucket for storage? What about CORS? What else should I take into account? I want to learn how to set it up properly to avoid potential attacks, the huge cloud bills everyone is talking about these days, etc.

I don’t have much experience with setting up cloud so I would really appreciate your help here.

Traditional wisdom with S3 and co is that you should not serve files directly from the bucket due to cloud egress costs being quite high on major cloud platforms like AWS. If you were using AWS you could use their CDN (CloudFront) or Cloudflare like you suggest.

However, my understanding is that the whole point of Tigris is they integrated the CDN into the product specifically so that you don’t have to deal with that. I did not look too closely but I see on their docs page that they advertise “zero egress fees” for this reason, so you probably don’t need Cloudflare in front if you’re using them.

For uploads obviously you want to make sure you rate-limit that, per-user and also perhaps globally as a sanity check in case of an attack.

If you need to enforce more complex access controls (some sites only viewable by logged-in users and so on) then maybe you would want to proxy everything through your app.

If everything is meant to be public then you may as well use Tigris as a CDN since that’s what it’s for I guess.

Do you want users to be able to embed content from their page into other websites? This is specific to your use-case, there is no general answer.

As long as you rate-limit your uploads and Tigris honors their free egress promise you should be safe. If you start serving petabytes they’ll probably call you to complain.

One more thing: if you’re hosting user data publicly like this make sure you accept and promptly respond to any takedown notices or your upstream providers are going to be very unhappy when they get them.

2 Likes
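The per-user plus global upload limit suggested in the reply above, sketched for a Phoenix app as an added example that is not part of the original thread. The module name `UploadLimiter`, the byte budgets, the one-hour window and the single-node ETS table are all assumptions.

```elixir
defmodule UploadLimiter do
  # Added example: fixed-window byte budget per user plus a global cap.
  # Module name, limits and window length are assumptions, not from the thread.
  @table :upload_limiter
  @window_s 3600
  @per_user_bytes 50 * 1024 * 1024
  @global_bytes 5 * 1024 * 1024 * 1024

  # Call once from a long-lived process (an ETS table dies with its owner).
  def init do
    :ets.new(@table, [:named_table, :public, :set, write_concurrency: true])
    :ok
  end

  # Returns :ok, {:error, :user_limit} or {:error, :global_limit}.
  def check(user_id, bytes, now \\ System.system_time(:second))
      when is_integer(bytes) and bytes > 0 do
    window = div(now, @window_s)
    user_key = {:user, user_id, window}

    with :ok <- charge(user_key, bytes, @per_user_bytes, :user_limit),
         :ok <- charge({:global, window}, bytes, @global_bytes, :global_limit) do
      :ok
    else
      {:error, :global_limit} = err ->
        # Global cap hit: refund the user's bytes so they are not charged.
        :ets.update_counter(@table, user_key, {2, -bytes})
        err
      err ->
        err
    end
  end

  # Atomically add bytes to the counter; roll back if that exceeds the limit.
  defp charge(key, bytes, limit, reason) do
    if :ets.update_counter(@table, key, {2, bytes}, {key, 0}) <= limit do
      :ok
    else
      :ets.update_counter(@table, key, {2, -bytes})
      {:error, reason}
    end
  end

  # Delete counters from earlier windows; run periodically.
  def sweep(now \\ System.system_time(:second)) do
    old = [{:<, :"$1", div(now, @window_s)}]
    specs = [{{{:user, :_, :"$1"}, :_}, old, [true]}, {{{:global, :"$1"}, :_}, old, [true]}]
    :ets.select_delete(@table, specs)
  end
end
```

Call `check/2` with the size the server actually received, not a size the client claims, and reject the upload before anything is written to the bucket.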

Public and enable CORS, so it is easier to embed them directly. And unless you are streaming videos, or have content that attracts abusers (e.g. porn, warez, …) you should not need to worry about egress fees yet.

1 Like