Do all uploads in Discourse go to the 'original' folder when using a CDN?

I have a question re using a CDN with secure uploads. In Secure Uploads - #118 by Falco it sounds like the CDN isn’t used for uploads but can be used for assets.

At the moment my CDN has GetObject access for my entire bucket. If I want uploads to be secure I need to change the BucketPolicy so that it is scoped just to assets. Can I do this via path? There are currently 3 directories in my uploads folder - assets, optimized and original. I’ve noticed that with secure uploads enabled discourse is fetching stuff from assets and optimized from the CDN.

So I could limit my bucket policy to only allow access to the CDN to /original but wanted to confirm - do all uploads end up in ‘original’ or are they sometimes in ‘optimized’?

Ah think I’ve answered my own question - no bucket policy is needed at all because the ACLs that discourse sets on the static assets make them public, so cloudfront can access them without having any bucket policy set.

1 Like