Cloudflare R2 Object Storage Configuration Guide

lutish

Administrator
Staff member
This guide covers the complete setup of Cloudflare R2 Object Storage (zero egress fee, S3-compatible free storage) for website/forum remote media storage, including backend admin configuration, API key setup, CORS rules, custom domain binding, and standard BBCode embedding methods for images & download links.

Part 1: Preparations & R2 Service Activation​

Cloudflare R2 is a zero-egress-fee S3-compatible object storage, permanent free quota: 10GB storage, unlimited public download traffic, no bandwidth charges. It is the best alternative to AWS S3 for forum image beds and file hosting.

1. Preconditions​

  • Valid Cloudflare account (free plan is fully available)
  • Bound payment method (Visa/MasterCard/PayPal, no deduction within free quota, mandatory for activating R2 service)

2. Activate R2 & Create Bucket​

  1. Log in to Cloudflare Dashboard → Left sidebar R2 Object Storage
  2. Click Enable R2, complete payment method verification
  3. Click Create Bucket, input custom bucket name (all lowercase, no special symbols)
  4. Storage location: Select Asia-Pacific for fastest domestic access
  5. Save and enter the bucket management panel

Part 2: Backend Admin Configuration (Core Setup)​

R2 is fully compatible with S3 API. We need to configure R2 API Access Keys (for website backend upload/delete) and CORS rules (for forum BBCode normal display).

1. Generate R2 API Credentials (Backend Authorization)​

Used for forum/website backend binding, realizing file upload, overwrite, list and delete permissions.
  1. R2 Overview Page → Click Manage R2 API Tokens
  2. Create API Token → Set custom token name (e.g. forum-r2-storage)
  3. Permission scope: Select Edit & Read (full bucket operation permissions)
  4. Bucket scope: Bind the newly created bucket
  5. Generate and save three core credentials (only displayed once):
  • Account ID (Cloudflare account unique ID)
  • Access Key ID
  • Secret Access Key
⚠️ Critical Reminder: The Secret Key cannot be retrieved after refresh. Please back it up securely!

2. R2 Bucket CORS Configuration (Fix Broken Images)​

Default R2 cross-origin restrictions will cause forum embedded images to fail to load. Add universal CORS rules to adapt all forum programs.
Bucket Page → Settings → CORS Policy → Edit → Paste the following JSON:

[
{
"AllowedHeaders": ["*"],
"AllowedMethods": ["GET", "HEAD"],
"AllowedOrigins": ["*"],
"ExposeHeaders": []
}
]
Production Optimization: Replace ["*"] with your forum domain (e.g. ["https://yourforum.com"]) to improve security.

3. Public Access & Custom Domain Configuration (Optional)​

R2 default public file access is allowed, no need to manually turn off block rules like S3.
  1. Bucket → Settings → Public Access → Custom Domains
  2. Connect your custom domain (e.g. img.yourdomain.com)
  3. Automatically apply Cloudflare SSL certificate, enable HTTPS access

Part 3: Standard R2 URL Structure & BBCode Usage​

After backend configuration is completed, users can use standard BBCode tags to embed R2 images and files in forum posts.

1. R2 Standard File URL Format​

Official Default Domain
https://<ACCOUNT_ID>.r2.cloudflarestorage.com/<BUCKET_NAME>/<FILE_NAME>
Custom Domain (Recommended)

2. Universal BBCode Usage Tutorial​

A. Embed R2 Image (Image Display)​

Applicable to jpg/png/gif/webp and other image formats, directly rendered in posts.
Syntax

Example
nature.png

B. File Download Link (PDF/ZIP/Document)​

Applicable to non-image files, create clickable download text links.
Syntax
Custom Download Text
Example
Download Official User Manual

C. Clickable Image Thumbnail (Image Button)​

Realize click image jump to specified website, suitable for buttons/advertising diagrams.
Syntax

Example


Part 4: Fault Troubleshooting Table​

Fault PhenomenonRoot CauseSolution
403 Access Denied1. API token permission insufficient2. File private access enabled3. URL path errorRe-generate Edit-level API token; confirm file public access; check URL spelling
Backend cannot upload files1. Wrong Account ID/Key2. Endpoint not R2 standard address3. No full bucket permissionFill in correct R2 endpoint: https://r2.cloudflarestorage.com; verify token permissions
Broken image icon in posts1. CORS rule not saved or error2. File expired/ deleted3. HTTP non-HTTPS linkRe-save CORS configuration; use full HTTPS URL; re-upload missing files
Direct access normal, forum embedding failedBrowser cross-origin cache restrictionClear browser cache; refresh CORS policy; wait 1-2 minutes for rule take effect

Part 5: Administrator Complete Checklist​

  • ✅ R2 service activated + bucket created successfully
  • ✅ Valid Account ID + R2 API Access/Secret Key backed up
  • ✅ Standard CORS policy configured to solve cross-origin errors
  • ✅ Website/Forum backend filled with R2 endpoint and key information
  • ✅ Custom domain bound (optional) + SSL effective
  • ✅ Test upload image, verify BBCode renders normally
    [*]✅ Test file download link to ensure no 403/404 errors
    [/LIST]
    [HR][/HR]
    [HEADING=1]Part 6: Security & Usage Notes[/HEADING]
    [LIST]
    [*][B]Zero Fee Advantage[/B]: R2 has no outbound traffic fees, unlimited public download, only excess storage capacity is charged
    [*][B]Key Security[/B]: Do not disclose R2 Secret Key in posts, prevent malicious upload and deletion
    [*][B]File Specification[/B]: Do not upload sensitive/private files to public buckets
    [*][B]Rule Optimization[/B]: Formal forums replace wildcard CORS with fixed domain names to prevent cross-site abuse
    [*][B]Cache Acceleration[/B]: Custom domain automatically enables Cloudflare global CDN, faster access than official domain
    [/LIST]
 
Back
Top