S3 assets publicly accessible for DMs also

Hi team,

We just finished installing Mastodon on an EC2 instance with an S3 bucket as the backend for file storage. We have the S3 bucket name the same as a subdomain which is behind Cloudflare for caching (files.domain.com), and the same is configured as S3_ALIAS_HOST and S3_BUCKET.

One question we had: when files are uploaded to this bucket, all the objects seem to have a public ACL. That makes sense for public posts, emojis, etc. But if two users have shared a file in a direct message (which should be private), that file link is also public. Is there a way to proxy these with the user session? Did we configure this wrongly?
