From 33344da8b39961b5d38dd924ffd35debd611d208 Mon Sep 17 00:00:00 2001
From: Chris Harris <cjh@lbl.gov>
Date: Wed, 25 Feb 2026 18:07:40 +0000
Subject: [PATCH] Allow custom domain to be used with public S3 bucket

This allows a S3 bucket to be put behind CloudFront which
is considered best practice.
---
 .env_sample          | 2 ++
 src/settings/base.py | 2 ++
 src/utils/storage.py | 1 +
 3 files changed, 5 insertions(+)

diff --git a/.env_sample b/.env_sample
index 6bd01cfbd..10378cb12 100644
--- a/.env_sample
+++ b/.env_sample
@@ -72,6 +72,8 @@ AWS_S3_ENDPOINT_URL=http://minio:9000/
 AWS_QUERYSTRING_AUTH=False
 # Optional URL rewriting in compute worker, format: FROM | TO
 #WORKER_BUNDLE_URL_REWRITE=http://localhost:9000|http://minio:9000
+# Optional custom domain for public bucket, e.g. if you have a CDN in front of your S3 storage
+#AWS_S3_PUBLIC_CUSTOM_DOMAIN=<your-domain.com>
 
 
 # -----------------------------------------------------------------------------
diff --git a/src/settings/base.py b/src/settings/base.py
index ed5b978d7..c0c337691 100644
--- a/src/settings/base.py
+++ b/src/settings/base.py
@@ -386,6 +386,7 @@ def setup_celery_logging(**kwargs):
                 "use_ssl": os.environ.get('S3_USE_SIGV4', 'true').lower() == 'true',
                 "querystring_auth": os.environ.get('AWS_QUERYSTRING_AUTH'),
                 "default_acl": os.environ.get('AWS_DEFAULT_ACL'),
+                "custom_domain": os.environ.get("AWS_S3_PUBLIC_CUSTOM_DOMAIN", ""),
             },
         },
         "bundle": {
@@ -473,6 +474,7 @@ def setup_celery_logging(**kwargs):
 AWS_STORAGE_PRIVATE_BUCKET_NAME = os.environ.get('AWS_STORAGE_PRIVATE_BUCKET_NAME')
 AWS_S3_CALLING_FORMAT = os.environ.get('AWS_S3_CALLING_FORMAT', 'boto.s3.connection.OrdinaryCallingFormat')
 AWS_S3_ENDPOINT_URL = os.environ.get('AWS_S3_ENDPOINT_URL', '')
+AWS_S3_PUBLIC_CUSTOM_DOMAIN = os.environ.get('AWS_S3_PUBLIC_CUSTOM_DOMAIN', '')
 AWS_DEFAULT_ACL = None  # Uses buckets security access policies
 AWS_QUERYSTRING_AUTH = os.environ.get(
     # This stops signature/auths from appearing in saved URLs
diff --git a/src/utils/storage.py b/src/utils/storage.py
index 7bb88bc2a..8e95bb722 100644
--- a/src/utils/storage.py
+++ b/src/utils/storage.py
@@ -12,6 +12,7 @@
 
         class PublicStorageClass(S3Boto3Storage):
             bucket_name = getattr(settings, "AWS_STORAGE_BUCKET_NAME", None)
+            custom_domain = getattr(settings, "AWS_S3_PUBLIC_CUSTOM_DOMAIN", "")
 
         class PrivateStorageClass(S3Boto3Storage):
             bucket_name = getattr(settings, "AWS_STORAGE_PRIVATE_BUCKET_NAME", None)