You are a genius! That worked. No changes needed for cloudflare or any other config setting!
@ncw Any thoughts on how to handle this issue? It seems like a common occurrence for any S3 server proxied via CF.
Just a note in the docs or set the sign_accept_encoding flag to false by default?
I spoke too soon. The original error message has been fixed but when you try to actually use it, there are a ton of error messages related to: HostID: , api error RequestEntityTooLarge: Request Entity Too Large and StatusCode: 403, RequestID: , HostID: , api error Forbidden: Forbidden 2025/12/12 08:13:00 ERROR : Attempt 1/3 failed with 11 errors and: operation error S3: HeadObject, https response error StatusCode: 403, RequestID: , HostID: , api error Forbidden: Forbidden. At least on the free version of Cloudflare it seems there is some sort of limitation using the Cloudflare tunnel/proxy/https, etc. So I've given up on that so what I've done instead is to create a simple A record that points to the tailscale IP address of the server that is running garage. This allows me to still upload/download files remotely as long as I'm on Tailscale. So now my endpoint looks like this: endpoint = http://garage.mydomain.com:9700. This now works great on my phone using the s3 browser app when I'm away with Tailscale running. And at home with rclone, I use the same endpoint since all my systems are always running Tailscale.
For what it's worth, using CloudFlare to proxy storage like that on their free tier is probably against their TOS from what I recall.
In particular:
Cloudflare's Free plan offers essential proxy features (CDN, DNS, SSL) but restricts serving large media/binary files like videos, audio, or large docs, as its Terms of Service (ToS) focus on HTML websites, with a 100MB upload limit on single requests. You can use the proxy for standard web content, but storing and delivering massive media (like a personal video library) violates the free tier's intent, potentially leading to content delivery limits or suspension. For large storage/delivery, use paid plans (Stream, R2 for S3-compatible storage) or bypass Cloudflare for media.
I use the free tier and have for years now and don't use it for Plex/Emby or anything like that.
I deem it worth not much..
For those who do follow cloudflare TOS the tangent doesn't mean much and seems to have halted further conversation.
I would like to bump the issue, since I also cannot access the garage bucket from rclone for the same reason, and I am looking for answers.
EDIT: I resolved it by following this #895 - Rclone says AccessDenied: Forbidden: Invalid signature - Deuxfleurs/garage - Forge Deuxfleurs
it was mentioned here before I just had to read.
Basically the config has to include:
acl = private
bucket_acl = private
region = garage
Hope this helps someone!
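Both fixes in this thread (the `sign_accept_encoding` flag and `region = garage`) touch inputs to the SigV4 signature. The sketch below is an added example, not code from rclone or Garage: it recomputes a SigV4 signature on the server side to show when verification fails. The secret, host name, request, and the proxy rewriting `Accept-Encoding` to `gzip, br` are constructed assumptions.

```python
import hashlib
import hmac

SECRET = "constructed-secret-key"  # constructed sample value, not a real credential
SENT = {  # headers as the client sends them (constructed sample request)
    "Host": "garage.example.com",
    "X-Amz-Date": "20250101T000000Z",
    "X-Amz-Content-Sha256": hashlib.sha256(b"").hexdigest(),
    "Accept-Encoding": "identity",
}

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_signature(region, headers, signed, method="HEAD", path="/bucket/key"):
    """SigV4 signature for service s3 with an empty query string."""
    low = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(n.lower() for n in signed)
    canonical = "\n".join([method, path, "",
                           "".join(f"{n}:{low[n]}\n" for n in names),
                           ";".join(names), low["x-amz-content-sha256"]])
    date = low["x-amz-date"]
    scope = f"{date[:8]}/{region}/s3/aws4_request"  # region is part of the scope
    to_sign = "\n".join(["AWS4-HMAC-SHA256", date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + SECRET).encode()
    for part in (date[:8], region, "s3", "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def server_accepts(client_sig, received, signed, server_region="garage"):
    """Server side: recompute over the headers that actually arrived."""
    expected = sigv4_signature(server_region, received, signed)
    return hmac.compare_digest(client_sig, expected)

def demo():
    base = ["host", "x-amz-date", "x-amz-content-sha256"]
    with_ae = base + ["accept-encoding"]
    # Assumption: a proxy in front of the server rewrites Accept-Encoding.
    rewritten = dict(SENT, **{"Accept-Encoding": "gzip, br"})
    return {
        "signed_ae_direct": server_accepts(sigv4_signature("garage", SENT, with_ae), SENT, with_ae),
        "signed_ae_via_proxy": server_accepts(sigv4_signature("garage", SENT, with_ae), rewritten, with_ae),
        "unsigned_ae_via_proxy": server_accepts(sigv4_signature("garage", SENT, base), rewritten, base),
        "wrong_region": server_accepts(sigv4_signature("us-east-1", SENT, base), SENT, base),
    }

if __name__ == "__main__":
    print(demo())
```

A signed header that changes in transit and a region that differs from the server's both produce a different signature, which the server reports as a 403.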
From a rclone perspective, we don't condone breaking TOS for services that offer things as it's not great practice.
As a person, it makes companies take free tiers away and such, but that's a personal choice to make.