01 · documentation

Docs

Everything you need to ship against nabz/cloud and nabz/s3. Links go straight to the live thing.

getting started
3
create a workspace
Sign up — a personal org is provisioned automatically.
your first key
Generate an access key; pick admin / read-only / bucket-scoped.
storage quota
Per-tier at-rest storage limit, shown live on /cloud.
nabz/cloud
4
upload & organize
Drag-drop, folders, grid/list, drag-to-move, rename, bulk zip.
share links
Password, expiry, download cap. Revoke any time.
mount as a drive
WebDAV — open & save files from Finder / Explorer, no upload step.
versions & trash
New revision per upload; restore older; 30-day trash recovery.
nabz/s3 — protocol
4
endpoint + signing
AWS SigV4 (header or query) against cloud-s3.nabzclan.vip.
operations
GetObject, PutObject, Head, Delete, List, Create/Delete bucket.
presigned urls
Short-lived signed GET/PUT — generate from the bucket UI.
cors · policy · lifecycle · tags
Per-bucket editors; CORS enforced at request time.
governance
3
bandwidth quotas
Workspace + per-key egress caps. Strictest wins.
metrics & audit
Every signed request logged. By bucket / op / key.
per-key drill-in
Click a key for its sparkline, scope, last 50 requests.
sdks & tools
4
aws-cli
Drop-in config, pre-filled per bucket.
rclone
Sync entire trees.
webdav
Mount nabz/cloud or any S3 bucket as a network drive.
boto3 / aws-sdk-js
Native SDKs work unchanged.
webdav — mount as a drive
files like a folder

Both nabz/cloud and any S3 bucket speak WebDAV, so you can open and save files straight from Finder, Windows Explorer, or any WebDAV client — no separate upload step. There's a dedicated host, webdav.cloud-s3.nabzclan.vip (no Cloudflare upload-size cap), with two distinct paths:

  • /webdav— your workspace's cloud tree (folders, versions honoured, quota enforced).
  • /webdav-s3/<bucket> — one S3 bucket's keyspace; /-delimited prefixes show up as folders.

Authentication is HTTP Basic, either way works: a dedicated WebDAV username + password you set at /cloud/connect, or an existing access key (username = key id, password = secret). Read-only credentials can browse and download but not write; bucket-scoped keys only reach their buckets.

bash
# macOS Finder:  Go → Connect to Server (⌘K)
https://webdav.cloud-s3.nabzclan.vip/webdav

# rclone — the whole cloud tree
rclone config create nabz webdav \
  url=https://webdav.cloud-s3.nabzclan.vip/webdav vendor=other \
  user=<ACCESS_KEY> pass=<SECRET_KEY>

# a single S3 bucket
sudo mount -t davfs \
  https://webdav.cloud-s3.nabzclan.vip/webdav-s3/my-bucket/ /mnt/my-bucket

Per-bucket snippets are pre-filled under /s3/buckets/<name>/connect.

s3 endpoint & signing
sigv4

nabz/s3 accepts AWS Signature v4 two ways: the standard Authorization header (what every SDK sends) and query-string presigned URLs. Region is us-nyc-a1-main, addressing is path-style.

bash
# any AWS SDK / aws-cli works unchanged
aws --endpoint-url https://cloud-s3.nabzclan.vip \
  s3 cp ./file.txt s3://my-bucket/

# the browser can't sign — for that, use a presigned URL (below)
presigned urls
no creds needed

Generate a short-lived signed link from any object's row in the bucket UI, or from /s3/buckets/<name>/presign. GET or PUT, expiry 1 min – 7 days. The link carries the key's permissions: read-only keys can only sign GET; scoped keys only for buckets they reach. nabz/s3 verifies the signature, the expiry window, and the key scope on every hit.

bash
# anyone with the URL can fetch until it expires
curl "https://cloud-s3.nabzclan.vip/my-bucket/report.pdf\
?X-Amz-Algorithm=AWS4-HMAC-SHA256\
&X-Amz-Expires=3600&X-Amz-Signature=..."
per-bucket config
cors · policy · lifecycle · tags
  • CORS — JSON rule array; enforced at request time (preflight OPTIONS + ACAO on responses, wildcard & *.example.com origins).
  • Policy— AWS-style policy document, validated & stored.
  • Lifecycle— expire objects by prefix + age; a worker sweeps every 15 min.
  • Tags — free-form key/value labels on the bucket.
  • SSE sse-s3 flag recorded per object; surfaced as x-amz-server-side-encryption.
  • Static website — set an index/error doc; bucket root serves it.

Edit any of these from the bucket sidebar, or hit ⌘K inside a bucket for the action palette.

bandwidth quotas
org + per-key

Set an outbound (egress) cap at the workspace level (/s3/metrics) and/or on an individual access key (/s3/keys/<id>). Period is daily or monthly. The strictest of the two applies — when exhausted, GetObject returns 503 SlowDown with a Retry-After header, refused before any storage I/O.

xml
<Error>
  <Code>SlowDown</Code>
  <Message>this access key egress quota exhausted
    (5368709120/5368709120 bytes this period).</Message>
</Error>
versions, trash & limits
  • Storage quota is per-tier and shown live in the /cloud header.
  • Max object5 GB via nginx client_max_body_size.
  • Versions — each re-upload of a cloud file snapshots the previous bytes; restore any older revision from the preview panel.
  • Trash — soft-delete, bulk restore, auto-purge after 30 days.