Your Fastly CDN configuration causes downloads.openwrt.org URLs without a trailing slash to redirect to mirror-03.infra.openwrt.org, and the URLs to artifacts on that server don't redirect to the CDN. That means users who mistype or mis-copy-paste a URL end up downloading direct from your infrastructure, increasing your costs and probably providing worse download speeds, depending on their location. I suggest updating your configuration to normalize URLs before making a caching decision, if possible.
I also tested using multiple slashes in the URL path, and those hit the CDN. URLs with /../ don't, but that's much less likely to happen accidentally.
https://downloads.openwrt.org/releases/ is served by the Fastly CDN:
[jbosboom@promenade ~]$ curl --head --follow 'https://downloads.openwrt.org/releases/'
HTTP/2 200
server: nginx
content-type: text/html
access-control-allow-origin: *
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT, X-CustomHeader, Keep-Alive, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Content-Range, Range
tmp-path:
accept-ranges: bytes
date: Sat, 20 Dec 2025 02:46:50 GMT
via: 1.1 varnish
age: 3235
x-served-by: cache-bur-kbur8200029-BUR
x-cache: HIT
x-cache-hits: 1
x-timer: S1766198810.216782,VS0,VE1
alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
content-length: 13907
but the same URL without a trailing slash redirects to mirror-03.infra.openwrt.org (note the location: header on the first response and the lack of CDN cache headers on the second):
[jbosboom@promenade ~]$ curl --head --follow 'https://downloads.openwrt.org/releases'
HTTP/2 301
server: nginx
content-type: text/html
location: https://mirror-03.infra.openwrt.org/releases/
access-control-allow-origin: *
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT, X-CustomHeader, Keep-Alive, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Content-Range, Range
tmp-path:
accept-ranges: bytes
age: 580
date: Sat, 20 Dec 2025 02:47:25 GMT
via: 1.1 varnish
x-served-by: cache-bur-kbur8200163-BUR
x-cache: HIT
x-cache-hits: 0
x-timer: S1766198846.844538,VS0,VE1
alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
content-length: 162
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 20 Dec 2025 02:47:26 GMT
Content-Type: text/html
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: DNT, X-CustomHeader, Keep-Alive, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Content-Range, Range
and downloading, e.g., the x86 image builder doesn't redirect back to the CDN:
[jbosboom@promenade ~]$ curl --head --follow 'https://mirror-03.infra.openwrt.org/releases/24.10.5/targets/x86/64/openwrt-imagebuilder-24.10.5-x86-64.Linux-x86_64.tar.zst'
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 20 Dec 2025 02:55:50 GMT
Content-Type: application/octet-stream
Content-Length: 35907642
Last-Modified: Fri, 19 Dec 2025 01:00:50 GMT
Connection: keep-alive
ETag: "6944a3c2-223e83a"
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: DNT, X-CustomHeader, Keep-Alive, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Content-Range, Range
Accept-Ranges: bytes
The behavior is the same in browsers (tested in Chromium and Firefox). The pages say "supported by Fastly CDN" in the lower-right, but they aren't being served from the CDN.