Serving Private Content: S3 Signed URL vs CloudFront Signed URL

I want to have a small website/page which will interact with a web service of mine. I want to restrict access to this page. This page being very small, I don't want to bother with having a separate server for this, so decided to use S3's static website hosting.

The basic idea would be to have a login.html page which will have a login form (take username and password), authenticate with the web service and after successful registration return a signed URL to the private page. This private page will then call the (AJAX/REST) web service for further interaction etc.

I stumbled upon CloudFront's serving private content feature by creating signed URLs or signed cookies. But later on, found that we can have signed S3 URLs also. (Both have URL expiry features.)

What are the differences b/w both (S3 signed URL vs CloudFront signed URL/cookies)?

The page/website would have very little traffic and speed/latency isn't our concern.

My question is: should I stick with CloudFront signed URLs feature or would just S3 suffice?

Also for CloudFront, if let's say I have to do a bugfix/patch in the page, then it doesn't get updated right away once you upload the file to S3. It takes at least 24 hours since it is cached by the edge servers. How do you deal with this?

Anything about this design that I should be aware of? Any security concerns/loopholes?

EDIT: The web service which I have is basically kind of serverless. It is a bunch of AWS Lambda functions and API Gateway in front of those Lambda functions.

I am not sure if this is what you are looking for but I will give it a shot.

I think you want Signed Cookies. The issue (from what I understand only using this method for the past few days) with Signed URLs is that once they are in the wild they keep working unless you set the expiry to a very short time. So in theory your user could log out and still use a signed URL to access your content.

If you use the cookie method you can have a call in your code to confirm the user is logged in and, if not, clear the cookies, and CloudFront will stop serving the content.

You will need to add another behaviour in your distribution to allow access to your signing page etc. (i.e. when not logged in).

The trick here is to NOT use signed URLs at all. If you do, CloudFront gives the URLs precedence over the cookies. So if you clear the cookies the signed URLs still work.

As for the cache settings you would need to look at fingerprinting (http://guides.rubyonrails.org/asset_pipeline.html#what-is-fingerprinting-and-why-should-i-care-questionmark for an example). Not sure how you could do this in your scenario but that would do the trick. Change the fingerprint and CloudFront thinks it is a new file and away you go.
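
The signed-cookie flow described in the answer above, sketched for a Node.js Lambda with only the built-in `crypto` module; this is an added example, not code from the original post. It builds a CloudFront custom policy, signs it with RSA-SHA1, and produces the `Set-Cookie` headers for login and for logout. The domain, key pair ID, path and 15-minute lifetime are constructed placeholders, and it assumes the login endpoint is served from the same domain as the distribution so that the browser sends the cookies to CloudFront.

```javascript
const crypto = require('node:crypto');

// CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
const cfBase64 = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/=/g, '_').replace(/\//g, '~');

// Custom policy: which resource pattern is allowed, and until when (epoch seconds).
function buildPolicy(resource, expiresEpoch) {
  return JSON.stringify({
    Statement: [{
      Resource: resource,
      Condition: { DateLessThan: { 'AWS:EpochTime': expiresEpoch } },
    }],
  });
}

// Returns the three Set-Cookie header values to send after a successful login.
function signedCookieHeaders(resource, expiresEpoch, keyPairId, privateKeyPem) {
  const policy = buildPolicy(resource, expiresEpoch);
  // RSA PKCS#1 v1.5 signature over the exact policy bytes, SHA-1 digest.
  const signature = crypto.sign('sha1', Buffer.from(policy), privateKeyPem);
  const attrs = '; Path=/; Secure; HttpOnly';
  return [
    `CloudFront-Policy=${cfBase64(Buffer.from(policy))}${attrs}`,
    `CloudFront-Signature=${cfBase64(signature)}${attrs}`,
    `CloudFront-Key-Pair-Id=${keyPairId}${attrs}`,
  ];
}

// Logout: overwrite each cookie with an empty, already-expired value.
function clearedCookieHeaders() {
  return ['CloudFront-Policy', 'CloudFront-Signature', 'CloudFront-Key-Pair-Id'].map(
    (name) => `${name}=; Path=/; Secure; HttpOnly; Expires=Thu, 01 Jan 1970 00:00:00 GMT`);
}

// Constructed demo values: throwaway key pair, placeholder domain and key pair ID.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
// Clearing cookies only affects this browser; the policy expiry bounds a copied value.
const expires = Math.floor(Date.now() / 1000) + 15 * 60;
const loginCookies = signedCookieHeaders(
  'https://cdn.example.com/private/*', expires, 'K_EXAMPLE_KEY_ID', privateKey);
console.log(loginCookies.join('\n'));
console.log(clearedCookieHeaders().join('\n'));
```

In a real deployment the private key would be loaded from a secret store rather than generated at start-up, with the matching public key registered with the distribution.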
