AWS CloudFront访问控制允许来源和签名Cookie /网址
[英]AWS CloudFront Access-Control-Allow-Origin and Signed Cookie/Urls
问题描述
I'm stuck with a CORS at S3+Cloudfront+Signed Urls. 
我在S3 + Cloudfront + Signed Urls遇到了CORS。
My use cases is: 我的用例是:
First story (successful): 第一个故事(成功):
I have an Amazon S3 bucket with a Cloudfront.
我有一个带Cloudfront的Amazon S3存储桶。 Files are accessible by the DOMAIN1/filelink可以通过DOMAIN1/file链接访问DOMAIN1/fileI write a simple test JS script to get file from DOMAIN1 and put it at the
DOMAIN2/test.html我编写了一个简单的测试JS脚本来从DOMAIN1中获取文件,并将其放在DOMAIN2/test.html- I'm able to get file successfully. 我能够成功获取文件。 CORS is fine . CORS很好 。
Second case (successful too): 第二种情况(也成功):
- I restrict Cloud Front distribution by using Signed Url. 我通过使用签名网址来限制Cloud Front分发。
- At first I tried is to access a file at DOMAIN1 without Signature. 最初,我尝试的是访问DOMAIN1上没有签名的文件。 Got an Access denied. 得到了拒绝访问。 It's ok, since request is not signed. 没关系,因为请求未签名。
- I've created a signed URL and able to download the file successfully. 我已经创建了一个签名的URL,并且能够成功下载文件。
Third case (failed) 第三种情况(失败)
- I put signed url (from 2nd case) to the
DOMAIN2/test.htmltest script我将签名的URL(从DOMAIN2/test.html情况开始)放到DOMAIN2/test.html测试脚本中 - And always got a
No 'Access-Control-Allow-Origin' headererror.并始终No 'Access-Control-Allow-Origin' header错误。
So Cloudfront is not sending a header in case of restricted distribution. 因此,在分配受限的情况下,Cloudfront不会发送标头。
CORS xml is: CORS xml是:
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>http://*</AllowedOrigin>
<AllowedOrigin>https://*</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>HEAD</AllowedMethod>
<MaxAgeSeconds>10</MaxAgeSeconds>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
It must be some issue in the CloudFront/S3/IAM settings. CloudFront / S3 / IAM设置中一定有问题。 How I can fix it? 我该如何解决?
2 个解决方案
解决方案1
0 2016-02-23 05:31:29
Seems like a solution was to setup a correct access rights to the S3 bucket. 似乎一种解决方案是为S3存储桶设置正确的访问权限。 Instead the "Everyone" access, need an "Any AWS authenticated user" or "Cloudfront appropriate user". 取而代之的是“所有人”访问,需要“任何经AWS身份验证的用户”或“适合Cloudfront的用户”。
解决方案2
0 2017-06-19 18:02:49
I went to Cloudfront Distributions -> MYPRIVATECLOUDFRONTID -> Behaviors and added the Following: 我去了Cloudfront Distributions -> MYPRIVATECLOUDFRONTID -> Behaviors并添加了以下内容:
Path Pattern = path/to/my/file.ext
Forward Headers = Whitelist
And added to Whitelist Header: Origin 并添加到Whitelist Header: Origin
Don't forget to uncheck the option Restrict Viewer Access (Use Signed URLs or Signed Cookies) - for me, it was marked to not restrict even though I have marked the whole cache to be restricted. 不要忘记取消选中“ Restrict Viewer Access (Use Signed URLs or Signed Cookies) -对我来说,即使我已将整个缓存标记为受限,它也被标记为不受限。
My next step is to automatically set this whitelist on demand. 我的下一步是根据需要自动设置此白名单。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.