Configure AWS CloudFront for serving signed URLs from an S3 bucket

I have a folder named private in my S3 bucket, and the contents of that folder are only accessed by authorised users (i.e. public read access is disabled).

So I am generating signed URLs for accessing one of the objects in that folder, and it works fine.

Here is the signed URL format:

s3-<region>.amazonaws.com/<folder>/<imagename>??X-Amz-Content-Sha256=.......

I have also created a CloudFront distribution for the above S3 bucket for better performance. Here is the CloudFront URL: xxxxjjjj.cloudfront.net

So how can I serve my signed URL with this CloudFront distribution?

When I try with this URL:

xxxxjjjj.cloudfront.net/<folder>/<imagename>??X-Amz-Content-Sha256=.......

I get an access denied error. I think this is not the right way to deliver the S3 signed URL content with a CloudFront distribution.

Using the PHP Laravel framework.

Signed URLs for CloudFront use a different format and different credentials than signed URLs for S3.

Read Serving Private Content through CloudFront.

There is a laravel-url-signer on GitHub, or you can write your own code from this example in the CloudFront docs.

For testing your CloudFront and S3 settings, you can use aws cloudfront sign ... in aws-cli to generate a test signed URL.

There is an example of what you are asking, using the PHP SDK, at this link: https://docs.aws.amazon.com/aws-sdk-php/v3/guide/service/cloudfront-signed-url.html

And here's the equivalent code in Laravel (5.3) using a custom policy:

// at the top of the class file
use Aws\CloudFront\CloudFrontClient;

public static function signedUrl($resourceKey) {
    //$resourceKey = 'videos/example.mp4'
    $baseUrl = 'https://xxxxjjjj.cloudfront.net';
    // The policy Resource has to be the full CloudFront URL, not the bare object key
    $fullUrl = $baseUrl . '/' . $resourceKey;
    // The URL stops working 5 minutes from now
    $expires = time() + 300;
    $customSigningPolicy = <<<POLICY
{
    "Statement": [
        {
            "Resource": "{$fullUrl}",
            "Condition": {
                "DateLessThan": {"AWS:EpochTime": {$expires}}
            }
        }
    ]
}
POLICY;

    // CloudFront Signed Urls (client created through the aws-sdk-php-laravel facade)
    /** @var CloudFrontClient $cloudFront */
    $cloudFront = \AWS::createClient('CloudFront');
    // Signs the policy with the CloudFront key pair's private key and appends
    // Policy, Signature and Key-Pair-Id to the URL
    $url = $cloudFront->getSignedUrl([
        'url' => $fullUrl,
        'policy' =>  $customSigningPolicy,
        'key_pair_id' => 'YOUR_KEY_PAIR_ID',
        'private_key' => '/path/to/your/cloudfront-private-key.pem'
    ]);

    return $url;
}

PS: I found a mistake in the AWS example, since they used $resourceKey as the Resource value in the policy, which is not working; what worked for me is to use the full URL of the file.

Their code:

$resourceKey = 'videos/example.mp4';
$customPolicy = <<<POLICY
{
    "Statement": [
        {
            "Resource": "{$resourceKey}",
            "Condition": {
                "IpAddress": {"AWS:SourceIp": "{$_SERVER['REMOTE_ADDR']}/32"},
                "DateLessThan": {"AWS:EpochTime": {$expires}}
            }
        }
    ]
}
POLICY;

What worked:

$baseUrl = 'https://xxxxjjjj.cloudfront.net';
$expires = time() + 300;
$resourceKey = 'videos/example.mp4'; // or $resourceKey = 'videos/*'; or $resourceKey = '*';
// Resource is the full CloudFront URL (wildcards are allowed in the path)
$fullUrl = $baseUrl . '/' . $resourceKey;
$customPolicy = <<<POLICY
{
    "Statement": [
        {
            "Resource": "{$fullUrl}",
            "Condition": {
                "IpAddress": {"AWS:SourceIp": "{$_SERVER['REMOTE_ADDR']}/32"},
                "DateLessThan": {"AWS:EpochTime": {$expires}}
            }
        }
    ]
}
POLICY;
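
As an added example that is not part of either answer above: the custom-policy signing that aws cloudfront sign (first answer) and the PHP SDK's getSignedUrl() (second answer) perform, done by hand with openssl, so the difference from an S3 presigned URL is visible. A CloudFront signed URL carries Policy, Signature and Key-Pair-Id query parameters instead of X-Amz-* parameters, the signature is RSA-SHA1 over the exact policy bytes, and both values use CloudFront's own base64 alphabet. The hostname xxxxjjjj.cloudfront.net is taken from the question; the key pair ID, key file paths and object path are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example (not from the original post): manual CloudFront signed URL
# construction with openssl. Placeholders: the private key path, the key pair ID
# and the object path are assumptions you must substitute.
set -e

# CloudFront's URL-safe base64: standard base64 with '+' -> '-', '=' -> '_', '/' -> '~'
cf_b64() {
    openssl base64 -A | tr '=/+' '_~-'
}

# Inverse of cf_b64, used to inspect or verify a URL you were handed
cf_b64_decode() {
    tr -d '\n' | tr '_~-' '=/+' | openssl base64 -d -A
}

# Minified custom policy. $1 = full resource URL (may contain a wildcard),
# $2 = expiry as epoch seconds. The Resource must be the complete CloudFront
# URL of the object, not the bare S3 key.
make_policy() {
    printf '{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%s}}}]}' "$1" "$2"
}

# $1 = full URL, $2 = expiry epoch, $3 = CloudFront private key (PEM), $4 = key pair ID
sign_url() {
    policy=$(make_policy "$1" "$2")
    encoded_policy=$(printf '%s' "$policy" | cf_b64)
    # CloudFront verifies an RSA PKCS#1 v1.5 signature with SHA-1 over the policy bytes
    signature=$(printf '%s' "$policy" | openssl dgst -sha1 -sign "$3" -binary | cf_b64)
    printf '%s?Policy=%s&Signature=%s&Key-Pair-Id=%s\n' "$1" "$encoded_policy" "$signature" "$4"
}

# Print the value of query parameter $2 from URL $1
query_param() {
    printf '%s' "$1" | tr '?&' '\n\n' | sed -n "s/^$2=//p"
}

# Offline check of a signed URL with the matching public key.
# $1 = signed URL, $2 = public key (PEM). Returns 0 only if the policy names
# the requested URL and the signature over the policy verifies.
verify_url() {
    base=${1%%\?*}
    workdir=$(mktemp -d)
    query_param "$1" Policy | cf_b64_decode > "$workdir/policy.json"
    query_param "$1" Signature | cf_b64_decode > "$workdir/sig.bin"
    if grep -qF "\"Resource\":\"$base\"" "$workdir/policy.json" &&
       openssl dgst -sha1 -verify "$2" -signature "$workdir/sig.bin" \
           "$workdir/policy.json" > /dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$workdir"
    return $rc
}

# Usage (placeholders):
#   sign_url "https://xxxxjjjj.cloudfront.net/private/image.jpg" \
#            "$(( $(date +%s) + 300 ))" /path/to/cloudfront-private-key.pem APKAEXAMPLE
```

sign_url prints the URL; verify_url checks one offline against the public key, which is useful for comparing what your Laravel code emits with what the CLI emits. Two things the signature alone does not enforce: the distribution must be configured to require signed URLs (a trusted key group or trusted signer holding this key pair), and the S3 bucket should be readable only through the distribution's origin access identity; otherwise the object stays reachable through its direct S3 URL whatever this signature says.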

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you reproduce them, please cite this site or the original source.

© 2020-2024 STACKOOM.COM