
How to restrict a Lambda function to respond only to specific origins?

I want to restrict my Lambda function (created with the Serverless Framework tool) to accept requests only from abc.com and def.com. It should reject all other requests. How can I do this? I tried setting access control origins like this:

cors: true
response:
  headers:
    Access-Control-Allow-Origin: "'beta.leafycode.com leafycode.com'"

and like this in the handler:

headers: {
  "Access-Control-Allow-Origin" : "beta.leafycode.com leafycode.com"
},

but nothing worked. Any idea why?

The issue with your code is that Access-Control-Allow-Origin doesn't accept multiple domains.

From this answer:

Sounds like the recommended way to do it is to have your server read the Origin header from the client, compare that to the list of domains you'd like to allow, and if it matches, echo the value of the Origin header back to the client as the Access-Control-Allow-Origin header in the response.

So, when writing support for the OPTIONS verb, which is the verb the browser uses to preflight a request and see if CORS is supported, you need to write your Lambda code to inspect the event object, read the client's origin, and dynamically set the corresponding Access-Control-Allow-Origin to that value.

In your question, you have used a CORS configuration for two different types: Lambda and Lambda-Proxy. I recommend that you use the second option, so you will be able to set the domain dynamically.

headers: {
  "Access-Control-Allow-Origin" : myDomainValue
},

See more about CORS configuration in the Serverless Framework here.
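The following is an added example of the approach the answer describes, written for a Lambda-Proxy integration; it is not code from the question, the answer, or the Serverless Framework. It assumes the API Gateway event shape (httpMethod plus a headers map) and uses https origins for the two hosts named in the question; the domain names, method list and header list are placeholders to adjust. The Origin header is compared by exact match against the allowlist and, when it matches, echoed back as Access-Control-Allow-Origin together with Vary: Origin; any other origin gets a 403 with no CORS headers at all.

```javascript
// Added example (not from the original question or answer): Lambda-Proxy
// handler that echoes the request Origin back only when it is on an allowlist.
// The origins below are assumed values based on the hosts in the question.
const ALLOWED_ORIGINS = new Set([
  "https://abc.com",
  "https://def.com",
]);

// API Gateway may deliver the header as "Origin" or "origin"; look it up
// case-insensitively so a lower-cased header is not treated as missing.
function getHeader(headers, name) {
  if (!headers) return undefined;
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Exact match on the full origin (scheme + host + optional port). A substring
// or startsWith check would accept "https://abc.com.evil.example" (constructed
// hostile value), so the Set lookup is deliberate.
function isAllowedOrigin(origin) {
  return typeof origin === "string" && ALLOWED_ORIGINS.has(origin);
}

// CORS headers for an allowed origin. "Vary: Origin" tells caches that the
// response body and headers differ per origin, since the allow value changes.
function corsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": "GET,POST,OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type,Authorization",
    "Vary": "Origin",
  };
}

// Synchronous core so it can be exercised without a Lambda runtime.
// Returns the full HTTP response object a Lambda-Proxy integration expects.
function buildResponse(event) {
  const origin = getHeader(event.headers, "Origin");

  if (!isAllowedOrigin(origin)) {
    // No Access-Control-Allow-Origin header at all: the browser refuses to
    // expose the response, and non-browser callers see a plain 403.
    return {
      statusCode: 403,
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ message: "Origin not allowed" }),
    };
  }

  if (event.httpMethod === "OPTIONS") {
    // Preflight: status and headers only, empty body.
    return { statusCode: 204, headers: corsHeaders(origin), body: "" };
  }

  return {
    statusCode: 200,
    headers: { ...corsHeaders(origin), "Content-Type": "application/json" },
    body: JSON.stringify({ message: "hello from lambda" }),
  };
}

// Lambda entry point; async so the runtime receives a Promise.
async function handler(event) {
  return buildResponse(event);
}

// CommonJS export for the Lambda runtime (guarded so the file also loads as ESM).
if (typeof module !== "undefined") {
  module.exports = { handler, buildResponse, isAllowedOrigin, getHeader, corsHeaders };
}
```

Two points worth keeping in mind when deploying this. First, the `cors: true` shortcut in serverless.yml must be removed for the function, otherwise API Gateway answers the OPTIONS preflight itself with a static header and the handler's dynamic value is never used. Second, the Origin header is a browser-enforced mechanism: a script, curl or any non-browser client can send whatever Origin it likes, so this check limits which web pages can read the API from a browser, not who can call the API. Anything that must actually be restricted still needs authentication, for example an API Gateway authorizer, in front of the function.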
