[英]How do I restrict access of my S3 web site to specific domains or IP addresses?
I have a static web site hosted in an S3 bucket.我有一个托管在 S3 存储桶中的 static web 站点。 With an SSL certificate on AWS, let's say the site is
https://myawssite.com/somefolder/
.在 AWS 上使用 SSL 证书,假设该站点是
https://myawssite.com/somefolder/
。 On some other page, say http://containerpage.com
, I have an iframe in which I put在其他页面上,比如说
http://containerpage.com
,我有一个 iframe 我把
<iframe src="https://myawssite.com/somefolder?url=/content/x83822" frameborder="0" allowfullscreen></iframe>
I want to allow the content to show only when the reference to myawssite.com
is on http://containerpage.com
, but I don't want to allow the viewing of the content if anyone just puts https://myawssite.com/somefolder?url=/content/x8382
into a browser, or puts the iframe into their own web page (on a web site not at myawssite.com
). I want to allow the content to show only when the reference to
myawssite.com
is on http://containerpage.com
, but I don't want to allow the viewing of the content if anyone just puts https://myawssite.com/somefolder?url=/content/x8382
into a browser, or puts the iframe into their own web page (on a web site not at myawssite.com
).
Assuming containerpage.com
is at IP address 5.33.253.12, I thought I could do it with an s3 bucket policy like this:假设
containerpage.com
位于 IP 地址 5.33.253.12,我想我可以使用这样的 s3 存储桶策略来做到这一点:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject*",
"Resource": "arn:aws:s3:::mybucketname/*",
"Condition": {
"StringEquals": {
"aws:SourceIp": "5.33.253.12/32"
}
}
}
]
}
This is not working.这是行不通的。 Ideally I would like to specify the permitted domain (
containerpage.com
), instead of the IP address, but I can't even get the IP address to work.理想情况下,我想指定允许的域(
containerpage.com
),而不是 IP 地址,但我什至无法让 IP 地址工作。
Can anyone spot what I am doing wrong, or if the whole approach is not correct?谁能发现我做错了什么,或者整个方法不正确?
Thanks in advance for any suggestions!在此先感谢您的任何建议!
You are giving the ip address which will refer to http://containerpage.com/*
.您正在提供 ip 地址,该地址将引用
http://containerpage.com/*
。
and as @marcin commented you should use aws:refer
.正如@marcin 评论的那样,您应该使用
aws:refer
。
policy should be this like:政策应该是这样的:
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject*",
"Resource": "arn:aws:s3:::mybucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": "http://containerpage.com"
}
}
}
]
}
Restricting access based upon Referer is not secure.基于Referer限制访问是不安全的。 It can be easily circumvented.
它很容易被规避。 A simple web search reveals many methods to fake the
referer
field.一个简单的 web 搜索揭示了许多伪造
referer
字段的方法。
For a more secure method, see this StackOverflow answer: My S3 Bucket Policy only applies to some Objects有关更安全的方法,请参阅此 StackOverflow 答案:我的 S3 存储桶策略仅适用于某些对象
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.