如何为 IP 地址设置 Amazon S3 策略
[英]How to setup Amazon S3 policy for ip address
问题描述
I am using an S3-compatible storage (digital ocean spaces) to host images from my web application.
我正在使用与 S3 兼容的存储(数字海洋空间)来托管来自我的 Web 应用程序的图像。 To prevent hotlinking and minimize direct downloads I applied this policy:为了防止盗链并最大限度地减少直接下载,我应用了此策略:
{
"Id": ip referer policy example",
"Statement": [
{
"Sid": "Allow get requests originating from my server.",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "server-ip-address"
}
}
}
]
}
The trick seemed to work and I am now unable to access the files directly, however, neither can my web application.这个技巧似乎奏效了,我现在无法直接访问文件,但是,我的 Web 应用程序也不能。 Have I done something wrong?我做错了什么吗?
Is there a way to debug a referrer or something?有没有办法调试引用者或其他东西?
1 个解决方案
解决方案1
0 2021-06-29 10:27:43
Content is private by default.默认情况下,内容是私有的。 Your policy is not granting any access via an Allow statement, so the content is not accessible.您的策略未通过Allow语句授予任何访问权限,因此内容不可访问。 The Deny can be used to remove permissions granted by an Allow , but does not itself grant access. Deny可用于删除Allow授予的权限,但本身并不授予访问权限。
You could change it into an Allow policy, and change NotIpAddress into IpAddress .您可以将其更改为Allow策略,并将NotIpAddress更改为IpAddress 。 This would grant access to your server to download content.这将授予访问您的服务器以下载内容的权限。 However, it would be better to use an S3-style API call to download content from your own bucket rather than using an anonymous HTTP request.但是,最好使用 S3 样式的 API 调用从您自己的存储桶下载内容,而不是使用匿名 HTTP 请求。
If you are putting a link to the object in an HTML page, then the policy will provide the security that you expect because the user's browser will attempt to access the object and it will be denied access since the request is not originating from your server's IP address.如果您在 HTML 页面中放置指向该对象的链接,则该策略将提供您期望的安全性,因为用户的浏览器将尝试访问该对象,并且该对象将被拒绝访问,因为该请求不是来自您服务器的 IP地址。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.