stackoom
  简体   繁体   中英

Access Denied (403) from AWS Cloudfront Signed Cookie on Rails backed app

 原文  2015-06-24 03:44:40       ruby-on-rails/ amazon-web-services/ amazon-s3/ amazon-cloudfront/ amazon-signed-cookie

Question

I tried whole day for this, but I couldn't...

A. I made a model for creating signed cookie. I got help from : spacevatican.org 

def cookie_data(resource, expiry)
  raw_policy = policy(resource, expiry)
  {
    'CloudFront-Expires' => expiry.utc.to_i,
    'CloudFront-Signature' => sign(raw_policy),
    'CloudFront-Key-Pair-Id' => ENV['CLOUDFRONT_KEY_PAIR_ID']
  }
end

private

def policy(url, expiry)
  {
     "Statement"=> [
        {
           "Resource" => url,
           "Condition"=>{
              "DateLessThan" =>{"AWS:EpochTime"=> expiry.utc.to_i}
           }
        }
     ]
  }.to_json.gsub(/\s+/,'')
end

def safe_base64(data)
  Base64.strict_encode64(data).tr('+=/', '-_~')
end

def sign(data)
  digest = OpenSSL::Digest::SHA1.new
  key    = OpenSSL::PKey::RSA.new ENV['CLOUDFRONT_PRIVATE_KEY']
  result = key.sign digest, data
  safe_base64(result)
end

B. Call cookie_data with 'resource' and 'expiry'. I got help from randalv for proper resource. 

base_domain = '.myapp.com' # sample name
cookie_domain: '.myapp.com'

cookie_data("http://#{URI.parse(base_domain).host}/*", 1.hour.from_now).each do |name, value|
  cookies[name] = { value: value, domain: cookie_domain }
end

C. From A & B, Three validation of Cloudfront are passed - 1. Three cookies existing validation, and 2. Expiry existing validation, 3. Decoding avalible validation. I know these three validation because of error message on invalid request. But after all, I am always faved with same message - Access Denied.

There are some suspects.

  1. My CNAME of Cloudfront is 'img.myapp.com' (sample), But My testing domain is 'http://dev.myapp.com/#/home' , and this is my local developing server(I changed localhost name).
    So I tried with many combinations of (base_domain, cookie_domain) : (img.myapp.com, .myapp.com), (.myapp.com, .myapp.com), (dev.myapp.com, .myapp.com).
    But All Denied.

  2. My Cloudfront & S3 Settings are same with those on randalv . But I mind two things. 'Restrict Bucket Access' is 'NO' on origin settings of cloudfront. And I do not create CORS configuration on S3.

1 answers

solution1
 3 ACCPTED  2015-06-24 08:36:02

I solved myself. I had three defects, and now it works well after correcting them.

First , I changed expires to policy. 

'CloudFront-Expires' => expiry.utc.to_i,

to 

'CloudFront-Policy' => safe_base64(raw_policy),

Actually, I had used policy(custom) instead of expires(canned). During my trying, I had changed. But I don't know why expires version doesn't work.

Second , My base_domain is 'img.myapp.com' and cookie_domain is '.myapp.com'.

Third , Do not input bucket name on your final url. Very trivial mistake, but important.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Decode a signed cookie in rails? Heroku Rails 4 App Assets not loaded over AWS Cloudfront Signed AWS Cloudfront URLs for the asset pipeline Access denied to mysql database as root in rails app AWS s3 access PRIVATE bucket url from rails app Ruby on Rails app can't query AWS - error 403 forbidden Rails: AWS S3 Access denied error with Paperclip upload Rails 4 App - Heroku / Cloudfront - Assets not serving from origin properly Invalidate Cloudfront Cache in Rails app css is not cached in cloudfront for rails app?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM