![](/img/trans.png)
[英]AWS CloudFront Returns Access Denied from S3 Origin with Query String
[英]Cloudfront - item in query string triggers 403 Forbidden from S3 origin on the same resource
我一直在調試 Cloudfront 的一個問題,其中特別在我的請求 URL 的查詢字符串中包含術語“通知”從 S3 返回 403。 以下兩個示例展示了這種行為:
https://my.website.com/app/home?notification=THING - 403 Forbidden
由 S3 返回
https://my.website.com/app/home?notificatio=THING - 304 Not Modified
,我可以毫無問題地訪問資源
在我的測試范圍內,查詢字符串中明確不包含字符串“通知”的任何內容都有效。 只是這個詞特別有問題。
需要注意的一些事項...
origin-request
, origin-response
和viewer-response
事件; 此 function 在轉發到源之前將/index.html
附加到請求 URI。據我了解,S3 不關注轉發的查詢字符串,但是從上面兩個示例中提取請求/響應數據清楚地顯示了行為上的差異,盡管唯一的變量是查詢字符串的內容(我可以告訴反正!)
請求失敗:
{
"config": {
"distributionDomainName": "<redacted>.cloudfront.net",
"distributionId": "<redacted>",
"eventType": "origin-response",
"requestId": "<redacted>"
},
"request": {
"clientIp": "<redacted>",
"headers": {
"x-forwarded-for": [
{
"key": "X-Forwarded-For",
"value": "<redacted>"
}
],
"user-agent": [
{
"key": "User-Agent",
"value": "Amazon CloudFront"
}
],
"via": [
{
"key": "Via",
"value": "1.1 <redacted>.cloudfront.net (CloudFront)"
}
],
"host": [
{
"key": "Host",
"value": "<redacted>.s3.eu-west-1.amazonaws.com"
}
]
},
"method": "GET",
"origin": {
"s3": {
"authMethod": "origin-access-identity",
"customHeaders": {},
"domainName": "<redacted>.s3.eu-west-1.amazonaws.com",
"path": "",
"region": "eu-west-1"
}
},
"querystring": "notification=THING",
"uri": "/app/home/index.html"
},
"response": {
"headers": {
"x-amz-request-id": [
{
"key": "x-amz-request-id",
"value": "<redacted>"
}
],
"x-amz-id-2": [
{
"key": "x-amz-id-2",
"value": "<redacted>"
}
],
"date": [
{
"key": "Date",
"value": "Tue, 15 Dec 2020 17:15:11 GMT"
}
],
"server": [
{
"key": "Server",
"value": "AmazonS3"
}
],
"content-type": [
{
"key": "Content-Type",
"value": "application/xml"
}
],
"transfer-encoding": [
{
"key": "Transfer-Encoding",
"value": "chunked"
}
]
},
"status": "403",
"statusDescription": "Forbidden"
}
}
在職的:
{
"config": {
"distributionDomainName": "<redacted>.cloudfront.net",
"distributionId": "<redacted>",
"eventType": "origin-response",
"requestId": "<redacted>"
},
"request": {
"clientIp": "<redacted>",
"headers": {
"if-modified-since": [
{
"key": "If-Modified-Since",
"value": "<redacted>"
}
],
"if-none-match": [
{
"key": "If-None-Match",
"value": "<redacted>"
}
],
"x-forwarded-for": [
{
"key": "X-Forwarded-For",
"value": "<redacted>"
}
],
"user-agent": [
{
"key": "User-Agent",
"value": "Amazon CloudFront"
}
],
"via": [
{
"key": "Via",
"value": "1.1 <redacted>.cloudfront.net (CloudFront)"
}
],
"host": [
{
"key": "Host",
"value": "<redacted>.s3.eu-west-1.amazonaws.com"
}
]
},
"method": "GET",
"origin": {
"s3": {
"authMethod": "origin-access-identity",
"customHeaders": {},
"domainName": "<redacted>.s3.eu-west-1.amazonaws.com",
"path": "",
"region": "eu-west-1"
}
},
"querystring": "notificatio=THING",
"uri": "/app/home/index.html"
},
"response": {
"headers": {
"x-amz-id-2": [
{
"key": "x-amz-id-2",
"value": "<redacted>"
}
],
"x-amz-request-id": [
{
"key": "x-amz-request-id",
"value": "<redacted>"
}
],
"date": [
{
"key": "Date",
"value": "Tue, 15 Dec 2020 17:17:29 GMT"
}
],
"last-modified": [
{
"key": "Last-Modified",
"value": "Thu, 03 Dec 2020 09:14:18 GMT"
}
],
"etag": [
{
"key": "ETag",
"value": "<redacted>"
}
],
"cache-control": [
{
"key": "Cache-Control",
"value": "no-cache"
}
],
"server": [
{
"key": "Server",
"value": "AmazonS3"
}
]
},
"status": "304",
"statusDescription": "Not Modified"
}
}
恢復這個是因為我發現用谷歌搜索這個問題非常困難。 首先,我將其縮小到 S3 方面的問題。 我的查詢字符串中的“位置”也有類似的問題。 顯然這兩個都被 S3 API 解釋: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingBucket.html#bucket-config-options-intro
我聯系了支持人員,看看是否有辦法解決這個問題,我得到了這個:
“我能夠使用您提供的請求 ID 中的日志來確認這些查詢字符串被解釋為 API 調用。https://xxxx.s3.eu-west-1.amazonaws.com/index.ZFC35FDC?8A8222C70D5FC69D2698測試被解釋為 GetBucketLocation API 操作。通知查詢字符串將被解釋為 GetBucketNotificationConfiguration 操作。在這種情況下,您將無法使用這些查詢字符串參數,例如“位置”。在咨詢了一些同事后問題,我可以確認這是按設計設計的,無法更改。這里的建議是將查詢字符串更改為“loc”之類的內容,這樣您就不會向 S3 發送無意的 API 操作。”
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.