Preventing hotlinking of Amazon S3 files?

2023-09-11 08:56:14 Author: 安尐静


I'd like to allow anyone to play a video located in my S3 bucket on my site as the src of a <video> tag, but not allow people to use it as a src on their site or to play the video directly by typing the URL into the browser bar.

I don't want people to do this:

and I don't want the following HTML to appear on http://your-site.com, only on http://my-site.com:

<html>
    <video src="https://s3.amazonaws.com/my-bucket/my-video.mp4"></video>
</html>


I've seen some SO links on this, but I wanted to talk in code since I haven't been able to make those solutions work for me.


Here's my bucket policy that is currently NOT working:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "https://my-site.com/*"
                    ]
                }
            }
        }
    ]
}

Two questions:

1. To test my bucket policy, I put the above HTML in a test file on my localhost and, sure enough, I can access the video by typing http://localhost/test.html. Why isn't my bucket policy preventing this? (I'd only want it to work from http://my-site.com/test.html.)

2. To prevent people from inputting the S3 URL into the browser bar, I was thinking I need a separate solution from the bucket policy, since it's not clear to me from the AWS documentation how to prevent direct access via the browser. I was thinking of hashing the URL to make it hard to guess. Perhaps there are ways using the AWS bucket policy or other solutions, though?


To be more clear, my files are stored on S3 but they are delivered by Amazon CloudFront. So my CloudFront URL src is currently media.my-site.com/my-video.mp4, the CNAME being media.my-site.com.
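To see which requests the Condition block in the policy above actually lets through, here is an added example (not code from the question, and not an AWS library) that models the IAM StringLike operator in Python and evaluates the policy's aws:Referer pattern against a set of constructed request headers, one per scenario in the question. The Referer values are constructed for illustration.

```python
"""Model how S3 evaluates the question's bucket-policy Condition.

The statement allows s3:GetObject only when the request's Referer header
matches "https://my-site.com/*" under the IAM StringLike operator.
StringLike is a case-sensitive glob: "*" matches any run of characters
and "?" matches exactly one. A request with no Referer header at all does
not satisfy StringLike (only the ...IfExists variant or a Null condition
would let such a request through).
"""
import re

# Copied from the question's policy.
POLICY_REFERER_PATTERNS = ["https://my-site.com/*"]


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' and '?' globbing, case-sensitive, anchored to the whole value."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def get_object_allowed(request_headers: dict) -> bool:
    """True if the Allow statement's Condition block is satisfied for these headers.

    Header lookup is case-insensitive because browsers send 'Referer' while
    some tools lower-case header names.
    """
    referer = next((v for k, v in request_headers.items() if k.lower() == "referer"), None)
    if referer is None:
        # Key absent -> StringLike evaluates to false -> this Allow grants nothing.
        return False
    return any(string_like(p, referer) for p in POLICY_REFERER_PATTERNS)


# Constructed sample requests, one per scenario discussed in the question.
SAMPLE_REQUESTS = {
    # the question's localhost test page
    "localhost page": {"Referer": "http://localhost/test.html"},
    # the page on the real site, but served over plain http as in the question's HTML
    "http my-site": {"Referer": "http://my-site.com/test.html"},
    # the same page over https: the only browser case the pattern matches
    "https my-site": {"Referer": "https://my-site.com/test.html"},
    # Referer is client-controlled; curl -H 'Referer: ...' can send anything
    "spoofed": {"Referer": "https://my-site.com/"},
    # URL typed straight into the address bar: no Referer header at all
    "address bar": {},
    # a look-alike host that a looser pattern such as "*my-site.com*" would also pass
    "look-alike": {"Referer": "https://my-site.com.evil.example/x"},
}


def evaluate_all() -> dict:
    """Evaluate every sample request; returns {scenario: allowed?}."""
    return {name: get_object_allowed(h) for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_all().items():
        print(f"{name:14s} -> {'ALLOW' if allowed else 'DENY'}")
```

Two things the run makes visible: the pattern is matched against the whole Referer URL, so a page served from http://my-site.com does not satisfy a pattern that begins with https://, and a request with no Referer at all (the address-bar case) fails StringLike outright. Keep in mind what the model does not cover: the statement is an Allow, and an Allow whose condition is unmet merely grants nothing; it does not deny a request that is permitted by some other path, such as a public object ACL. And because the Referer header is set by the client, anyone can send a matching value with curl, so a referer condition is a deterrent, not access control.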

Accepted answer


Given that CloudFront currently does not let you directly restrict access (to the best of my understanding), I would do something like:

<video src="/media.php?v=my-video.mp4"></video>

Then your media.php would look something like:

// Referer carries a full URL (e.g. https://my-site.com/page.html), so compare its host, not the raw header
$referer = $_SERVER['HTTP_REFERER'] ?? '';
$host = parse_url($referer, PHP_URL_HOST);
if ($referer !== '' && $host !== 'my-site.com')
{
  header('HTTP/1.1 403 Hot Linking Not Permitted');   // 403 (refused), not 503 (temporarily unavailable)
  // display some message / image / video
  exit;
}

// accept only a plain file name, so ?v=../x or ?v=//evil.example cannot steer the redirect
$video = basename($_GET['v'] ?? '');
if ($video === '' || !preg_match('/^[A-Za-z0-9_.-]+\.mp4$/', $video)) {
  header('HTTP/1.1 404 Not Found');
  exit;
}

# this base url changes from time to time
$url = 'http://cdn.my-site.com';

header("Location: $url/$video");


To make it less obvious, you may want to set up a rewrite to route /media/my-video.mp4 into the file. That way, it doesn't look like there is an intermediate PHP script.


Exactly how you do the referrer check depends on the level of security you want. Some people disable referrers, so you may want to allow empty ones. Or you could even check to see if a session variable or cookie exists, etc.


Of course, the end user will be able to sniff out the real URL. This is why you may want to change your CNAME from time to time.


This solution is hopefully good enough to discourage people from abusing your site, but is by no means perfect.
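As an added example (Python rather than the answer's PHP, and not code from the answer), here is the gateway decision behind /media.php?v=... written as a pure function, so the three variants the answer mentions (strict referer, referer-or-empty, session cookie) can be exercised without a web server. The allowed host list, the cookie name and the file-name rule are assumptions; the CDN base URL is the one in the answer.

```python
"""Decision logic for a referer-gated media redirector.

decide() takes the request headers, cookies and the requested file name and
returns what the script should answer: a 302 to the CDN, a 403, or a 404.
Keeping it a pure function makes each policy variant testable in isolation.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_REFERER_HOSTS = {"my-site.com", "www.my-site.com"}   # assumed
CDN_BASE = "http://cdn.my-site.com"                           # from the answer
SESSION_COOKIE = "mysite_session"                              # assumed cookie name
# Only a plain media file name: rules out ../, nested paths and //evil.example.
VIDEO_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*\.(mp4|webm)$")


@dataclass
class Decision:
    status: int
    location: Optional[str] = None   # set on 302
    reason: str = ""


def referer_host(headers: dict) -> Optional[str]:
    """Hostname from the Referer header; None when absent, empty or unparseable."""
    ref = headers.get("Referer", "").strip()
    if not ref:
        return None
    return (urlsplit(ref).hostname or "").lower() or None


def decide(headers: dict, cookies: dict, video: str,
           allow_empty_referer: bool = False,
           require_session: bool = False) -> Decision:
    # 1. Validate the object name first: never echo raw user input into Location.
    if not VIDEO_NAME.fullmatch(video or ""):
        return Decision(404, reason="bad video name")

    target = f"{CDN_BASE}/{video}"

    # 2. Session cookie is the strongest of the three checks and ignores Referer entirely.
    if require_session:
        if SESSION_COOKIE not in cookies:
            return Decision(403, reason="no session")
        return Decision(302, target, "session ok")

    # 3. Referer check, with the option to tolerate browsers that strip it.
    host = referer_host(headers)
    if host is None:
        if allow_empty_referer:
            return Decision(302, target, "empty referer allowed")
        return Decision(403, reason="missing referer")
    if host not in ALLOWED_REFERER_HOSTS:
        return Decision(403, reason=f"foreign referer {host}")
    return Decision(302, target, "referer ok")


if __name__ == "__main__":
    # Constructed requests for a quick look at each branch.
    own_page = {"Referer": "https://www.my-site.com/watch.html"}
    print(decide(own_page, {}, "my-video.mp4"))
    print(decide({"Referer": "https://your-site.com/"}, {}, "my-video.mp4"))
    print(decide({}, {}, "my-video.mp4", allow_empty_referer=True))
    print(decide(own_page, {}, "//evil.example/x.mp4"))
```

Whatever variant is chosen, validate the v parameter before it reaches the Location header: a value such as //evil.example/x.mp4 would otherwise turn the redirector into an open redirect, and ../ would point it at other objects. The 302 still discloses the CDN URL to the browser, which is the limitation the answer already notes.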