这是CDN的架构,用于调整图像大小并通过AWS CloudFront提供图像:
如果在S3存储桶中未找到图像,则会发出 307临时重定向(而不是404)来通过API网关访问Lambda。 Lambda调整图像大小(基于S3存储桶中的原始图像)并将其上传到S3存储桶中。浏览器再次使用新生成的图像永久重定向到S3存储桶。
当我想通过CloudFront访问同一图像时,我收到 403 Forbidden 错误。它来自S3或CloudFront。如状态所示,这可能与访问权限有关。
为什么将CloudFront添加到工作请求链中会导致403错误?
什么有效:
https://{bucket}.s3-website-{region}.amazonaws.com/100x100/image.jpg
HTTP/1.1 307 Temporary Redirect
x-amz-id-2: xxxx
x-amz-request-id: xxxx
Date: Sat, 19 Aug 2017 15:37:12 GMT
Location: https://{gateway}.execute-api.{region}.amazonaws.com/prod/resize?key=100x100/image.jpg
Content-Length: 0
Server: AmazonS3
https://{gateway}.execute-api.{region}.amazonaws.com/prod/resize?key=100x100/image.jpg
HTTP/1.1 301 Moved Permanently
Content-Type: application/json
Content-Length: 0
Connection: keep-alive
Date: Sat, 19 Aug 2017 15:37:16 GMT
x-amzn-RequestId: xxxx
location: http://{bucket}.s3-website-eu-west-1.amazonaws.com/100x100/image.jpg
X-Amzn-Trace-Id: xxxx
X-Cache: Miss from cloudfront
Via: 1.1 {distribution}.cloudfront.net (CloudFront)
X-Amz-Cf-Id: xxxx
http://{bucket}.s3-website-{region}.amazonaws.com/100x100/image.jpg
HTTP/1.1 200 OK
x-amz-id-2: xxxx
x-amz-request-id: xxxx
Date: Sat, 19 Aug 2017 15:37:18 GMT
Last-Modified: Sat, 19 Aug 2017 15:37:17 GMT
x-amz-version-id: null
ETag: xxxx
Content-Type: image/png
Content-Length: 20495
Server: AmazonS3
什么不起作用:
https://{distribution}.cloudfront.net/100x100/image.jpg
HTTP/1.1 403 Forbidden
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
Date: Sat, 19 Aug 2017 15:38:24 GMT
Server: AmazonS3
X-Cache: Error from cloudfront
Via: 1.1 {distribution}.cloudfront.net (CloudFront)
X-Amz-Cf-Id: xxxx
我已将S3存储桶作为源添加到CloudFront中
最佳答案
该错误是由于将REST端点(例如s3.amazonaws.com)用于类似网站的功能(重定向,html错误消息和索引文档)而引起的。这些功能仅由网站端点提供(例如bucketname.s3-website-us-east-1.amazonaws.com)。
http://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteEndpoints.html
这让我感到困惑,因为在创建CloudFront发行版时,REST端点是通过控制台中的自动完成功能提供的。必须手动输入正确的端点。