问题描述
在Amazon S3上,您可以按域限制对存储桶的访问。
On Amazon S3, you can restrict access to buckets by domain.
但是据我从一个有用的StackOverflow用户那里了解,您不能在CloudFront上执行此操作。但为什么?如果我是正确的,CloudFront仅允许基于时间的限制或IP限制(->所以我需要知道随机访问者的IP .. ??)还是我遗漏了什么?
But as far as I understand from a helpful StackOverflow user, you cannot do this on CloudFront. But why? If I am correct, CloudFront only allows time-based restrictions or IP restrictions (--> so I need to know the IP's of random visitors..?) Or am I missing something?
这里是S3文档的引文,表明可能对每个域进行限制:
Here is a quote from S3 documentation that suggests that per-domain restriction is possible:
--->允许从您的目录读取这些对象在网站上,您可以使用aws:referer键添加允许条件带有s3:GetObject权限的存储桶策略,该条件必须使get请求必须源自特定网页。
---> " To allow read access to these objects from your website, you can add a bucket policy that allows s3:GetObject permission with a condition, using the aws:referer key, that the get request must originate from specific webpages. "
->有没有办法使这种方法也可以在CloudFront上工作?还是为什么在CloudFront上不提供这样的服务?
--> Is there a way to make this method work on CloudFront as well? Or why something like this is not available on CloudFront?
->是否有类似的服务可能且更容易设置?
--> Is there a similar service where this is possible, easier to setup?
推荐答案
结合使用CloudFront和WAF(Web应用程序防火墙),您可以基于IP地址,引荐来源网址或域来限制请求。
Using CloudFront along with WAF (Web Application Firewall), you can restrict requests based on IP address, referrers, or domains.
这是有关限制热链接的AWS博客教程。
Here is a AWS blog tutorial on restricting "hotlinking".
在此示例中,它禁止请求 Referrer:
标头与特定域不匹配的请求。
In this example, it prohibits requests where the Referrer:
header does not match a specific domain.
这篇关于Amazon CloudFront与S3->限制域访问?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!