How do I prevent hotlinking on Amazon S3 without using signed URLs?

误落风尘 2020-12-24 02:36

Is there any way I can prevent hotlinking on Amazon S3 without using signed URLs?

7 answers
  • 2020-12-24 03:13

    By setting up the right S3 bucket policy, you can add a referral policy to prevent hotlinking.

    http://s3browser.com/working-with-amazon-s3-bucket-policies.php

  • 2020-12-24 03:14

    Not really. You could run an EC2 instance and proxy through that.

  • 2020-12-24 03:19

    It's in their official docs

    Change examplebucket to your bucket name, and example.com to your domain.

    {
      "Version":"2012-10-17",
      "Id":"http referer policy example",
      "Statement":[
        {
          "Sid":"Allow get requests originating from www.example.com and example.com.",
          "Effect":"Allow",
          "Principal":"*",
          "Action":"s3:GetObject",
          "Resource":"arn:aws:s3:::examplebucket/*",
          "Condition":{
            "StringLike":{"aws:Referer":["http://www.example.com/*","http://example.com/*"]}
          }
        }
      ]
    }
    
  • 2020-12-24 03:26

    You need a bucket policy that both allows referrers from your domain(s) and denies referrers who are not from your domains. I've found that images can be hotlinked if you don't include the explicit denial - many guides and examples just give the allow policy and don't mention the deny part.

    Here's my policy, just change BUCKET-NAME and YOUR-WEBSITE to your own details:

    {
      "Version": "2008-10-17",
      "Id": "",
      "Statement": [
        {
          "Sid": "Allow in my domains",
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::BUCKET-NAME/*",
          "Condition": {
            "StringLike": {
              "aws:Referer": [
                "http://www.YOUR-WEBSITE.com/*"
              ]
            }
          }
        },
        {
          "Sid": "Deny access if referer is not my sites",
          "Effect": "Deny",
          "Principal": {
            "AWS": "*"
          },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::BUCKET-NAME/*",
          "Condition": {
            "StringNotLike": {
              "aws:Referer": [
                "http://www.YOUR-WEBSITE.com/*"
              ]
            }
          }
        }
      ]
    }
    
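Added example (not part of the answers above and not AWS code): a simplified Python model of how the Allow and Deny statements in the policy above are evaluated for requests with a matching, non-matching or missing Referer header. `other_grant` (an Allow from elsewhere, such as a public-read ACL), the evaluator itself and the sample Referer values are assumptions constructed for illustration.

```python
import re

# Placeholder pattern taken from the answer's policy.
ALLOWED = ["http://www.YOUR-WEBSITE.com/*"]

def string_like(value, patterns):
    """StringLike: case-sensitive; '*' matches any run, '?' one character."""
    if value is None:  # key absent from the request: positive operators fail
        return False
    for p in patterns:
        rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        if re.fullmatch(rx, value, re.DOTALL):
            return True
    return False

def string_not_like(value, patterns):
    """Negated operator: true when the key is absent or matches no pattern."""
    return not string_like(value, patterns)

ALLOW = {"Effect": "Allow", "Test": string_like, "Patterns": ALLOWED}
DENY = {"Effect": "Deny", "Test": string_not_like, "Patterns": ALLOWED}

def decide(statements, referer, other_grant=False):
    """Decision for an anonymous s3:GetObject under the given statements.
    other_grant is an assumption of this model: an Allow that comes from
    somewhere else, such as a public-read object ACL.
    """
    hits = [s["Effect"] for s in statements if s["Test"](referer, s["Patterns"])]
    if "Deny" in hits:  # an explicit Deny overrides every Allow
        return "Deny"
    if "Allow" in hits or other_grant:
        return "Allow"
    return "Deny"  # nothing allowed the request: implicit deny

# Constructed sample requests: label -> Referer header (None = header not sent)
SAMPLES = {
    "own page": "http://www.YOUR-WEBSITE.com/gallery.html",
    "own page over https": "https://www.YOUR-WEBSITE.com/gallery.html",
    "other site": "http://other.example/page.html",
    "no header": None,
}

def table(statements, other_grant):
    return {k: decide(statements, v, other_grant) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, stmts in (("allow only", [ALLOW]), ("allow + deny", [ALLOW, DENY])):
        for grant in (False, True):
            print(f"{name:12} other_grant={grant}: {table(stmts, grant)}")
```

The `aws:Referer` value is whatever the client sends, so a policy like this limits casual embedding rather than authenticating the requester.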
  • 2020-12-24 03:31

    I use Apache RewriteMap to remap relative links to select file extensions -- *.jpg, *.gif, *.swf, *.fla -- to CloudFront. Basically makes the URL of your images present as relative links to your site. It doesn't prevent discovery of the S3/CloudFront URL totally, just adds a layer of difficulty for the would-be thief.

    Might be worth a try, apply the hotlink restrictions via htaccess with the above method in place. I haven't tried it myself.

  • 2020-12-24 03:31

    There's a good tutorial here. Make sure to check out the comments, since there's a whitespace character in the website's code that causes the solution not to work.
