Amazon CloudFront - protect video with Signed URL


Problem description

Background:

Amazon Cloudfront video delivery with S3 storage: I am using a custom 360-degree video player. The player simply links to MP4 videos. The videos are not streamed but just a direct link with progressive download.

Problem to solve ---> Signed URL

1) The videos should ONLY play back from my website and not from other websites. Otherwise someone will just hotlink to the videofiles, and I will have to pay for the Amazon traffic.

2) Where and how to insert CloudFront "Signed URL" policies?? Most tips suggest to use "Signed URL" that is connected to CloudFront. But I cannot put the puzzles together, too confusing as I am only a semi-advanced self-taught guy. So..:

2A --> where to insert the CloudFront policy? On S3 console? Or where?

2B --> what exactly to write, pls. provide a working example!

2C --> how to include one specific domain

3) I also suspect that protecting the file permissions in a S3 bucket is not enough, CloudFront may ignore that permission rule. Is that correct?

Guidance:

If nothing works, I am looking for a paid, 1-hour Skype guidance session where we set up 1 video together with CloudFront Signed URL, using screensharing. All with step-by-step explanation, so I can repeat the process for the other videos myself. And the Skype session is affordable for a budget sensitive Kickstarter / Indiegogo project.

I appreciate any help, really do! Thanks!

Recommended answer

1) The videos should ONLY play back from my website and not from other websites. Otherwise someone will just hotlink to the videofiles, and I will have to pay for the Amazon traffic.

Right, so your web site needs to be running on a platform that can dynamically generate the HTML pages that link to the videos.


2) Where and how to insert CloudFront "Signed URL" policies?? Most tips suggest to use "Signed URL" that is connected to CloudFront. But I cannot put the puzzles together, too confusing as I am only a semi-advanced self-taught guy. So..:

The policy is used to generate the signature, and it is included as part of the link you generate, if you use a custom policy ... it looks like &Policy=... followed by a base64 encoded version of the policy.

It's in the URL?! Yes. The signature makes the policy tamper-proof. This is embedded in the signed URL that your code generates with each page load. If you use a canned policy, then you don't save/send it anywhere. You use it for signature calculation and then throw it away because CloudFront already knows what it contained, because it matches the request that's being made (else, it's invalid, so the request correctly fails).


2A --> where to insert the CloudFront policy? On S3 console? Or where?

Nowhere.


2B --> what exactly to write, pls. provide a working example!

There is a working example in the documentation.

Stack Overflow does not have


2C --> how to include one specific domain

That's not exactly how this works. Securing content by domain is not securing content at all, because that can be forged.

Your web site provides signed links. The links are valid because they were obtained from you. They are only good for a few seconds -- long enough to start the download -- and then they expire... so even if somebody hotlinks to them, you don't care, because the link is already stale. But that is why you generate them with each page load.

Alternately, serve your entire site through CloudFront, and then use CloudFront signed cookies to allow access to your restricted content by anyone logged in to your site.


3) I also suspect that protecting the file permissions in a S3 bucket is not enough, CloudFront may ignore that permission rule. Is that correct?

No, CloudFront has no privileged access to your bucket, unless you arrange it. A CloudFront origin access identity gives it the necessary rights to access objects in your bucket.

Read Serving Private Content through CloudFront
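
An added example, not part of the original answer and not AWS's own code: how a site could build the custom policy and assemble the short-lived signed URL on each page load, and how the policy can be read back out of the `Policy` parameter. The `sign` callable, the domain and the key pair ID used with it are assumptions; in production `sign` wraps the private key registered with CloudFront.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlsplit

_TO_CF = str.maketrans("+=/", "-_~")    # CloudFront's URL-safe substitutions
_FROM_CF = str.maketrans("-_~", "+=/")

def cf_b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii").translate(_TO_CF)

def cf_b64_decode(text: str) -> bytes:
    return base64.b64decode(text.translate(_FROM_CF))

def build_policy(resource: str, expires_epoch: int) -> bytes:
    """Custom policy allowing `resource` until `expires_epoch` (Unix seconds)."""
    policy = {"Statement": [{
        "Resource": resource,
        "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}},
    }]}
    # Serialize without whitespace; these exact bytes are signed and sent.
    return json.dumps(policy, separators=(",", ":")).encode("utf-8")

def signed_url(url, key_pair_id, sign, ttl_seconds=30, now=None):
    """Build a short-lived signed URL; call this on every page render.

    `sign` is an assumed callable (bytes -> signature bytes) that wraps the
    private key registered with CloudFront, e.g. RSA-SHA1 from a vetted
    crypto library. The key stays on the web server, never in the page.
    """
    expires = int(time.time() if now is None else now) + ttl_seconds
    policy = build_policy(url, expires)
    sep = "&" if "?" in url else "?"
    return (f"{url}{sep}Policy={cf_b64(policy)}"
            f"&Signature={cf_b64(sign(policy))}&Key-Pair-Id={key_pair_id}")

def policy_from_url(url: str) -> dict:
    """Decode the policy carried in a signed URL: readable by anyone, but any
    change to it invalidates the signature."""
    params = parse_qs(urlsplit(url).query)
    return json.loads(cf_b64_decode(params["Policy"][0]))
```

The policy names only a resource and an expiry time; nothing in it refers to the embedding site's domain, which matches the answer's point 2C.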
