Serve protected assets through CDN


Problem description

We want to serve a lot of video files from few available AWS regions. The target audience comes from multiple locations around the globe. The connection speed is not guaranteed. So a CDN (preferably CloudFront) is absolutely required.

The videos need to be protected, so they can only be played if the user is authenticated and authorized to see these videos. Obviously the logic of who can see what and when is a part of the application. Streaming the videos from the origin would be unacceptably slow. Making the videos public and cacheable is not an option either.

How do people solve this kind of problem?

Recommended answer

Amazon CloudFront also offers Serving Private Content through CloudFront to address your use case:


Many companies that distribute content via the Internet want to restrict access to documents, business data, media streams, or content that is intended for selected users, for example, users who have paid a fee. To securely serve this private content using CloudFront, you can:


  • Require that your users use special CloudFront signed URLs to access your content, not the standard CloudFront public URLs.

  • Require that your users access your Amazon S3 content using CloudFront URLs, not Amazon S3 URLs.

It is up to the application to generate and distribute the required Signed URLs, however, given the logic of who can see what and when is a part of the application logic you seem to be well prepared for that part.

Please note that you'll need to ensure Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content so that users are unable to leak/guess S3 URLs and are required to go through CloudFront indeed.


If you want to use CloudFront signed URLs to provide access to objects in your Amazon S3 bucket, you probably also want to prevent users from accessing your Amazon S3 objects using Amazon S3 URLs. If users access your objects directly in Amazon S3, they bypass the controls provided by CloudFront signed URLs, including control over when a URL expires and control over which IP addresses can be used to access the objects. [...]

You restrict access to Amazon S3 content by creating an origin access identity, which is a special CloudFront user. You change Amazon S3 permissions to give the origin access identity permission to access your objects, and to remove permissions from everyone else. [...]

[emphasis mine]
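
The application side described in the answer above, as an added example that is not part of the original answer or AWS's own code: the application checks entitlement, then issues a short-lived CloudFront signed URL with a custom policy that carries the expiry and source-IP controls the quoted documentation mentions. The function names, the `entitlements` mapping, the domain and the key-pair id are assumptions for illustration; real signing requires the third-party `cryptography` package and your CloudFront private key.

```python
# Added example; names, domain and key-pair id below are illustrative placeholders.
import base64
import json
import time

def cf_b64(data: bytes) -> str:
    """Base64 with CloudFront's URL-safe substitutions: + -> -, = -> _, / -> ~."""
    return base64.b64encode(data).decode().translate(str.maketrans("+=/", "-_~"))

def custom_policy(resource: str, expires: int, source_cidr: str = "") -> bytes:
    """Custom policy: access ends at `expires` (epoch seconds) and, when
    source_cidr is given, is only allowed from that address range."""
    condition = {"DateLessThan": {"AWS:EpochTime": expires}}
    if source_cidr:
        condition["IpAddress"] = {"AWS:SourceIp": source_cidr}
    statement = {"Resource": resource, "Condition": condition}
    # Compact form with no whitespace; the exact bytes signed are the bytes sent.
    return json.dumps({"Statement": [statement]}, separators=(",", ":")).encode()

def rsa_sha1_signer(private_key_pem: bytes):
    """Return sign(bytes) -> bytes using RSA PKCS#1 v1.5 with SHA-1, the scheme
    CloudFront verifies. Imports `cryptography` only when called."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda message: key.sign(message, padding.PKCS1v15(), hashes.SHA1())

def signed_url(url, key_pair_id, sign, ttl=300, source_cidr="", now=None):
    """Append Policy, Signature and Key-Pair-Id query parameters to `url`."""
    expires = int(time.time() if now is None else now) + ttl
    policy = custom_policy(url, expires, source_cidr)
    sep = "&" if "?" in url else "?"
    return (f"{url}{sep}Policy={cf_b64(policy)}"
            f"&Signature={cf_b64(sign(policy))}&Key-Pair-Id={key_pair_id}")

def url_for_viewer(user_id, video_key, entitlements, client_ip, sign,
                   domain="DISTRIBUTION-PLACEHOLDER.cloudfront.net",
                   key_pair_id="KEY-PAIR-ID-PLACEHOLDER"):
    """Application-side gate: only an entitled user ever receives a signed URL."""
    if video_key not in entitlements.get(user_id, set()):
        return None  # not authorized: no URL is issued at all
    return signed_url(f"https://{domain}/{video_key}", key_pair_id, sign,
                      source_cidr=f"{client_ip}/32")
```

Pinning the policy to a single client address can lock out viewers whose IP changes mid-session (for example on mobile networks), so pass an empty `source_cidr` where that matters and rely on the short expiry instead.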
