对于存储桶中不存在的密钥，我如何让 S3 存储桶返回 404(而不是 403)/ [英] How do I have an S3 bucket return 404 (instead of 403) for a key that does not exist in the bucket/

问题描述

我正在使用 S3 来存储一些关键业务文档.我希望存储桶在尝试访问存储桶中不存在的对象时返回 404 状态代码.

I am using S3 to store some business critical documents. I want the bucket to return a 404 status code when trying to access an object that does not exist in the bucket.

但是，我发现它不断返回403

However, I am finding that it keeps on returning me "403

这是一个使用 S3 网站 url 的会话示例.

here is an example of a session using the S3 website url.

> GET /foobar.txt HTTP/1.1
> User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
> Host: <bucketname>.s3-website-us-east-1.amazonaws.com
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Last-Modified: Mon, 09 Sep 2013 19:10:28 GMT
< ETag: "14e13b81b3ce5b129d1f206b3e514885"
< x-amz-error-code: AccessDenied
< x-amz-error-message: Access Denied
< x-amz-request-id: <snip>
< x-amz-id-2: <snip>
< Content-Type: text/html
< Content-Length: 11
< Date: Thu, 26 Sep 2013 20:01:45 GMT
< Server: AmazonS3
< 
Not found!

请注意，未找到！"启用 S3 网站托管时，字符串来自存储桶属性上设置的错误文档.

Note, the "Not Found!" string is coming from the error document set on the bucket properties when enabling S3 website hosting.

我也试过直接使用bucket url访问

I have also tried accessing using the bucket url directly

http://.s3.amazonaws.com/

http://.s3.amazonaws.com/

返回相同的内容，除了错误文档，我得到一个 XML 文档

and that returns the same, except that instead of the error document, I get a XML document

我该如何解决这个问题?

How do I solve this problem?

推荐答案

当用户没有列出存储桶内容的权限时，S3 返回 403 而不是 404.

S3 returns a 403 instead of a 404 when the user doesn't have permission to list the bucket contents.

如果您查询一个对象并收到 404，那么您就知道该对象不存在.如果您无权列出存储桶内容，则您不应该知道这些信息，因此 S3 不会告诉您它不存在，而是告诉您您正在尝试做一些不允许做的事情.当您得到 403 而不是 404 时，您无法知道您请求的对象不存在.它可能不存在，也可能存在，而您只是无权访问它.您无法确定，因此没有绕过安全措施.

If you query for an object and receive a 404, then you know that object doesn't exist. This is information you shouldn't know if you don't have permission to list the bucket contents so instead of telling you it doesn't exist, S3 just tells you that you're trying to do something you're not allowed to do. When you get a 403 instead of a 404 you have no way of knowing that the object you requested doesn't exist. It might not exist or it might exist and you just don't have permission to access it. There's no way for you to know for sure and so no security is bypassed.

我相信任何有权列出存储桶内容的人都会收到 404 而不是 403.

I believe anyone with access to list the bucket contents will get a 404 instead of a 403.

这篇关于对于存储桶中不存在的密钥，我如何让 S3 存储桶返回 404(而不是 403)/的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！