如何具有与S3铲斗返回404（而不是403）为不桶中存在一个键/ [英] How do I have an S3 bucket return 404 (instead of 403) for a key that does not exist in the bucket/

问题描述

我使用的S3存储一些关键业务文档。我想水桶返回试图访问一个不桶里存在的对象时，404状态code。

I am using S3 to store some business critical documents. I want the bucket to return a 404 status code when trying to access an object that does not exist in the bucket.

不过，我发现，它一直在我返回403

However, I am finding that it keeps on returning me "403

下面是一个使用S3网站的网址会话的例子。

here is an example of a session using the S3 website url.

> GET /foobar.txt HTTP/1.1
> User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
> Host: <bucketname>.s3-website-us-east-1.amazonaws.com
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Last-Modified: Mon, 09 Sep 2013 19:10:28 GMT
< ETag: "14e13b81b3ce5b129d1f206b3e514885"
< x-amz-error-code: AccessDenied
< x-amz-error-message: Access Denied
< x-amz-request-id: <snip>
< x-amz-id-2: <snip>
< Content-Type: text/html
< Content-Length: 11
< Date: Thu, 26 Sep 2013 20:01:45 GMT
< Server: AmazonS3
< 
Not found!

请注意，在未找到！字符串从桶里属性错误文档集使S3网站托管的时候来了。

Note, the "Not Found!" string is coming from the error document set on the bucket properties when enabling S3 website hosting.

我也曾尝试直接访问使用水桶的url

I have also tried accessing using the bucket url directly

HTTP：//.s3.amazonaws.com/

http://.s3.amazonaws.com/

和返回相同的，所不同的是，而不是错误的文件，我得到一个XML文档

and that returns the same, except that instead of the error document, I get a XML document

我该如何解决这个问题？

How do I solve this problem?

推荐答案

S3返回403，而不是404，当用户没有权限列出桶含量。

S3 returns a 403 instead of a 404 when the user doesn't have permission to list the bucket contents.

如果您查询的对象，并收到404，那么你知道，对象不存在。这是信息，你不应该知道，如果你没有权限列出桶含量所以不是告诉你它不存在，S3只是告诉你，你正在尝试做一些事情你不能做。当你得到一个403而不是404，你没有办法知道你请求的对象不存在的。它可能不存在或可能存在，你只是没有权限访问它。有没有办法让你知道肯定，因此没有安全旁路。

If you query for an object and receive a 404, then you know that object doesn't exist. This is information you shouldn't know if you don't have permission to list the bucket contents so instead of telling you it doesn't exist, S3 just tells you that you're trying to do something you're not allowed to do. When you get a 403 instead of a 404 you have no way of knowing that the object you requested doesn't exist. It might not exist or it might exist and you just don't have permission to access it. There's no way for you to know for sure and so no security is bypassed.

我相信，任何人都可以访问列出的桶含量将得到的403 404代替。

I believe anyone with access to list the bucket contents will get a 404 instead of a 403.

这篇关于如何具有与S3铲斗返回404（而不是403）为不桶中存在一个键/的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！