Cloudfront private content + signed urls architecture


Question

Let me start out with a quick introduction to the architecture of a system I'm considering migrating to S3+Cloudfront.

We have a number of entities ordered in a tree. The leaves of the tree have a number of resources (jpg images, to be specific), usually in the order of 20-5000, with an average of ~200. Each resource has a unique URL that is served through our colo setup today.

I could just transfer all of these resources to S3, setup Cloudfront on top of that and be done. If only I didn't have to protect the resources.

Most entities are public (that is, ~99%); the rest are protected in one of many ways (login, IP, time, etc.). Once an entity is protected, all its resources must be protected too, and can only be accessed after a valid authorization has been performed.

I could solve this by creating two S3 buckets - one private and one public. For the private content I'd generate signed Cloudfront URLs after the user was authorized. However, the state of an entity might change from public to private arbitrarily, and vice versa. An admin of the system might change an entity at any level of the entity tree, thus causing a cascading change throughout the tree. One change might cause a change of ~20k entities, multiplied by 200 resources, that would affect 4 million resources.

I could run a service in the background monitoring for state changes, but that would be cumbersome, and changing the ACLs of 4 million S3 items would take considerable time, and while that's happening we'll either have unprotected private content, or public content that we'd have to generate signed URLs for.

Another possibility would be to make all resources private by default. On each and every request made to an entity, we would generate a custom policy granting access, for that specific user, to all resources contained in the entity (by using wildcard URLs in the custom policy). This would require the creation of a policy for each visitor, per entity - that wouldn't be a problem though. However, that would mean that our users can't cache anything any longer, as the URL will change for each new session. While not a problem for private content, it would suck for us to ditch all caching for the ~99% of the entities that are public.

Yet another option would be to keep all content private and use the above approach for private entities. For public entities we could generate a single custom policy, per public entity, that all users would share. If we set a lifetime of 6 hours and made sure to generate a new policy after 5 hours, a user would be ensured a policy lifetime of at least one hour. This has the advantage of enabling caching for up to 6 hours, while allowing private content to, possibly, be public for up to 6 hours after a state change. This would be acceptable, but I'm not sure it's worth it (trying to work out the cache/hit ratio of requests currently). Obviously we could tweak the 5/6 hour border to enable longer/shorter cache at the cost of longer/shorter exposure to private entities.

Has anyone deployed a similar solution? Any AWS features I'm overlooking that might be of use? Any comments in general?
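The shared-policy scheme sketched in the question, as an added example (not code from the question, the answer, or the linked blog post): it builds a CloudFront custom policy whose resource ends in a wildcard so one policy covers every image of an entity, signs it with RSA-SHA1, applies CloudFront's URL-safe base64, and implements the 5/6-hour rotation so a visitor always holds a URL with at least an hour left. The distribution host, entity path and key-pair id are made up, and a freshly generated RSA key stands in for the CloudFront key pair's private key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// Lifetimes from the question: a shared per-entity policy lives 6h and is replaced once 5h old.
const policyLifetime, policyRotateAge = 6 * time.Hour, 5 * time.Hour

// cloudfrontPolicy builds the compact custom-policy JSON CloudFront verifies; resource may end in '*'.
func cloudfrontPolicy(resource string, expires time.Time) string {
	return fmt.Sprintf(`{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`, resource, expires.Unix())
}

// cfEncode is CloudFront's URL-safe base64 variant: '+'->'-', '='->'_', '/'->'~'.
func cfEncode(b []byte) string {
	return strings.NewReplacer("+", "-", "=", "_", "/", "~").Replace(base64.StdEncoding.EncodeToString(b))
}

// signedURL signs the policy with RSA-SHA1 and appends the three query parameters a custom-policy URL carries.
func signedURL(target, policy, keyPairID string, key *rsa.PrivateKey) (string, error) {
	digest := sha1.Sum([]byte(policy))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s?Policy=%s&Signature=%s&Key-Pair-Id=%s", target, cfEncode([]byte(policy)), cfEncode(sig), keyPairID), nil
}

// sharedPolicyExpiry applies the 5/6h rotation to a policy minted at issued: expiry to embed, and whether to mint afresh.
func sharedPolicyExpiry(issued, now time.Time) (time.Time, bool) {
	if now.Sub(issued) >= policyRotateAge {
		return now.Add(policyLifetime), true
	}
	return issued.Add(policyLifetime), false
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the CloudFront key pair's private key
	expires, _ := sharedPolicyExpiry(time.Now(), time.Now())
	policy := cloudfrontPolicy("https://dexample.cloudfront.net/entity/42/*", expires)
	fmt.Println(signedURL("https://dexample.cloudfront.net/entity/42/img_0007.jpg", policy, "APKAEXAMPLEKEYID", key))
}
```

Because the Policy parameter is the same for every visitor of a public entity until the rotation point, the signed URL is identical across sessions and therefore cacheable, which is exactly the trade-off the question weighs against the exposure window.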

Answer

Based on popular request, I'm answering this question myself.

After gathering relevant metrics and doing some calculations, we ended up concluding we could live with less caching, offset by the faster object serving speed of CloudFront. The actual implementation is detailed on my blog: How to Set Up and Serve Private Content Using S3 and Amazon CloudFront (http://improve.dk/archive/2011/10/26/how-to-set-up-and-serve-private-content-using-s3.aspx)
