How do I display protected Amazon S3 images on my secure site using PHP?

Question

I am trying to move images for my site from my host to Amazon S3 cloud hosting. These images are of client work sites and cannot be publicly available. I would like them to be displayed on my site preferably by using the PHP SDK available from Amazon.

So far I have been able to script for the conversion so that I look up records in my database, grab the file path, name it appropriately, and send it to Amazon.

//upload to s3
$s3->create_object($bucket, $folder.$file_name_new, array(
    'fileUpload' => $file_temp,
    'acl' => AmazonS3::ACL_PRIVATE, //access denied, grantee only own
    //'acl' => AmazonS3::ACL_PUBLIC, //image displayed
    //'acl' => AmazonS3::ACL_OPEN, //image displayed, grantee everyone has open permission
    //'acl' => AmazonS3::ACL_AUTH_READ, //image not displayed, grantee auth users has open permissions
    //'acl' => AmazonS3::ACL_OWNER_READ, //image not displayed, grantee only ryan
    //'acl' => AmazonS3::ACL_OWNER_FULL_CONTROL, //image not displayed, grantee only ryan
    'storage' => AmazonS3::STORAGE_REDUCED
));

Before I copy everything over, I have created a simple form to do test upload and display of the image. If I upload an image using ACL_PRIVATE, I can either grab the public url and I will not have access, or I can grab the public url with a temporary key and can display the image.

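<?php
//display the image link
$temp_link = $s3->get_object_url($bucket, $folder.$file_name_new, '1 minute');
//escape for HTML output; the signed URL contains & in its query string
$safe_link = htmlspecialchars($temp_link, ENT_QUOTES, 'UTF-8');
?>
<a href='<?php echo $safe_link; ?>'><?php echo $safe_link; ?></a><br />
<img src='<?php echo $safe_link; ?>' alt='finding image' /><br />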

Using this method, how will my caching work? I'm guessing every time I refresh the page, or modify one of my records, I will be pulling that image again, increasing my get requests.

I have also considered using bucket policies to only allow image retrieval from certain referrers. Do I understand correctly that Amazon is supposed to only fetch requests from pages or domains I specify?

I referenced: https://forums.aws.amazon.com/thread.jspa?messageID=188183&#188183 to set that up, but then am confused as to which security I need on my objects. It seemed like if I made them Private they still would not display, unless I used the temp link like mentioned previously. If I made them public, I could navigate to them directly, regardless of referrer.

Am I way off what I'm trying to do here? Is this not really supported by S3, or am I missing something simple? I have gone through the SDK documentation and lots of searching and feel like this should be a little more clearly documented so hopefully any input here can help others in this situation. I've read others who name the file with a unique ID, creating security through obscurity, but that won't cut it in my situation, and probably not best practice for anyone trying to be secure.

Recommended answer

The best way to serve your images is to generate a url using the PHP SDK. That way the downloads go directly from S3 to your users.

You don't need to download via your servers as @mfonda suggested - you can set any caching headers you like on S3 objects - and if you did you would be losing some major benefits of using S3.

However, as you pointed out in your question, the url will always be changing (actually the querystring) so browsers won't cache the file. The easy workaround is simply to always use the same expiry date so that the same querystring is always generated. Or better still 'cache' the url yourself (e.g. in the database) and reuse it every time.

You'll obviously have to set the expiry time somewhere far into the future, but you can regenerate these urls every so often if you prefer. E.g. in your database you would store the generated url and the expiry date (you could parse that from the url too). Then either you just use the existing url or, if the expiry date has passed, generate a new one. etc...
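
The two approaches in the answer above (a stable expiry, and caching the signed URL until it expires) combined in one sketch. This is an added example, not code from the original post or the AWS SDK. The names `stable_expiry`, `cached_url`, `$sign` and `$cache`, the one-day window and the stand-in signer are assumptions; the example bounds the expiry to a rolling window rather than a single far-future date.

```php
<?php
// Added example; all function and variable names here are hypothetical.

/** Round the expiry up to a window boundary so every call inside the same
 *  window requests the same expiry and therefore gets the same signed URL. */
function stable_expiry(int $now, int $window): int
{
    // Valid for at least one full window and at most two.
    return (intdiv($now, $window) + 2) * $window;
}

/** Return the cached signed URL, re-signing only when it is about to expire. */
function cached_url(callable $sign, array &$cache, string $key, int $now, int $window): string
{
    if (isset($cache[$key]) && $cache[$key]['expires'] - $now > 60) {
        return $cache[$key]['url'];   // reuse: the browser's cache key is unchanged
    }
    $expires = stable_expiry($now, $window);
    $cache[$key] = ['url' => $sign($key, $expires), 'expires' => $expires];
    return $cache[$key]['url'];
}

// Stand-in signer so the example runs without the SDK or credentials.
// With the SDK call shown on this page it would be:
//   $sign = function ($key, $expires) use ($s3, $bucket) {
//       return $s3->get_object_url($bucket, $key, $expires); // Unix timestamp
//   };
$sign = function (string $key, int $expires): string {
    $sig = hash_hmac('sha1', "GET\n$expires\n/$key", 'constructed-demo-secret');
    return "https://example-bucket.s3.amazonaws.com/$key?Expires=$expires&Signature=$sig";
};

$cache  = [];           // stands in for the database table the answer mentions
$window = 86400;        // one day (assumption); use the shortest you can accept
$t0     = 1700000000;   // constructed clock values

$a = cached_url($sign, $cache, 'sites/42/front.jpg', $t0, $window);
$b = cached_url($sign, $cache, 'sites/42/front.jpg', $t0 + 3600, $window);
$c = cached_url($sign, $cache, 'sites/42/front.jpg', $t0 + 3 * $window, $window);

var_dump($a === $b);    // is the URL reused an hour later?
var_dump($a === $c);    // is it replaced once the old one has expired?
```

Anyone who obtains a signed URL can fetch the object until it expires, so the window length is the exposure time for a leaked link as well as the browser cache lifetime.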
