How to disable Amazon S3 raw endpoint access


Problem description

Say you want to host a static web site on S3:

  1. You create a bucket with name your-website.com and set it up for web hosting;
  2. You add a CNAME in your domain's zone file to point to your S3 bucket.

Great. Everything works fine when you visit http://your-website.com. But you don't want the raw/"naked" endpoint to be accessible.

Is there any setting in the bucket to disable direct access to http://your-website.com.s3-website.your-region.amazonaws.com?

The reason is that if your web site is accessible both through http://your-website.com and http://your-website.com.s3-website.your-region.amazonaws.com, it would hurt your SEO (duplicate content).

Recommended answer

You mention your major concern is SEO. For that purpose, you could use other techniques that are probably easier to implement than the one you initially asked about.

One of the main techniques to deal with duplicate content is to use rel=canonical, which is probably fairly easy to implement. For more information, see http://googlewebmastercentral.blogspot.com.br/2013/04/5-common-mistakes-with-relcanonical.html

If you insist on the need to disable access to the bucket unless the client connects through your CNAME, your best bet is to use CloudFront. You disable the S3 website hosting option on your bucket, make your S3 bucket private (i.e., remove bucket policies or ACLs allowing public read), create a CloudFront distribution, define your bucket as the origin, configure a CNAME on your distribution, change your DNS records to point to your distribution instead of the bucket, create an Origin Access Identity (OAI) on your distribution and grant access to your bucket for that OAI. Phew.

By doing all this, there's no way for a user to access the content on your S3 bucket (unless they have an AK/SK with permissions to read the bucket and send a signed request, obviously). The only way will be through your domain.

For more detail on Origin Access Identity, see http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
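The last step of the answer above, granting the bucket to the OAI and nothing else, is what actually closes the raw endpoint. As an added example (not part of the original answer), this is the shape of the bucket policy that does it; the bucket name is the one from the question and EXAMPLE_OAI_ID is a placeholder for the identity ID CloudFront assigns when you create the OAI. Because the policy names only the OAI as principal and no public-read statement or ACL remains, anonymous requests to the s3-website endpoint are refused, while CloudFront, signing requests as the OAI, can still fetch objects.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyCloudFrontOAIToReadObjects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLE_OAI_ID"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-website.com/*"
    }
  ]
}
```

Apply it with `aws s3api put-bucket-policy --bucket your-website.com --policy file://policy.json`, then confirm that an unauthenticated request to the s3-website endpoint now gets a 403 while the CloudFront domain still serves the page.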
