防止 Amazon Cloudfront 盗链 [英] Preventing Amazon Cloudfront hotlinking
问题描述
我使用 Amazon Cloudfront 来托管我网站的所有图像和视频,以便更快地将它们提供给我的用户,这些用户非常分散在全球各地.我还对 Cloudfront 上托管的元素应用了非常积极的前向缓存,将 Cache-Control
设置为 public, max-age=7776000
.
我最近很恼火地发现第三方网站在未经授权的情况下盗链到我的 Cloudfront 服务器以在他们自己的页面上显示图像.
我已经配置了 .htaccess
以防止在我自己的服务器上进行盗链,但还没有在 Cloudfront 上找到这样做的方法,它似乎不支持本机功能.而且,令人讨厌的是,亚马逊的 Bucket 策略可用于防止盗链,仅对 S3 有效,对 CloudFront 分发没有影响 [链接].如果您想利用这些政策,您必须直接从 S3 提供您的内容.
搜索我的服务器日志以查找热链接器并手动更改文件名并不是一个现实的选择,尽管我这样做是为了结束最公然的攻击.</p>
欢迎提出任何建议.
- 转到 CloudFront 设置
- 编辑分配的分配设置
- 转到行为"选项卡并编辑或创建行为
- 将转发标头设置为白名单
- 将 Referer 添加为白名单标头
- 保存右下角的设置
确保也处理源上的 Referer 标头.
I use Amazon Cloudfront to host all my site's images and videos, to serve them faster to my users which are pretty scattered across the globe. I also apply pretty aggressive forward caching to the elements hosted on Cloudfront, setting Cache-Control
to public, max-age=7776000
.
I've recently discovered to my annoyance that third party sites are hotlinking to my Cloudfront server to display images on their own pages, without authorization.
I've configured .htaccess
to prevent hotlinking on my own server, but haven't found a way of doing this on Cloudfront, which doesn't seem to support the feature natively. And, annoyingly, Amazon's Bucket Policies, which could be used to prevent hotlinking, have effect only on S3, they have no effect on CloudFront distributions [link]. If you want to take advantage of the policies you have to serve your content from S3 directly.
Scouring my server logs for hotlinkers and manually changing the file names isn't really a realistic option, although I've been doing this to end the most blatant offenses.
Any suggestions would be welcome.
You can forward the Referer
header to your origin
- Go to CloudFront settings
- Edit Distributions settings for a distribution
- Go to the Behaviors tab and edit or create a behavior
- Set Forward Headers to Whitelist
- Add Referer as a whitelisted header
- Save the settings in the bottom right corner
Make sure to handle the Referer header on your origin as well.
这篇关于防止 Amazon Cloudfront 盗链的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!