S3与Cloudflare不允许直接访问 [英] S3 with Cloudflare disallow direct access

问题描述

我试图让Cloudflare作为S3上托管的文件的CDN，其方式是没有人可以直接访问文件。例如：

I am trying to have Cloudflare to act as CDN for files hosted on S3, in a way that nobody can access the files directly. For example:

S3存储桶： cdn.mydomain.com.s3.amazonaws.com

CDN（Cloudflare）： cdn.mydomain.com

CDN (Cloudflare): cdn.mydomain.com

想要能够访问 cdn.mydomain.com/file.jpg （Cloudflare），但不能访问 cdn.mydomain.com.s3.amazonaws。 com / file.jpg （S3）。

What I want is to be able to access cdn.mydomain.com/file.jpg (Cloudflare) but not cdn.mydomain.com.s3.amazonaws.com/file.jpg (S3).

现在我有一个在Cloudflare上配置的CNAME指向我的存储桶， ：

Right now I have a CNAME configured on Cloudflare that points to my bucket, and the following CORS:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>Authorization</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

如果我尝试通过S3或CDN访问任何文件，

If I try to access any file, via S3 or CDN, I get permission denied. If I make a file public (aka grantee Everyone), I can then access that file via S3 and CDN.

我已尝试更改 AllowedOrigin c> $

I have tried changing the AllowedOrigin with *.mydomain.com, but no luck.

推荐答案

我找到了解决方案。

I found the solution. The article at CloudFlare's support center doesn't mention this.

您必须编辑存储桶策略，而不是编辑 CORS。而不是允许你的域，像文章说，有权访问存储桶，你必须允许CloudFlare IP的。供参考，以下是IP列表： https://www.cloudflare.com/ips

You have to edit the bucket policy, not the CORS. And instead of allowing your domain, like that article says, to have access to the bucket, you have to allow CloudFlare IP's. For the reference, here is the list of IP's: https://www.cloudflare.com/ips

以下是使用CloudFlare的存储桶策略示例：

Here is the bucket policy sample to work with CloudFlare:

    {
        "Sid": "SOME_STRING_ID_HERE",
        "Effect": "Allow", // or deny
        "Principal": {"AWS": "*"}, // or whatever principal you want
        "Action": "s3:GetObject", // or whatever action you want
        "Resource": "arn:aws:s3:::cdn.mydomain.com/*", // or whatever resource you want
        "Condition": {
            "IpAddress": {
                "aws:SourceIp": [
                    "103.21.244.0/22",
                    "103.22.200.0/22",
                    "103.31.4.0/22",
                    "104.16.0.0/12",
                    "108.162.192.0/18",
                    "131.0.72.0/22",
                    "141.101.64.0/18",
                    "162.158.0.0/15",
                    "172.64.0.0/13",
                    "173.245.48.0/20",
                    "188.114.96.0/20",
                    "190.93.240.0/20",
                    "197.234.240.0/22",
                    "198.41.128.0/17",
                    "199.27.128.0/21"
                ]
            }
        }
    }

这篇关于S3与Cloudflare不允许直接访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！