Amazon S3 direct file upload from client browser - private key disclosure


Problem description

I'm implementing a direct file upload from client machine to Amazon S3 via REST API using only JavaScript, without any server-side code. All works fine but one thing is worrying me...

When I send a request to the Amazon S3 REST API, I need to sign the request and put a signature into the Authentication header. To create a signature, I must use my secret key. But all of this happens on the client side, so the secret key can be easily revealed from the page source (even if I obfuscate/encrypt my sources).

How can I handle this? And is it a problem at all? Maybe I can limit a specific private key's usage to REST API calls from a specific CORS Origin and to only the PUT and POST methods, or maybe link the key to only S3 and a specific bucket? Maybe there are other authentication methods?

A "serverless" solution is ideal, but I can consider involving some server-side processing, excluding uploading a file to my server and then sending it to S3.

Recommended answer

I think what you want is Browser-Based Uploads Using POST.

Basically, you do need server-side code, but all it does is generate signed policies. Once the client-side code has the signed policy, it can upload using POST directly to S3 without the data going through your server.

Here are the official doc links:

Doc: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html

Example code: http://docs.aws.amazon.com/AmazonS3/latest/dev/HTTPPOSTExamples.html

The signed policy would go in your html in a form like this:

<html>
  <head>
    ...
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    ...
  </head>
  <body>
  ...
  <form action="http://johnsmith.s3.amazonaws.com/" method="post" enctype="multipart/form-data">
    Key to upload: <input type="text" name="key" value="user/eric/" /><br />
    <input type="hidden" name="acl" value="public-read" />
    <input type="hidden" name="success_action_redirect" value="http://johnsmith.s3.amazonaws.com/successful_upload.html" />
    Content-Type: <input type="text" name="Content-Type" value="image/jpeg" /><br />
    <input type="hidden" name="x-amz-meta-uuid" value="14365123651274" />
    Tags for File: <input type="text" name="x-amz-meta-tag" value="" /><br />
    <input type="hidden" name="AWSAccessKeyId" value="AKIAIOSFODNN7EXAMPLE" />
    <input type="hidden" name="Policy" value="POLICY" />
    <input type="hidden" name="Signature" value="SIGNATURE" />
    File: <input type="file" name="file" /> <br />
    <!-- The elements after this will be ignored -->
    <input type="submit" name="submit" value="Upload to Amazon S3" />
  </form>
  ...
</html>

Notice the FORM action is sending the file directly to S3 - not via your server.

Every time one of your users wants to upload a file, you would create the POLICY and SIGNATURE on your server. You return the page to the user's browser. The user can then upload a file directly to S3 without going through your server.

When you sign the policy, you typically make the policy expire after a few minutes. This forces your users to talk to your server before uploading. This lets you monitor and limit uploads if you desire.

The only data going to or from your server is the signed URLs. Your secret keys stay secret on the server.
