En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

restrict access to CloudFront URL

0

I have a CloudFront distribution pulling content from a private S3 bucket and aliased to my website domain. Currently, I can access the website from its own domain, but also from the CloudFront distribution's URL. I want to allow access only to the website domain and deny the CloudFront URL. Can I do that?

Sujets
CalculRéseaux et diffusion de contenu
Balises
Approvisionnement du site WebAmazon CloudFront
Langue
English
pmartini
demandé il y a 5 mois522 vues
1 réponse
0
Réponse acceptée

Hello.

It is possible to block using CloudFront Functions.
For example, you can check the host part included in the request header using the code below, and if "cloudfront.net" is included, you can return HTTP status code 403.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/functions-tutorial.html

function handler(event) {
    var request = event.request;
    var host = request.headers.host.value;

    if (host.includes('cloudfront.net')) {
        return {
            statusCode: 403,
            statusDescription: 'Forbidden',
            body: {
                "encoding": "text",
                "data": "<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>"
            }
        };
    }

    return request;
}

I think it is also possible to block using custom rules using AWS WAF.
https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-rules-creating.html

profile picture
EXPERT
Riku_Kobayashi
répondu il y a 5 mois
profile picture
EXPERT
MaxCloud
vérifié il y a 5 mois
profile picture
EXPERT
Gary Mclean
vérifié il y a 5 mois
profile pictureAWS
EXPERT
Didier_Durand
vérifié il y a 5 mois
  • pmartini
    il y a 5 mois

    Thank you Riku! Just noting that "data" in the response body should only contain plain text, as html tags are displayed literally.

  • Gary Mclean EXPERT
    il y a 5 mois

    HTML tags may have shown because the encoding is set to text.

  • pmartini
    il y a 5 mois

    Thank you Gary! The Developer Guide says: "You can specify the encoding as plain text ("encoding": "text") or as Base64-encoded content ("encoding": "base64")." Both encodings show html tags literally. Is there another way? I tried "text/html", but I got a 503.

  • pmartini
    il y a 5 mois

    To force parsing html tags one needs to send the content-type header as well, so the correct function syntax is the following:

    function handler(event) { var request = event.request; var host = request.headers.host.value;

    if (host.includes('cloudfront.net')) { return { statusCode: 403, statusDescription: 'Forbidden', headers: { "content-type": { "value": "text/html" } }, body: { "encoding": "text", "data": "<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>" } }; }

    return request;

    }

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents