Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Cloudfront returning 403

0

Dear Support and Community,

I use the following code to get a cloudfront distributed audiostream on my website. Without cookie authorization everything works fine. When I use the code on my wordpress website the cookies get set as expected but cloudfront still rejects access with a 403 error. Do you see any mistakes I could have made?

BR Iggy

<?php
/**
 * Plugin Name: CloudFront Auth Plugin 0.5
 * Description: Ein Plugin zur Implementierung der CloudFront-Cookie-Authentifizierung.
 * Version: 0.5
 * Author: us
 * License: GPL2
 */


function createSignedCookie($streamHostUrl, $resourceKey, $timeout){
    error_log('function createSignedCookie gestartet');
    $keyPairId = "APKA5**********HZVB"; // Key Pair
    $expires = time() + $timeout; // Expire Time
    $url = $streamHostUrl . '/' . $resourceKey; // Service URL -> The path for that the cookies shall be valid
    $ip=$_SERVER["REMOTE_ADDR"] . "\/24"; // IP
    $json = '{"Statement":[{"Resource":"'.$url.'","Condition":{"DateLessThan":{"AWS:EpochTime":'.$expires.'}}}]}';
    
    $private_key_path = __DIR__ . '/private_key.pem';
    $fp = fopen($private_key_path, 'r');
    if (!$fp) {
        return;
    }
    $priv_key=fread($fp, 8192);
    fclose($fp);
    
    $key = openssl_get_privatekey($priv_key);
    if(!$key){
        return;
    }
    if(!openssl_sign($json, $signed_policy, $key, OPENSSL_ALGO_SHA1)){
        error_log('Failed to sign policy: ' . openssl_error_string());
        return;
    }
    
    $base64_signed_policy = base64_encode($signed_policy);
    
    $policy = strtr(base64_encode($json), '+=/', '-_~'); //Canned Policy
    
    $signature = str_replace(array('+','=','/'), array('-','_','~'), $base64_signed_policy);
    
    $signedCookie = array(
        "CloudFront-Key-Pair-Id" => $keyPairId,
        "CloudFront-Policy" => $policy,
        "CloudFront-Signature" => $signature
    );
    return $signedCookie;
}
                                        


function TriggerSignedCookies(){

    $signedCookieCustomPolicy = createSignedCookie('cookietest.ourwebsite.com', 'music.mp3', 300);

    foreach ($signedCookieCustomPolicy as $name => $value) {
        setcookie($name, $value, 0, "/", "ourwebsite.com", true, true);
    }
}
 
function SetCloudFrontCookies() {
    global $post;
                                        
    if (is_a($post, 'WP_Post') && has_shortcode($post->post_content, 'SetCookies')) {

        TriggerSignedCookies();
    }
}

function ShortcodeHandler() {
    // Gibt einen leeren String zurück, um zu verhindern, dass "1" auf der Website angezeigt wird.
    return '';
}

function ShortcodeInit() {
    add_shortcode('SetCookies', 'ShortcodeHandler');
}

add_action('init', 'ShortcodeInit', 0);
add_action('send_headers', 'SetCloudFrontCookies', 0);
?>
Argomenti
Networking e distribuzione di contenutiServizi multimediali
Tag
Amazon CloudFrontLive Video Streaming
Lingua
English
TheIggy
posta un anno fa429 visualizzazioni
1 Risposta
4
  1. Make sure the CloudFront distribution is configured to require signed cookies: Go to your CloudFront distribution settings in the AWS Management Console. Under the "Behaviors" tab, make sure the "Restrict Viewer Access (Use Signed URLs or Signed Cookies)" is set to "Yes." Confirm that the "Trusted Key Groups" or "Trusted Signers" are set correctly with the key pair you're using.
  2. Review the CloudFront behavior settings: Make sure the "Forward Cookies" setting is set to "All" 3.Modify the cookie path and domain: Update the cookie path and domain in the setcookie() function. If your CloudFront distribution is on a subdomain, you should set the cookie path to the root ("/") and the domain to the subdomain (e.g., "cookietest.ourwebsite.com"). 4.Verify that the cookies are being sent with the request: Use browser developer tools to check if the cookies (CloudFront-Key-Pair-Id, CloudFront-Policy, and CloudFront-Signature) are being sent with the request to CloudFront.
  3. Check the CloudFront access logs: Enable access logging for your CloudFront distribution. Check the logs in the specified S3 bucket for more information about the 403 error. This might give you a better idea of what's causing the issue.
profile picture
ESPERTO
Sedat Salman
con risposta un anno fa
  • TheIggy
    un anno fa

    Thank you for your reply. Yes, the distribution is configured to use signed cookies. The cookies are being sent. I can see them in the Cloudfront standard logs. Do you mean the cache policy shall forward cookies to the origin? I don't think that my origin (an externally hosted icecast server) could handle the Cloudfront cookies. My server logs don't show any login attempts.

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente