Cloudfront Adding Query Parameters To Signed URL Causes Access Denied

0

So I have been following this article:

https://aws.amazon.com/tr/blogs/networking-and-content-delivery/secure-and-cost-effective-video-streaming-using-cloudfront-signed-urls/

I am facing a strange error at this step: (screenshot)

Since CloudFront removes the mentioned parameters when it directs the request to my origin, I need to add them on my server as Key-Pair-Id-PREFIX, Policy-PREFIX and Signature-PREFIX.

I am adding them as stated in the documentation, but as soon as I add a query parameter, I immediately get an access denied error from the signed URL.

If I don't add any query parameters in addition to what is generated, I can access the resource. Access granted: https://d4btsmypjqzd3.cloudfront.net/streams/oiilo65vhierva0n/rvj7m3ep1bgy76brsvnecbr5k9glvdp1/2024-08-05_22-07-56.562/rvj7m3ep1bgy76brsvnecbr5k9glvdp1-2024-08-05_22-07-56.562.m3u8?Policy=somepolicy&Key-Pair-Id=somekeypairid&Signature=somesignature

Access denied: https://d4btsmypjqzd3.cloudfront.net/streams/oiilo65vhierva0n/rvj7m3ep1bgy76brsvnecbr5k9glvdp1/2024-08-05_22-07-56.562/rvj7m3ep1bgy76brsvnecbr5k9glvdp1-2024-08-05_22-07-56.562.m3u8?Policy=somepolicy&Key-Pair-Id=somekeypairid&Signature=somesignature&Policy-prefix=somepolicy&Key-Pair-Id-prefix=somekeypairid&Signature-prefix=somesignature

But my origin needs to know about the mentioned query params so that I can modify the m3u8 with them. But I cannot pass them, because as soon as I add them to the URL, access denied occurs. Very strange.

Why?? Behaviour settings: (screenshots)

asked a month ago, 203 views
3 Answers
0

The point of the cryptographic signing of the URL is that it prevents it from being modified, ensuring that only the action that was originally authorised is possible to execute. When you modify the URL, it no longer matches the signature and will be rejected.

As the blog post explains, those parameters are meant to be consumed by CloudFront when authenticating the request. I'm not quite understanding what your origin would be doing with them.

EXPERT
Leo K
answered a month ago
  • I am not using Lambda, I am using my own Node.js server. So this GET request ends up on my server. The plan is: there I fetch the m3u8 from S3 and parse it line by line, append key and signature (I'm trying to get them from query params using the prefix, but cannot) to the .ts names and then return the new m3u8 as the response.

    But if the query params are not passed, which key and signature am I going to append to the .ts files?

0

The custom query string parameters you want to send to your origin must be included in the URL that you originally sign, apparently in your Node.js code, in this case. You cannot modify the URL after signing it; you have to add what you want in the URL before calculating the signature.

The "restrict viewer access" option in your screenshot is what tells CloudFront to check the URLs it's receiving against tampering by validating the signature, and that's why CloudFront rejects all signed URLs that you've modified afterwards.

EXPERT
Leo K
answered a month ago
0

Hello,

Why CloudFront Removes Parameters...?

The documentation you linked (https://aws.amazon.com/cloudfront/streaming/) mentions that CloudFront removes certain query parameters by default (like Key-Pair-Id, Policy, and Signature) before forwarding the request to your origin. This is to prevent unauthorized access by modifying these parameters.

The Solution, Simplified:

There are two approaches to tackle this:

1. Pass Information in the Policy Document:

  • Instead of sending the prefix information in the URL, include it directly within the policy document you use to generate the signed URL. This way, your origin server can access the information needed to process the request without modifying the URL itself.
  • The AWS documentation provides examples of how to include custom policy variables (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecurityAndPrivateContent.html). You can use this approach to define variables for the prefixes and include them in your policy document.

2. Forward the Original URL with Headers:

  • This method involves forwarding the original signed URL (including the additional parameters) to your origin server.
  • You can then set custom headers on the request to your origin server containing the original Policy, Key-Pair-Id, and Signature values before CloudFront removes them.
  • Your origin server can then access these headers to validate the request and process it accordingly.
EXPERT
answered a month ago