The point of the cryptographic signing of the URL is that it prevents it from being modified, ensuring that only the action that was originally authorised is possible to execute. When you modify the URL, it no longer matches the signature and will be rejected.
As the blog post explains, those parameters are meant to be consumed by CloudFront when authenticating the request. I'm not quite understanding what your origin would be doing with them.
The custom query string parameters you want to send to your origin must be included in the URL that you originally sign, apparently in your Node.js code, in this case. You cannot modify the URL after signing it; you have to add what you want in the URL before calculating the signature.
The "restrict viewer access" option in your screenshot is what tells CloudFront to check the URLs it's receiving against tampering by validating the signature, and that's why CloudFront rejects all signed URLs that you've modified afterwards.
Hello,
Why CloudFront Removes Parameters...?
The documentation you linked (https://aws.amazon.com/cloudfront/streaming/) mentions that CloudFront removes certain query parameters by default (like Key-Pair-Id, Policy, and Signature) before forwarding the request to your origin. This is to prevent unauthorized access by modifying these parameters.
The Solution, Simplified:
There are two approaches to tackle this:
1. Pass Information in the Policy Document:
- Instead of sending the prefix information in the URL, include it directly within the policy document you use to generate the signed URL. This way, your origin server can access the information needed to process the request without modifying the URL itself.
- The AWS documentation provides examples of how to include custom policy variables (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecurityAndPrivateContent.html). You can use this approach to define variables for the prefixes and include them in your policy document.
2. Forward the Original URL with Headers:
- This method involves forwarding the original signed URL (including the additional parameters) to your origin server.
- You can then set custom headers on the request to your origin server containing the original Policy, Key-Pair-Id, and Signature values before CloudFront removes them.
- Your origin server can then access these headers to validate the request and process it accordingly.
I am not using Lambda, I am using my own Node.js server. So this GET request ends up in my server. The plan is: there I fetch the m3u8 from S3 and parse it line by line, append key and signature (I'm trying to get them from query params using prefix, but cannot) to the .ts names and then return the new m3u8 as the response.
But if query params are not passed, which key and signature am I going to append to the ts files?