How CloudFront caching works with pre-signed URLs and CORS


Hi,

I'm looking for help with understanding how everything works in the following scenario:

  1. I have an S3 bucket with origin access control configured for my CloudFront distribution.
  2. S3 and CloudFront have CORS configured with Access-Control-Allow-Origin: * for this specific environment, to keep it simple.
  3. CloudFront behaviour has the following settings: Cache policy: CachingOptimized, Origin request policy: CORS-S3Origin, Response header policy: SimpleCORS
  4. CloudFront has a public key configured and provides access only for pre-signed URLs.

How does caching work in this case? If I understand it correctly, if someone requests a file without the query parameters ?Expires=111111&Signature=xxxxx, it will cache the 403 response and all following requests will fail because of the CachingOptimized policy, which doesn't check query parameters. In what order does CloudFront process the request? If it first checks the pre-signed URL and, if all is good, then serves the file from the cache without the query parameters, all should be OK, but I see some strange cache behaviour in my case.

asked 3 months ago, 365 views
1 Answer
Accepted Answer

Hi,

You should look at this page to understand the full mechanism: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html

The section "How signed URLs work" says:

CloudFront uses the public key to validate the signature and confirm that the URL hasn't been tampered with. If the signature is invalid, the request is rejected.

If the signature is valid, CloudFront looks at the policy statement in the URL (or constructs one if you're using a canned policy) to confirm that the request is still valid. For example, if you specified a beginning and ending date and time for the URL, CloudFront confirms that the user is trying to access your content during the time period that you want to allow access.

If the request meets the requirements in the policy statement, CloudFront does the standard operations: determines whether the file is already in the edge cache, forwards the request to the origin if necessary, and returns the file to the user.

Best,

Didier

answered 3 months ago, reviewed 22 days ago
  • Hi Didier,

    Thank you for pointing this out; I've been on this page but missed these last steps describing the procedure. Based on this, would it be a correct assumption that after CloudFront validates the signature, expiry and other related access parameters, it strips all these parameters and looks in the cache only for the file? For two recurring requests with different signatures to the same object from the same location, my first request will be forwarded to the origin, and the second I will get from the cache, even if my caching policy is CachingOptimized.

  • Hi, thanks for accepting my answer. Yes, my understanding is that CF looks in the cache if the policy allows and then goes to the origin if needed. Re CachingOptimized, the doc says "CloudFront doesn't include any query strings or cookies in the cache key, and only includes the normalized Accept-Encoding header"; see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html#managed-cache-caching-optimized
