How CloudFront caching works with pre-signed URLs and CORS

0

Hi,

I'm looking for help with understanding how everything works in the following scenario:

  1. I have an S3 bucket with origin access control configured for my CloudFront distribution.
  2. S3 and CloudFront have CORS configured with Access-Control-Allow-Origin: * for this specific environment, to keep it simple.
  3. CloudFront behaviour has the following settings: Cache policy: CachingOptimized, Origin request policy: CORS-S3Origin, Response header policy: SimpleCORS
  4. CloudFront has a public key configured and provides access only for pre-signed URLs.

How does caching work in this case? If I understand it correctly, if someone requests a file without the query parameters (?Expires=111111&Signature=xxxxx), it will cache the 403 response and all following requests will fail because of the CachingOptimized policy, which doesn't check query parameters. In what order does CloudFront process a request? If it first checks the pre-signed URL and, if all is good, then provides the file from the cache without query parameters, all should be OK, but I see some strange behaviour of the cache in my case.

Expert
Asked 4 months ago, viewed 406 times
1 answer
0
Accepted answer

Hi,

You should look at this page to understand the full mechanism: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html

The section "How signed URLs work" says:

CloudFront uses the public key to validate the signature and confirm that the URL hasn't been tampered with. If the signature is invalid, the request is rejected.

If the signature is valid, CloudFront looks at the policy statement in the URL (or constructs one if you're using a canned policy) to confirm that the request is still valid. For example, if you specified a beginning and ending date and time for the URL, CloudFront confirms that the user is trying to access your content during the time period that you want to allow access.

If the request meets the requirements in the policy statement, CloudFront does the standard operations: determines whether the file is already in the edge cache, forwards the request to the origin if necessary, and returns the file to the user.

Best,

Didier

AWS Expert
Answered 4 months ago
Expert
Reviewed 1 month ago
  • Hi Didier,

    Thank you for pointing this out; I've been on this page but missed these last steps describing the procedure. Based on this, would it be the correct assumption that after CloudFront validates the signature, expiry and other related access parameters, it strips all these parameters and looks in the cache only for the file? For two recurring requests with different signatures to the same object from the same location, my first request will be forwarded to the origin, and the second I will get from the cache, even if my caching policy is CachingOptimized.

  • Hi, thanks for accepting my answer. Yes, my understanding is that CF looks in the cache if the policy allows and then goes to the origin if needed. Re CachingOptimized, the doc says "CloudFront doesn't include any query strings or cookies in the cache key, and only includes the normalized Accept-Encoding header"; see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html#managed-cache-caching-optimized
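To make the ordering quoted in the answer (validate signature, then policy, then the normal cache flow) and the CachingOptimized cache-key note in the comments concrete, here is an added simulation; it is not AWS code or anything from this thread. The HMAC signature is a stand-in for CloudFront's RSA public-key verification, and the domain, key-pair id and signing key are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in key; HMAC models CloudFront's RSA-SHA1 public-key verification step.
SIGNING_KEY = b"constructed-demo-key"
KEY_PAIR_ID = "KPLACEHOLDER"  # placeholder, not a real key-pair id


def sign_url(url, expires):
    """Canned-policy style URL: ?Expires=...&Signature=...&Key-Pair-Id=... (stand-in signature)."""
    sig = hmac.new(SIGNING_KEY, f"{url}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{url}?Expires={expires}&Signature={sig}&Key-Pair-Id={KEY_PAIR_ID}"


def validate_signed_url(url, now):
    """Docs steps 1-2: verify the signature, then check the policy (here only Expires)."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    if not all(k in qs for k in ("Expires", "Signature", "Key-Pair-Id")):
        return False  # unsigned request: rejected before any cache lookup
    base = parts._replace(query="").geturl()
    expires = int(qs["Expires"][0])
    expected = hmac.new(SIGNING_KEY, f"{base}|{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, qs["Signature"][0]) and now < expires


def cache_key(url, accept_encoding=""):
    """CachingOptimized key: no query string or cookies, only normalized Accept-Encoding."""
    enc = accept_encoding.lower()
    norm = "br" if "br" in enc else "gzip" if "gzip" in enc else "identity"
    return (urlsplit(url).path, norm)


class EdgeSimulator:
    def __init__(self):
        self.cache = {}
        self.origin_hits = 0

    def handle(self, url, now, accept_encoding="gzip"):
        """Return (status, source); a 403 from a bad/missing signature never enters the cache."""
        if not validate_signed_url(url, now):
            return 403, "edge"
        key = cache_key(url, accept_encoding)
        if key in self.cache:
            return 200, "cache"
        self.origin_hits += 1
        self.cache[key] = b"object-bytes"  # constructed origin response
        return 200, "origin"
```

Run two differently signed requests for the same object through `EdgeSimulator.handle` and the second is served from the cache, while an unsigned or expired request gets a 403 without touching the cache.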
