8

I have audio files stored in Amazon S3 that are accessed from a web-based music player application and from a mobile app. Even users who are not logged in should be able to access the music. But I don't want people to use the link to download the content. Can this be done in S3?

Thank you

4

3 Answers

7

You can restrict access based on the HTTP referer. It isn't bulletproof (the Referer can be spoofed), but it will stop casual downloading.

You use a bucket policy to restrict the possible values of the Referer.

There's an example on this page (scroll down a bit): http://docs.aws.amazon.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html

Here is their example:

{
  "Version":"2008-10-17",
  "Id":"http referer policy example",
  "Statement":[
    {
      "Sid":"Allow get requests originated from www.example.com and example.com",
      "Effect":"Allow",
      "Principal":"*",
      "Action":"s3:GetObject",
      "Resource":"arn:aws:s3:::examplebucket/*",
      "Condition":{
        "StringLike":{
          "aws:Referer":[
            "http://www.example.com/*",
            "http://example.com/*"
          ]
        }
      }
    }
  ]
}

You can also use expiring signed URLs - this will prevent people from linking to your content from other sites.

answered 2013-07-15T22:59:15.910
2

One scenario comes to mind:

When your music player app wants to play something, it has to ask your backend for the URL to the MP3. Your backend can produce URLs with "Expires" parameter[1] set to 10 seconds in the future.

This way, the URL returned by your backend is only usable for 10 seconds, which should be more than enough for the music player to initiate the download from S3.

Of course the user could download the file if he/she sees the URL in some kind of HTTP sniffer in the 10-second window and starts the download.

But there's no bulletproof way to protect the user from getting his/her hands on the content their device accesses. If the content is delivered to a device, there is always a way for sufficiently technical people to get their hands on it.

p.s. Just a heads-up, if your MP3 player supports seeking (especially seeking by sending another HTTP range-request), you'd have to re-get a new URL with refreshed "expires" parameter from your backend.

[1] http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html

answered 2014-07-12T14:15:36.413
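The expiring URL this answer describes, as an added example that is not code from the answer or from AWS. It implements the legacy S3 query-string authentication scheme from the developer guide linked at [1] (HMAC-SHA1 over "GET\n\n\n<Expires>\n/<bucket>/<key>", base64-encoded, passed as the Signature parameter) using only the Python standard library. The access key, secret, bucket and object key are constructed placeholders. verify_presigned_get_url is a local mirror of the check S3 performs before serving the object, included so the expiry and tamper behaviour can be observed offline; it is not S3's code. Current SDKs produce such URLs with Signature Version 4 instead (boto3's generate_presigned_url, for instance), but the expiry mechanism is the same.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed credentials for the example only; they are not real AWS keys.
ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"
SECRET_ACCESS_KEY = "example-secret-access-key-not-real"


def string_to_sign(bucket: str, key: str, expires: int) -> str:
    """Legacy S3 query-string auth: verb, Content-MD5, Content-Type, Expires,
    then the canonicalized resource (a plain GET carries no x-amz headers)."""
    return f"GET\n\n\n{expires}\n/{bucket}/{key}"


def signature(secret: str, bucket: str, key: str, expires: int) -> str:
    """Base64(HMAC-SHA1(secret, string_to_sign))."""
    mac = hmac.new(secret.encode(), string_to_sign(bucket, key, expires).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def presigned_get_url(bucket, key, ttl_seconds=10, now=None,
                      access_key=ACCESS_KEY_ID, secret=SECRET_ACCESS_KEY):
    """What the backend hands to the player: a GET URL that is honoured only
    until Expires (epoch seconds). Ten seconds is the TTL the answer suggests."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = signature(secret, bucket, key, expires)
    return (f"https://{bucket}.s3.amazonaws.com/{quote(key)}"
            f"?AWSAccessKeyId={access_key}&Expires={expires}&Signature={quote(sig, safe='')}")


def verify_presigned_get_url(url, secret=SECRET_ACCESS_KEY, now=None):
    """Local mirror of the check S3 makes before serving the object: the
    request must arrive before Expires, and the signature must match the
    bucket, key and Expires actually present in the request, so changing
    any of them (e.g. pushing Expires out) invalidates the URL."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    bucket = parts.hostname.split(".")[0]
    key = unquote(parts.path.lstrip("/"))
    params = parse_qs(parts.query)
    try:
        expires = int(params["Expires"][0])
        presented = params["Signature"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires:
        return False
    expected = signature(secret, bucket, key, expires)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    url = presigned_get_url("musicbucket", "albums/track 01.mp3")
    print(url)
    print("valid right now:", verify_presigned_get_url(url))
```

Because the signature covers the object key as well as Expires, a player that seeks with a Range request against the same key can reuse the URL only while it is still within the window; once it lapses, the backend has to issue a fresh one, which is the point made in the p.s. above.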
1

I also ran into this requirement and have a more up-to-date answer on how to implement it.

On your bucket's "Permissions" tab, select the "Bucket Policy" button and fill in the following code:

{
    "Version": "2012-10-17",
    "Id": "Policy1542209806458",
    "Statement": [
        {
            "Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::your-bucket-arn/*",
            "Condition": {
                "StringNotLike": {
                    "aws:Referer": [
                        "http://yourdomain.com/*"
                    ]
                }
            }
        }
    ]
}

This will allow requests whose referer is your domain. Be sure to set your Resource field and change the allowed aws:Referer list.

This can still be spoofed, but it is a simple obstacle to direct-linking S3 objects.

answered 2018-11-14T15:53:35.473
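An added example, not code from any answer or from AWS, that models how the Referer conditions in the two bucket policies on this page match a request: the Allow/StringLike form in the first answer and the Deny/StringNotLike form in this one. The wildcard matcher follows IAM's StringLike semantics (case-sensitive, "*" matches any run of characters including none, "?" matches one character). Assumptions: the Deny form is modeled only for requests that actually carry a Referer header, and otherwise_allowed stands in for whatever separate grant (public read, for example) would permit the request in the absence of the Deny; the Referer values in the test are constructed.

```python
import re

# Patterns copied from the two bucket policies on this page.
ALLOW_POLICY_REFERERS = ["http://www.example.com/*", "http://example.com/*"]
DENY_POLICY_REFERERS = ["http://yourdomain.com/*"]


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike matching: case-sensitive, '*' matches any run of
    characters (including none), '?' matches exactly one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def allow_policy_permits_get(referer, patterns=ALLOW_POLICY_REFERERS):
    """First answer's policy: a single Allow on s3:GetObject conditioned on
    aws:Referer StringLike. A request without a Referer header has no
    aws:Referer key, so the positive operator cannot match and nothing
    grants the request; it is implicitly denied."""
    if referer is None:
        return False
    return any(string_like(p, referer) for p in patterns)


def deny_policy_permits(referer, patterns=DENY_POLICY_REFERERS, otherwise_allowed=True):
    """Third answer's policy: an explicit Deny on s3:* whenever aws:Referer is
    StringNotLike every pattern. The statement only blocks; otherwise_allowed
    stands for the separate grant that would permit the request without it.
    Only requests that carry a Referer header are modeled (assumption)."""
    if referer is None:
        raise ValueError("requests without a Referer header are not modeled here")
    deny_matches = not any(string_like(p, referer) for p in patterns)
    return otherwise_allowed and not deny_matches


if __name__ == "__main__":
    # Constructed sample Referer values, including a look-alike host.
    for ref in ["http://www.example.com/player.html", "https://www.example.com/player.html",
                "http://www.example.com.evil.test/player.html", None]:
        print(f"{ref!s:48} allow-policy -> {allow_policy_permits_get(ref)}")
```

Two things the model makes visible: the patterns are literal strings, so a page served over https:// or from a host other than the listed ones does not match "http://www.example.com/*" (which is why both answers tell you to edit the list), and any client that sends a header matching the list is let through, which is the spoofing limitation both answers acknowledge.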