All geek questions in one place

S3 with Cloudflare denies direct access

I am trying to get Cloudflare to act as a CDN for files hosted on S3 so that no one can access the files directly. For instance:

S3 Bucket: cdn.mydomain.com.s3.amazonaws.com

CDN (Cloudflare): cdn.mydomain.com

I want to have access to cdn.mydomain.com/file.jpg (Cloudflare), but not cdn.mydomain.com.s3.amazonaws.com/file.jpg (S3).

Now I have a CNAME configured on Cloudflare that points to my bucket, and the following CORS:

 <?xml version="1.0" encoding="UTF-8"?> <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <CORSRule> <AllowedOrigin>*</AllowedOrigin> <AllowedMethod>GET</AllowedMethod> <MaxAgeSeconds>3000</MaxAgeSeconds> <AllowedHeader>Authorization</AllowedHeader> </CORSRule> </CORSConfiguration>

If I try to access any file through S3 or CDN, I get permission to refuse. If I make the file public (aka grantee Everyone), I can then access this file through S3 and CDN.

I tried changing AllowedOrigin to *.mydomain.com , but no luck.

+5
source share
3 answers

I have found a solution. an article in the CloudFlare Support Center does not mention this.

You need to edit the bucket policy, not CORS. And instead of allowing your domain, as in this article, to have access to the bucket, you should allow the use of CloudFlare IP. For reference, here is the IP list: https://www.cloudflare.com/ips

Here is an example bucket policy for working with CloudFlare:

  { "Sid": "SOME_STRING_ID_HERE", "Effect": "Allow", // or deny "Principal": {"AWS": "*"}, // or whatever principal you want "Action": "s3:GetObject", // or whatever action you want "Resource": "arn:aws:s3:::cdn.mydomain.com/*", // or whatever resource you want "Condition": { "IpAddress": { "aws:SourceIp": [ "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17", "199.27.128.0/21" ] } } }
+7
source

It is better to use your domain name as an entry protector for s3 rather than a list of IP addresses.

Go to the S3 Console website
Select Property Panel
In the Resolution section
Select Add CORS Configuration
Add CORSRules for Your Domain Names

S3-CORS-Config Example

More CORS configuration can be found here.

Observe the error, but this answer only prohibits other sites from linking to your assets, and not generating from your S3 endpoint for you ...

0
source

The decision made does not work for sure. It just allows you to access CloudFlare. For this solution to work, you must explicitly deny everything else in politics. This bucket policy is updated for the latest Cloudflare IP addresses (including IPv6), and also prohibits all users from accessing the Cloudflare IP address.

 { "Id": "Policy1517260196123", "Version": "2012-10-17", "Statement": [ { "Sid": "A string ID here", "Action": "s3:*", "Effect": "Deny", "Resource": "arn:aws:s3:::yourbucket.example.com/*", "Condition": { "NotIpAddress": { "aws:SourceIp": [ "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17", "2400:cb00::/32", "2405:8100::/32", "2405:b500::/32", "2606:4700::/32", "2803:f800::/32", "2c0f:f248::/32", "2a06:98c0::/29" ] } }, "Principal": { "AWS": "*" } } ]

}

0
source

Source: https://habr.com/ru/post/1257345/

More articles:


All Articles