AWS
1. WAF
- Add a Referer header
- Create a WAF rule that validates the Referer
Access is allowed only when the Referer is one of the permitted domains. Drawback: this suits a `*.xx.com` style domain, but the current projects all live on different domains, so every new project needs a new validation rule. Advantage: simple to implement and quick to configure.
2. Lambda
Use a Lambda to validate a custom parameter centrally, and only after that check succeeds let the request continue to the origin.
The official documentation is always hard to follow,
so the simple Referer approach came first.
- Modify the S3 bucket policy
```json
{
  "Version": "2012-10-17",
  "Id": "PreventHotLinking",
  "Statement": [
    {
      "Sid": "Allow get requests originated",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::.example.s3.bucket/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "域名/*"
          ]
        }
      }
    }
  ]
}
```
As you can see, adding a Condition is all it takes to check the Referer; WAF is not needed at all. Tested with Postman and it works.
- Introduce a CDN
With a CDN in front, the CDN can add the header itself, so the client no longer has to send a Referer. The new question is: how does the CDN validate the Referer?
Most of what Baidu and Google turn up describes doing this with Lambda, but the technology has moved on:
CloudFront now offers CloudFront Functions as an option.
A CloudFront Function takes a single parameter, event; printing it shows this structure:
```json
{
  "version": "1.0",
  "context": {
    "distributionDomainName": "d123.cloudfront.net",
    "distributionId": "E123",
    "eventType": "viewer-request",
    "requestId": "4TyzHTaYWb1GX1qTfsHhEqV6HUDd_BzoBZnwfnvQc_1oF26ClkoUSEQ=="
  },
  "viewer": {
    "ip": "1.2.3.4"
  },
  "request": {
    "method": "GET",
    "uri": "/index.html",
    "querystring": {},
    "headers": {
      "referer": {
        "value": "xxxxx"
      }
    },
    "cookies": {}
  }
}
```
So to validate the Referer we only need a small rewrite of the sample function, then publish it:
```javascript
// Response returned whenever the Referer check fails.
var response403 = {
  statusCode: 403,
  statusDescription: "forbidden",
};

function handler(event) {
  // NOTE: This example function is for a viewer request event trigger.
  // Choose viewer request for event trigger when you associate this function with a distribution.
  var request = event.request;
  // CloudFront lowercases header names, so the key is "referer".
  var referer = request.headers.referer;
  if (referer == undefined || referer == null) {
    return response403;
  }
  // referer.value is the full header value as sent, so it must match exactly
  // what the CDN (or client) puts in the header.
  if (referer.value != "期望的域名") {
    return response403;
  }
  return request;
}
```
Then edit the behavior in CloudFront and associate the function with the viewer request event, and it takes effect.
More complex validation can of course be added the same way;
see the AWS tutorial
example-function-validate-token
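As an added example (not code from the original post or from AWS), here is a viewer-request function that accepts a Referer from any of several domains and their subdomains, which addresses the "every project has a different domain" problem noted above; the hostnames in ALLOWED_HOSTS are constructed placeholders.

```javascript
// Added example: CloudFront Function (viewer-request) that allows a request only
// when the host part of the Referer equals, or is a subdomain of, an allowed domain.
// The allowlist entries are constructed placeholders, not from the original post.
var ALLOWED_HOSTS = ["example.com", "static.example-cdn.net"];

var response403 = {
  statusCode: 403,
  statusDescription: "Forbidden"
};

// Extract the host from a Referer value
// ("https://www.example.com/a/b?x=1" -> "www.example.com").
// Returns null when the value is not an absolute http(s) URL.
// A plain regex is used because the CloudFront Functions runtime has no URL class.
function refererHost(value) {
  var m = /^https?:\/\/([^\/?#:]+)/i.exec(value || "");
  return m ? m[1].toLowerCase() : null;
}

// True when host equals an allowed domain or ends with "." + that domain,
// so "evilexample.com" does not match "example.com".
function hostAllowed(host, allowed) {
  if (!host) return false;
  for (var i = 0; i < allowed.length; i++) {
    var d = allowed[i].toLowerCase();
    if (host === d || host.slice(-(d.length + 1)) === "." + d) return true;
  }
  return false;
}

function handler(event) {
  var request = event.request;
  // Header names are lowercased by CloudFront; a missing header means no Referer.
  var referer = request.headers.referer;
  if (!referer || !referer.value) return response403;
  // Referer is supplied by the requester, so this blocks casual hotlinking only;
  // it is not a substitute for signed URLs or an origin access control.
  if (!hostAllowed(refererHost(referer.value), ALLOWED_HOSTS)) return response403;
  return request;
}
```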