AWS Cloudfront signed cookies on a Rails-backed application

I tried the whole day for this, but I couldn't...

A. I made a model for creating signed cookies. I got help from: spacevatican.org

require 'base64'
require 'json'
require 'openssl'

# Builds the three cookies CloudFront expects for a canned policy
# (expiry only): the expiry, the signature over the policy, and the key-pair id.
def cookie_data(resource, expiry)
  raw_policy = policy(resource, expiry)
  {
    'CloudFront-Expires' => expiry.utc.to_i,
    'CloudFront-Signature' => sign(raw_policy),
    'CloudFront-Key-Pair-Id' => ENV['CLOUDFRONT_KEY_PAIR_ID']
  }
end

private

# Canned-policy JSON with all whitespace stripped, as CloudFront requires.
def policy(url, expiry)
  {
    "Statement" => [
      {
        "Resource" => url,
        "Condition" => {
          "DateLessThan" => { "AWS:EpochTime" => expiry.utc.to_i }
        }
      }
    ]
  }.to_json.gsub(/\s+/, '')
end

# CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
def safe_base64(data)
  Base64.strict_encode64(data).tr('+=/', '-_~')
end

# RSA-SHA1 signature using the CloudFront key pair's private key (PEM in ENV).
def sign(data)
  digest = OpenSSL::Digest::SHA1.new
  key    = OpenSSL::PKey::RSA.new(ENV['CLOUDFRONT_PRIVATE_KEY'])
  result = key.sign(digest, data)
  safe_base64(result)
end

B. Call cookie_data with 'resource' and 'expiry'. I got help from randalv for the proper resource.

base_domain   = '.myapp.com' # sample name
cookie_domain = '.myapp.com'

# Note: URI.parse only returns a host when the string carries a scheme;
# for a bare domain like the sample above, .host is nil.
cookie_data("https://#{URI.parse(base_domain).host}/*", 1.hour.from_now).each do |name, value|
  cookies[name] = { value: value, domain: cookie_domain }
end

C. From A & B, three validations of Cloudfront are passed: 1. the three-cookies-exist validation, 2. the expiry-exists validation, 3. the decoding-available validation. I know these three validations because of the error messages on invalid requests. But after all, I am always faced with the same message - Access Denied.

There are some suspects.

  1. My CNAME of Cloudfront is 'img.myapp.com' (sample), but my testing domain is 'https://dev.myapp.com/#/home', and this is my local development server (I changed the localhost name).
    So I tried many combinations of (base_domain, cookie_domain): (img.myapp.com, .myapp.com), (.myapp.com, .myapp.com), (dev.myapp.com, .myapp.com).
    But all denied.

  2. My Cloudfront & S3 settings are the same as those on randalv. But I mind two things. 'Restrict Bucket Access' is 'NO' on the origin settings of Cloudfront. And I did not create a CORS configuration on S3.

1 solution

#1

3

I solved it myself. I had three defects, and now it works well after correcting them.

First, I changed expires to policy.

'CloudFront-Expires' => expiry.utc.to_i,

to

'CloudFront-Policy' => safe_base64(raw_policy),

Actually, I had used policy (custom) instead of expires (canned). During my trying, I had changed it. But I don't know why the expires version doesn't work.

Second, my base_domain is 'img.myapp.com' and cookie_domain is '.myapp.com'.

Third, do not put the bucket name in your final URL. A very trivial mistake, but important.
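The custom-policy variant the answer switched to, as an added self-contained example (not the asker's code): it builds the CloudFront-Policy, CloudFront-Signature and CloudFront-Key-Pair-Id cookies and then verifies them locally the way CloudFront does, so a wrong resource pattern, an expired policy or a tampered policy can be caught before deploying. It assumes a throwaway RSA key generated in place of ENV['CLOUDFRONT_PRIVATE_KEY'] and a placeholder key-pair id.

```ruby
require 'base64'
require 'json'
require 'openssl'

KEY_PAIR_ID = 'APKAPLACEHOLDERID' # placeholder, not a real CloudFront key-pair id

# CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~' (and back).
def cloudfront_safe_base64(data)
  Base64.strict_encode64(data).tr('+=/', '-_~')
end

def cloudfront_safe_decode64(data)
  Base64.strict_decode64(data.tr('-_~', '+=/'))
end

# Custom policy: JSON with every whitespace character removed before signing.
def custom_policy(resource, expiry)
  { 'Statement' => [{ 'Resource' => resource,
                      'Condition' => { 'DateLessThan' => { 'AWS:EpochTime' => expiry.to_i } } }] }
    .to_json.gsub(/\s+/, '')
end

# The three cookies for a custom policy; the signature is RSA-SHA1 over the policy bytes.
def signed_cookies(resource, expiry, private_key)
  policy = custom_policy(resource, expiry)
  {
    'CloudFront-Policy' => cloudfront_safe_base64(policy),
    'CloudFront-Signature' => cloudfront_safe_base64(private_key.sign(OpenSSL::Digest::SHA1.new, policy)),
    'CloudFront-Key-Pair-Id' => KEY_PAIR_ID
  }
end

# Local check mirroring CloudFront: signature over the decoded policy, then
# expiry, then the requested URL against the Resource pattern ('*' wildcard only).
def cookies_valid?(cookies, public_key, requested_url, now = Time.now)
  policy = cloudfront_safe_decode64(cookies['CloudFront-Policy'])
  sig = cloudfront_safe_decode64(cookies['CloudFront-Signature'])
  return false unless public_key.verify(OpenSSL::Digest::SHA1.new, sig, policy)
  stmt = JSON.parse(policy)['Statement'][0]
  return false if now.to_i >= stmt['Condition']['DateLessThan']['AWS:EpochTime']
  pattern = Regexp.new('\A' + Regexp.escape(stmt['Resource']).gsub('\*', '.*') + '\z')
  !(requested_url =~ pattern).nil?
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # throwaway key for the demo
  cookies = signed_cookies('https://img.myapp.com/*', Time.now + 3600, key)
  puts cookies_valid?(cookies, key.public_key, 'https://img.myapp.com/a.jpg') # true
  puts cookies_valid?(cookies, key.public_key, 'https://dev.myapp.com/a.jpg') # false
end
```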
