为Amazon CloudFront创建签名Cookie

时间:2015-04-01 05:22:41

标签: python amazon-web-services amazon-cloudfront amazon-signed-cookie

除了签名网址,亚马逊最近还引入了Cloudfront signed cookie

类似的问题一直是signed url。显然有signed url in the cloudfront SDK

的支持

但是我在aws python SDK中找不到这个功能的支持。

我如何创建签名cookie?

1 个答案:

答案 0 :(得分:8)

我创建了一个boto功能请求来添加它,但在此期间我使用了我的django python应用程序。这是我从我自己那里得到的简单代码。在底部是一个示例django视图方法,以便您可以看到我如何为包含Cloudfront内容的网页设置cookie。

import time
from boto.cloudfront import CloudFrontConnection
from boto.cloudfront.distribution import Distribution
from config import settings
import logging
from django.template.context import RequestContext
from django.shortcuts import render_to_response
logger = logging.getLogger('boto')
logger.setLevel(logging.CRITICAL) #disable DEBUG logging that's enabled in AWS by default (outside of django)

AWS_ACCESS_KEY="AKABCDE1235ABCDEF22A"#SAMPLE
AWS_SECRET_KEY="a1wd2sD1A/GS8qggkXK1u8kHlh+BiLp0C3nBJ2wW" #SAMPLE
key_pair_id="APKABCDEF123ABCDEFAG" #SAMPLE
DOWNLOAD_DIST_ID = "E1ABCDEF3ABCDE" #SAMPLE replace with the ID of your Cloudfront dist from Cloudfront console

############################################
def generate_signed_cookies(resource,expire_minutes=5):
    """
    @resource   path to s3 object inside bucket(or a wildcard path,e.g. '/blah/*' or  '*')
    @expire_minutes     how many minutes before we expire these access credentials (within cookie)
    return tuple of domain used in resource URL & dict of name=>value cookies
    """
    if not resource:
        resource = 'images/*'
    dist_id = DOWNLOAD_DIST_ID
    conn = CloudFrontConnection(AWS_ACCESS_KEY, AWS_SECRET_KEY)
    dist = SignedCookiedCloudfrontDistribution(conn,dist_id)
    return dist.create_signed_cookies(resource,expire_minutes=expire_minutes)

############################################
class SignedCookiedCloudfrontDistribution():

    def __init__(self,connection,download_dist_id,cname=True):
        """
        @download_dist_id   id of your Cloudfront download distribution
        @cname          boolean True to use first domain cname, False to use 
                        cloudfront domain name, defaults to cname
                        which presumably matches your writeable cookies ( .mydomain.com)
        """
        self.download_dist = None
        self.domain = None
        try:
            download_dist = connection.get_distribution_info(download_dist_id)
            if cname and download_dist.config.cnames:
                self.domain = download_dist.config.cnames[0] #use first cname if defined
            else:
                self.domain = download_dist.domain_name
            self.download_dist = download_dist
        except Exception, ex:
            logging.error(ex)

    def get_http_resource_url(self,resource=None,secure=False):
        """
        @resource   optional path and/or filename to the resource 
                   (e.g. /mydir/somefile.txt);
                    defaults to wildcard if unset '*'
        @secure     whether to use https or http protocol for Cloudfront URL - update  
                    to match your distribution settings 
        return constructed URL
        """
        if not resource:
            resource = '*'
        protocol = "http" if not secure else "https"
        http_resource = '%s://%s/%s' % (protocol,self.domain,resource)
        return http_resource

    def create_signed_cookies(self,resource,expire_minutes=3):
        """
        generate the Cloudfront download distirbution signed cookies
        @resource   path to the file, path, or wildcard pattern to generate policy for
        @expire_minutes  number of minutes until expiration
        return      tuple with domain used within policy (so it matches 
                    cookie domain), and dict of cloudfront cookies you
                    should set in request header
        """
        http_resource = self.get_http_resource_url(resource,secure=False)    #per-file access #NOTE secure should match security settings of cloudfront distribution
    #    http_resource = self.get_http_resource_url("somedir/*")  #blanket access to all /somedir files inside my bucket
    #    http_resource = self.get_http_resource_url("*")          #blanket access to all files inside my bucket

        #generate no-whitespace json policy, then base64 encode & make url safe
        policy = Distribution._canned_policy(http_resource,SignedCookiedCloudfrontDistribution.get_expires(expire_minutes))
        encoded_policy = Distribution._url_base64_encode(policy)

        #assemble the 3 Cloudfront cookies
        signature = SignedCookiedCloudfrontDistribution.generate_signature(policy,private_key_file=settings.AMAZON_PRIV_KEY_FILE)
        cookies = {
            "CloudFront-Policy" :encoded_policy,
            "CloudFront-Signature" :signature,
            "CloudFront-Key-Pair-Id" :key_pair_id #e.g, APKA..... -> same value you use when you sign URLs with boto distribution.create_signed_url() function
        }
        return self.domain,cookies

    @staticmethod
    def get_expires(minutes):
        unixTime = time.time() + (minutes * 60)
        expires = int(unixTime)  #if not converted to int causes Malformed Policy error and has 2 decimals in value
        return expires

    @staticmethod
    def generate_signature(policy,private_key_file=None):
        """
        @policy     no-whitespace json str (NOT encoded yet)
        @private_key_file   your .pem file with which to sign the policy
        return encoded signature for use in cookie
        """
        #sign the policy - code borrowed from Distribution._create_signing_params()
        signature = Distribution._sign_string(policy, private_key_file)
        #now base64 encode the signature & make URL safe
        encoded_signature = Distribution._url_base64_encode(signature)
        return encoded_signature

############################################
def sample_django_view_method(request,template="mytemplate.html"):
    expireLen = 30 #30 minutes
    s3resource = "somepath_in_my_bucket/afile.mp4"
    context = {} #variables I'm passing to my html template
    response = render_to_response(template, context, context_instance=RequestContext(request))
    domain,cookies = generate_signed_cookies(s3resource,expire_minutes=expireLen)
    #TROUBLESHOOTING COOKIES:
    #NOTE - Cookie Domain must be a domain you control that spans your app & your Cloudfront CNAME
    #NOTE - (e.g. if my webapp is www.mydomain.com and my AWS Download Distribution has cname cloud.mydomain.com, cant set cookies from webapp to 
            # www.mydomain.com or localhost.mydomain.com or cloud.mydomain.com and have them work 
        # -> instead set cookies to .mydomain.com to work across sub-domains, you can then verify in request headers to CloudFront that these cookies get passed.
        # TIP - if you set_cookies from a page with a .mydomain.com suffix, but don't see them get set in Chrome they didn't get set because of permissions - can't set to a diff subdomain or diff base domain
        # TIP - if you set_cookies and see them in Chrome but don't see them in request headers to Cloudfront, cookie domain is likely too narrow, need to widen to span subdomains
    base_domain = '.mydomain.com'
    # NOTE: Sanity check when testing so you can flag any gotchas - I have not fully tested using non-cname urls inside policy vs all possible domains for cookie itself   
    if not domain.endswith(base_domain):
        logger.warn("This likely won't work - your resource permissions use a different domain than your cookies")
    for name,value in cookies.items():
        response.set_cookie(name,value=value,httponly=True,domain=base_domain)
    return response

############################################

if __name__ == '__main__':
    domain,cookies = generate_signed_cookies('images/*',expire_minutes=30)

关于我的设置的注意事项:

  • 我必须对我已经设置的下载发行版进行一次更改。为签名的URL工作:我必须添加一个带有与我的网站匹配的基本域的cname。
  • 我使用了Chrome网络开发者工具:

    • 网络:查看在云端呼叫中发送的请求标头,并参阅403 vs 200 / status / response size
    • 控制台:在我完成所有工作之前看到403错误
    • 资源> Cookie - 验证[localhost或您的主机] .mydomain.com Cookie是否显示已填充的3个Cloudfront Cookie,它们是否设置为Domain = .mydomain.com,并且这些值与请求标头中的值匹配到Cloudfront(如果缺少,可能的域名配置错误)

我的AWS配置

  • S3需要Cloudfront origin
  • Cloudfront下载分发:
    • 分发设置:
      • cname已定义:cloud.mydomain.com(NEW FOR ME!)
      • 默认Cloudfront证书
    • Origins选项卡:定义了1个映射到我的S3存储桶的原点
    • “行为”标签 - 默认:
      • 所有这些都与我已使用签名网址
      • 的设置保持不变
      • HTTP和HTTPS
      • GET,HEAD
      • 转发标题:无
      • 使用原始缓存标头
      • 最小TTL:0
      • 转发Cookie:无
      • 转发QueryStrings:否
      • 平滑流媒体:否
      • 限制查看者访问权限:是(自签名网址以来没有更改)
      • 值得信赖的签名者:自我

一旦您拥有上面的cookie生成代码,最棘手的部分:

  • 确保Cookie域正确
  • 确保您的政策中的路径/资源与您的应用发出的请求相匹配