Question

我们当前的S3政策内容如下：

{
"Version": "2008-10-17",
"Id": "45103629-690a-4a93-97f8-1abe2f9bb68c",
"Statement": [
    {
        "Sid": "AddPerm",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::incredibad29/*"
    }
]
}

这只允许任何人从内部访问文件。

我们想添加一个hotlinking语句，因此用户只能在我们网站上提交时才能访问该文件。所以来自以incredibad29.com或www.incredibad.com开头的域名

我无法弄清楚如何做到这一点。任何帮助都会很棒，谢谢！

Answer 1

如果是图像和其他媒体类型，则存在使用内容类型标题的已知黑客攻击：

There’s a workaround that you may use to block hotlinking of selective images and files that you think are putting a major strain in your Amazon S3 budget. When you upload a file to your Amazon S3 account, the service assigns a certain Content-Type to every file based on its extension. For instance, a .jpg file will have the Content-Type set as image/jpg while a .html file will have the Content-Type as text/html. A hidden feature in Amazon S3 is that you can manually assign any Content-Type to any file, irrespective of the file’s extension, and this is what you can use to prevent hotlinking.

来自：http://www.labnol.org/internet/prevent-image-hotlinking-in-amazon-s3/13156/

我认为这几乎是基本技术。但是，如果您浏览“google s3 hotlinking deny的6350结果，您可能会找到其他方法：”

S3策略停止热链接？

1 个答案: