I am hosting a website on an S3 bucket using the static website functionality.
In between the client and the website there is CloudFlare.
I have enabled a CFlare functionality that adds some custom headers to the requests reaching the S3.
Is there a way to check if these headers do reach my website?
Related
Reading this page https://docs.aws.amazon.com/AmazonS3/latest/userguide/cors.html it states that :
Your users load the website endpoint: http://website.s3-website.us-east-1.amazonaws.com
Now you want to use JavaScript on the webpages that are stored in this bucket to be able to make authenticated GET and PUT requests against the same bucket by using the Amazon S3 API endpoint for the bucket, website.s3.us-east-1.amazonaws.com. A browser would normally block JavaScript from allowing those requests
Why would a browser require CORS to be enabled for requests back to the same server that hosts the static content ? i.e. website.s3.us-east-1.amazonaws.com.
I can understand confusion, it could be rewritten better.
S3 REST API endpoints are of the format s3.us-east-1.amazonaws.com and website endpoints are website.s3.us-east-1.amazonaws.com
When we host website and do GET/PUT requests, they call s3 api with param as bucket name (website) and path. Hence, CORS is needed.
I am unable to make S3 images hosting to work over HTTPS. I read that "Amazon S3 website endpoints do not support HTTPS." - docs
I'm fine with hosting my images over HTTP, however, when I put the following tag in HTML:
<img src="http://MY-BUCKET-NAME.s3-website.eu-central-1.amazonaws.com/images/51612809-741c-40c7-8c29-7b332be709d7.jpg">
Chrome requests
https://MY-BUCKET-NAME.s3-website.eu-central-1.amazonaws.com/images/c1612a09-741c-40c6-8c29-7b332be709d7.jpg
(notice http became https), which results in ERR_CONECTION_TIMED_OUT.
How to make it work?
As we discussed in the comments, Chrome doesn't like mixed content anymore, i.e. it won't let you embed http content on a website that's served via https.
Now there are multiple options to make this work:
Downgrade the main website to http (don't do this, it's a terrible idea)
Make the bucket or at least the objects that you embed publicly readable in S3 and use the native https endpoint that S3 offers. It will look something like this:
https://<bucketname>.s3.<region>.amazonaws.com/<object-key>.jpg
This has essentially the same costs associated with it as your current solution. You might need to do some annoying CORS stuff though.
Set up a CloudFront distribution in front of your bucket and configure it to serve content from S3. You can use an Origin Access Identity to secure the communication between CloudFront and S3 and even customize TLS-configurations in CloudFront. This will give you caching closer to your users but comes with extra costs.
We have some videos in an S3 bucket. they've been transformed using AWS Elastic Transcoder to .m3u8 / .ts
We want the users to be able to stream these videos on both a web app and a mobile app.
Now, we want to secure this streaming, so our videos won't get pirated.
So, our proposed solution is as follows:
Prevent public access to the S3 bucket
create a cloudfront distribution with the bucket as the origin
Only enable access to this CDN using pre-signed URLs/cookies
For web app: use a pre-signed cookie (set by an endpoint at our backend that requires authentication), so that it works well with HLS (since the app needs to fetch a new segment every few seconds)
But now we don't know what to do with our mobile app. We can't use pre-signed cookies since there's no browser, and we can't use pre-signed URLs, since we'll need a signed URL for each segment we need to fetch. Any suggestions and solutions are welcome.
For our similar use-case:
We used CloudFront url and not S3 signed url. Because S3 signed URL is valid at object level and not folder level.
For paid videos, security and access was managed by Lambda#Edge on viewer requests.
Although we used OAuth and database inside that lambda, but surprisingly, we didn't face any bottlenecks on Lambda#Edge. For future plans we considered using Redis for seamless access validation inside Lambda#Edge.
I'm using CloudFront CDN to simply cache my static contents in "Origin Pull" mode. The CloudFront origin is my website.
However, I've encountered a CORS problem. My browser doesn't let my web pages load my fonts files and SVGs from CloudFront.
After googling this matter a bit, I noticed that all blogs/tutorials explain how to enable CORS on an S3 bucket used as the origin for CloudFront, and letting CloudFront forward the Access-Control-Allow-XXX headers from S3 to the client.
I don't need an S3 bucket and would like to keep it that way for the sake of simplicity, if possible.
Is it possible to enable CORS on CloudFront? Even a quick and dirty solution, such as setting the access control header on all responses would be good enough.
Following up the comment above, CORS is a request made FROM a domain different of the TO domain. The key part to avoid this, is in the server which returns your requests return the header allowing cross origin requests.
Your fonts, which should be your website's assets, should be kept in the same server as your website, therefore CORS should not be an issue.
I'm currently utilizing an S3 bucket's rest api to access images for my company's application. I've written lambda functions to help lighten the load on my application, but in order to utilize these functions I have to change the settings in my S3 bucket to act as a static website host. When I do this I can longer access the original rest api. I would like to utilize both the REST api and the static website url to make the transition from one to the other smooth, but I can't find any details about doing this. Is it even possible?
Rest API request example https://s3.amazonaws.com/bucketname.mycompany.com/spacebackground.jpg
Static Website Example
http://bucketname.mycompany.com.s3-website-us-west-1.amazonaws.com/spacebackground(1)Full.jpg
Once I change a bucket to static website host I get a "permanent redirect" http response.
Is it possible to utilize both?
You are missing the cloud service named CloudFront.
https://aws.amazon.com/cloudfront/
You can map both lambda and your static website to a single domain. For Example,
https://www.example.com/ --- will be a static site
https://www.example.com/api -- belongs to API.
Create a CloudFront Distribution, configure your origins and Map to your url pattern.
You can also specify which url need to be self signed or which one to keep public as well.
It will be a breeze.
Hope it helps.