Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Amazon Cloudfront private distribution - links to images inside CSS

I created a private distribution in Cloudfront to prevent hotlinking. I managed to create links to my objects with signed URL which is working fine now.

My only concerns, is that images link inside my css stylesheets are not working because they are not signed. So if I have, for instance:

background-image: url('../img/bg.png');

The background image is not going to show up since the stylesheet does not include a signed url, and therefore, Cloudfront refuses to serve the content.

Is there anything I can do to prevent this ?

like image 789
Pierre-Olivier Avatar asked Aug 23 '12 15:08

Pierre-Olivier


People also ask

How do I generate private URL with CloudFront?

Create a CloudFront Key Pair Once you're logged in using root credentials, follow these steps: Go to the AWS account security credentials page. Expand “CloudFront key pairs” and click the “Create New Key Pair” button. From the opened dialog, download and save the generated private key file and public key file.

Can I use CloudFront for dynamic content?

If you are serving dynamic content such as web applications or APIs directly from an Amazon Elastic Load Balancer (ELB) or Amazon EC2 instances to end users on the internet, you can improve the performance, availability, and security of your content by using Amazon CloudFront as your content delivery network.

How do you use Amazon CloudFront to distribute your content?

Open the CloudFront console at https://console.aws.amazon.com/cloudfront/v3/home . Choose Create Distribution, and then choose Get Started. Under Origin Settings, for Origin Domain Name, choose the Amazon S3 bucket that you created earlier. For the other settings under Origin Settings, accept the default values.

How do I access private S3 bucket from CloudFront?

Go to the CloudFront Console and create a new Distribution. The first part are the Origin Settings. As „Origin Domain Name“ you must select your S3 Bucket, the „Origin ID“ is set automatically. To use a bucket that is complete private the „Restrict Bucket Access“ must be yes.


2 Answers

Let me step back and ask a fundamental question: Are you really worried about people hotlinking your images? Really? And if someone does, what is the realistic impact it will have on you? Really?

If you have a legitimate reason for preventing people from hot linking, then I'm not really sure that any CDN service (in this case, CloudFront) is the right solution for you.

Hey, I'm just being honest…

like image 139
Ryan Parman Avatar answered Oct 04 '22 03:10

Ryan Parman


There are a few way, each with drawbacks.

Instead of a static CSS file, you generate it off a template (or some other smart way to map resources to CloudFront locations). You can use some degree of caching here by using Last-Modified and max-age Cache headers. The hardest solution but arguably the best protection.

Set up a redirection path for all your CSS resources, basically a small script that rewrites the path to CF (take care to only rewrite CSS resources and nothing else). This allows you to keep your current static CSS but opens up a potential hot linking of your redirection script.

Something in between could be a cron script that generates static CSS files with links that expire in 1.5d) to reduce server load.

like image 37
Ja͢ck Avatar answered Oct 04 '22 04:10

Ja͢ck