I created a private distribution in Cloudfront to prevent hotlinking. I managed to create links to my objects with signed URL which is working fine now.
My only concerns, is that images link inside my css stylesheets are not working because they are not signed. So if I have, for instance:
background-image: url('../img/bg.png');
The background image is not going to show up since the stylesheet does not include a signed url, and therefore, Cloudfront refuses to serve the content.
Is there anything I can do to prevent this ?
Create a CloudFront Key Pair Once you're logged in using root credentials, follow these steps: Go to the AWS account security credentials page. Expand “CloudFront key pairs” and click the “Create New Key Pair” button. From the opened dialog, download and save the generated private key file and public key file.
If you are serving dynamic content such as web applications or APIs directly from an Amazon Elastic Load Balancer (ELB) or Amazon EC2 instances to end users on the internet, you can improve the performance, availability, and security of your content by using Amazon CloudFront as your content delivery network.
Open the CloudFront console at https://console.aws.amazon.com/cloudfront/v3/home . Choose Create Distribution, and then choose Get Started. Under Origin Settings, for Origin Domain Name, choose the Amazon S3 bucket that you created earlier. For the other settings under Origin Settings, accept the default values.
Go to the CloudFront Console and create a new Distribution. The first part are the Origin Settings. As „Origin Domain Name“ you must select your S3 Bucket, the „Origin ID“ is set automatically. To use a bucket that is complete private the „Restrict Bucket Access“ must be yes.
Let me step back and ask a fundamental question: Are you really worried about people hotlinking your images? Really? And if someone does, what is the realistic impact it will have on you? Really?
If you have a legitimate reason for preventing people from hot linking, then I'm not really sure that any CDN service (in this case, CloudFront) is the right solution for you.
Hey, I'm just being honest…
There are a few way, each with drawbacks.
Instead of a static CSS file, you generate it off a template (or some other smart way to map resources to CloudFront locations). You can use some degree of caching here by using Last-Modified and max-age Cache headers. The hardest solution but arguably the best protection.
Set up a redirection path for all your CSS resources, basically a small script that rewrites the path to CF (take care to only rewrite CSS resources and nothing else). This allows you to keep your current static CSS but opens up a potential hot linking of your redirection script.
Something in between could be a cron script that generates static CSS files with links that expire in 1.5d) to reduce server load.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With