Can I use signed and unsigned urls on the same Cloudfront distribution?

The title more or less says it all. Judging from the fact that the "restrict viewer access" section of the Cloudfront management console (picture below) uses radio buttons, it appears that it's an either/or situation.

QUESTION: Are there other ways to parse one's S3 bucket such that it can have both public (i.e., viewable by anyone) and private (i.e., signed urls) content in it?

tim peterson asked Sep 19 '13 23:09


1 Answer

I can answer my own question. Yes, you can have signed and unsigned urls on the same Cloudfront distribution. In the example below, my distribution is called blahblah.cloudfront.com. The key is to specify two "origin servers": one for the signed urls and another for the unsigned urls.

->AWS Management Console->Cloudfront->Distribution settings of selected Distribution

->Origins: create both origins (e.g., pointing to 2 different S3 buckets)

->Behaviors: create "path patterns" for each origin such that Cloudfront can distinguish which origin the Cloudfront url points to. E.g., in my S3 bucket named "tim-UNsigned-bucket" I set the path pattern to `uploads/*`. For my signed url bucket, I gave it the more general path pattern of `*` and prioritized it 2nd. As you can see below, this means that my unsigned url includes the path, `uploads/`, whereas my signed does not.

Resulting Cloudfront url structure:

  • Signed urls: https:// or http://blahblah.cloudfront.com/file1.jpg?Policy=asf...

  • UNsigned urls: https:// or http://blahblah.cloudfront.com/uploads/file2.jpg

Note: Making any of these changes can take Cloudfront several minutes (5-15 minutes) to update. Therefore, do your best to make all the changes in my directions with the fewest mistakes possible, otherwise it will take you forever.

tim peterson answered Oct 06 '22 00:10
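The behavior ordering described in the answer can be checked offline before waiting on a distribution update. The following is an added example, not part of the original answer: it models CloudFront's first-match path-pattern evaluation for the two behaviors above and flags paths intended to be private that would fall under the unsigned `uploads/*` behavior. The origin name `signed-bucket` and the sample paths are constructed for illustration.

```python
import re

# Constructed model of the answer's two behaviors, in precedence order.
# "signed-bucket" is a hypothetical name; the answer does not name that bucket.
BEHAVIORS = [
    {"pattern": "uploads/*", "origin": "tim-UNsigned-bucket", "signed": False},
    {"pattern": "*", "origin": "signed-bucket", "signed": True},  # default, last
]


def pattern_to_regex(pattern):
    """CloudFront path patterns: '*' = zero or more chars, '?' = exactly one.
    Matching is case-sensitive and the leading '/' is optional."""
    parts = []
    for ch in pattern.lstrip("/"):
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile(r"\A" + "".join(parts) + r"\Z", re.DOTALL)


def match_behavior(url_path, behaviors=BEHAVIORS):
    """Return the first behavior whose pattern matches (first match wins)."""
    path = url_path.split("?", 1)[0].lstrip("/")  # query string is not matched
    for behavior in behaviors:
        if pattern_to_regex(behavior["pattern"]).match(path):
            return behavior
    raise ValueError("no behavior matched; a distribution always has a default '*'")


def requires_signature(url_path, behaviors=BEHAVIORS):
    return match_behavior(url_path, behaviors)["signed"]


def exposed(private_paths, behaviors=BEHAVIORS):
    """Paths meant to be private that would be served without a signature."""
    return [p for p in private_paths if not requires_signature(p, behaviors)]


if __name__ == "__main__":
    for p in ("/file1.jpg?Policy=asf", "/uploads/file2.jpg", "/Uploads/file2.jpg"):
        b = match_behavior(p)
        print(f"{p:28} -> {b['origin']:20} signed={b['signed']}")
    print("exposed:", exposed(["reports/q3.pdf", "uploads/reports/q3.pdf"]))
```

Because matching is case-sensitive, `/Uploads/file2.jpg` falls through to the default `*` behavior and requires a signature, while anything requested under `uploads/` is served unsigned regardless of what it contains.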