Menu
We want to serve a lot of video files from few available AWS regions. The target audience comes from multiple locations around the globe. The connection speed is not guaranteed. So a CDN (preferably CloudFront) is absolutely required.
The videos need to be protected, so they can only be played if the user is authenticated and authorized to see these videos. Obviously the logic of who can see what and when is a part of the application. Streaming the videos from the origin would be unacceptably slow. Making the videos public and cacheable is not an option either.
How do people solve this kind of problems?
850
A content delivery network (CDN) is a network of interconnected servers that speeds up webpage loading for data-heavy applications. CDN can stand for content delivery network or content distribution network.
By ensuring you secure access by keeping your login credentials safe, leveraging token authentication to protect access to your content, deploying hotlink protection to save on bandwidth costs, and configuring an SSL certificate, you can ensure your CDN, its contents, and your users are secure.
CDNs cache content like web pages, images, and video in proxy servers near to your physical location. This allows you to do things like watch a movie, download software, check your bank balance, post on social media, or make purchases, without having to wait for content to load. You could think of a CDN like an ATM.
Amazon CloudFront also offers Serving Private Content through CloudFront to address your use case:
Many companies that distribute content via the Internet want to restrict access to documents, business data, media streams, or content that is intended for selected users, for example, users who have paid a fee. To securely serve this private content using CloudFront, you can:
Require that your users use special CloudFront signed URLs to access your content, not the standard CloudFront public URLs.
Require that your users access your Amazon S3 content using CloudFront URLs, not Amazon S3 URLs.
It is up to the application to generate and distribute the required Signed URLs, however, given the logic of who can see what and when is a part of the application logic you seem to be well prepared for that part.
Please note that you'll need to ensure Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content so that users are unable to leak/guess S3 URLs and are required to go through CloudFront indeed.
If you want to use CloudFront signed URLs to provide access to objects in your Amazon S3 bucket, you probably also want to prevent users from accessing your Amazon S3 objects using Amazon S3 URLs. If users access your objects directly in Amazon S3, they bypass the controls provided by CloudFront signed URLs, including control over when a URL expires and control over which IP addresses can be used to access the objects. [...]
You restrict access to Amazon S3 content by creating an origin access identity, which is a special CloudFront user. You change Amazon S3 permissions to give the origin access identity permission to access your objects, and to remove permissions from everyone else. [...]
[emphasis mine]
182
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
