I have setup a cloudfront system for a website.
To serve of the fly picture transformation, i added a custom origin, being the website.
So, in my distribution, i have 2 origins :
- s3 bucket
- mywebsite.com/images
Wen i call cdn.mywebsite.com/500/picture.jpg
It will call my website like : website.com/api.php/file/500/picture.jpg
I get the s3 object, create the thumb, save it on server then upload to s3.
Up to here, it all works.
Now, i would like that the next request to this file does not go to my origin custom website, but to the s3 stored file.
I cannot find a way to define order of importance (weight) for multiple origins.
It seams that once frontcloud has a "route", it keeps the same one.
Any ideas ?
You cannot do multiple origins for a Cloud Front Distributions from the AWS side you have to customize this using either
Amazon CloudFront REST API
Bucket Explorer
Check this guide has both steps http://www.bucketexplorer.com/documentation/amazon-s3--how-to-create-distributions-post-distribution-with-multiple-origin-servers.html
Related
I'm using the AWS S3 bucket in a very simple way.
There's a bucket, <somebucket1>
There's a folder, <somebucket1>/sitevideos
And video files in it, <somebucket1>/sitevideos/video.mp4
I use this bucket so playback using HTML5 video (<video></video>) is more optimised and doesn't lag compared to just calling the video from the same server of the website (which is ridiculous).
The video files are encrypted, but they are set to be read-only to Public.
Now, my worries are, because they are public, people can download them from the S3 bucket instead of playing them on the website.
The Question
Is there a way to play a video file in S3 bucket, on an HTML video from a remote website, but will refuse downloads of the file if they are accessed directly via the S3 path?
If there are tutorials for this, I'd appreciate it. If this is already on the S3 documentation, I apologise for the laziness, please show me the link. I also heard that you can set them the permission to private, but they can still play on a remote server (although I haven't made that work).
Cheers & many thanks
A Bucket Policy can be configured to Restrict Access to a Specific HTTP Referrer.
For example, if a web page includes an image on the page, then the HTTP request for that object will include a referer. (I presume this would work for a video, too.)
However, this is not very good security, since the HTTP request can be easily manipulated to include the referer (eg in a web scraper).
A more secure method would be to use a Pre-Signed URL. This is a specially-constructed URL that grants time-limited access to a private Amazon S3 object.
When rendering the web page, your app would determine whether the user is permitted to access the object. If so, it would construct the pre-signed URL using AWS credentials. The URL can then be included in the standard HTML tags (eg <img src='...'>). The user will be able to access the object until the expiry time. If they shared the URL with somebody else (eg in a Tweet), other people would also be able to access the object until the expiry time.
By the way, Amazon CloudFront can also serve video content using various video protocols. It also supports pre-signed URLs (and also signed cookies).
The client has a site running on PHP deployed over AWS infrastructure. I have access to AWS console of a client.
There are some images in his site that is loading from cloudfront (which I understand is mapped to an S3 bucket). I need to update these images, but I do not know which S3 bucket they are in, since client has a lot of S3 buckets configured. How do I figure this one from the console?
First, you will need to find the CloudFront distribution that is serving the content. Find the distribution with the same cloudfront.net URL that you're using to access the images.
Then, look at the behaviors and origins of the distribution to determine when it is going to each origin, and which origin is serving the path. This will then tell you which Amazon S3 bucket is being used.
also to add on John's answer; after you have changed the image in origin S3 bucket; you will have to invalidate the cache for those images in CloudFront .. otherwise even though origin has changed u will keep seeing old images
I need your help or get some Idea in doing the Integration of s3 through a third party vendor application. I have some issues that I am not able to resolve, since I am not an expert with the Amazon s3 stuff.
So I have an application that is called Medallia and I am trying to perform a feed pull to export or download a file which is uploaded into the s3 bucket. I was able to figure out how to upload the file to the s3 bucket, but I am stuck on downloading the files or (feed pulling) the file to the app
I have added the information below for you to review!
Amazon s3 (Vendor Application Settings)
pull method: Amazon s3
Feedpull: feedpull.va.dev.us-west-1.medallia
Amazon s3 access Key: AKIA****(Confidential)
End Point: s3-website-us-gov-west-1.amazonaws.com
I have added the URL from where i took the end point from. I am not sure if i have to use Web or Storage. (http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-endpoints.html) Please inform!
Why am I doing this?
- So that I can have the files that gets uploaded to Amazon s3 bucket be pulled on schedule every end of the week to update/maintain the third party application.
Additional Info Needed (If Possible)
I need to have the python installed and have a Command to COI and then drop files on to the s3 bucket. This will help me to test the s3 Bucket (on the web services) through Automatic feed pull.
ERRORS
Before no end-point
Error while pulling feedpull. The configuration is using the wrong endpoint for the specified bucket for s3. exception: nonfatal error.
After end-point
Error while pulling feedpull: s3 Pull (feedpull I)Unable to execute HTTP request. Connect timed out. One possible cause is a malformed endpoint. nonfatal error exception.
Thank you!
The web site hosting endpoints are for unsecured, publicly-accessible content, and don't support authentication... so that isn't likely what you are looking for.
Assuming you're working in US GovCloud, you want one of the REST endpoints:
s3-fips-us-gov-west-1.amazonaws.com
s3-us-gov-west-1.amazonaws.com
The first one is FIPS 140 Level 2 compliant, so I would suggest that this is the one you want, unless you have a reason not to.
I have a (php) website where teachers upload recordings of their class, and the students can log in and then play back the recording.
I want to make these videos more secure. Currently, the videos are stored on my server, and anyone with the url can download them. So, (1) I want to store them somewhere that can't be downloaded just using a url. And second, I need to stop them from right-clicking and saving the video as it is being played.
I'm trying to work this out with s3 but not getting it...
Is this possible? Does it need to use a special player? Does streaming the video help (can any video be streamed)?
I appreciate the help, I've spent many hours researching this and just getting more confused as I go along!
There are a couple of options you may wish to use.
1. Amazon CloudFront RTMP Distribution
Amazon CloudFront is a Content Distribution Network that caches content closer to users worldwide, in over 60 locations. It also has the ability to service Real-Time Media Playback (RTMP) protocols. This means that your web page could present a media player (eg JW Player, Flowplayer, or Adobe Flash) and CloudFront can serve the content.
See: Working with RTMP Distributions
CloudFront Distributions can also service private content. Your application can generate a URL that provides content for a limited period of time. The content is served via a media protocol, so the entire file cannot be easily downloaded.
See: Serving Private Content through CloudFront
2. Amazon S3 Pre-Signed URLs
By default, all objects in Amazon S3 are private. You can then add permissions so that people can access your objects. This can be done via:
Access Control List permissions on individual objects
A Bucket Policy (as per yours above)
IAM Users and Groups
A Pre-Signed URL
A Pre-Signed URL can be used to grant access to S3 objects as a way of "overriding" access controls. A normally private object can be accessed via a URL by appending an expiry time and signature. This is a great way to serve private content without requiring a web server.
Similar to the above example with CloudFront, your application can generate a URL that provides access to S3 content for a limited time period. Once the period expires, the Pre-Signed URL will no longer function. However, during the active period, people would be able to download the entire file, so this might not be advisable for video content you wish to protect.
I was wondering if it's possible to manipulate or change the names of files upon deploying the distribution.
Reason for during this, is that we don't have the actual files on our own servers but is provided by a partner. Is it somehow possible to run a php function upon deploy to change the name of the file on the cdn ?
So eg.
partner.example.com/image/123120913.jpg
to
1234.cloudfront.com/image/SHOE-NAME.jpg
One way is to import all images first to local storage and upon that download change filename - but seems very extensive.
As we can provide the image name easy if it's possible to run a php function upon deploying.
Amazon CloudFront is a caching service that retrieves content from a specified origin (eg web server, Amazon S3), stores it in a cache and then serves it to users.
Amazon CloudFront does not create aliases to filenames. It simply passes the request to the origin. If the origin is a web server, you could write a web app that returns any type of information given the request URL, but CloudFront cannot rename or map filenames.