How do I get S3 object URLs to work with CloudFront?


I'm currently storing files privately on S3. In my Rails app, in the attachment.rb model, I can get a public URL for a private file like this:

def cdn_url ( style='original' )
  attachment.s3_object(style).url_for( :read, secure: true, response_content_type: self.meta['file_content_type'], expires: 1.hour ).to_s
end

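The problem is that this gives me an S3 URL; when I then rewrite the URL to use my CloudFront origin URL, I get this error:

The request signature we calculated does not match the signature you provided. Check your key and signing method.

How can I get a public URL for an asset like the following, but serve that asset through CloudFront?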

Answer

First approach (simple)

Just use the aws_cf_signer gem. Add it to your bundle.

With it you can do something like


def cdn_url(options = {})
  style = options[:style] || 'original'
  cloudfront_domain = options[:cloudfront_domain] || 'example.cloudfront.net'
  cloudfront_pem_key_path = options[:cloudfront_pem_key_path]
  # option key matches the one passed by the caller
  cloudfront_key_paid_id = options[:cloudfront_key_paid_id]
  path = attachment.path(style)  # path of the file
  # you can get these values from your AWS account, most probably by going into
  # https://console.aws.amazon.com/iam/home?#security_credential
  signer = AwsCfSigner.new(cloudfront_pem_key_path, cloudfront_key_paid_id)
  # this configuration may vary.
  # visit https://github.com/dylanvaughn/aws_cf_signer
  # and check all available settings/options
  url = signer.sign(path, :ending => Time.now + 3600)
  cloudfront_domain + url
end

With this, you can get the URL like this

  cdn_url(cloudfront_pem_key_path: '/users/downloads/pri.pem' , cloudfront_key_paid_id: '33243424XXX')

Second approach

# A simple function to return a signed, expiring url for Amazon Cloudfront.
# This will require openssl, digest/sha1, base64 and maybe other libraries.
require 'openssl'
require 'base64'

module CloudFront
  # Defined on the module itself so it can be called as CloudFront.get_signed_expiring_url
  def self.get_signed_expiring_url(domain, path, expires_in, private_key_filename, key_pair_id)

    # AWS works on UTC, so make sure you are not using local time
    expires = (Time.now.getutc + expires_in).to_i.to_s

    private_key = OpenSSL::PKey::RSA.new(File.read(private_key_filename))

    # path should be your S3 path without a leading slash and without a file extension.
    # e.g. files/private/52
    policy = %Q[{"Statement":[{"Resource":"#{path}","Condition":{"DateLessThan":{"AWS:EpochTime":#{expires}}}}]}]
    signature = Base64.strict_encode64(private_key.sign(OpenSSL::Digest::SHA1.new, policy))

    # I'm not sure exactly why this is required, but it's in Amazon's perl script and seems necessary
    # Different base64 implementations maybe?
    signature.tr!("+=/", "-_~")

    "#{domain}#{path}?Expires=#{expires}&Signature=#{signature}&Key-Pair-Id=#{key_pair_id}"
  end
end
 

With it, you can do something like

def cdn_url ( style='original',cloudfront_pem_key_path,key_pair_id)
  path = attachment.path(style)  #path of the file
  # you can get this values from your aws a/c , most probably by going int 
  CloudFront.get_signed_expiring_url('example.cloudfront.net', path, 45.seconds, '/users/downloads/pri.pem', 'as12XXXXX')
end
 

Give it a try, it might work. Make sure the bucket access policy is set correctly. accessDenied error: http://www.jppinto.com/2011/12/access-denied-to-file-amazon-s3-bucket
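
An added example, not code from the original post or from either answer: a local check that a URL signed with the canned-policy scheme of the second approach verifies against the matching public key, which also shows what the `tr` substitution is for and why a URL carrying S3 query-string parameters fails this check. The function names, the sample URLs and the key-pair ID placeholder are assumptions, the RSA key is generated on the spot, and the resource URL is assumed to have no query parameters of its own.

```ruby
require 'openssl'
require 'base64'
require 'uri'

# Canned policy string, rebuilt from the resource URL and the Expires value.
def canned_policy(resource_url, epoch)
  %({"Statement":[{"Resource":"#{resource_url}","Condition":{"DateLessThan":{"AWS:EpochTime":#{epoch}}}}]})
end

# Signer in the same scheme as the second approach (RSA-SHA1 over the canned policy).
def cf_sign(resource_url, epoch, private_key, key_pair_id)
  sig = Base64.strict_encode64(private_key.sign(OpenSSL::Digest::SHA1.new, canned_policy(resource_url, epoch)))
  # '+', '=' and '/' are not safe inside a query string, so they are swapped out.
  "#{resource_url}?Expires=#{epoch}&Signature=#{sig.tr('+=/', '-_~')}&Key-Pair-Id=#{key_pair_id}"
end

# Returns :ok, :expired, :bad_signature or :malformed for a signed URL.
# Assumption: the resource URL carries no query parameters of its own.
def cf_verify(signed_url, public_key, now = Time.now.utc)
  resource_url, query = signed_url.split('?', 2)
  params = URI.decode_www_form(query.to_s).to_h
  expires, sig = params.values_at('Expires', 'Signature')
  return :malformed unless expires.to_s.match?(/\A\d+\z/) && sig && params['Key-Pair-Id']

  raw = Base64.strict_decode64(sig.tr('-_~', '+=/')) # undo the URL-safe swap
  policy = canned_policy(resource_url, expires.to_i)
  return :bad_signature unless public_key.verify(OpenSSL::Digest::SHA1.new, raw, policy)
  return :expired if now.to_i >= expires.to_i

  :ok
rescue ArgumentError # invalid base64 or query string
  :malformed
rescue OpenSSL::PKey::PKeyError # signature bytes OpenSSL refuses to process
  :bad_signature
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # throwaway key, constructed for this demo
  url = cf_sign('https://example.cloudfront.net/files/private/52.pdf',
                Time.now.utc.to_i + 3600, key, 'KEYPAIRID-PLACEHOLDER')
  puts cf_verify(url, key.public_key)
  puts cf_verify(url.sub('52.pdf', '53.pdf'), key.public_key)
  puts cf_verify('https://example.cloudfront.net/52.pdf?AWSAccessKeyId=AKIDEXAMPLE&Expires=1&Signature=x', key.public_key)
end
```
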

Another answer

Use the aws-sdk gem.

API documentation

Details on generating pre-signed URLs for operations on objects

Provide the access-key-id and secret-access-key:

S3 = AWS::S3.new(
 :access_key_id => 'access_key_id',
 :secret_access_key => 'secret_access_key')

Add the following lines in the controller:

bucket = S3.buckets['bucket_name']
s3_obj = bucket.objects["Path-to-file"]
return s3_obj.url_for(:read, :expires => 60*60).to_s

This link will expire after 1 hour. After that, the link will no longer be accessible.
