Amazon S3 CORS works with HTTP but not HTTPS


Posted: 2015-09-06 06:53:23

Question:

I can get Amazon S3 to send CORS headers over http, but not over https. How do I get it to work with both? And what if we use Akamai as a CDN?

Here is my bucket configuration:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
   <CORSRule>
        <AllowedOrigin>https://*</AllowedOrigin>
        <AllowedOrigin>http://*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule> 
</CORSConfiguration>

Here are my tests. The only difference between them is that one uses http and the other uses https. Both resources load fine in the browser, but I want to use them in a CORS setup that may be https.

pnore@mbp> curl -i -H "Origin: http://example.com"   -H "Access-Control-Request-Method: GET" -H 'Pragma: no-cache' --verbose http://my.custom.domain/path/to/file/in/bucket | head -n 15
* Adding handle: conn: 0x7fee83803a00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fee83803a00) send_pipe: 1, recv_pipe: 0
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to my.custom.domain port 80 (#0)
*   Trying 23.23.23.23...
* Connected to my.custom.domain (23.23.23.23) port 80 (#0)
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0> GET /path/to/file/in/bucket HTTP/1.1
> User-Agent: curl/7.30.0
> Host: my.custom.domain
> Accept: */*
> Origin: http://example.com
> Access-Control-Request-Method: GET
> Pragma: no-cache
>
< HTTP/1.1 200 OK
< x-amz-id-2: random
< x-amz-request-id: random
< Access-Control-Allow-Origin: http://example.com
< Access-Control-Allow-Methods: GET
< Access-Control-Max-Age: 3000
< Access-Control-Allow-Credentials: true
< Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method
< Last-Modified: Tue, 10 Jun 2014 15:34:38 GMT
< ETag: "random"
< Accept-Ranges: bytes
< Content-Type: video/webm
< Content-Length: 8981905
* Server AmazonS3 is not blacklisted
< Server: AmazonS3
< Date: Fri, 19 Jun 2015 21:31:22 GMT
< Connection: keep-alive
<
 [data not shown]
HTTP/1.1 200 OK
x-amz-id-2: random
x-amz-request-id: random
Access-Control-Allow-Origin: http://example.com
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 3000
Access-Control-Allow-Credentials: true
Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method
Last-Modified: Tue, 10 Jun 2014 15:34:38 GMT
ETag: "random"
Accept-Ranges: bytes
Content-Type: video/webm
Content-Length: 8981905
Server: AmazonS3
Date: Fri, 19 Jun 2015 21:31:22 GMT
...

pnore@mbp> curl -i -H "Origin: http://example.com"   -H "Access-Control-Request-Method: GET" -H 'Pragma: no-cache' --verbose https://my.custom.comain/path/to/file/in/bucket | head -n 15
* Adding handle: conn: 0x7fd24380c000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fd24380c000) send_pipe: 1, recv_pipe: 0
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to my.custom.domain port 443 (#0)
*   Trying 23.23.23.23...
* Connected to my.custom.domain (23.23.23.23) port 443 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate: my.custom.domain
* Server certificate: GeoTrust SSL CA - G4
* Server certificate: GeoTrust Global CA
> GET /path/to/file/in/bucket HTTP/1.1
> User-Agent: curl/7.30.0
> Host: my.custom.domain
> Accept: */*
> Origin: http://example.com
> Access-Control-Request-Method: GET
> Pragma: no-cache
>
< HTTP/1.1 200 OK
< x-amz-id-2: 
< x-amz-request-id: 
< Last-Modified: Tue, 10 Jun 2014 15:34:38 GMT
< ETag: "random"
< Accept-Ranges: bytes
< Content-Type: video/webm
< Content-Length: 8981905
* Server AmazonS3 is not blacklisted
< Server: AmazonS3
< Date: Fri, 19 Jun 2015 21:31:29 GMT
< Connection: keep-alive
<
 [data not shown]
HTTP/1.1 200 OK
x-amz-id-2: 
x-amz-request-id: 
Last-Modified: Tue, 10 Jun 2014 15:34:38 GMT
ETag: "random"
Accept-Ranges: bytes
Content-Type: video/webm
Content-Length: 8981905
Server: AmazonS3
Date: Fri, 19 Jun 2015 21:31:29 GMT
Connection: keep-alive

...

Note that the first response includes the required Access-Control-Allow-Origin header, whereas the second does not.

I have also tried <AllowedOrigin>*</AllowedOrigin>, and using a separate <CORSRule> block for each <AllowedOrigin>.

References I checked:

    Getting S3 CORS Access-Control-Allow-Origin to dynamically echo requesting domain
    Amazon S3 CORS (Cross-Origin Resource Sharing) and Firefox cross-domain font loading
    Aws S3 Bucket CORS configuration is not saving properly
    http://blog.errorception.com/2014/11/enabling-cors-on-amazon-cloudfront-with.html
    Correct S3 + Cloudfront CORS Configuration?
    https://forums.aws.amazon.com/thread.jspa?messageID=377513
    How to Configure SSL for Amazon S3 bucket
    HTTPS for Amazon S3 static website
    SSL on Amazon S3 as "static website"

Comments:

Answer 1:

I couldn't find documentation that states it explicitly, but it seems the bucket's CORS configuration only allows one <AllowedOrigin> per <CORSRule> entry. Up to 100 <CORSRule> entries are allowed in a configuration. So, to have your configuration support both http and https, you should create two <CORSRule> entries, like this:

<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>https://*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule> 
  <CORSRule>
    <AllowedOrigin>http://*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule> 
</CORSConfiguration>

FWIW, I haven't tried it, but the configuration might also support a protocol-relative form, e.g. just <AllowedOrigin>//*</AllowedOrigin>

Discussion:
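An added example, written for this page and not taken from the question or the answer, that mechanises the two checks the thread turns on. First, it runs the comparison the two curl transcripts make (does the response carry Access-Control-Allow-Origin for the requesting origin?) over response heads constructed from those transcripts, and also flags an origin-specific CORS response that lacks Vary: Origin, since a shared cache or CDN such as the Akamai the question mentions could otherwise serve one origin's grant to another. Second, it builds a CORSConfiguration in the one-origin-per-rule layout the answer recommends and counts AllowedOrigin elements per rule, so a configuration can be linted before it is uploaded. The hostnames, the `probe()` helper and its live request are assumptions; the sample response heads are constructed from the transcripts above, not captured afresh.

```python
"""Added example: check S3 CORS responses and build a one-origin-per-rule
CORS configuration. Not code from the original question or answer."""
import xml.etree.ElementTree as ET
from urllib.request import Request, urlopen

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"

# Constructed from the two transcripts in the question: the HTTP response
# carried the CORS headers, the HTTPS response did not.
HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "x-amz-id-2: random\r\n"
    "x-amz-request-id: random\r\n"
    "Access-Control-Allow-Origin: http://example.com\r\n"
    "Access-Control-Allow-Methods: GET\r\n"
    "Access-Control-Max-Age: 3000\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method\r\n"
    "Content-Type: video/webm\r\n"
    "Server: AmazonS3\r\n"
    "\r\n"
)
HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "x-amz-id-2: \r\n"
    "x-amz-request-id: \r\n"
    "Content-Type: video/webm\r\n"
    "Server: AmazonS3\r\n"
    "\r\n"
)

# The asker's original configuration (two AllowedOrigin in one CORSRule).
QUESTION_CONFIG = """<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>https://*</AllowedOrigin>
    <AllowedOrigin>http://*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule>
</CORSConfiguration>"""


def parse_headers(raw):
    """Parse the head of a raw HTTP/1.1 response into a lower-cased dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def check_cors(raw, origin):
    """Return (ok, reason): does this response grant cross-origin access
    to `origin`? ok requires Access-Control-Allow-Origin equal to the
    origin or '*', and Vary: Origin when the grant is origin-specific."""
    h = parse_headers(raw)
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False, "no Access-Control-Allow-Origin header"
    if acao not in ("*", origin):
        return False, "Access-Control-Allow-Origin is %r, not %r" % (acao, origin)
    vary = [v.strip().lower() for v in h.get("vary", "").split(",")]
    if acao != "*" and "origin" not in vary:
        return False, "origin-specific CORS response lacks 'Vary: Origin'"
    return True, "ok"


def probe(url, origin="http://example.com"):
    """Live version of the curl test in the question (needs network):
    GET with an Origin header, then check_cors on the response head."""
    req = Request(url, headers={"Origin": origin,
                                "Access-Control-Request-Method": "GET"})
    with urlopen(req) as resp:
        raw = "HTTP/1.1 %d OK\r\n" % resp.status
        raw += "".join("%s: %s\r\n" % kv for kv in resp.getheaders()) + "\r\n"
    return check_cors(raw, origin)


def build_cors_config(origins, methods=("GET",), max_age=3000, allowed_headers=("*",)):
    """Build a CORSConfiguration with one <CORSRule> per origin, the layout
    the answer recommends. Returns the XML as a string."""
    ET.register_namespace("", S3_NS)
    root = ET.Element("{%s}CORSConfiguration" % S3_NS)
    for origin in origins:
        rule = ET.SubElement(root, "{%s}CORSRule" % S3_NS)
        ET.SubElement(rule, "{%s}AllowedOrigin" % S3_NS).text = origin
        for m in methods:
            ET.SubElement(rule, "{%s}AllowedMethod" % S3_NS).text = m
        ET.SubElement(rule, "{%s}MaxAgeSeconds" % S3_NS).text = str(max_age)
        for hdr in allowed_headers:
            ET.SubElement(rule, "{%s}AllowedHeader" % S3_NS).text = hdr
    return ET.tostring(root, encoding="unicode")


def origins_per_rule(xml_text):
    """Lint helper: the list of <AllowedOrigin> values in each <CORSRule>."""
    root = ET.fromstring(xml_text)
    return [[o.text for o in rule.findall("{%s}AllowedOrigin" % S3_NS)]
            for rule in root.findall("{%s}CORSRule" % S3_NS)]


if __name__ == "__main__":
    print("http :", check_cors(HTTP_RESPONSE, "http://example.com"))
    print("https:", check_cors(HTTPS_RESPONSE, "http://example.com"))
    print("question config origins per rule:", origins_per_rule(QUESTION_CONFIG))
    print(build_cors_config(["https://*", "http://*"]))
```

Run as a script it reproduces the thread's finding offline (the https head fails with "no Access-Control-Allow-Origin header") and prints the two-rule configuration; `probe("https://my.custom.domain/path/to/file/in/bucket")` repeats the asker's curl test against a live endpoint, hostname assumed. The Vary: Origin check is a caching hygiene point rather than something the thread discusses: once a CDN sits in front of the bucket, an echoed Access-Control-Allow-Origin without Vary: Origin can be cached and replayed to a different origin.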
