Amazon S3 CORS works with HTTP but not HTTPS
【Posted】: 2015-09-06 06:53:23
【Question】: I can get Amazon S3 to deliver CORS headers over http, but not over https. How do I get it to work with both? What if we use Akamai as a CDN?
Here is my bucket configuration:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>https://*</AllowedOrigin>
<AllowedOrigin>http://*</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>
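Here are my tests. The only difference between them is that one uses http and the other uses https. Both resources load fine in the browser, but I want to use them in a CORS setting that may be https.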
pnore@mbp> curl -i -H "Origin: http://example.com" -H "Access-Control-Request-Method: GET" -H 'Pragma: no-cache' --verbose http://my.custom.domain/path/to/file/in/bucket | head -n 15
* Adding handle: conn: 0x7fee83803a00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fee83803a00) send_pipe: 1, recv_pipe: 0
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to my.custom.domain port 80 (#0)
* Trying 23.23.23.23...
* Connected to my.custom.domain (23.23.23.23) port 80 (#0)
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0> GET /path/to/file/in/bucket HTTP/1.1
> User-Agent: curl/7.30.0
> Host: my.custom.domain
> Accept: */*
> Origin: http://example.com
> Access-Control-Request-Method: GET
> Pragma: no-cache
>
< HTTP/1.1 200 OK
< x-amz-id-2: random
< x-amz-request-id: random
< Access-Control-Allow-Origin: http://example.com
< Access-Control-Allow-Methods: GET
< Access-Control-Max-Age: 3000
< Access-Control-Allow-Credentials: true
< Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method
< Last-Modified: Tue, 10 Jun 2014 15:34:38 GMT
< ETag: "random"
< Accept-Ranges: bytes
< Content-Type: video/webm
< Content-Length: 8981905
* Server AmazonS3 is not blacklisted
< Server: AmazonS3
< Date: Fri, 19 Jun 2015 21:31:22 GMT
< Connection: keep-alive
<
[data not shown]
HTTP/1.1 200 OK
x-amz-id-2: random
x-amz-request-id: random
Access-Control-Allow-Origin: http://example.com
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 3000
Access-Control-Allow-Credentials: true
Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method
Last-Modified: Tue, 10 Jun 2014 15:34:38 GMT
ETag: "random"
Accept-Ranges: bytes
Content-Type: video/webm
Content-Length: 8981905
Server: AmazonS3
Date: Fri, 19 Jun 2015 21:31:22 GMT
...
pnore@mbp> curl -i -H "Origin: http://example.com" -H "Access-Control-Request-Method: GET" -H 'Pragma: no-cache' --verbose https://my.custom.comain/path/to/file/in/bucket | head -n 15
* Adding handle: conn: 0x7fd24380c000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fd24380c000) send_pipe: 1, recv_pipe: 0
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to my.custom.domain port 443 (#0)
* Trying 23.23.23.23...
* Connected to my.custom.domain (23.23.23.23) port 443 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate: my.custom.domain
* Server certificate: GeoTrust SSL CA - G4
* Server certificate: GeoTrust Global CA
> GET /path/to/file/in/bucket HTTP/1.1
> User-Agent: curl/7.30.0
> Host: my.custom.domain
> Accept: */*
> Origin: http://example.com
> Access-Control-Request-Method: GET
> Pragma: no-cache
>
< HTTP/1.1 200 OK
< x-amz-id-2:
< x-amz-request-id:
< Last-Modified: Tue, 10 Jun 2014 15:34:38 GMT
< ETag: "random"
< Accept-Ranges: bytes
< Content-Type: video/webm
< Content-Length: 8981905
* Server AmazonS3 is not blacklisted
< Server: AmazonS3
< Date: Fri, 19 Jun 2015 21:31:29 GMT
< Connection: keep-alive
<
[data not shown]
HTTP/1.1 200 OK
x-amz-id-2:
x-amz-request-id:
Last-Modified: Tue, 10 Jun 2014 15:34:38 GMT
ETag: "random"
Accept-Ranges: bytes
Content-Type: video/webm
Content-Length: 8981905
Server: AmazonS3
Date: Fri, 19 Jun 2015 21:31:29 GMT
Connection: keep-alive
...
Note that the first request contains the desired Access-Control-Allow-Origin header, while the second does not.
I have also tried <AllowedOrigin>*</AllowedOrigin> and using a separate <CORSRule> block for each <AllowedOrigin>.
References I have checked:
Getting S3 CORS Access-Control-Allow-Origin to dynamically echo requesting domain
Amazon S3 CORS (Cross-Origin Resource Sharing) and Firefox cross-domain font loading
Aws S3 Bucket CORS configuration is not saving properly
http://blog.errorception.com/2014/11/enabling-cors-on-amazon-cloudfront-with.html
Correct S3 + Cloudfront CORS Configuration?
https://forums.aws.amazon.com/thread.jspa?messageID=377513
How to Configure SSL for Amazon S3 bucket
HTTPS for Amazon S3 static website
SSL on Amazon S3 as "static website"
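【Answer 1】: I couldn't find documentation that explicitly mentions it, but it seems that a bucket's CORS configuration allows only one <AllowedOrigin> per <CORSRule> element entry. Up to 100 <CORSRule> entries are allowed in the configuration. So, for your configuration to support both http and https, you should create two <CORSRule> entries, as follows: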
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>https://*</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
<CORSRule>
<AllowedOrigin>http://*</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>
FWIW, I haven't tried it, but the configuration may also support a protocol-agnostic format, e.g. simply <AllowedOrigin>//*</AllowedOrigin>.
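As an added example (not part of the original answer, and not AWS code), the Python below evaluates the two-rule configuration from the answer against a request's Origin and method. It is a simplified model that assumes the documented matching behaviour: the Origin must match an AllowedOrigin pattern, the method must match an AllowedMethod, and the first matching rule wins. The names `load_rules`, `origin_matches` and `evaluate` are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# The two-rule configuration from the answer above.
CONFIG = """<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>https://*</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
<CORSRule>
<AllowedOrigin>http://*</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>"""

def load_rules(xml_text):
    """Return one dict per <CORSRule>, in document order."""
    return [{
        "origins": [e.text for e in rule.findall("s3:AllowedOrigin", NS)],
        "methods": [e.text for e in rule.findall("s3:AllowedMethod", NS)],
        "max_age": rule.findtext("s3:MaxAgeSeconds", namespaces=NS),
    } for rule in ET.fromstring(xml_text).findall("s3:CORSRule", NS)]

def origin_matches(pattern, origin):
    """Anchored match in which '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, origin) is not None

def evaluate(rules, origin, method):
    """Simplified model (an assumption): first matching rule supplies the headers."""
    for i, rule in enumerate(rules):
        pattern = next((p for p in rule["origins"] if origin_matches(p, origin)), None)
        if pattern is None or method not in rule["methods"]:
            continue
        headers = {
            "Access-Control-Allow-Origin": "*" if pattern == "*" else origin,
            "Access-Control-Allow-Methods": ", ".join(rule["methods"]),
        }
        if rule["max_age"]:
            headers["Access-Control-Max-Age"] = rule["max_age"]
        return i, headers
    return None, {}
```

Rule selection depends on the `Origin` request header, not on the scheme used to fetch the object: both curl tests in the question send `Origin: http://example.com`, so this model selects the same rule for the http and the https fetch.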