php AWS S3预签名请求缓存

nkkqxpd9  于 2023-10-15  发布在  PHP
关注(0)|答案(6)|浏览(116)

我想将用户个人资料图片存储在S3存储桶中,但要保持这些图片的私密性。为了做到这一点,我创建了一个预签名的网址,每当图像是必需的。然而,这每次都会创建一个唯一的URL,这意味着浏览器永远不会缓存图像,我最终会在GET请求中付出更多。
下面是我的代码生成的URL的例子,我使用Laravel:

  1. $s3 = \Storage::disk('s3');
  2. $client = $s3->getDriver()->getAdapter()->getClient();
  3. $expiry = new \DateTime('2017-07-25');
  5. $command = $client->getCommand('GetObject', [
  6.     'Bucket' => \Config::get('filesystems.disks.s3.bucket'),
  7.     'Key'    => $key
  8. ]);
  10. $request = $client->createPresignedRequest($command, $expiry);
  12. return (string) $request->getUri();

我认为通过指定日期时间而不是时间单位,它会创建相同的URL,但实际上它会将剩余的秒数添加到URL,这里有一个例子:
xxxx.s3.eu-west-2.amazonaws.com/profile-pics/92323.png?X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AXXXXXXXXXXX%2Feu-west-2%2Fs3%2Faws4_request&X-Amz-Date=20170720T112123Z&X-Amz-SignedHeaders=host&X-Amz-Expires=391117&X-Amz-Signature=XXXXXXXXX

是否可以生成可重复的预签名请求URL,以便用户浏览器可以缓存图像?

php

6条答案

按热度按时间
hmtdttj4

hmtdttj41#

这是我在看完这篇文章后想到的一个python解决方案。它使用freezegun库来操纵时间,使签名在给定的时间段内保持不变。

  1. import time
  2. import datetime
  4. import boto3
  5. from freezegun import freezetime
  7. S3_CLIENT = boto3.client("s3")
  9. SEVEN_DAYS_IN_SECONDS = 604800
  10. MAX_EXPIRES_SECONDS = SEVEN_DAYS_IN_SECONDS
  13. def get_presigned_get_url(bucket: str, key: str, expires_in_seconds: int = MAX_EXPIRES_SECONDS) -> str:
  14.         current_timestamp = int(time.time())
  15.         truncated_timestamp = current_timestamp - (current_timestamp % expires_in_seconds)
  16.         with freeze_time(datetime.datetime.fromtimestamp(truncated_timestamp)):
  17.             presigned_url = S3_CLIENT.generate_presigned_url(
  18.                 ClientMethod="get_object",
  19.                 Params={
  20.                     "Bucket": bucket,
  21.                     "Key": key,
  22.                     "ResponseCacheControl": f"private, max-age={expires_in_seconds}, immutable",
  23.                 },
  24.                 ExpiresIn=expires_in_seconds,
  25.                 HttpMethod="GET",
  26.             )
  27.         return presigned_url
展开查看全部
赞(0)分享  回复(0)举报  2023-10-15
hc8w905p

hc8w905p2#

也许是一个迟来的回复,但我会添加我的方法,以利于人们阅读这在未来。
为了强制浏览器缓存生效,每次都生成相同的URL是很重要的,直到你特别希望浏览器从服务器重新加载内容。不幸的是,sdk中提供的预签名者依赖于当前的时间戳,每次都会导致一个新的url。
这个例子是用Java编写的,但是它可以很容易地扩展到其他语言。
GetObjectRequest构建器(用于创建预签名的URL)允许覆盖配置。我们可以提供一个自定义签名器来修改它的行为

  1. AwsRequestOverrideConfiguration.builder()
  2.     .signer(new CustomAwsS3V4Signer())
  3.     .credentialsProvider(<You may need to provide a custom credential provider 
  4. here>)))
  5. .build())
  7. GetObjectRequest getObjectRequest =
  8.     GetObjectRequest.builder()
  9.             .bucket(getUserBucket())
  10.             .key(key)
  11.             .responseCacheControl("max-age="+(TimeUnit.DAYS.toSeconds(7)+ defaultIfNull(version,0L)))
  12.             .overrideConfiguration(overrideConfig)
  13.             .build();
  15. public class CustomAwsS3V4Signer implements Presigner, Signer
  16. {
  17.     private final AwsS3V4Signer awsSigner;
  19.     public CustomAwsS3V4Signer()
  20.     {
  21.         awsSigner = AwsS3V4Signer.create();
  22.     }
  24. @Override
  25. public SdkHttpFullRequest presign(SdkHttpFullRequest request, ExecutionAttributes executionAttributes)
  26. {
  27.     Instant baselineInstant = Instant.now().truncatedTo(ChronoUnit.DAYS);
  29.     executionAttributes.putAttribute(AwsSignerExecutionAttribute.PRESIGNER_EXPIRATION,
  30.             baselineInstant.plus(3, ChronoUnit.DAYS));

在这里,我们覆盖签名时钟来模拟一个固定的时间,这最终会导致url中的过期和签名一致,直到未来的某个日期:

  1. Aws4PresignerParams.Builder builder = Aws4PresignerParams.builder()
  2.             .signingClockOverride(Clock.fixed(baselineInstant, ZoneId.of("UTC")));
  4.     Aws4PresignerParams signingParams =
  5.             extractPresignerParams(builder, executionAttributes).build();
  7.     return awsSigner.presign(request, signingParams);
  8.     }
  9. }

更多详情请点击此处:
https://murf.ai/resources/creating-cache-friendly-presigned-s3-urls-using-v4signer-q1bbqgk

展开查看全部
赞(0)分享  回复(0)举报  2023-10-15
vcirk6k6

vcirk6k63#

与其使用预签名的URL机制,不如向应用程序添加一个经过身份验证的端点,并在该端点内检索图像?在你的img标签中使用这个URL。这个端点可以缓存图像,并为浏览器提供适当的响应头来缓存图像。

赞(0)分享  回复(0)举报  2023-10-15
t5fffqht

t5fffqht4#

类似于@Aragorn的概念,但这是更完整的代码。这又是Java。此外,由于我的应用程序是多区域的,我不得不把在区域属性。

  1. import lombok.SneakyThrows;
  2. import lombok.extern.slf4j.Slf4j;
  3. import org.springframework.beans.factory.annotation.Autowired;
  4. import org.springframework.beans.factory.annotation.Value;
  5. import org.springframework.stereotype.Component;
  6. import software.amazon.awssdk.core.client.config.ClientOverrideConfiguration;
  7. import software.amazon.awssdk.core.signer.Signer;
  8. import software.amazon.awssdk.services.s3.S3AsyncClient;
  9. import software.amazon.awssdk.services.s3.S3Client;
  10. import software.amazon.awssdk.services.s3.model.GetObjectRequest;
  11. import software.amazon.awssdk.services.s3.model.PutObjectRequest;
  12. import software.amazon.awssdk.services.s3.presigner.S3Presigner;
  13. import software.amazon.awssdk.services.s3.presigner.model.GetObjectPresignRequest;
  15. import javax.annotation.PostConstruct;
  16. import javax.validation.constraints.NotNull;
  17. import java.net.URI;
  18. import java.net.URISyntaxException;
  19. import java.nio.file.Path;
  20. import java.time.Duration;
  21. import java.util.UUID;
  22. import java.util.concurrent.CompletableFuture;
  24. @Component
  25. @Slf4j
  26. public class S3Operations {
  28.     @Autowired
  29.     private Signer awsSigner;
  31.     private final Map<Region, S3Presigner> presignerMap = new ConcurrentHashMap<>();
  33.     private S3Presigner buildPresignerForRegion(
  34.       AwsCredentialsProvider credentialsProvider,
  35.       Region region) {
  37.         return S3Presigner.builder()
  38.             .credentialsProvider(credentialsProvider)
  39.             .region(region)
  40.             .build();
  42.     }
  44.     /**
  45.      * Convert an S3 URI to a normal HTTPS URI that expires.
  46.      *
  47.      * @param s3Uri S3 URI (e.g. s3://bucketname/ArchieTest/フェニックス.jpg)
  48.      * @return https URI
  49.      */
  50.     @SneakyThrows
  51.     public URI getExpiringUri(final URI s3Uri) {
  53.         final GetObjectRequest getObjectRequest =
  54.             GetObjectRequest.builder()
  55.                 .bucket(s3Uri.getHost())
  56.                 .key(s3Uri.getPath().substring(1))
  57.                 .overrideConfiguration(builder -> builder.signer(awsSigner))
  58.                 .build();
  60.         final Region bucketRegion = bucketRegionMap.computeIfAbsent(s3Uri.getHost(),
  61.             bucketName -> {
  62.                 final GetBucketLocationRequest getBucketLocationRequest = GetBucketLocationRequest.builder()
  63.                     .bucket(bucketName)
  64.                     .build();
  66.                 return Region.of(s3Client.getBucketLocation(getBucketLocationRequest).locationConstraint().toString());
  67.             });
  69.         final GetObjectPresignRequest getObjectPresignRequest = GetObjectPresignRequest.builder()
  70.             .signatureDuration(Duration.ofSeconds(0)) // required, but ignored
  71.             .getObjectRequest(getObjectRequest)
  72.             .build();
  74.         return presignerMap.computeIfAbsent(bucketRegion, this::buildPresignerForRegion).presignGetObject(getObjectPresignRequest).url().toURI();
  76.     }

对于上面注入的CustomAwsSigner。关键的区别是我抛出了一个不支持的操作异常。

  1. import org.jetbrains.annotations.TestOnly;
  2. import org.springframework.beans.factory.annotation.Value;
  3. import org.springframework.stereotype.Component;
  4. import software.amazon.awssdk.auth.signer.AwsS3V4Signer;
  5. import software.amazon.awssdk.auth.signer.AwsSignerExecutionAttribute;
  6. import software.amazon.awssdk.auth.signer.params.Aws4PresignerParams;
  7. import software.amazon.awssdk.core.interceptor.ExecutionAttributes;
  8. import software.amazon.awssdk.core.signer.Presigner;
  9. import software.amazon.awssdk.core.signer.Signer;
  10. import software.amazon.awssdk.http.SdkHttpFullRequest;
  12. import java.time.Clock;
  13. import java.time.Instant;
  14. import java.time.ZoneId;
  15. import java.time.ZonedDateTime;
  16. import java.time.temporal.ChronoField;
  17. import java.time.temporal.ChronoUnit;
  19. /**
  20.  * This is a custom signer where the expiration is preset to a 5 minute block within an hour.
  21.  * This must only be used for presigning.
  22.  */
  23. @Component
  24. public class CustomAwsSigner implements Signer, Presigner {
  25.     private final AwsS3V4Signer theSigner = AwsS3V4Signer.create();
  27.     /**
  28.      * This is the clip time for the expiration.  This should be divisible into 60.
  29.      */
  30.     @Value("${aws.s3.clipTimeInMinutes:5}")
  31.     private long clipTimeInMinutes;
  33.     @Value("${aws.s3.expirationInSeconds:3600}")
  34.     private long expirationInSeconds;
  36.     /**
  37.      * Computes the base time as the processing time to the floor of nearest clip block.
  38.      *
  39.      * @param processingDateTime processing date time
  40.      * @return base time
  41.      */
  42.     @TestOnly
  43.     public ZonedDateTime computeBaseTime(final ZonedDateTime processingDateTime) {
  45.         return processingDateTime
  46.             .truncatedTo(ChronoUnit.MINUTES)
  47.             .with(temporal -> temporal.with(ChronoField.MINUTE_OF_HOUR, temporal.get(ChronoField.MINUTE_OF_HOUR) / clipTimeInMinutes * clipTimeInMinutes));
  49.     }
  51.     @Override
  52.     public SdkHttpFullRequest presign(final SdkHttpFullRequest request, final ExecutionAttributes executionAttributes) {
  54.         final Instant baselineInstant = computeBaseTime(ZonedDateTime.now()).toInstant();
  56.         final Aws4PresignerParams signingParams = Aws4PresignerParams.builder()
  57.             .awsCredentials(executionAttributes.getAttribute(AwsSignerExecutionAttribute.AWS_CREDENTIALS))
  58.             .signingName(executionAttributes.getAttribute(AwsSignerExecutionAttribute.SERVICE_SIGNING_NAME))
  59.             .signingRegion(executionAttributes.getAttribute(AwsSignerExecutionAttribute.SIGNING_REGION))
  60.             .signingClockOverride(Clock.fixed(baselineInstant, ZoneId.of("UTC")))
  61.             .expirationTime(baselineInstant.plus(expirationInSeconds, ChronoUnit.SECONDS))
  62.             .build();
  63.         return theSigner.presign(request, signingParams);
  65.     }
  67.     @Override
  68.     public SdkHttpFullRequest sign(final SdkHttpFullRequest request, final ExecutionAttributes executionAttributes) {
  70.         throw new UnsupportedOperationException("this class is only used for presigning");
  72.     }
  73. }
展开查看全部
赞(0)分享  回复(0)举报  2023-10-15
bvjveswy

bvjveswy5#

如果有人在使用golang预签名具有缓存可能性的URL时遇到困难,您可以创建一个自定义的签名处理程序,并将命名的处理程序与您自己的交换,以更改签名时间并使时间桶的URL相同:

  1. import (
  2.     "time"
  4.     "github.com/aws/aws-sdk-go/aws/request"
  5.     v4 "github.com/aws/aws-sdk-go/aws/signer/v4"
  6. )
  8. // Will create same url if in the same 15 minutes time bucket
  9. const presignPeriod = 15 * time.Minute
  11. // TimeInterface implements an interface that
  12. // has the a time variable (Now) and a function
  13. // to retrieve the time variable
  14. type TimeInterface struct {
  15.     Now time.Time
  16. }
  18. func (t *TimeInterface) NowFunc() time.Time {
  19.     return t.Now
  20. }
  22. // getSignTime function returns the signing time
  23. // (initial time) for the time bucket
  24. func getSignTime() time.Time {
  25.     now := time.Now().UTC()
  26.     signTime := now.Round(presignPeriod)
  27.     if signTime.After(now) {
  28.         signTime.Add(-presignPeriod)
  29.     }
  31.     return signTime
  32. }
  34. // CustomSignSDKRequest Implements a custom aws signing
  35. // handler that sets signing time on buckets of 
  36. // <presignPeriod> minutes.
  37. // It is used so browsers can cache the result of the
  38. // url for get requests, instead of downloading the resource everytime.
  39. func CustomSignSDKRequest(req *request.Request) {
  40.     t := TimeInterface{
  41.         Now: getSignTime(),
  42.     }
  43.     v4.SignSDKRequestWithCurrentTime(req, t.NowFunc)
  44. }
展开查看全部
赞(0)分享  回复(0)举报  2023-10-15
nnsrf1az

nnsrf1az6#

将解决方案从弗朗西斯科的解决方案扩展到golang v2,沿着这条线的东西可能会起作用:

  1. import (
  2.     "context"
  3.     "log"
  4.     "net/http"
  5.     "time"
  7.     "github.com/aws/aws-sdk-go-v2/aws"
  8.     v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
  9.     "github.com/aws/aws-sdk-go-v2/service/s3"
  10. )
  12. // Lifted from https://stackoverflow.com/a/70249671
  14. // Will create same url if in the same 15 minutes time bucket
  15. const presignPeriod = 15 * time.Minute
  17. // getSignTime function returns the signing time
  18. // (initial time) for the time bucket
  19. func getSignTime() time.Time {
  20.     now := time.Now().UTC()
  21.     signTime := now.Round(presignPeriod)
  22.     if signTime.After(now) {
  23.         signTime = signTime.Add(-presignPeriod)
  24.     }
  25.     return signTime
  26. }
  28. // HTTPPresignerV4 is a wrapper around the v4.Signer that implements the
  29. // PresignHTTP method.
  30. type HTTPPresignerV4 struct {
  31.     signer v4.Signer
  32. }
  34. func (client *HTTPPresignerV4) PresignHTTP(ctx context.Context, credentials aws.Credentials, r *http.Request,
  35.     payloadHash string, service string, region string, signingTime time.Time,
  36.     optFns ...func(*v4.SignerOptions),
  37. ) (url string, signedHeader http.Header, err error) {
  38.     // Get the signing time
  39.     signTime := getSignTime()
  41.     // Sign the request
  42.     signedUrl, signedHeaders, err := client.signer.PresignHTTP(context.Background(), credentials, r, payloadHash, service, region, signTime)
  44.     if err != nil {
  45.         log.Printf("Failed to sign URL: %v", err)
  46.         return "", nil, err
  47.     }
  49.     // Return the URL
  50.     return signedUrl, signedHeaders, nil
  51. }
  53. type S3PresignClient struct {
  54.     PresignClient *s3.PresignClient
  55.     Bucket        string
  56. }
  58. func (client *S3PresignClient) GetPresignedUrl(key string) (string, error) {
  59.     // Create the request
  60.     signedRequest, err := client.PresignClient.PresignGetObject(context.TODO(), &s3.GetObjectInput{
  61.         Bucket: aws.String(client.Bucket),
  62.         Key:    aws.String(key),
  63.     })
  65.     if err != nil {
  66.         log.Printf("Failed to create presigned URL request: %v", err)
  67.         return "", err
  68.     }
  70.     if err != nil {
  71.         log.Printf("Failed to sign URL: %v", err)
  72.         return "", err
  73.     }
  75.     // Return the URL
  76.     return signedRequest.URL, nil
  77. }
  79. // Create a new PresignClient
  80. func NewPresignClient(config aws.Config, bucket string) *S3PresignClient {
  81.     // Here we create a presigning client that has the signingTime set to the
  82.     // beginning of the time bucket. This is so that we can reuse the same
  83.     // presigned URL for the same time bucket. This is useful to being able to
  84.     // generate the same url for the same time bucket and allow some caching of
  85.     // the presigned URL.
  87.     s3Client := s3.NewFromConfig(config)
  88.     presignClient := s3.NewPresignClient(s3Client, func(o *s3.PresignOptions) {
  89.         o.Presigner = &HTTPPresignerV4{
  90.             signer: *v4.NewSigner(),
  91.         }
  92.     })
  94.     return &S3PresignClient{
  95.         PresignClient: presignClient,
  96.         Bucket:        bucket,
  97.     }
  98. }
展开查看全部
赞(0)分享  回复(0)举报  2023-10-15
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com