How do I prevent hotlinking on Amazon S3 without using signed URLs?
Is there any way I can prevent hotlinking on Amazon S3 without using signed URLs?

Nonconformity answered 4/6, 2009 at 6:12 Comment(0)
By setting up the right S3 bucket policy, you can add a referrer policy to prevent hotlinking.

http://s3browser.com/working-with-amazon-s3-bucket-policies.php

Capparidaceous answered 20/9, 2011 at 21:12 Comment(1)
Please post an answer here, rather than linking to an answer. – Ashkhabad
You need a bucket policy that both allows referrers from your domain(s) and denies referrers who are not from your domains. I've found that images can be hotlinked if you don't include the explicit denial - many guides and examples just give the allow policy and don't mention the deny part.

Here's my policy, just change BUCKET-NAME and YOUR-WEBSITE to your own details:

{
  "Version": "2008-10-17",
  "Id": "",
  "Statement": [
    {
      "Sid": "Allow in my domains",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::BUCKET-NAME/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "http://www.YOUR-WEBSITE.com/*"
          ]
        }
      }
    },
    {
      "Sid": "Deny access if referer is not my sites",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::BUCKET-NAME/*",
      "Condition": {
        "StringNotLike": {
          "aws:Referer": [
            "http://www.YOUR-WEBSITE.com/*"
          ]
        }
      }
    }
  ]
}
Ashkhabad answered 10/2, 2013 at 12:54 Comment(3)
Thanks for this. This really helped me and worked well. My only suggestion is that perhaps you also just add an entry for "YOUR-WEBSITE.com*" to the answer just to cover all bases, as that's where my hiccups were. Cheers for the perfect script though. – Isaak
This works great, but how do I allow empty referrers? When linking to images via CSS the referrer is empty and images are not displaying. – Deciare
Perfect! You saved me. – Bewray
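As an added illustration (not code from this answer or from AWS), here is a small Python model of how S3 evaluates the two statements above against the request's Referer header. It shows why the Allow alone still leaks when the objects are otherwise publicly readable, and why the Deny also blocks requests that carry no Referer at all (the CSS problem raised in the comments). The condition semantics follow AWS's documented IAM rules; the surrounding authorization logic is simplified, and the policy and referer values are constructed.

```python
import fnmatch

# Constructed model of the two statements in the bucket policy above: only the
# Effect and the aws:Referer condition matter for this walk-through.
POLICY = [
    {"Effect": "Allow", "StringLike": ["http://www.YOUR-WEBSITE.com/*"]},
    {"Effect": "Deny", "StringNotLike": ["http://www.YOUR-WEBSITE.com/*"]},
]
# What many guides give: the Allow statement on its own, with no explicit Deny.
ALLOW_ONLY = POLICY[:1]


def _referer_matches(patterns, referer):
    # IAM StringLike is case-sensitive and supports the * and ? wildcards,
    # which fnmatchcase reproduces for patterns without [] character classes.
    return any(fnmatch.fnmatchcase(referer, p) for p in patterns)


def statement_applies(stmt, referer):
    """Does this statement's condition hold for a request carrying `referer`?

    `referer` is None when no Referer header was sent: CSS background images,
    direct navigation, and CLI/SDK clients (so this Deny also hits the bucket
    owner's own GetObject calls)."""
    if "StringLike" in stmt:
        # Positive operator: a key missing from the request context never matches.
        return referer is not None and _referer_matches(stmt["StringLike"], referer)
    if "StringNotLike" in stmt:
        # Negated operator: a missing key evaluates to TRUE, so the Deny fires
        # on empty referers as well as on foreign ones.
        return referer is None or not _referer_matches(stmt["StringNotLike"], referer)
    return True  # unconditional statement


def get_object_allowed(policy, referer, public_read_acl=False):
    """Simplified S3 authorization: an explicit Deny always wins; otherwise the
    request needs an Allow from the policy or from some other grant, modelled
    here as a public-read object ACL.

    Referer is set by the client, so all of this is a speed bump against casual
    hotlinking, not access control."""
    effects = {s["Effect"] for s in policy if statement_applies(s, referer)}
    if "Deny" in effects:
        return False
    return "Allow" in effects or public_read_acl
```

Note that the patterns match only `http://www.` referers, so a page served over HTTPS or from the bare domain is denied too, which is the gap Isaak's comment describes.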
It's in their official docs

Change examplebucket to your bucket name, and example.com to your domain.

{
"Version":"2012-10-17",
"Id":"http referer policy example",
"Statement":[
  {
    "Sid":"Allow get requests originating from www.example.com and example.com.",
    "Effect":"Allow",
    "Principal":"*",
    "Action":"s3:GetObject",
    "Resource":"arn:aws:s3:::examplebucket/*",
    "Condition":{
      "StringLike":{"aws:Referer":["http://www.example.com/*","http://example.com/*"]}
    }
  }
]
}
Demibastion answered 16/9, 2016 at 2:55 Comment(0)
I use Apache RewriteMap to remap relative links for selected file extensions -- *.jpg, *.gif, *.swf, *.fla -- to Cloudfront. Basically it makes the URLs of your images present as relative links to your site. It doesn't prevent discovery of the S3/Cloudfront URL totally, it just adds a layer of difficulty for the would-be thief.

Might be worth a try: apply the hotlink restrictions via htaccess with the above method in place. I haven't tried it myself.

Folketing answered 8/8, 2009 at 7:39 Comment(4)
Huh? Doesn't that mean that every image request has to go to your server before it can go to the CloudFront server? If so, doesn't that defeat the point of using a CDN? (It wouldn't for really big files like video, but for images?) – Portray
The request will hit your web server and the browser is told where it should go to fetch the file, but the browser's history is never updated with the actual URL to the CDN. This is essentially the same trick behind "routes" in most front end controller frameworks, but in this case the request is never forwarded to the application server, only Apache. – Loferski
@Claude, if instead of a browser, download managers or something like curl/wget are used, won't the redirect be transparent, and thus be a way to enable hotlinking? – Degrading
@icarus74 Sorry for the late reply. Sure, any tool capable of browsing and understanding HTTP codes should be able to follow the redirect to the CDN, in effect negating the effect of the rule suggested by maddie. The best course of action is to protect your CDN from unwanted requests by setting bucket policies as suggested by Robert Mao's link above. – Loferski
There's a good tutorial here. Make sure to check out the comments, since there's a whitespace character in the website's code that causes the solution not to work.

Almedaalmeeta answered 20/6, 2011 at 0:10 Comment(0)
Hotlinking is one of the reasons Amazon created Cloudfront. Cloudfront is much, much faster too. I did a writeup on it you can look at here.

http://blog.sat.iit.edu/2011/12/amazon-aws-s3-vs-cloudwatch-performance-grudgematch/

edit: S3 and Cloudfront both use the same type of bucket policy to make sure the request comes from the correct url. Cloudfront is still faster though.

Option answered 29/12, 2011 at 16:50 Comment(1)
Cloudfront doesn't prevent hotlinking or respect S3 policies. – Ashkhabad
Not really. You could run an EC2 instance and proxy through that.

Necroscopy answered 4/6, 2009 at 6:17 Comment(1)
uhhhhh. no. that defeats the purpose of a CDN. – Attribution

© 2022 - 2024 — McMap. All rights reserved.