AWS S3 get images via Proxy - PHP
I have a bucket at S3 where I have uploaded the images. Now I am fetching the images using the AWS SDK. Now I want to bypass the image via Proxy

$client = new Aws\S3\S3Client([
            'version'     => 'latest',
            'region'      => 'us-east-1',
            'debug'       => TRUE, // enable debug info
            'stats'       => TRUE, // enable stats
            '@http'       => [
                'proxy' => 'http://192.168.16.1:10'
            ],
            'credentials' => [
                'key'    => base64_decode(KEY),
                'secret' => base64_decode(SECRET)
            ]
        ]);

Here are my bucket settings, and when I checked with Wireshark it is still showing the AWS IP address in the request.

Can anybody tell me how to bypass S3 images with proxy?

Perceptible answered 3/1, 2018 at 3:44 Comment(13)
"I don't want make CSS and images publicly accessible." Then how can a browser use them? Every site's CSS/images/JS have to be accessible by the user's browser for a website to work. - Talent
If they want to access directly via S3 URL, I don't want to allow them to access that image. How about private images? - Perceptible
I want to allow access to all S3 content via "dev.example.co" only. - Perceptible
A browser requests a CSS file just like an HTML file, they don't do it via a domain. HTTP is a stateless protocol, each request is unique and separate. - Talent
I agree with you, but I am trying to achieve this. So only users can get access via that website. - Perceptible
You can't, that's not how the web works. - Talent
"Private" content can be accessed directly from S3 two ways: either by 1) a server process with client secret credentials belonging to the bucket owner, or 2) directly by a browser which gets an access request cryptographically signed by your server with client key credentials. The latter is performed using JavaScript requests (typically asynchronous XMLHTTPRequest) first to your server for signature and then to S3 for content. - Revelry
Can't we access using bucket policy? - Perceptible
@HituBansal you can, but don't confuse this configuration for actually securing this content. All this does is make hotlinking more difficult. Anyone with only a minor level of skill can easily bypass this and download your objects... this just makes it hard for other sites to steal your bandwidth by linking to your content without your permission. The problem here seems to be that the requests don't conform to what you expect. Check the request headers, error console in the browser, and S3 access logs, and report on what you find. - Duello
Unclear what you are asking. Where in the chain of client-server-s3 do you suppose to insert the proxy? - Fu
@Fu right in the middle of it, "server". If you're controlling the server you can do anything on it, including set up a proxy script. Use your brain and think before you state it is unclear. You even went on to say where to insert a proxy after saying "client - server - s3": well, right there where you pointed out, the middle hardware under control of the OP. - Premonitory
@MartinBarker I don't state it, I doubt it. Your answer still doesn't highlight the sense. - Fu
@Fu Well go away, as you clearly have no understanding of how the S3 class in the AWS API works, nor how a basic download and reverse proxy works... - Premonitory

If I understand you correctly, you want to set up a reverse proxy for your images, e.g. your system downloads the images and sends them to the browser so it can render them, and you don't want users to know your path / you don't want public read access on your bucket.

If that is the case you can use the following code to download the file via

$result = $client->getObject(array(
    'Bucket' => $bucket,
    'Key'    => $keyname
));

header("Content-Type: {$result['ContentType']}");
echo $result['Body'];

This could then be set up on a specific URL with the key as a parameter, or if your bucket is correctly secured you could just use the key name via GET, e.g. the URL image.php?key=some/key/on/aws.jpg, and use $keyname = $_GET['key'] inside your file.

If you're using a MySQL table as a lookup it would be $id = $_GET['id']; and create a function that protects against SQL injection and returns the key column, then use that for your $keyname. An example table would be $keyname and that can be set by a mapping database table, e.g.

CREATE TABLE `proxy_map`(
   `id` INT(11) NOT NULL PRIMARY KEY,
   `key` TEXT NOT NULL
);

If you want to limit it so only this specific site can use it, you can use a referrer check:

$url = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST); // the Referer header may be absent
if ($url !== $_SERVER['HTTP_HOST']) { // assuming that the images are only loaded on the same site as this php script
    http_response_code(404);
    echo "<h1>File Not Found</h1><p>Sorry the file you were looking for could not be found</p>";
    exit; // stop here so the image is not sent after the error page
}

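If you wish to allow the images from a set of sites, e.g. you have a subdomain set up, you can use:

$url = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST); // the Referer header may be absent
$allowedDomains = array(
    $_SERVER['HTTP_HOST'],
    "www.example.com"
);
if (!in_array($url, $allowedDomains, true)) { // strict comparison: a missing host never matches
    http_response_code(404);
    exit; // same handling as the single-site check above
}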
Premonitory answered 19/1, 2018 at 20:45 Comment(2)
Yes, but what is the purpose of 'proxy' => '192.168.16.1:10' in the above code? - Perceptible
@HituBansal That is for the outbound connection from the server, so it's going via an external internet proxy, like most corporate networks. E.g. I can use a switch router to connect to the internet, or I can sit a machine on that internet connection via a modem. That machine then acts as a DHCP server to another network card and so its own internal network. That means things on the DHCP network can't access the internet until I start a proxy on the machine that serves the DHCP network using that server's internet connection. That's how a proxy is supposed to work. Go read up on what a proxy server is. - Premonitory
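
Added example, not part of the answer or comments above: a variant of the image.php proxy that refuses any key outside an allow-list before calling getObject() and sends a Content-Type chosen by the server instead of the object's stored metadata. The images/ prefix, the extension list and the function names contentTypeForKey() and serveImage() are assumptions for illustration; the sample keys are constructed.

```php
<?php
// Assumed layout: all servable images live under the "images/" prefix.
const ALLOWED_PREFIX = 'images/';
// Extension => Content-Type this script is willing to send. SVG is left out
// because, served from the site's own origin, it can carry script.
const ALLOWED_TYPES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

/** Returns the Content-Type to send for $key, or null if it must be refused. */
function contentTypeForKey(string $key): ?string
{
    // Refuse empty keys, control characters and backslashes.
    if ($key === '' || preg_match('/[\x00-\x1f\x7f\\\\]/', $key)) {
        return null;
    }
    // Only the image prefix is reachable; the rest of the bucket is not.
    if (strncmp($key, ALLOWED_PREFIX, strlen(ALLOWED_PREFIX)) !== 0) {
        return null;
    }
    // Refuse empty, "." and ".." segments; the assumed layout never uses them.
    foreach (explode('/', $key) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null;
        }
    }
    $ext = strtolower(pathinfo($key, PATHINFO_EXTENSION));
    return ALLOWED_TYPES[$ext] ?? null;
}

/** Streams one object; refused and missing keys get the same 404. */
function serveImage(Aws\S3\S3Client $client, string $bucket, string $key): void
{
    $type = contentTypeForKey($key);
    if ($type === null) { http_response_code(404); return; }
    try {
        $result = $client->getObject(['Bucket' => $bucket, 'Key' => $key]);
    } catch (Aws\S3\Exception\S3Exception $e) {
        http_response_code(404); // do not reveal which keys exist
        return;
    }
    header("Content-Type: $type"); // server-chosen, not the stored metadata
    header('X-Content-Type-Options: nosniff');
    echo $result['Body'];
}

// Offline demo on constructed keys; no S3 call is made here.
foreach (['images/a/logo.png', 'backups/db.sql', 'images/../x.png', 'images/x.svg'] as $k) {
    printf("%-20s => %s\n", $k, contentTypeForKey($k) ?? 'refused');
}
```

In a deployed image.php, drop the demo loop and call serveImage($client, $bucket, $_GET['key'] ?? '') only after the site's own login or session check has passed, since the Referer header is set by the client.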
