Prevent Direct Link Download/Allow Access To Files Set Domain
Hello. Using an htaccess file on an apache hosted website, exampledomain.com, we can prevent direct link download of files and the embedding of any files within other sites.
We would like to move those files to Linode object storage and only allow the same privileges for the Linode obcjectstorage files to exampldomain.com - we are not sure how to accomplish this.
Can someone give us detailed instructions on how to achieve this?
5 Replies
One solution might be signed URLs.
This is an Amazon S3 feature that is supported by Linode Object Storage. You can keep the files private so they can’t be downloaded directly from the bucket.
Your website the generates a signed URL which can also be time limited, so it is only valid for 5 minutes, for example, just enough time for the browser to fetch your page and the user to click on the link.
Alternatively you might be able to add a bucket policy to limit by referrer header, which I guess is what you’re doing in Apache now. I say might because I don’t know how much of S3’s bucket policies Linode Object Storage supports.
Bucket policy examples - see the “Restricting access to a specific HTTP referer” section.
Then see:
How to Enact Access Control Lists and Bucket Policies with Linode Object Storage
to learn how to apply a bucket policy with Linode.
Thank you. I went through the links you gave and a few more. I then tried to add a json file and it failed. I tested a regular file, also, and it failed too with an error that is no such bucket. Is there something I'm missing?
See below. I'm masking the bucket with xxxxxx.
When I put in a request for info, as follows, I get back:
s3cmd info s3://xxxxxx.us-east-1.linodeobjects.com
s3://xxxxxx.us-east-1.linodeobjects.com/ (bucket):
Location: us-east-1
Payer: BucketOwner
Expiration Rule: none
Policy: none CORS: none
ACL: none
It appears it exists. Please note my bucket is set to private. I've also upload files to the bucket via the browser and Cyberduck.
However, when I try to upload a file via the same s3cmd tool, I get the bucket does not exist. My file's location in this command is being masked with 'local-location'.
s3cmd --mime-type=application/json put /local-location/use-policy.json s3://xxxxxx.us-east-1.linodeobjects.com
upload: '/local-location/use-policy.json' -> 's3://xxxxxx.us-east-1.linodeobjects.com/use-policy.json' [1 of 1]
298 of 298 100% in 0s 962.90 B/s done
ERROR: S3 error: 404 (NoSuchBucket)
I'm really not sure what I'm doing wrong. I'm trying to get to upload the small json file/app into the bucket (I think it's just supposed to be put there as a json app?) to see if I can use https headers rule you mention to only allow access via a particular website to the bucket, a we mentioned.
From what I remember the last time I used s3cmd, you don’t need the fully qualified name of the bucket.
As long as your endpoint is set to us-east-1.linodeobjects.com, your bucket can be referred to as s3://my-bucket-name.
Check this guide out to get s3cmd running with Linode Object Storage, and the syntax to upload a file.
Okay. That worked. Thank you!!!
I added the policy as described, changing the attributes to the site. I get this back, "Cannot load media or it is not supported for your device.", when trying to view it on the web page. The settings on my bucket via the administrator panel online is set to Private. Is this correct, or is there some other setting?
I should say, I uploaded the file use-policy.json into the bucket. I'm thinking one or both of two things. There is some other way to create a json file for bucket policies than just creating a json file and uploading. And/or, I need to set the bucket to accept this policy. The tools available at Amazon S3 don't seem to exist with Linode's object storage.
I need guidance to make sure:
1) I create the json policy/file correctly, including wherever it needs to be.
2) That the bucket recognizes this policy and there aren't any other settings in the bucket that need to be changed. Currently, the bucket is set to Private.