troisiemejoueur/cloudfront-signed-urls
Composer 安装命令:
composer require troisiemejoueur/cloudfront-signed-urls
包简介
Create AWS Cloudfront Signed Urls for S3 Craft CMS storage
README 文档
README
Cloudfront Signed URLs for Craft CMS
This plugin provides AWS Cloudfront Signed URLs in Twig templates.
Requirements
This plugin requires Craft CMS 3.x
Installation
To install the plugin, follow these instructions.
-
Open your terminal and go to your Craft project:
cd /path/to/project -
Then tell Composer to load the plugin:
composer require troisiemejoueur/cloudfront-signed-urls -
In the Control Panel, go to Settings → Plugins and click the “Install” button for Cloudfront Signed URLs.
Overview
This plugin adds a Twig function to sign URLs from an AWS Cloudfront distribution. The common usage is for a restricted section for logged-in users only.
In order to use this plugin, we assume that you already worked with AWS and that you know how to create a bucket, a Cloudfront distribution and an IAM access for the CMS. If not, you can read the documentation of the first-party plugin AWS S3 plugin from Pixel & Tonic and this article from Andrew Welch.
Please, do not open issues for AWS configuration problems or questions that are not related to this plugin.
How it works
You upload your assets to a non-public S3 bucket with a Cloudfront distribution with the Restrict Viewer Access setting to Yes. When you create URLs in your templates, these URLs are signed with a random key.
These URLs are created on page load and expires after the duration that you entered.
Documentation for Cloudfront Signed URLs
Configuration file
The plugin comes with a config.php file that defines some sensible defaults.
If you want to set your own values, you should create a cloudfront-signed-urls.php file in your Craft config directory. The contents of this file will be merged with the plugin defaults. You only need to specify the values of the settings you want to override.
keyPairId
keyPairId is where you define the value of the Key-Pair-Id field from your public–private key pair.
See AWS documentation for creating public–private key pair.
cloudfrontDistributionUrl
cloudfrontDistributionUrl is where you define the base URL for your signed URLs. If you want to manage the base URL on a per-file basis, do not add this setting to your config file. If you are using a subfolder, you can append it to this URL. Trailing slash are not required.
profile
profile is where you define the profile of your Cloudfront client. default is the default value.
version
version is where you define the version of your Cloudfront client. 2020-05-31 is the default value.
region
region is where you define the regional endpoint for your Cloudfront client. ca-central-1 is the default value, you probably need to change it based on your project.
defaultExpires
defaultExpires is where you define in seconds the expiry delay for your signed URLs if not configured as an argument when using the Twig function. This is a fallback value. The default value is 3600 (60 minutes).
The expiry time is calculated like this: now time + defaultExpires.
Note: You can use values from your ENV file for all the configuration settings. Example: App::env('YOUR_VARIABLE_NAME')
Example cloudfront-signed-urls.php Config File
<?php
use craft\helpers\App;
return [
'keyPairId' => App::env('SIGNED_URLS_KEYPAIR'),
'cloudfrontDistributionUrl' => 'https://my-distribution.cloudfront.net',
'profile' => 'default',
'version' => '2020-05-31',
'region' => 'ca-central-1',
'defaultExpires' => 4200
];
Private Key (.pem file)
In order to sign your URLs, AWS needs to access the private key (the private_key.pem file).
See AWS documentation for creating public–private key pair.
When you install this plugin, a cloudfront-signed-urls folder will be created in your Craft CMS project storage folder. You'll need to copy your private_key.pem file in this folder.
Note: When uninstalling the plugin, this folder (and your private key) will be deleted.
This .pem file cannot be added as an .env variable.
Usage in Twig
Basic usage with filename and an expiry delay of 300 seconds.
{% set myAssetUrl = myAssetTest.folderPath ~ myAssetTest.filename %}
{{ signUrl(myAssetUrl, 300) }}
Usage without expiry delay - it will use your fallback config value or the default one.
{% set myAssetUrl = myAssetTest.folderPath ~ myAssetTest.filename %}
{{ signUrl(myAssetUrl) }}
Usage with a complete URL - this use case only works if you did not provide a value to the cloudfrontDistributionUrl setting in your config file.
{% set myAssetUrl = 'https://my-distribution-url.cloudfront.net' ~ myAssetTest.folderPath ~ myAssetTest.filename %}
{{ signUrl(myAssetUrl, 300) }}
S3 storage and Craft CMS Control Panel
AWS
- Create a non-public S3 bucket on AWS (and an IAM user with a programmatically access for your Craft CMS).
- Create a Cloudfront distribution with the
Restrict Viewer Accesssetting toYes.
Control Panel
- Install the AWS S3 plugin from Pixel & Tonic.
- Create a new filesystem in the Control Panel (settings/filesystems) with the Amazon S3 Filesystem Type.
- Turn off the lightswith for
Filesystem in this volume have public URLs. - Add your S3 bucket credentials, subfolder and settings.
- Let empty the
CloudFront Distribution IDandCloudFront Path Prefixfields. - Create a new volume (settings/assets) and choose your Private filesystem for
Asset Filesystem
Note: When a user (mostly the admin) is logged in the Control Panel, he will be able to open / view the assets by clicking the download button, but he will not be able to preview them (as the assets have no public URLs).
Template restricted zone -> Example
- Create your templates based on which user group is logged in (or any condition that you want).
- Show assets with the Twig function.
- No one from the "web" will be able to view the files. The URL will expire after the duration that you entered. A user can copy and share the URL to another, but that's the only way to share / access a signed URL.
Brought to you from Canada by 3e joueur
troisiemejoueur/cloudfront-signed-urls 适用场景与选型建议
troisiemejoueur/cloudfront-signed-urls 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 3.51k 次下载、GitHub Stars 达 0, 最近一次更新时间为 2022 年 02 月 22 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「assets」 「cms」 「aws」 「private assets」 「Craft」 「craftcms」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 troisiemejoueur/cloudfront-signed-urls 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 troisiemejoueur/cloudfront-signed-urls 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 troisiemejoueur/cloudfront-signed-urls 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Asset Management for PHP
Caching and compression for Twig assets (JavaScript and CSS).
GraphQL authentication for your headless Craft CMS applications.
This package includes a script and fail2ban configuration that allows you to use fail2ban when utilizing AWS elastic load balancer (ELB) and an apache webserver.
Set Links with a specific language parameter
Elastic Driver for Laravel Scout
统计信息
- 总下载量: 3.51k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 14
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2022-02-22