  • 生成的签名URL地址包含敏感信息,会暴露bucket名称和accesskey,带来安全隐患。

  • 生成的签名URL地址太长,影响用户体验。

  • 生成的地址有效时间内可以任意访问,无法做到比较严格的反盗链。


1. 用户数据上传到S3,并设置相应Object权限为"public-read",取得对应的对外访问URL。
2. 以之前生成的对外访问URL为基础,生成对应的短地址服务。
3. 客户端使用短地址进行访问,超出访问次数则无法访问。



1. Openresty安装



将下面的源码文件保存为 /usr/local/openresty/lualib/resty/url.luahttps://github.com/golgote/neturl/blob/master/lib/net/url.lua将下面的源码文件保存为 /usr/local/openresty/lualib/resty/redis_iresty.luahttps://gist.github.com/moonbingbing/9915c66346e8fddcefb5

3. RGW服务配置

root@demohost:/etc/openresty# cat /etc/ceph/ceph.conf...[client.radosgw.demo]     rgw dns name = s3.cephbook.com #S3 endpoint对应的域名     rgw frontends = "civetweb port=7480"     host = demohost     keyring = /etc/ceph/ceph.client.radosgw.keyring     log file = /home/ceph/log/radosgw.log

4. Openresty配置

root@demohost:/etc/openresty# cat /etc/openresty/nginx.conf...server {        listen       80;        server_name  ceph.vip; #短地址主机头设置        location = /url { #生成短地址入口             content_by_lua_file /etc/openresty/url.lua;         }         location / { #提供短地址对应的数据访问             proxy_http_version 1.1;             proxy_set_header Host $host;             access_by_lua_file /etc/openresty/access.lua;             proxy_pass; #对应后端的radosgw服务入口         }     }


root@demohost:/etc/openresty# cat url.lualocal request_method = ngx.var.request_methodlocal url_ = require "resty.url" #对应之前的url库local redis = require "resty.redis_iresty" #对应之前的redis_iresty库local s3_endpoint = "s3.cephbook.com" #这里设置只允许生成与S3 endpoint相关的短地址local endpoint = s3_endpoint .. "$"local charset = {}for i = 48,  57 do table.insert(charset, string.char(i)) endfor i = 65,  90 do table.insert(charset, string.char(i)) endfor i = 97, 122 do table.insert(charset, string.char(i)) endfunction string.random(length)  local urandom = assert(io.open('/dev/urandom','rb'))  local a, b, c, d = urandom:read(4):byte(1,4)  urandom:close()  local seed = a*0x1000000 + b*0x10000 + c *0x100 + d  math.randomseed(seed)  if length > 0 then    return string.random(length - 1) .. charset[math.random(1, #charset)]  else    return ""  endendfunction genera_url(red,url_id,host,path)    -- counts表示短地址最大访问次数,current表示当前次数    ok, err = red:hmset(url_id,'host',host,'uri',path,'counts',3,'current',1)    if not ok then        ngx.status = ngx.HTTP_METHOD_NOT_IMPLEMENTED        ngx.say("failed to hmset: ", err)        return ngx.exit(ngx.HTTP_METHOD_NOT_IMPLEMENTED)    end    -- 设置短地址记录最多能够在redis里面存储的时长,避免资源耗尽    ok, err = red:expire(url_id,3600)     if not ok then        ngx.status = ngx.HTTP_METHOD_NOT_IMPLEMENTED        ngx.say("failed to set expire: ", err)        return ngx.exit(ngx.HTTP_METHOD_NOT_IMPLEMENTED)    endendfunction get_info_by_id(red,url_id)    ok, err = red:hgetall(url_id)    if not ok then        ngx.status = ngx.HTTP_SERVICE_UNAVAILABLE        ngx.say("failed to getall : ", err)        return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)    end    local h = red:array_to_hash(ok)    return hendif request_method == "POST" then    ngx.req.read_body()    local data = ngx.req.get_body_data()    local u = url_.parse(data)    local hostname_check, hostname_err = ngx.re.match(u.host,endpoint)    if not hostname_check then        ngx.status = ngx.HTTP_BAD_REQUEST        ngx.say("not a available s3_endpoint")        ngx.exit(ngx.HTTP_BAD_REQUEST)    end    if u.host then        if string.len(u.path) > 1  then            local url_id = string.random(7)            local red = redis:new()            genera_url(red,url_id,u.host,u.path)            local h = get_info_by_id(red,url_id)            ngx.status = ngx.HTTP_CREATED            ngx.say("ShortURL: ",ngx.var.scheme,"://",ngx.var.host,"/",url_id)            ngx.say("host: ", h.host)            ngx.say("uri: ", h.uri)            ngx.say("counts: ", h.counts)            ngx.say("current: ", h.current)            ngx.exit(ngx.HTTP_CREATED)        else            ngx.status = ngx.HTTP_BAD_REQUEST            ngx.say("path err")            ngx.exit(ngx.HTTP_BAD_REQUEST)        end    else        ngx.status = ngx.HTTP_BAD_REQUEST        ngx.say("not a available url")        ngx.exit(ngx.HTTP_BAD_REQUEST)    endend


root@demohost:/etc/openresty# cat /etc/openresty/access.lualocal redis = require "resty.redis_iresty"local red = redis:new()local uri =  ngx.var.urilocal url_id = string.sub(uri,2,string.len(uri))res, err = red:hgetall(url_id)if not res then    ngx.exit(ngx.HTTP_NOT_FOUND)else    local h = red:array_to_hash(res)    -- 超出访问次数则拒绝访问,如果考虑资源占用可以自己加上删除对应redis记录操作    if h.counts < h.current then        ngx.status = ngx.HTTP_GONE        ngx.say("current=",h.current," > counts=",h.counts)        ngx.exit(ngx.HTTP_GONE)    end    ngx.req.set_header("host", h.host)    ngx.req.set_uri(h.uri, false)    ok, err = red:hincrby(url_id,'current',1)    if not ok then        ngx.status = ngx.HTTP_METHOD_NOT_IMPLEMENTED        ngx.say("incrby key failed: ", err)        ngx.exit(ngx.HTTP_METHOD_NOT_IMPLEMENTED)        return    endend


5. 使用流程



root@demohost:/tmp# s3cmd put myfile s3://demo --acl-public'myfile' -> 's3://demo/myfile'  [1 of 1] 21577 of 21577   100% in    0s   227.71 kB/s  done'myfile' -> 's3://demo/myfile'  [1 of 1] 21577 of 21577   100% in    0s   203.11 kB/s  donePublic URL of the object is: http://demo.s3.cephbook.com/myfile
root@demohost:/tmp# curl ceph.vip/url  -d "http://demo.s3.cephbook.com/myfile" -v* Hostname was NOT found in DNS cache* Connected to ceph.vip  port 80 (#0)> POST /url HTTP/1.1> User-Agent: curl/7.38.0> Host: ceph.vip> Accept: */*> Content-Length: 29> Content-Type: application/x-www-form-urlencoded>* upload completely sent off: 29 out of 29 bytes< HTTP/1.1 201 Created* Server openresty/ is not blacklisted< Server: openresty/< Date: Wed, 15 Nov 2017 09:56:14 GMT< Content-Type: application/octet-stream< Transfer-Encoding: chunked< Connection: keep-alive
#访问3次root@demohost:/tmp# curl http://ceph.vip/Vo3t5Ex -v...root@demohost:/tmp# curl http://ceph.vip/Vo3t5Ex -v...root@demohost:/tmp# curl http://ceph.vip/Vo3t5Ex -v...#第四次以后就不能访问了root@demohost:/tmp# curl http://ceph.vip/Vo3t5Ex -v* Hostname was NOT found in DNS cache*   Trying ceph.vip...* Connected to ceph.vip (ceph.vip) port 80 (#0)> GET /Vo3t5Ex HTTP/1.1> User-Agent: curl/7.38.0> Host: ceph.vip> Accept: */*>< HTTP/1.1 410 Gone* Server openresty/ is not blacklisted< Server: openresty/< Date: Wed, 15 Nov 2017 10:00:46 GMT< Content-Type: application/octet-stream< Transfer-Encoding: chunked< Connection: keep-alive counts=3* Connection #0 to host ceph.vip left intact
