The code tags removed all white space.
Defined constants file:
/etc/aws_secrets/site.secrets.php
<?php
define('AWS_CLOUDFRONT_ACCESS_KEY_ID', '*************');
define('AWS_CLOUDFRONT_KEY_PATH', '/etc/aws_secrets/cloudfront_privk.pem');
define('MY_DOMAIN', '.example.com');
define('AWS_CLOUDFRONT_USER_DOWNLOADS', '***********.cloudfront.net');
define('AWS_USER_ACCESS_KEY_ID', '****************');
define('AWS_USER_SECRET_ACCESS_KEY', '********************************');
define('AWS_REGION', 'us-west-2');
?>
// Add to the end of functions.php in your WordPress theme
add_action('init', 'setMyCookies');
function setCloudFrontCookies(){
    /*
     * We're on app.example.com or http://www.example.com, files are on S3.
     * We need to send requests to files.example.com, because browsers will not
     * accept cookies for S3 or xxxxxxx.cloudfront.net sent from example.com
     *
     * Therefore, we will set cookies for .example.com,
     * so that they're sent to the CloudFront subdomain files.example.com.
     *
     * User request needs to go like this:
     *
     * User visits *.example.com (our site)
     * After authenticating user, our site *.example.com sets cookies for
     * .example.com and redirects to files.example.com
     * DNS sends request to cloudfront. Cloudfront gets files from S3.
     *
     * Step: 1
     *
     * Set Route 53 (DNS) CNAME record for files.example.com that points to our
     * cloudfront distribution: xxxxxxx.cloudfront.net.
     * Now requests sent to files.example.com from our site will go to cloudfront.
     *
     * Step: 2
     * In our cloudfront xxxxxxx.cloudfront.net add CNAME files.example.com
     * Now xxxxxxx.cloudfront.net will respond to requests sent to files.example.com
     */
    // Settings
    //
    // Location of all defined constants used below
    require_once('/etc/aws_secrets/site.secrets.php');
    //
    // AWS SDK User
    // Create an IAM user with cloudfront all access for use by the SDK
    $user_access_key_id = AWS_USER_ACCESS_KEY_ID;
    $user_secret_access_key = AWS_USER_SECRET_ACCESS_KEY;
    // AWS Cloudfront Access Key ID
    // NOT a regular IAM user.
    // In your root account look for "My Security Credentials".
    // Or, from here:
    // https://console.aws.amazon.com/iam/home#/security_credential
    // Look for Your Security Credentials, Cloudfront Key Pairs, Access Key ID
    $key_pair_id = AWS_CLOUDFRONT_ACCESS_KEY_ID;
    // The private key .pem file associated with this Access Key ID.
    $private_key = AWS_CLOUDFRONT_KEY_PATH;
    // Region is a subset of the availability zone
    // If availability zone = us-west-2b, then region is us-west-2
    $region = AWS_REGION;
    // MY_DOMAIN = .example.com
    $my_domain = MY_DOMAIN;
    // http*:// permits both https and http.
    // You can add a restriction in your Distribution Behavior to redirect all http to https.
    // Then this code is portable across distributions.
    $cloudfront_base_url = 'http*://' . $my_domain . '/';
    // Path to cookie protected content.
    // Change * to your path after the base url http*://.example.com/
    // http*://.example.com/$cookie_path
    $cookie_path = '*';
    // Full URL for cookie protected content
    $allowed_resource = $cloudfront_base_url . $cookie_path;
    // Cloudfront requires all policies to expire
    // This is the policy level expires
    $policy_expires_after = (86400 * 7); // 1 week
    // Set your own $expires at the cookie level to zero to make it a session cookie.
    // Easier to debug a session cookie.
    // And users do not need to be told to clear their cookies to get a new policy,
    // if you change the cookie policy.
    // Users will get the new policy on login.
    $expires = 0;
    // Initialize AWS SDK for PHP
    // get_home_path() is defined in wp-admin/includes/file.php, which is not loaded on front-end requests
    if (!function_exists('get_home_path')) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    $site_path = get_home_path();
    $aws_path = 'vendor/autoload.php';
    $aws_package_path = $site_path . $aws_path;
    require_once $aws_package_path;
    $sdk_params =
    [
        'region' => $region,
        'version' => 'latest',
        'credentials' => new \Aws\Credentials\Credentials
        (
            $user_access_key_id,
            $user_secret_access_key
        )
    ];
    $sdk = new \Aws\Sdk($sdk_params);
    $cloudfront = $sdk->createCloudFront();
    // Setup CloudFront cookie #1: CloudFront-Key-Pair-Id
    $cookies = [ ];
    $cookies[ 'CloudFront-Key-Pair-Id' ] = $key_pair_id;
    // Setup CloudFront cookie #2: CloudFront-Policy
    $raw_policy =
    [
        'Statement' =>
        [
            [
                'Resource' => $allowed_resource,
                'Condition' =>
                [
                    'DateLessThan' =>
                    [
                        'AWS:EpochTime' => (time() + $policy_expires_after)
                    ]
                ]
            ]
        ]
    ];
    $policy = json_encode($raw_policy);
    $cookies[ 'CloudFront-Policy' ] = base64_encode($policy);
    // CloudFront cookie #3: CloudFront-Signature
    $url_signing_params =
    [
        'url' => $allowed_resource,
        'policy' => $policy,
        'key_pair_id' => $key_pair_id,
        'private_key' => $private_key
    ];
    $signed_url = $cloudfront->getSignedUrl($url_signing_params);
    // We just need the "Signature" query string part of the signed URL
    parse_str(parse_url($signed_url, PHP_URL_QUERY), $signed_url_arr);
    $signature = $signed_url_arr[ 'Signature' ];
    $cookies['CloudFront-Signature'] = $signature;
    // Set cookies
    foreach ($cookies as $cookie_name => $cookie_value)
    {
        setcookie($cookie_name, $cookie_value, $expires, $cookie_path, $my_domain);
    }
}
function setMyCookies() {
    setCloudFrontCookies();
}
I can see my buckets, but clicking on them does nothing. I see the red “Loading…” and then nothing.
Btw, I have mounted my S3 buckets inside my server at /mnt/s3/ using the aws s3fs fuse filesystem package.
So, I can see, copy, and delete my files and directories just like any local file.
For example, downloads are at:
/mnt/s3/userdownloads/
What I am hoping would get developed in this plugin would be Cloudfront together with S3, so that Cloudfront will serve my protected content.
What I have working is that I copy private user-specific content to:
/mnt/s3/userdownloads/private_content/username
The url is then userdownloads.example.com/private_content/username/
This content is protected by signed cookies.
Here is the code that I have working that does all this.
I hope it can be integrated with the WPDM package permissions.
Defined constants file, change for your site, and set your own $cookie_path as desired:
/etc/aws_secrets/site.secrets.php
<?php
define('AWS_CLOUDFRONT_ACCESS_KEY_ID','*************');
define('AWS_CLOUDFRONT_KEY_PATH' , '/etc/aws_secrets/cloudfront_privk.pem');
define('MY_DOMAIN' , '.example.com');
define('AWS_CLOUDFRONT_USER_DOWNLOADS','***********.cloudfront.net');
define('AWS_USER_ACCESS_KEY_ID','****************');
define('AWS_USER_SECRET_ACCESS_KEY','********************************');
define('AWS_REGION','us-west-2');
?>
// Add to the end of functions.php in your WordPress theme
add_action('init', 'setMyCookies');
function setCloudFrontCookies(){
    /*
     * We're on app.example.com or www.example.com, files are on S3.
     * We need to send requests to files.example.com, because browsers will not
     * accept cookies for S3 or xxxxxxx.cloudfront.net sent from example.com
     *
     * Therefore, we will set cookies for .example.com,
     * so that they're sent to the CloudFront subdomain files.example.com.
     *
     * User request needs to go like this:
     *
     * User visits *.example.com (our site)
     * After authenticating user, our site *.example.com sets cookies for
     * .example.com and redirects to files.example.com
     * DNS sends request to cloudfront. Cloudfront gets files from S3.
     *
     * Step: 1
     *
     * Set Route 53 (DNS) CNAME record for files.example.com that points to our
     * cloudfront distribution: xxxxxxx.cloudfront.net.
     * Now requests sent to files.example.com from our site will go to cloudfront.
     *
     * Step: 2
     * In our cloudfront xxxxxxx.cloudfront.net add CNAME files.example.com
     * Now xxxxxxx.cloudfront.net will respond to requests sent to files.example.com
     */
    // Settings
    //
    // Location of all defined constants used below
    require_once('/etc/aws_secrets/site.secrets.php');
    //
    // AWS SDK User
    // Create an IAM user with cloudfront all access for use by the SDK
    $user_access_key_id = AWS_USER_ACCESS_KEY_ID;
    $user_secret_access_key = AWS_USER_SECRET_ACCESS_KEY;
    // AWS Cloudfront Access Key ID
    // NOT a regular IAM user.
    // In your root account look for "My Security Credentials".
    // Or, from here:
    // https://console.aws.amazon.com/iam/home#/security_credential
    // Look for Your Security Credentials, Cloudfront Key Pairs, Access Key ID
    $key_pair_id = AWS_CLOUDFRONT_ACCESS_KEY_ID;
    // The private key .pem file associated with this Access Key ID.
    $private_key = AWS_CLOUDFRONT_KEY_PATH;
    // Region is a subset of the availability zone
    // If availability zone = us-west-2b, then region is us-west-2
    $region = AWS_REGION;
    // MY_DOMAIN = .example.com
    $my_domain = MY_DOMAIN;
    // http*:// permits both https and http.
    // You can add a restriction in your Distribution Behavior to redirect all http to https.
    // Then this code is portable across distributions.
    $cloudfront_base_url = 'http*://' . $my_domain . '/';
    // Path to cookie protected content.
    // Change * to your path after the base url http*://.example.com/
    // http*://.example.com/$cookie_path
    $cookie_path = '*';
    // Full URL for cookie protected content
    $allowed_resource = $cloudfront_base_url . $cookie_path;
    // Cloudfront requires all policies to expire
    // This is the policy level expires
    $policy_expires_after = (86400 * 7); // 1 week
    // Set your own $expires at the cookie level to zero to make it a session cookie.
    // Easier to debug a session cookie.
    // And users do not need to be told to clear their cookies to get a new policy,
    // if you change the cookie policy.
    // Users will get the new policy on login.
    $expires = 0;
    // Initialize AWS SDK for PHP
    // get_home_path() is defined in wp-admin/includes/file.php, which is not loaded on front-end requests
    if (!function_exists('get_home_path')) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    $site_path = get_home_path();
    $aws_path = 'vendor/autoload.php';
    $aws_package_path = $site_path . $aws_path;
    require_once $aws_package_path;
    $sdk_params =
    [
        'region' => $region,
        'version' => 'latest',
        'credentials' => new \Aws\Credentials\Credentials
        (
            $user_access_key_id,
            $user_secret_access_key
        )
    ];
    $sdk = new \Aws\Sdk($sdk_params);
    $cloudfront = $sdk->createCloudFront();
    // Setup CloudFront cookie #1: CloudFront-Key-Pair-Id
    $cookies = [ ];
    $cookies[ 'CloudFront-Key-Pair-Id' ] = $key_pair_id;
    // Setup CloudFront cookie #2: CloudFront-Policy
    $raw_policy =
    [
        'Statement' =>
        [
            [
                'Resource' => $allowed_resource,
                'Condition' =>
                [
                    'DateLessThan' =>
                    [
                        'AWS:EpochTime' => (time() + $policy_expires_after)
                    ]
                ]
            ]
        ]
    ];
    $policy = json_encode($raw_policy);
    $cookies[ 'CloudFront-Policy' ] = base64_encode($policy);
    // CloudFront cookie #3: CloudFront-Signature
    $url_signing_params =
    [
        'url' => $allowed_resource,
        'policy' => $policy,
        'key_pair_id' => $key_pair_id,
        'private_key' => $private_key
    ];
    $signed_url = $cloudfront->getSignedUrl($url_signing_params);
    // We just need the "Signature" query string part of the signed URL
    parse_str(parse_url($signed_url, PHP_URL_QUERY), $signed_url_arr);
    $signature = $signed_url_arr[ 'Signature' ];
    $cookies['CloudFront-Signature'] = $signature;
    // Set cookies
    foreach ($cookies as $cookie_name => $cookie_value)
    {
        setcookie($cookie_name, $cookie_value, $expires, $cookie_path, $my_domain);
    }
}
function setMyCookies() {
    setCloudFrontCookies();
}
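
Added example, not part of the original post: the posted policy signs the wildcard resource http*://.example.com/*, so one set of cookies is valid for every path behind the distribution, while the content is stored per user under private_content/username. The code below scopes the policy to one user's prefix, signs it with openssl_sign, and applies the URL-safe base64 substitutions CloudFront documents. The function names, the throwaway RSA key and the key-pair id placeholder are assumptions; the host and path layout are taken from the post.

```php
<?php
// Added example; key material and identifiers below are constructed.
// CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'.
function cf_b64(string $bytes): string {
    return strtr(base64_encode($bytes), '+=/', '-_~');
}

// Build the three signed-cookie values for one user's prefix only.
function cf_user_cookies(string $username, string $host, string $key_pair_id,
                         string $private_key_pem, int $ttl, ?int $now = null): array {
    // Reject names that could widen the resource pattern ('*', '?', '/', '..').
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $username)) {
        throw new InvalidArgumentException('unsafe username for a policy path');
    }
    $policy = json_encode([
        'Statement' => [[
            'Resource'  => "https://{$host}/private_content/{$username}/*",
            'Condition' => ['DateLessThan' => ['AWS:EpochTime' => ($now ?? time()) + $ttl]],
        ]],
    ], JSON_UNESCAPED_SLASHES);
    // CloudFront verifies an RSA-SHA1 signature over the exact policy string.
    if (!openssl_sign($policy, $signature, $private_key_pem, OPENSSL_ALGO_SHA1)) {
        throw new RuntimeException('signing failed');
    }
    return [
        'CloudFront-Key-Pair-Id' => $key_pair_id,
        'CloudFront-Policy'      => cf_b64($policy),
        'CloudFront-Signature'   => cf_b64($signature),
    ];
}

// Constructed demo input: throwaway RSA key, placeholder key-pair id.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($key, $pem);
$cookies = cf_user_cookies('alice', 'userdownloads.example.com', 'KEY_PAIR_ID_PLACEHOLDER', $pem, 3600);

// Round trip: undo the substitutions and check the signature with the public key.
$policy_json = base64_decode(strtr($cookies['CloudFront-Policy'], '-_~', '+=/'));
$sig_bytes   = base64_decode(strtr($cookies['CloudFront-Signature'], '-_~', '+=/'));
$public_pem  = openssl_pkey_get_details($key)['key'];
$verified    = openssl_verify($policy_json, $sig_bytes, $public_pem, OPENSSL_ALGO_SHA1) === 1;
echo $policy_json, "\n", $verified ? "signature verifies\n" : "signature INVALID\n";

foreach ($cookies as $name => $value) {
    // Web request equivalent: setcookie($name, $value, ['expires' => 0,
    //   'path' => '/private_content/alice/', 'domain' => '.example.com',
    //   'secure' => true, 'httponly' => true]);
    echo "Set-Cookie: {$name}=", substr($value, 0, 16), "...; Domain=.example.com; ",
         "Path=/private_content/alice/; Secure; HttpOnly\n";
}
```

In WordPress, call cf_user_cookies() only when is_user_logged_in() is true and pass wp_get_current_user()->user_login, so anonymous visitors never receive signed cookies.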