我将使用Cloudflare作为我的S3网站存储桶的代理,以确保用户无法直接使用存储桶URL访问网站。
我已经设置了一个S3存储桶用于静态网站托管,并使用自定义域名:
www.mydomain.com
并上传了我的index.html
文件。我拥有一个
CNAME
记录与www.mydomain.com
->www.mydomain.com.s3-website-us-west-1.amazonaws.com
和启用了CloudflareProxy
。
问题: 我正在尝试应用一个存储桶策略来拒绝
访问我的网站存储桶,除非请求源自一系列Cloudflare IP地址。我正在遵循官方AWS文档进行操作,但每次尝试访问我的网站时,都会出现Forbidden 403 Access Denied
错误。
这是我的存储桶策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CloudflareGetObject",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::ACCOUNT_ID:user/Administrator",
"arn:aws:iam::ACCOUNT_ID:root"
]
},
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::www.mydomain.com/*",
"arn:aws:s3:::www.mydomain.com"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"2c0f:f248::/32",
"2a06:98c0::/29",
"2803:f800::/32",
"2606:4700::/32",
"2405:b500::/32",
"2405:8100::/32",
"2400:cb00::/32",
"198.41.128.0/17",
"197.234.240.0/22",
"190.93.240.0/20",
"188.114.96.0/20",
"173.245.48.0/20",
"172.64.0.0/13",
"162.158.0.0/15",
"141.101.64.0/18",
"131.0.72.0/22",
"108.162.192.0/18",
"104.16.0.0/12",
"103.31.4.0/22",
"103.22.200.0/22",
"103.21.244.0/22"
]
}
}
}
]
}