Securing Videos on your Sites using AWS Elastic Transcoder and HLS — Part 3

Akshat Priyansh
May 6, 2019


In the previous blog post, we configured our S3 bucket and Elastic Transcoder Pipeline. We created a job that outputted our HLS files. We now need a way to serve this content to our users.

In this blog post we will be creating our own CDN using Amazon Cloudfront and we will be configuring it to suit our purpose.

Creating a Cloudfront Distribution

We will be creating a content distribution network using Amazon Cloudfront. We need to set the main origin of the distribution to our hls-medias bucket.

One important thing to note here is that we are restricting bucket access for the origin ID S3-hls-medias. This is the default behaviour we want for all assets in our bucket: all our content should be private unless we make it public ourselves.

Go to Amazon Cloudfront and create a web distribution with these settings.

Creating a Cloudfront distribution

Some of these options, such as whitelisting headers, are needed so that cross-origin (CORS) requests to the distribution succeed. Make sure you follow the instructions correctly.

Configuring more options

This will set up a CloudFront distribution with our bucket as the origin and a default behavior that requires signed URLs to access items. Create the distribution with these settings.

Creating Signed URLs — Create CloudFront Key

We will now set up signed URLs to access private content in our bucket.

Click on your name at the top right of the AWS Dashboard and select Security Credentials. On this page, generate your CloudFront key pair. You will be able to download two key files; the one starting with pk is your private key. We will be using this private key to generate signed URLs.

You can refer to this great story on Medium to learn more about creating signed URLs: https://medium.com/roam-and-wander/using-cloudfront-signed-urls-to-serve-private-s3-content-e7c63ee271db

Modify Cloudfront for public access on specific URL pattern

Since we also need to access public items without using signed URLs, we need to modify some of the distribution's settings.

We will have to create a new behavior, but for that we will also have to create a new origin. We will be keeping the new origin as the same bucket hls-medias.

Click on the CF distribution and select Origins and Origin Groups and create a new origin. Make sure to give it a different Origin ID and not to restrict bucket access.

Save it and then click on Behaviors. Remember that we used the names output-gothic2m and output-gothic64k as our output names while creating the job? This config will ensure they don't require signed URLs to access.

After setting the path pattern to /HLS/output*, every request that matches this path pattern won't require a signed URL.

Create a new behavior with these settings.

Important: Choose No for the Restrict Viewer Access option.

After doing this step, all requests in the format https://<domain>/HLS/output* will be served without requiring signed URLs. This is important since our media files are going to be public.
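The following is an added example, not code from the original post: a small audit that applies CloudFront's path-pattern rules (`*` matches any run of characters including `/`, `?` matches exactly one character, matching is case-sensitive, first matching behavior wins) to the two behaviors configured above and reports which bucket keys become public. The object keys in `SAMPLE_KEYS` are constructed for illustration, and the function names are hypothetical.

```python
import re

# Cache behaviors in evaluation order, as configured on this page:
# (path pattern, viewer access restricted?). The default "*" is always last.
BEHAVIORS = [
    ("/HLS/output*", False),  # public behavior: Restrict Viewer Access = No
    ("*", True),              # default behavior: signed URLs required
]

def pattern_to_regex(pattern):
    """Translate a CloudFront path pattern: '*' is any run of characters
    (including '/'), '?' is exactly one character, matching is case-sensitive."""
    body = pattern.lstrip("/")  # the leading slash is optional in CloudFront
    parts = []
    for ch in body:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)

def requires_signed_url(request_path, behaviors=BEHAVIORS):
    """Return True if the first matching behavior restricts viewer access."""
    path = request_path.lstrip("/")
    for pattern, restricted in behaviors:
        if pattern_to_regex(pattern).fullmatch(path):
            return restricted
    return True  # not reached while a default "*" behavior exists; fail closed

def public_keys(object_keys, behaviors=BEHAVIORS):
    """List the bucket keys that anyone can fetch without a signature."""
    return [k for k in object_keys if not requires_signed_url(k, behaviors)]

# Constructed sample keys (not a listing from the author's bucket).
SAMPLE_KEYS = [
    "HLS/output-gothic2m.m3u8",
    "HLS/output-gothic2m00000.ts",
    "HLS/output-gothic64k.m3u8",
    "HLS/master.m3u8",
    "HLS/Output-gothic2m.m3u8",   # different case: not matched by the pattern
    "HLS/output-old/source.mp4",  # '*' also crosses '/': matched, so public
    "keys/video.key",
]

if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        print("signed" if requires_signed_url(key) else "PUBLIC", key)
```

Running the audit against a real bucket listing before publishing shows whether anything that must stay private sits under a key beginning with `HLS/output`, since every such key is served without a signature.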

That’s it for this post guys, the next post is going to be the last one. In the last post, we will be configuring our get_secure_key action and finally start serving content.

References:

Using Cloudfront Signed URLs to serve private S3 content — https://medium.com/roam-and-wander/using-cloudfront-signed-urls-to-serve-private-s3-content-e7c63ee271db
