I have a PHP+Symfony web app behind Varnish with sites assets (i.e. images, video) stored in an S3 bucket. I want to restrict access to these assets using an s3 bucket policy by referrer. The policy I applied to the bucket is (with identifying info removed):
{
"Version": "2012-10-17",
"Id": "http referrer policy example",
"Statement": [
{
"Sid": "Allow get & put requests referred by test.com.",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::mybucket/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"https://www.test.com/*",
"https://test.com/*"
]
}
}
},
{
"Sid": "Explicit deny to ensure requests are allowed only from specific referrer.",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::mybucket/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"https://www.test.com/*",
"https://test.com/*"
]
}
}
}
]
}
I've compared my policy against multiple SO and other forum posts and it seems correct. If I apply this policy to my bucket, requests for each asset on any page of my site appears broken with response status 403 Forbidden:
Request URL:http://mybucket.s3-eu-west-1.amazonaws.com/site-assets/img/film-icon.svg
Request Method:GET
Status Code:403 Forbidden
Remote Address:54.231.131.120:80
Referrer Policy:no-referrer-when-downgrade
If I remove the policy it works again. So the policy is taking effect, its just not allowing my own domain (in this sample code, test.com) access to the assets but its defined as "allow" in the bucket policy.
In case it is relevant, my web app is using KnpGaufrette as a filesystem which is configured to use s3 and this in turn is being used by LiipImagineBundle to handle any image processing where needed. My server also has Varnish 4 installed in front of the web server to provide caching (I have tried clearing varnish cache, restarting varnish and apache after applying the policy in case).
If you can help, that would be great.
