Custom URL Signer

Introduction

Custom media URL regeneration may be added for greater security and permission control.

Is this the right document for you?

  • This is an optional feature. Baseline generation is reasonably secure for many cases. If you are just looking for a baseline connection you can ignore this.
  • See individual connection pages for storage permission requirements, this document is only for custom URL signer related information.

Warnings

🚧

Performance

Using a custom signer may impact end user performance.
If you are experience performance issues and believe it's not from the signer, please see Optimize

AWS

S3 Connections can receive a custom URL signer service.

  • By default we do a GET request to the provided URL in the connection configuration.
  • If the installation has OAUTH2 enabled, it will send the JWT in the Authorization header. Otherwise it will send the session ID cookie.
1200

The parameters of the bucket name and path name are appended in the following order:

'{url_signer_service_base_url}/{bucket_name}/?key={blob_name_encoded}'

blob_name_encoded corresponds to the full s3 key of the blob and is url-encoded.

API Reference

from_blob_path

Signed URL Caching and Expiry Times

There are 2 Env variables you can use to modify the cache time renewal:

  • SIGNED_URL_CACHE_MINIMUM_SECONDS_VALID: Controls how many seconds we want to keep the cached URL's cached in a valid state. (Must be less than your Storage provider URL expiry time)
  • SIGNED_URL_CACHE_NEW_OFFSET_SECONDS_VALID: Controls how many seconds we want a new URL to be valid after being regenerated.

For example if I set SIGNED_URL_CACHE_MINIMUM_DAYS_VALID to 18,000 (5 days) and SIGNED_URL_CACHE_NEW_OFFSET_DAYS_VALID to 21,600 (6 days). I will guarantee that my urls will be re-generated 1 day before expiry. This can help when generating JSON exports to have a big enough buffer of time to work with the signed URLs generated on the JSON export before they expire.

This also means that we need to configure SIGNED_URL_CACHE_MINIMUM_SECONDS_VALID to always be greater than SIGNED_URL_CACHE_NEW_OFFSET_SECONDS_VALID. Otherwise the urls will be regenerated always and there will be no actual cache in place.