Custom URL Signer
Introduction
Custom media URL regeneration may be added for greater security and permission control.
Is this the right document for you?
- This is an optional feature. Baseline generation is reasonably secure for many cases. If you are just looking for a baseline connection, you can ignore this.
- See the individual connection pages for storage permission requirements. This document covers only custom URL signer information.
Warnings
Performance
Using a custom signer may impact end user performance.
If you are experiencing performance issues and believe they are not caused by the signer, please see Optimize.
AWS
S3 Connections can receive a custom URL signer service.
- By default we do a GET request to the provided URL in the connection configuration.
- If the installation has OAUTH2 enabled, it will send the JWT in the Authorization header. Otherwise it will send the session ID cookie.
![Screenshot from 2022-07-25 10-17-15.png 1200](https://files.readme.io/7baa8f7-Screenshot_from_2022-07-25_10-17-15.png)
The parameters of the bucket name and path name are appended in the following order:
'{url_signer_service_base_url}/{bucket_name}/?key={blob_name_encoded}'
blob_name_encoded corresponds to the full S3 key of the blob and is URL-encoded.
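The sketch below is an added example, not Diffgram's own code: it builds the request URL in the layout given above and shows how a signer service could recover and validate the bucket and S3 key before signing anything. The host name, the `/sign` base path, the bucket allowlist and the choice to encode `/` are assumptions; verifying the JWT or session cookie and producing the signed URL are left out.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Assumption: buckets this signer is willing to sign for (constructed value).
ALLOWED_BUCKETS = {"example-media-bucket"}


def build_signer_url(base_url: str, bucket_name: str, blob_name: str) -> str:
    """Caller side: the URL layout described on this page."""
    # safe="" also encodes "/", so the full S3 key travels as one query value.
    blob_name_encoded = quote(blob_name, safe="")
    return f"{base_url.rstrip('/')}/{bucket_name}/?key={blob_name_encoded}"


def parse_signer_request(request_target: str, base_path: str = "") -> tuple:
    """Signer side: return (bucket_name, s3_key) or raise ValueError."""
    parts = urlsplit(request_target)
    if not parts.path.startswith(base_path + "/"):
        raise ValueError("unexpected path prefix")
    segments = [s for s in parts.path[len(base_path):].split("/") if s]
    if len(segments) != 1:
        raise ValueError("expected exactly one bucket segment")
    bucket = segments[0]
    # Refuse to sign for buckets outside the allowlist.
    if bucket not in ALLOWED_BUCKETS:
        raise ValueError("bucket not allowed")
    # parse_qs percent-decodes the value; a repeated "key" parameter is
    # rejected so caller and signer cannot disagree on which blob is meant.
    keys = parse_qs(parts.query, keep_blank_values=True).get("key", [])
    if len(keys) != 1 or not keys[0]:
        raise ValueError("expected exactly one non-empty key parameter")
    return bucket, keys[0]


if __name__ == "__main__":
    url = build_signer_url(
        "https://signer.example.internal/sign",  # constructed host
        "example-media-bucket",
        "projects/12/img 01+a&b.png",            # constructed S3 key
    )
    print(url)
    print(parse_signer_request(url, base_path="/sign"))
```

The per-user permission decision belongs after `parse_signer_request` returns, using the decoded key rather than the raw query string.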
API Reference
Signed URL Caching and Expiry Times
There are 2 environment variables you can use to modify the cache time renewal:
- SIGNED_URL_CACHE_MINIMUM_SECONDS_VALID: Controls how many seconds we want to keep the cached URLs in a valid state. (Must be less than your storage provider URL expiry time.)
- SIGNED_URL_CACHE_NEW_OFFSET_SECONDS_VALID: Controls how many seconds we want a new URL to be valid after being regenerated.
For example, if I set SIGNED_URL_CACHE_MINIMUM_DAYS_VALID to 18,000 (5 days) and SIGNED_URL_CACHE_NEW_OFFSET_DAYS_VALID to 21,600 (6 days), I will guarantee that my URLs will be re-generated 1 day before expiry. This can help when generating JSON exports, leaving a big enough buffer of time to work with the signed URLs generated on the JSON export before they expire.
This also means that we need to configure SIGNED_URL_CACHE_MINIMUM_SECONDS_VALID to always be greater than SIGNED_URL_CACHE_NEW_OFFSET_SECONDS_VALID. Otherwise the URLs will always be regenerated and there will be no actual cache in place.