How to prevent unwanted HTTP access to your origin in a CloudFront workflow

If you set up the CloudFront workflow, you may want to ensure that only CloudFront requests are able to access the given stream. Since you are in HTTP Origin Mode, you are working in a sessionless environment. Each request can be inspected and validated using an IVHostHTTPStreamerRequestValidator as follows:

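	import java.nio.ByteBuffer;
	// The Wowza types used below (IVHostHTTPStreamerRequestValidator, RtmpRequestMessage,
	// HostPort, WMSLoggerFactory) come from the Wowza Streaming Engine SDK.
	public class HTTPEventHandler implements IVHostHTTPStreamerRequestValidator {
		public boolean validateHTTPStreamerRequest(RtmpRequestMessage req, HostPort hp, String str) {
			// Constant-first comparison avoids a NullPointerException when no User-Agent is sent.
			if (!"amazon cloudfront".equalsIgnoreCase(req.getUserAgent())) {
				try {
					// Not a CloudFront request: replace the body with an empty one.
					req.setBody(ByteBuffer.wrap("".getBytes()));
					req.setContentLength(0);
				} catch (Exception ex) {
					WMSLoggerFactory.getLogger(null).info("Exception: " + ex.getMessage());
				}
			}
			// The request is still accepted; it fails because its content was emptied.
			return true;
		}
	}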

As seen here, you can essentially hijack the request and zero out the content. This will inevitably cause the stream request to fail.
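
User-Agent is supplied by whoever sends the request, so matching it does not show that a request came through CloudFront. As an added example (not from the original post or from Wowza's code), the class below compares that check with one on a secret custom header that CloudFront can be configured to add to origin requests; the header name `X-Origin-Verify`, the secret value and the header map standing in for the request are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.TreeMap;

public class OriginHeaderCheck {
    // Hypothetical header name; CloudFront would be configured to add it to every origin request.
    static final String SECRET_HEADER = "X-Origin-Verify";

    // The page's check: matches on a value the client chooses.
    static boolean userAgentCheck(Map<String, String> headers) {
        return "amazon cloudfront".equalsIgnoreCase(headers.get("User-Agent"));
    }

    // Shared-secret check: the header must be present and equal to the configured secret.
    static boolean secretHeaderCheck(Map<String, String> headers, String expected) {
        String presented = headers.get(SECRET_HEADER);
        if (presented == null || expected == null || expected.isEmpty()) {
            return false; // fail closed on a missing header or an unset secret
        }
        // MessageDigest.isEqual compares without exiting early at the first mismatch.
        return MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }

    // HTTP header names are case-insensitive, so use a case-insensitive map.
    static Map<String, String> headers(String... kv) {
        Map<String, String> m = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (int i = 0; i + 1 < kv.length; i += 2) m.put(kv[i], kv[i + 1]);
        return m;
    }

    public static void main(String[] args) {
        String secret = "constructed-sample-secret"; // constructed value; load from config in practice
        // Constructed sample requests: one carrying the secret, one without it, one with a wrong value.
        Map<String, String> viaCdn = headers("user-agent", "Amazon CloudFront", "x-origin-verify", secret);
        Map<String, String> direct = headers("User-Agent", "Amazon CloudFront");
        Map<String, String> wrong = headers("User-Agent", "Amazon CloudFront", "X-Origin-Verify", "guess");

        System.out.println("via CDN : ua=" + userAgentCheck(viaCdn) + " secret=" + secretHeaderCheck(viaCdn, secret));
        System.out.println("direct  : ua=" + userAgentCheck(direct) + " secret=" + secretHeaderCheck(direct, secret));
        System.out.println("wrong   : ua=" + userAgentCheck(wrong) + " secret=" + secretHeaderCheck(wrong, secret));
    }
}
```

Inside the validator, the header map would be filled from the incoming request, and the CloudFront-to-origin connection should use HTTPS so the secret is not readable in transit.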

