模板名稱
ACS-OSS-PutBucketReferer 設定儲存空間防盜鏈
模板描述
設定儲存空間防盜鏈
模板類型
自動化
所有者
Alibaba Cloud
輸入參數
參數名稱 | 描述 | 類型 | 是否必填 | 預設值 | 約束 |
bucketName | OSS bucket 名稱 | String | 是 | ||
regionId | 地區ID | String | 否 | {{ ACS::RegionId }} | |
allowEmptyReferer | 指定是否允許Referer欄位為空白的請求訪問 | String | 否 | true | |
refererList | 儲存Referer訪問白名單的網址 | List | 否 | [] | |
OOSAssumeRole | OOS扮演的RAM角色 | String | 否 | "" |
輸出參數
參數名稱 | 描述 | 類型 |
refererInfo | Json |
執行此模板需要的權限原則
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:GetBucketReferer",
"oss:PutBucketReferer"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
詳情
模板內容
FormatVersion: OOS-2019-06-01
Description:
en: Put the bucket referer
zh-cn: 設定儲存空間防盜鏈
name-en: ACS-OSS-PutBucketReferer
name-zh-cn: 設定儲存空間防盜鏈
categories:
- security
Parameters:
regionId:
Type: String
Label:
en: RegionId
zh-cn: 地區ID
AssociationProperty: RegionId
Default: '{{ ACS::RegionId }}'
bucketName:
Label:
en: BucketName
zh-cn: OSS bucket 名稱
Type: String
allowEmptyReferer:
Description:
en: Specify whether to allow access to requests whose Referer field is empty
zh-cn: 指定是否允許Referer欄位為空白的請求訪問
Type: String
Default: 'true'
AllowedValues:
- 'true'
- 'false'
refererList:
Description:
en: for example:[http://www.aliyun.com, https://www.aliyun.com]
zh-cn: 例如:[http://www.aliyun.com, https://www.aliyun.com]
Label:
en: Save Referer Access Whitelist URL
zh-cn: 儲存Referer訪問白名單的網址
Type: List
Default: []
OOSAssumeRole:
Label:
en: OOSAssumeRole
zh-cn: OOS扮演的RAM角色
Type: String
Default: ''
RamRole: '{{ OOSAssumeRole }}'
Tasks:
- Name: convertXmlParameters
Action: 'ACS::ECS::SMCConversionConstantByJqScript'
Description:
en: Automatically make bucket referer configuration
zh-cn: 自動產生儲存空間防盜鏈規則
Properties:
parameter: '{{ refererList }}'
jqScript:
- '. [] | split("[") | join("") | split("]") | join("") | split("\"") | join("") |split(",") | map(. | .="<Referer>"+.+"</Referer>") as $item| $item | join("") as $itemList | "<RefererConfiguration><AllowEmptyReferer>{{ allowEmptyReferer }}</AllowEmptyReferer><RefererList>"+$itemList+"</RefererList>" as $refererList |$refererList'
- .
Outputs:
xmlValues:
Type: String
ValueSelector: firstValue
- Name: putBucketReferer
Action: 'ACS::ExecuteAPI'
Description:
en: 'Enable the bucket referer'
zh-cn: 開啟儲存空間防盜鏈
Properties:
Service: OSS
API: PutBucketReferer
Method: PUT
URI: '?referer'
Headers:
Content-MD5: ""
Content-Type: application/xml
Parameters:
BucketName: '{{ bucketName }}'
RegionId: '{{ regionId }}'
Body: '<?xml version="1.0" encoding="UTF-8"?>{{ convertXmlParameters.xmlValues }}</RefererConfiguration>'
- Name: waitBucketRefererNoRefererList
Action: 'ACS::WaitFor'
Description:
en: Wait for the bucket referer modification to complete when referer is allowed to be empty
zh-cn: 等待儲存空間防盜鏈允許為空白時修改完成
When:
'Fn::Equals':
- '{{ refererList }}'
- []
OnSuccess: 'ACS::END'
Properties:
Service: OSS
API: GetBucketReferer
Method: GET
URI: '?referer'
Headers: {}
Parameters:
BucketName: '{{ bucketName }}'
RegionId: '{{ regionId }}'
DesiredValues:
- '{{ allowEmptyReferer }}'
PropertySelector: '.RefererConfiguration.AllowEmptyReferer'
- Name: waitBucketReferer
Action: 'ACS::WaitFor'
Description:
en: Wait for the bucket referer modification to complete
zh-cn: 等待儲存空間防盜鏈修改完成
Properties:
Service: OSS
API: GetBucketReferer
Method: GET
URI: '?referer'
Headers: {}
Parameters:
BucketName: '{{ bucketName }}'
RegionId: '{{ regionId }}'
NotDesiredValues: '{{ refererList }}'
PropertySelector: '.RefererConfiguration.RefererList.Referer-{{ refererList }}'
Outputs:
refererInfo:
Type: Json
Value:
bucketName: '{{ bucketName }}'
allowEmptyReferer: '{{ allowEmptyReferer }}'
refererList: '{{ refererList }}'