使用者上傳過大檔案或惡意檔案,會佔用OSS大量的儲存空間和頻寬資源,甚至導致OSS的網域名稱在某些環境下被封鎖。OSS不直接提供限制上傳檔案類型和大小的功能,但您可以藉助服務端產生簽名時指定檔案類型及大小,或在用戶端自行編寫攔截邏輯來實現。
服務端產生Post簽名和PostPolicy
對於需要限制上傳檔案屬性的情境,您可以在服務端產生PostObject所需的Post簽名、PostPolicy等資訊,然後用戶端可以憑藉這些資訊,在一定的限制下不依賴OSS SDK直接上傳檔案。您可以藉助服務端產生的PostPolicy限制用戶端上傳的檔案,例如限制檔案大小、檔案類型。此方案適用於通過HTML表單上傳的方式上傳檔案。需要注意的是,此方案不支援基於分區上傳大檔案、基於分區斷點續傳的情境。更多資訊,請參見PostObject。
範例程式碼
服務端範例程式碼
服務端產生Post簽名和Post Policy等資訊的範例程式碼如下:
說明
當前代碼支援一鍵部署,您可以直接在Function ComputeFC中一鍵部署本代碼。oss-upload-post-signature-app
Python
import os
from hashlib import sha1 as sha
import json
import base64
import hmac
import datetime
import time
# 配置環境變數OSS_ACCESS_KEY_ID。
access_key_id = os.environ.get('OSS_ACCESS_KEY_ID')
# 配置環境變數OSS_ACCESS_KEY_SECRET。
access_key_secret = os.environ.get('OSS_ACCESS_KEY_SECRET')
# 將<YOUR_BUCKET>替換為Bucket名稱。
bucket = '<YOUR_BUCKET>'
# host的格式為bucketname.endpoint。將<YOUR_BUCKET>替換為Bucket名稱。將<YOUR_ENDPOINT>替換為OSS Endpoint,例如oss-cn-hangzhou.aliyuncs.com。
host = 'https://<YOUR_BUCKET>.<YOUR_ENDPOINT>'
# 指定上傳到OSS的檔案首碼。
upload_dir = 'user-dir-prefix/'
# 指定到期時間,單位為秒。
expire_time = 3600
def generate_expiration(seconds):
"""
通過指定有效時間長度(秒)產生到期時間。
:param seconds: 有效時間長度(秒)。
:return: ISO8601 時間字串,如:"2014-12-01T12:00:00.000Z"。
"""
now = int(time.time())
expiration_time = now + seconds
gmt = datetime.datetime.utcfromtimestamp(expiration_time).isoformat()
gmt += 'Z'
return gmt
def generate_signature(access_key_secret, expiration, conditions, policy_extra_props=None):
"""
產生簽名字串Signature。
:param access_key_secret: 有許可權訪問目標Bucket的AccessKeySecret。
:param expiration: 簽名到期時間,按照ISO8601標準表示,並需要使用UTC時間,格式為yyyy-MM-ddTHH:mm:ssZ。樣本值:"2014-12-01T12:00:00.000Z"。
:param conditions: 策略條件,用於限制上傳表單時允許設定的值。
:param policy_extra_props: 額外的policy參數,後續如果policy新增參數支援,可以在通過dict傳入額外的參數。
:return: signature,簽名字串。
"""
policy_dict = {
'expiration': expiration,
'conditions': conditions
}
if policy_extra_props is not None:
policy_dict.update(policy_extra_props)
policy = json.dumps(policy_dict).strip()
policy_encode = base64.b64encode(policy.encode())
h = hmac.new(access_key_secret.encode(), policy_encode, sha)
sign_result = base64.b64encode(h.digest()).strip()
return sign_result.decode()
def generate_upload_params():
policy = {
# 有效期間。
"expiration": generate_expiration(expire_time),
# 約束條件。
"conditions": [
# 未指定success_action_redirect時,上傳成功後的返回狀態代碼,預設為 204。
["eq", "$success_action_status", "200"],
# 表單域的值必須以指定首碼開始。例如指定key的值以user/user1開始,則可以寫為["starts-with", "$key", "user/user1"]。
["starts-with", "$key", upload_dir],
# 限制上傳Object的最小和最大允許大小,單位為位元組。
["content-length-range", 1, 1000000],
# 限制上傳的檔案為指定的圖片類型
["in", "$content-type", ["image/jpg", "image/png"]]
]
}
signature = generate_signature(access_key_secret, policy.get('expiration'), policy.get('conditions'))
response = {
'policy': base64.b64encode(json.dumps(policy).encode('utf-8')).decode(),
'ossAccessKeyId': access_key_id,
'signature': signature,
'host': host,
'dir': upload_dir
# 可以在這裡再自行追加其他參數
}
return json.dumps(response)
Java
package com.aliyun.sample;
import com.aliyun.oss.ClientException;
import com.aliyun.oss.OSS;
import com.aliyun.oss.OSSException;
import com.aliyun.oss.common.utils.BinaryUtil;
import com.aliyun.oss.model.MatchMode;
import com.aliyun.oss.model.PolicyConditions;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.codehaus.jettison.json.JSONObject;
import java.util.Date;
@Controller
public class PostSignatureController {
@Autowired
private OSS ossClient;
@Autowired
private OssConfig ossConfig;
@GetMapping("/get_post_signature_for_oss_upload")
@ResponseBody
public String generatePostSignature() {
JSONObject response = new JSONObject();
try {
long expireEndTime = System.currentTimeMillis() + ossConfig.getExpireTime() * 1000;
Date expiration = new Date(expireEndTime);
PolicyConditions policyConds = new PolicyConditions();
policyConds.addConditionItem(PolicyConditions.COND_CONTENT_LENGTH_RANGE, 0, 1048576000);
policyConds.addConditionItem(MatchMode.StartWith, PolicyConditions.COND_KEY, ossConfig.getDir());
String postPolicy = ossClient.generatePostPolicy(expiration, policyConds);
byte[] binaryData = postPolicy.getBytes("utf-8");
String encodedPolicy = BinaryUtil.toBase64String(binaryData);
String postSignature = ossClient.calculatePostSignature(postPolicy);
response.put("ossAccessKeyId", ossConfig.getAccessKeyId());
response.put("policy", encodedPolicy);
response.put("signature", postSignature);
response.put("dir", ossConfig.getDir());
response.put("host", ossConfig.getHost());
} catch (OSSException oe) {
System.out.println("Caught an OSSException, which means your request made it to OSS, "
+ "but was rejected with an error response for some reason.");
System.out.println("HTTP Status Code: " + oe.getRawResponseError());
System.out.println("Error Message: " + oe.getErrorMessage());
System.out.println("Error Code: " + oe.getErrorCode());
System.out.println("Request ID: " + oe.getRequestId());
System.out.println("Host ID: " + oe.getHostId());
} catch (ClientException ce) {
System.out.println("Caught an ClientException, which means the client encountered "
+ "a serious internal problem while trying to communicate with OSS, "
+ "such as not being able to access the network.");
System.out.println("Error Message: " + ce.getMessage());
} catch (Exception e) {
System.out.println("Caught an unexpected exception: " + e.getMessage());
}
return response.toString();
}
}Go
package main
import (
"crypto/hmac"
"crypto/sha1"
"encoding/base64"
"encoding/json"
"fmt"
"io"
"net/http"
"os"
"time"
)
var (
// 配置環境變數OSS_ACCESS_KEY_ID。
accessKeyId = os.Getenv("OSS_ACCESS_KEY_ID")
// 配置環境變數OSS_ACCESS_KEY_SECRET。
accessKeySecret = os.Getenv("OSS_ACCESS_KEY_SECRET")
// host的格式為bucketname.endpoint。將${your-bucket}替換為Bucket名稱。將${your-endpoint}替換為OSS Endpoint,例如oss-cn-hangzhou.aliyuncs.com。
host = "http://${your-bucket}.${your-endpoint}"
// 指定上傳到OSS的檔案首碼。
uploadDir = "user-dir-prefix/"
// 指定到期時間,單位為秒。
expireTime = int64(3600)
)
type ConfigStruct struct {
Expiration string `json:"expiration"`
Conditions [][]interface{} `json:"conditions"`
}
type PolicyToken struct {
AccessKeyId string `json:"ossAccessKeyId"`
Host string `json:"host"`
Signature string `json:"signature"`
Policy string `json:"policy"`
Directory string `json:"dir"`
}
func getGMTISO8601(expireEnd int64) string {
return time.Unix(expireEnd, 0).UTC().Format("2006-01-02T15:04:05Z")
}
func getPolicyToken() string {
now := time.Now().Unix()
expireEnd := now + expireTime
tokenExpire := getGMTISO8601(expireEnd)
var config ConfigStruct
config.Expiration = tokenExpire
// 添加檔案首碼限制
config.Conditions = append(config.Conditions, []interface{}{"starts-with", "$key", uploadDir})
// 添加檔案大小限制,例如1KB到10MB
minSize := int64(1024)
maxSize := int64(10 * 1024 * 1024)
config.Conditions = append(config.Conditions, []interface{}{"content-length-range", minSize, maxSize})
result, err := json.Marshal(config)
if err != nil {
fmt.Println("callback json err:", err)
return ""
}
encodedResult := base64.StdEncoding.EncodeToString(result)
h := hmac.New(sha1.New, []byte(accessKeySecret))
io.WriteString(h, encodedResult)
signedStr := base64.StdEncoding.EncodeToString(h.Sum(nil))
policyToken := PolicyToken{
AccessKeyId: accessKeyId,
Host: host,
Signature: signedStr,
Policy: encodedResult,
Directory: uploadDir,
}
response, err := json.Marshal(policyToken)
if err != nil {
fmt.Println("json err:", err)
return ""
}
return string(response)
}
func handler(w http.ResponseWriter, r *http.Request) {
if r.URL.Path == "/" {
http.ServeFile(w, r, "templates/index.html")
return
} else if r.URL.Path == "/get_post_signature_for_oss_upload" {
policyToken := getPolicyToken()
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(policyToken))
return
}
http.NotFound(w, r)
}
func main() {
http.HandleFunc("/", handler)
http.ListenAndServe(":8080", nil)
}
PHP
<?php
function gmt_iso8601($time)
{
return str_replace('+00:00', '.000Z', gmdate('c', $time));
}
// 從環境變數中擷取訪問憑證。運行本範例程式碼之前,請確保已設定環境變數ALIBABA_CLOUD_ACCESS_KEY_ID和ALIBABA_CLOUD_ACCESS_KEY_SECRET。
$accessKeyId = getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
$accessKeySecret = getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
// $host的格式為<YOUR-BUCKET>.<YOUR-ENDPOINT>',請替換為您的真實資訊。
$host = 'http://<YOUR-BUCKET>.<YOUR-ENDPOINT>';
// 使用者上傳檔案時指定的首碼。
$dir = 'user-dir-prefix/';
$now = time();
//設定該policy逾時時間是10s. 即這個policy過了這個有效時間,將不能訪問。
$expire = 30;
$end = $now + $expire;
$expiration = gmt_iso8601($end);
//最大檔案大小.使用者可以自己設定。
$condition = array(0 => 'content-length-range', 1 => 0, 2 => 1048576000);
$conditions[] = $condition;
// 表示使用者上傳的資料,必須是以$dir開始,不然上傳會失敗,這一步不是必須項,只是為了安全起見,防止使用者通過policy上傳到別人的目錄。
$start = array(0 => 'starts-with', 1 => '$key', 2 => $dir);
$conditions[] = $start;
$arr = array('expiration' => $expiration, 'conditions' => $conditions);
$policy = json_encode($arr);
$base64_policy = base64_encode($policy);
$string_to_sign = $base64_policy;
$signature = base64_encode(hash_hmac('sha1', $string_to_sign, $accessKeySecret, true));
$response = array();
$response['ossAccessKeyId'] = $accessKeyId;
$response['host'] = $host;
$response['policy'] = $base64_policy;
$response['signature'] = $signature;
$response['dir'] = $dir;
echo json_encode($response);
Node.js
const express = require("express");
const { Buffer } = require("buffer");
const OSS = require("ali-oss");
const app = express();
const path = require("path");
const config = {
// 配置環境變數ALIBABA_CLOUD_ACCESS_KEY_ID。
accessKeyId: process.env.ALIBABA_CLOUD_ACCESS_KEY_ID,
// 配置環境變數ALIBABA_CLOUD_ACCESS_KEY_SECRET。
accessKeySecret: process.env.ALIBABA_CLOUD_ACCESS_KEY_SECRET,
// 將<YOUR-BUCKET>替換為Bucket名稱。
bucket: "<YOUR-BUCKET>",
// 指定上傳到OSS的檔案首碼。
dir: "prefix/",
};
app.use(express.static(path.join(__dirname, "templates")));
app.get("/get_post_signature_for_oss_upload", async (req, res) => {
const client = new OSS(config);
const date = new Date();
// 設定簽名的有效期間,單位為秒。
date.setSeconds(date.getSeconds() + 3600);
const policy = {
expiration: date.toISOString(),
conditions: [
// 設定上傳檔案的大小限制。
["content-length-range", 0, 1048576000],
// 限制可上傳的Bucket。
{ bucket: client.options.bucket },
],
};
const formData = await client.calculatePostSignature(policy);
const host = `http://${config.bucket}.${
(await client.getBucketLocation()).location
}.aliyuncs.com`.toString();
const params = {
policy: formData.policy,
signature: formData.Signature,
ossAccessKeyId: formData.OSSAccessKeyId,
host,
dir: config.dir,
};
res.json(params);
});
app.get(/^(.+)*\.(html|js)$/i, async (req, res) => {
res.sendFile(path.join(__dirname, "./templates", req.originalUrl));
});
app.listen(8000, () => {
console.log("http://127.0.0.1:8000");
});
Ruby
require 'sinatra'
require 'base64'
require 'open-uri'
require 'cgi'
require 'openssl'
require 'json'
require 'sinatra/reloader'
require 'sinatra/content_for'
# 設定public檔案夾路徑為當前檔案夾下的templates檔案夾
set :public_folder, File.dirname(__FILE__) + '/templates'
# 配置環境變數ALIBABA_CLOUD_ACCESS_KEY_ID。
$access_key_id = ENV['ALIBABA_CLOUD_ACCESS_ID']
# 配置環境變數ALIBABA_CLOUD_ACCESS_KEY_SECRET。
$access_key_secret = ENV['ALIBABA_CLOUD_ACCESS_SECRET']
# $host的格式為<bucketname>.<endpoint>,請替換為您的真實資訊。
$host = 'http://<bucketname>.<endpoint>';
# 使用者上傳檔案時指定的首碼。
$upload_dir = 'user-dir-prefix/'
# 到期時間,單位為秒。
$expire_time = 30
$server_ip = "0.0.0.0"
$server_port = 8000
if ARGV.length == 1
$server_port = ARGV[0]
elsif ARGV.length == 2
$server_ip = ARGV[0]
$server_port = ARGV[1]
end
puts "App server is running on: http://#{$server_ip}:#{$server_port}"
def hash_to_jason(source_hash)
jason_string = source_hash.to_json;
jason_string.gsub!("\":[", "\": [")
jason_string.gsub!("\",\"", "\", \"")
jason_string.gsub!("],\"", "], \"")
jason_string.gsub!("\":\"", "\": \"")
jason_string
end
def get_token()
expire_syncpoint = Time.now.to_i + $expire_time
expire = Time.at(expire_syncpoint).utc.iso8601()
response.headers['expire'] = expire
policy_dict = {}
condition_arrary = Array.new
array_item = Array.new
array_item.push('starts-with')
array_item.push('$key')
array_item.push($upload_dir)
condition_arrary.push(array_item)
policy_dict["conditions"] = condition_arrary
policy_dict["expiration"] = expire
policy = hash_to_jason(policy_dict)
policy_encode = Base64.strict_encode64(policy).chomp;
h = OpenSSL::HMAC.digest('sha1', $access_key_secret, policy_encode)
hs = Digest::MD5.hexdigest(h)
sign_result = Base64.strict_encode64(h).strip()
token_dict = {}
token_dict['ossAccessKeyId'] = $access_key_id
token_dict['host'] = $host
token_dict['policy'] = policy_encode
token_dict['signature'] = sign_result
token_dict['expire'] = expire_syncpoint
token_dict['dir'] = $upload_dir
result = hash_to_jason(token_dict)
result
end
set :bind, $server_ip
set :port, $server_port
get '/get_post_signature_for_oss_upload' do
token = get_token()
puts "Token: #{token}"
token
end
get '/*' do
puts "********************* GET "
send_file File.join(settings.public_folder, 'index.html')
end
end
if ARGV.length == 1
$server_port = ARGV[0]
elsif ARGV.length == 2
$server_ip = ARGV[0]
$server_port = ARGV[1]
end
$server_ip = "0.0.0.0"
$server_port = 8000
puts "App server is running on: http://#{$server_ip}:#{$server_port}"
set :bind, $server_ip
set :port, $server_port
get '/get_sts_token_for_oss_upload' do
token = get_sts_token_for_oss_upload()
response = {
"AccessKeyId" => token["Credentials"]["AccessKeyId"],
"AccessKeySecret" => token["Credentials"]["AccessKeySecret"],
"SecurityToken" => token["Credentials"]["SecurityToken"]
}
response.to_json
end
get '/*' do
puts "********************* GET "
send_file File.join(settings.public_folder, 'index.html')
end
C#
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.AspNetCore.Http;
using System.IO;
using System.Collections.Generic;
using System;
using System.Globalization;
using System.Text;
using System.Security.Cryptography;
using Newtonsoft.Json;
using Microsoft.AspNetCore.Http.Extensions;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;
namespace YourNamespace
{
public class Program
{
private ILogger<Program> _logger;
// 配置環境變數ALIBABA_CLOUD_ACCESS_KEY_ID。
public string AccessKeyId { get; set; } = Environment.GetEnvironmentVariable("ALIBABA_CLOUD_ACCESS_KEY_ID");
// 配置環境變數ALIBABA_CLOUD_ACCESS_KEY_SECRET。
public string AccessKeySecret { get; set; } = Environment.GetEnvironmentVariable("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
// host的格式為bucketname.endpoint。將<YOUR-BUCKET>替換為Bucket名稱。將<YOUR-ENDPOINT>替換為OSS Endpoint,例如oss-cn-hangzhou.aliyuncs.com。
public string Host { get; set; } = "<YOUR-BUCKET>.<YOUR-ENDPOINT>";
// 指定上傳到OSS的檔案首碼。
public string UploadDir { get; set; } = "user-dir-prefix/";
// 指定到期時間,單位為秒。
public int ExpireTime { get; set; } = 3600;
public class PolicyConfig
{
public string expiration { get; set; }
public List<List<object>> conditions { get; set; }
}
public class PolicyToken
{
public string Accessid { get; set; }
public string Policy { get; set; }
public string Signature { get; set; }
public string Dir { get; set; }
public string Host { get; set; }
public string Expire { get; set; }
}
public static void Main(string[] args)
{
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();
builder.Logging.AddConsole();
var logger = builder.Services.BuildServiceProvider().GetRequiredService<ILogger<Program>>();
app.UseStaticFiles();
app.MapGet("/", async (context) =>
{
var filePath = Path.Combine(Directory.GetCurrentDirectory(), "templates/index.html");
var htmlContent = await File.ReadAllTextAsync(filePath);
await context.Response.WriteAsync(htmlContent);
logger.LogInformation("GET request to root path");
});
app.MapGet("/get_post_signature_for_oss_upload", async (context) =>
{
var program = new Program(logger);
var token = program.GetPolicyToken();
logger.LogInformation($"Token: {token}");
context.Response.ContentType = "application/json";
await context.Response.WriteAsync(token);
});
app.Run();
}
public Program(ILogger<Program> logger)
{
_logger = logger;
}
private string ToUnixTime(DateTime dateTime)
{
return ((DateTimeOffset)dateTime).ToUnixTimeSeconds().ToString();
}
private string GetPolicyToken()
{
var expireDateTime = DateTime.Now.AddSeconds(ExpireTime);
var config = new PolicyConfig
{
expiration = FormatIso8601Date(expireDateTime),
conditions = new List<List<object>>()
};
config.conditions.Add(new List<object>
{
"content-length-range", 0, 1048576000
});
var policy = JsonConvert.SerializeObject(config);
var policyBase64 = EncodeBase64("utf-8", policy);
var signature = ComputeSignature(AccessKeySecret, policyBase64);
var policyToken = new PolicyToken
{
Accessid = AccessKeyId,
Host = Host,
Policy = policyBase64,
Signature = signature,
Expire = ToUnixTime(expireDateTime),
Dir = UploadDir
};
return JsonConvert.SerializeObject(policyToken);
}
private string FormatIso8601Date(DateTime dtime)
{
return dtime.ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss.fff'Z'",
CultureInfo.CurrentCulture);
}
private string EncodeBase64(string codeType, string code)
{
string encode = "";
byte[] bytes = Encoding.GetEncoding(codeType).GetBytes(code);
try
{
encode = Convert.ToBase64String(bytes);
}
catch
{
encode = code;
}
return encode;
}
private string ComputeSignature(string key, string data)
{
using (var algorithm = new HMACSHA1(Encoding.UTF8.GetBytes(key)))
{
return Convert.ToBase64String(algorithm.ComputeHash(Encoding.UTF8.GetBytes(data)));
}
}
}
}
用戶端範例程式碼
Web端使用Post簽名和Post Policy等資訊上傳檔案到OSS的範例程式碼如下:
const form = document.querySelector("form");
const fileInput = document.querySelector("#file");
form.addEventListener("submit", (event) => {
event.preventDefault();
const file = fileInput.files[0];
if (!fileInput.files[0]) {
alert('請選擇要上傳的檔案');
return;
}
const filename = fileInput.files[0].name;
fetch("/get_post_signature_for_oss_upload", { method: "GET" })
.then((response) => {
if (!response.ok) {
throw new Error("擷取簽名失敗");
}
return response.json();
})
.then((data) => {
const formData = new FormData();
formData.append("name", filename);
formData.append("policy", data.policy);
formData.append("OSSAccessKeyId", data.ossAccessKeyId);
formData.append("success_action_status", "200");
formData.append("signature", data.signature);
formData.append("key", data.dir + filename);
formData.append("file", file);
return fetch(data.host, { method: "POST", body: formData });
})
.then((response) => {
if (response.ok) {
console.log("上傳成功");
alert("檔案已上傳");
} else {
console.log("上傳失敗", response);
alert("上傳失敗,請稍後再試");
}
})
.catch((error) => {
console.error("發生錯誤:", error);
});
});服務端產生簽名URL
產生簽名URL時,不支援指定content-length-range,因此不適用於限制上傳檔案大小的情境。對於要限制上傳檔案類型的情境,您可以在服務端產生簽名URL時,強制指定content-type,用戶端憑藉簽名URL上傳檔案時,必須上傳指定類型的檔案。更多資訊,請參見簽名版本1。
範例程式碼
服務端範例程式碼
服務端產生簽名URL的範例程式碼如下:
說明
當前代碼支援一鍵部署,您可以直接在Function ComputeFC中一鍵部署本代碼。oss-upload-presigned-url-app
Python
import oss2
from oss2.credentials import EnvironmentVariableCredentialsProvider
# 從環境變數中擷取訪問憑證。運行本範例程式碼之前,請確保已設定環境變數OSS_ACCESS_KEY_ID和OSS_ACCESS_KEY_SECRET。
auth = oss2.ProviderAuth(EnvironmentVariableCredentialsProvider())
# 將<YOUR_ENDPOINT>替換為Bucket所在地區對應的Endpoint。以華東1(杭州)為例,Endpoint填寫為https://oss-cn-hangzhou.aliyuncs.com。
# 將<YOUR_BUCKET>替換為Bucket名稱。
bucket = oss2.Bucket(auth, '<YOUR_ENDPOINT>', '<YOUR_BUCKET>')
# 指定到期時間,單位秒。
expire_time = 3600
# 填寫Object完整路徑,例如exampledir/exampleobject.png。Object完整路徑中不能包含Bucket名稱。
object_name = 'exampledir/exampleobject.png'
def generate_presigned_url():
# 指定Header。
headers = dict()
# 指定Content-Type。
headers['Content-Type'] = 'image/png'
# 指定儲存類型。
# headers["x-oss-storage-class"] = "Standard"
# 產生簽名URL時,OSS預設會對Object完整路徑中的正斜線(/)進行轉義,從而導致產生的簽名URL無法直接使用。
# 設定slash_safe為True,OSS不會對Object完整路徑中的正斜線(/)進行轉義,此時產生的簽名URL可以直接使用。
url = bucket.sign_url('PUT', object_name, expire_time, slash_safe=True, headers=headers)
return url
Java
import com.aliyun.oss.OSS;
import com.aliyun.oss.OSSClientBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Bean;
import com.aliyun.oss.HttpMethod;
import com.aliyun.oss.model.GeneratePresignedUrlRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import java.net.URL;
import java.util.Date;
import javax.annotation.PreDestroy;
@Configuration
public class OssConfig {
/**
* 將<your-endpoint>替換為OSS Endpoint,例如oss-cn-hangzhou.aliyuncs.com。
*/
private static final String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
/**
* 通過環境變數 ALIBABA_CLOUD_ACCESS_KEY_ID 設定 accessKeyId
*/
@Value("${ALIBABA_CLOUD_ACCESS_KEY_ID}")
private String accessKeyId;
/**
* 通過環境變數 ALIBABA_CLOUD_ACCESS_KEY_Secret 設定 accessKeySecret
*/
@Value("${ALIBABA_CLOUD_ACCESS_KEY_SECRET}")
private String accessKeySecret;
private OSS ossClient;
@Bean
public OSS getSssClient() {
ossClient = new OSSClientBuilder().build(endpoint, accessKeyId, accessKeySecret);
return ossClient;
}
@PreDestroy
public void onDestroy() {
ossClient.shutdown();
}
}
@Controller
public class PresignedURLController {
/**
* 將<your-bucket>替換為Bucket名稱。
* 指定上傳到OSS的檔案首碼。
* 將<your-object>替換為Object完整路徑,例如exampleobject.txt。Object完整路徑中不能包含Bucket名稱。
* 指定到期時間,單位為毫秒。
*/
private static final String BUCKET_NAME = "<your-bucket>";
private static final String OBJECT_NAME = "<your-object>";
private static final long EXPIRE_TIME = 3600 * 1000L;
@Autowired
private OSS ossClient;
@GetMapping("/get_presigned_url_for_oss_upload")
@ResponseBody
public String generatePresignedURL() {
try {
GeneratePresignedUrlRequest request = new GeneratePresignedUrlRequest(BUCKET_NAME, OBJECT_NAME, HttpMethod.PUT);
Date expiration = new Date(System.currentTimeMillis() + EXPIRE_TIME);
request.setExpiration(expiration);
request.setContentType("image/png");
URL signedUrl = ossClient.generatePresignedUrl(request);
return signedUrl.toString();
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
}Go
package main
import (
"fmt"
"net/http"
"os"
"github.com/aliyun/aliyun-oss-go-sdk/oss"
)
func getURL() string {
// yourEndpoint填寫Bucket對應的Endpoint,以華東1(杭州)為例,填寫為https://oss-cn-hangzhou.aliyuncs.com。其它Region請按實際情況填寫。
endpoint := "https://oss-cn-beijing.aliyuncs.com"
// 填寫Bucket名稱,例如examplebucket。
bucketName := "examplebucket"
// 填寫檔案完整路徑,例如exampledir/exampleobject.txt。檔案完整路徑中不能包含Bucket名稱。
objectName := "exampledir/exampleobject.txt"
// 從環境變數中擷取訪問憑證。運行本範例程式碼之前,請確保已設定環境變數ALIBABA_CLOUD_ACCESS_KEY_ID和ALIBABA_CLOUD_ACCESS_KEY_SECRET。
accessKeyID := os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID")
accessKeySecret := os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET")
client, err := oss.New(endpoint, accessKeyID, accessKeySecret)
if err != nil {
fmt.Println("json err:", err)
}
bucket, err := client.Bucket(bucketName)
if err != nil {
fmt.Println("json err:", err)
}
options := []oss.Option{
oss.ContentType("image/png"),
}
signedURL, err := bucket.SignURL(objectName, oss.HTTPPut, 60, options...)
if err != nil {
fmt.Println("json err:", err)
}
return signedURL
}
func handler(w http.ResponseWriter, r *http.Request) {
if r.URL.Path == "/" {
http.ServeFile(w, r, "templates/index.html")
return
} else if r.URL.Path == "/get_presigned_url_for_oss_upload" {
url := getURL()
fmt.Fprintf(w, "%s", url)
return
}
http.NotFound(w, r)
}
func main() {
http.HandleFunc("/", handler)
http.ListenAndServe(":8080", nil)
}
PHP
<?php
require_once __DIR__ . '/vendor/autoload.php';
use OSS\OssClient;
use OSS\Core\OssException;
use OSS\Http\RequestCore;
use OSS\Http\ResponseCore;
// 運行本範例程式碼之前,請確保已設定環境變數ALIBABA_CLOUD_ACCESS_KEY_ID和ALIBABA_CLOUD_ACCESS_KEY_SECRET。
$accessKeyId = getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
$accessKeySecret = getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
// yourEndpoint填寫Bucket所在地區對應的Endpoint。以華東1(杭州)為例,Endpoint填寫為https://oss-cn-hangzhou.aliyuncs.com。
$endpoint = "<YOUR-ENDPOINT>";
// 填寫Bucket名稱。
$bucket= "<YOUR-BUCKET>";
// 填寫不包含Bucket名稱在內的Object完整路徑。
$object = "test.png";
// 設定簽名URL的有效時間長度為3600秒。
$timeout = 3600;
try {
$ossClient = new OssClient($accessKeyId, $accessKeySecret, $endpoint, false);
// 產生簽名URL。
$signedUrl = $ossClient->signUrl($bucket, $object, $timeout, "PUT", array('Content-Type' => 'image/png'));
// 列印返回的資料
echo $signedUrl;
} catch (OssException $e) {
printf($e->getMessage() . "\n");
return;
}
Node.js
const express = require("express");
const { Buffer } = require("buffer");
const OSS = require("ali-oss");
const app = express();
const path = require("path");
const fs = require("fs");
const axios = require("axios");
const config = {
// <YOURREGION>填寫Bucket所在地區。以華東1(杭州)為例,Region填寫為oss-cn-hangzhou。
region: '<YOURREGION>',
// 配置環境變數ALIBABA_CLOUD_ACCESS_KEY_ID。
accessKeyId: process.env.ALIBABA_CLOUD_ACCESS_KEY_ID,
// 配置環境變數ALIBABA_CLOUD_ACCESS_KEY_SECRET。
accessKeySecret: process.env.ALIBABA_CLOUD_ACCESS_KEY_SECRET,
// 將<YOUR-BUCKET>替換為Bucket名稱。
bucket: "<YOUR-BUCKET>",
}
const object = "examplefile.png";
app.use(express.static(path.join(__dirname, "templates")));
app.get("/get_presigned_url_for_oss_upload", async (req, res) => {
const client = new OSS(config);
const url = client.signatureUrl(object, {
method: "PUT",
"Content-Type": "application/x-www-form-urlencoded",
});
res.send(url);
console.log(url);
});
app.listen(8000, () => {
console.log("http://127.0.0.1:8000");
});
Ruby
require 'sinatra'
require 'base64'
require 'open-uri'
require 'cgi'
require 'openssl'
require 'json'
require 'sinatra/reloader'
require 'sinatra/content_for'
require 'aliyun/oss'
include Aliyun::OSS
# 設定public檔案夾路徑為當前檔案夾下的templates檔案夾
set :public_folder, File.dirname(__FILE__) + '/templates'
# 配置環境變數ALIBABA_CLOUD_ACCESS_KEY_ID。
$access_key_id = ENV['ALIBABA_CLOUD_ACCESS_KEY_ID']
# 配置環境變數ALIBABA_CLOUD_ACCESS_SECRET。
$access_key_secret = ENV['ALIBABA_CLOUD_ACCESS_KEY_SECRET']
# 填寫Object完整路徑,例如exampledir/exampleobject.png。Object完整路徑中不能包含Bucket名稱。
object_key = 'exampledir/exampleobject.png'
def get_presigned_url(client, object_key)
# 將<YOUR-BUCKET>替換為Bucket名稱。
bucket = client.get_bucket('<YOUR-BUCKET>')
# 產生簽名URL,並指定URL有效時間為1小時(3600秒)。
bucket.object_url(object_key, 3600)
end
client = Aliyun::OSS::Client.new(
# 將<YOUR-ENDPOINT>替換為Bucket所在地區對應的Endpoint。以華東1(杭州)為例,Endpoint填寫為https://oss-cn-hangzhou.aliyuncs.com。
endpoint: '<YOUR-ENDPOINT>',
# 從環境變數中擷取訪問憑證。運行本範例程式碼之前,請確保已設定環境變數OSS_ACCESS_KEY_ID和OSS_ACCESS_KEY_SECRET。
access_key_id: $access_key_id,
access_key_secret: $access_key_secret
)
if ARGV.length == 1
$server_port = ARGV[0]
elsif ARGV.length == 2
$server_ip = ARGV[0]
$server_port = ARGV[1]
end
$server_ip = "0.0.0.0"
$server_port = 8000
puts "App server is running on: http://#{$server_ip}:#{$server_port}"
set :bind, $server_ip
set :port, $server_port
get '/get_presigned_url_for_oss_upload' do
url = get_presigned_url(client, object_key.to_s)
puts "Token: #{url}"
url
end
get '/*' do
puts "********************* GET "
send_file File.join(settings.public_folder, 'index.html')
end
C#
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.AspNetCore.Http;
using System.IO;
using System;
using Microsoft.Extensions.Logging;
using Aliyun.OSS;
namespace YourNamespace
{
public class Program
{
private ILogger<Program> _logger;
// 配置環境變數ALIBABA_CLOUD_ACCESS_KEY_ID。
public string AccessKeyId { get; set; } = Environment.GetEnvironmentVariable("ALIBABA_CLOUD_ACCESS_KEY_ID");
// 配置環境變數ALIBABA_CLOUD_ACCESS_KEY_SECRET。
public string AccessKeySecret { get; set; } = Environment.GetEnvironmentVariable("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
// <YOUR-ENDPOINT>替換為Bucket所在地區對應的Endpoint。以華東1(杭州)為例,Endpoint填寫為https://oss-cn-hangzhou.aliyuncs.com。
private string EndPoint { get; set; } = "<YOUR-ENDPOINT>";
// 將<YOUR-BUCKET>替換為Bucket名稱。
private string BucketName { get; set; } = "<YOUR-BUCKET>";
private string ObjectName { get; set; } = "exampledir/exampleobject2.png";
public static void Main(string[] args)
{
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();
// 添加日誌
builder.Logging.AddConsole();
var logger = builder.Services.BuildServiceProvider().GetRequiredService<ILogger<Program>>();
app.UseStaticFiles(); // 添加這行以啟用靜態檔案中介軟體
app.MapGet("/", async (context) =>
{
var filePath = Path.Combine(Directory.GetCurrentDirectory(), "templates/index.html");
var htmlContent = await File.ReadAllTextAsync(filePath);
await context.Response.WriteAsync(htmlContent);
// 列印日誌
logger.LogInformation("GET request to root path");
});
app.MapGet("/get_presigned_url_for_oss_upload", async (context) =>
{
var program = new Program(logger);
var signedUrl = program.GetSignedUrl();
logger.LogInformation($"SignedUrl: {signedUrl}"); // 列印token的值
await context.Response.WriteAsync(signedUrl);
});
app.Run();
}
// 建構函式注入ILogger
public Program(ILogger<Program> logger)
{
_logger = logger;
}
private string GetSignedUrl()
{
// 建立OSSClient執行個體
var ossClient = new OssClient(EndPoint, AccessKeyId, AccessKeySecret);
// 產生簽名URL
var generatePresignedUriRequest = new GeneratePresignedUriRequest(BucketName, ObjectName, SignHttpMethod.Put)
{
Expiration = DateTime.Now.AddHours(1),
ContentType = "image/png"
};
var signedUrl = ossClient.GeneratePresignedUri(generatePresignedUriRequest);
return signedUrl.ToString();
}
}
}
用戶端範例程式碼
Web端使用簽名URL上傳檔案到OSS的範例程式碼如下:
const form = document.querySelector("form");
form.addEventListener("submit", (event) => {
event.preventDefault();
const fileInput = document.querySelector("#file");
const file = fileInput.files[0];
fetch("/get_presigned_url_for_oss_upload", { method: "GET" })
.then((response) => {
if (!response.ok) {
throw new Error("擷取預簽名URL失敗");
}
return response.text();
})
.then((url) => {
fetch(url, {
method: "PUT",
headers: new Headers({
"Content-Type": "image/png",
}),
body: file,
}).then((response) => {
if (!response.ok) {
throw new Error("檔案上傳到OSS失敗");
}
console.log(response);
alert("檔案已上傳");
});
})
.catch((error) => {
console.error("發生錯誤:", error);
alert(error.message);
});
});用戶端自行攔截
對於需要限制上傳檔案屬性的情境,您可以在用戶端上通過JavaScript代碼來實現。通過條件陳述式檢查檔案大小和檔案類型是否滿足要求,如果不滿足,則彈出警告或錯誤資訊,阻止上傳操作。需要注意的是,STS臨時訪問憑證不支援設定限制上傳檔案的大小及類型。因此,如果STS臨時訪問憑證被截取,惡意使用者可能會繞過用戶端限制,直接上傳惡意檔案到您的OSS。
範例程式碼
用戶端範例程式碼
使用<input type="file">元素的files屬性和accept屬性來檢查檔案大小和檔案類型是否符合要求的範例程式碼如下:
<!DOCTYPE html>
<html>
<head>
<title>檔案上傳</title>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
</head>
<body>
<input type="file" id="file-upload" accept="image/jpeg, image/png, application/pdf" />
<button onclick="uploadFile()">上傳</button>
<script>
function uploadFile() {
const fileInput = document.getElementById('file-upload');
const file = fileInput.files[0];
// 檔案大小限制(單位:位元組)
const maxFileSize = 1024 * 1024; // 1MB
// 允許的檔案類型
const allowedTypes = ['image/jpeg', 'image/png', 'application/pdf'];
if (file) {
// 檢查檔案大小
if (file.size > maxFileSize) {
alert('檔案大小超過限制。請上傳小於1MB的檔案。');
return;
}
// 檢查檔案類型
if (!allowedTypes.includes(file.type)) {
alert('不支援的檔案類型。請上傳JPEG、PNG或PDF檔案。');
return;
}
// 檔案驗證通過,可以進行上傳操作
// 這裡可以編寫具體的上傳邏輯
console.log('開始上傳檔案:', file.name);
// 上傳的代碼
} else {
alert('請選擇要上傳的檔案。');
}
}
</script>
</body>
</html>