Amazon S3 via HTTPS


#1

Hi, I have a site using S3 and SSL and it seems that most of the Omeka helper functions return a non-HTTPS file path, which causes mixed-content warnings. I don’t have direct access to the AWS account, but is this something that needs to be configured at the account level or is there some way to specify SSL in config.ini or elsewhere in Omeka?

Thanks – E

file_display_url($file,'fullsize'); // http://s3.amazonaws.com/mybucket/fullsize/example.jpg
$file->getWebPath('fullsize'); // http://s3.amazonaws.com/mybucket/fullsize/example.jpg

#2

You can specify the endpoint in the S3 part of config.ini as an adapter option… specifying the https URL, like https://s3.amazonaws.com, should do the trick.


#3

Hi @jflatnes, it seems that just adding HTTPS to the front of the storage.adapterOptions.endpoint URL doesn’t work. I’ve been in touch with the account admin who is looking at configuring SSL via Cloudfront. I don’t have access to look at the account options, but if you have ideas about how to proceed, I’ll pass them on. Thanks – E


#4

It doesn’t work meaning it doesn’t fix the problem, or it causes some other problem?


#5

I’ve tried a couple of variations on the custom endpoint, all of which cause errors on file upload/delete.

Adding https://[bucket].s3-website-us-east-1.amazonaws.com as the custom endpoint…

Zend_Http_Client_Adapter_Exception
Unable to Connect to ssl://[bucket][bucket].s3-website-us-east-1.amazonaws.com:443. 
Error #110: Connection timed out

Adding https://s3-website-us-east-1.amazonaws.com as the custom endpoint…

Zend_Http_Client_Adapter_Exception
Unable to Connect to ssl://[bucket].s3-website-us-east-1.amazonaws.com:443. 
Error #110: Connection timed out

Adding https://amazonaws.com as the custom endpoint …

Zend_Http_Client_Adapter_Exception
Unable to Connect to ssl://lorain.local.history.amazonaws.com:443. 
Error #0: php_network_getaddresses: getaddrinfo failed: Name or service not known

#6

Have you tried https://s3.amazonaws.com ? And of course making sure that you can make outgoing SSL connections generally, as a firewall/configuration matter. Usually that’s not an issue, though.


#7

Same issue.

storage.adapterOptions.endpoint = "https://s3.amazonaws.com"
Zend_Http_Client_Adapter_Exception
Unable to Connect to ssl://[bucket].s3.amazonaws.com:443.
Error #0:

Right now, I’m waiting for the account admin to have a look at this recommendation in hopes it will help…

Be sure to update the DNS for your domain to a CNAME record that points to the CloudFront distribution’s provided domain. You can find your distribution’s domain name in the CloudFront console.
https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-https-requests-s3/

Does RRCHNM have – or know of – any SSL + S3 sites whose admin I might contact for more info about account configurations?


#8

Was the error really just “Error #0:”? Or was there some more text there? You might just have an issue with the SSL setup on that server for making outgoing connections. An “error #0” with nothing else is a pretty typical symptom of that kind of problem; often the cause is that PHP just doesn’t know where the SSL certificates are located (fixable with the php.ini setting openssl.cafile or openssl.capath).

Anyway, S3 itself will let you access the files through HTTPS just fine, so it’s really just a matter of getting the adapter to emit HTTPS URLs. Changing the endpoint will change the emitted URLs, since they’re created by using the endpoint as a basis, but as you’ve seen that also changes how the connection is made for uploading and deleting files.

As a workaround you could just force the URL generated to be HTTPS by changing the uri line in Omeka_Storage_Adapter_ZendS3::getUri():

$uri = 'https:' . substr("$endpoint/$object", 5);

You could also do that in a plugin by just extending the ZendS3 adapter, overriding just getUri() and doing a similar substr-and-prepend to the uri you’d get from calling parent::getUri().


#9

Thanks John, I changed line 161 in

/libraries/Omeka/Storage/Adapter/ZendS3.php

$uri = 'https:' . substr("$endpoint/$object", 5);

This will do for now, though it does add some maintenance overhead.

If I submitted a pull request that adds a storage.adapterOptions.force_ssl constant in config.ini, is that something that is likely to be accepted?


#10

Probably… although for a solution going into the core we’d probably need to be a little more clever about it. Minimally, we’d need to account for an endpoint that’s already https (even though that didn’t work in your case).
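
Putting together the plugin-side override suggested in #8 and the “endpoint already https” check asked for in #10, here is an added example. It is not code from this thread, from the poster’s pull request, or from Omeka core. It assumes Omeka 2.x, where Omeka_Storage_Adapter_ZendS3 declares public function getUri($path) and returns the object URL as a string; the class name Example_Storage_Adapter_ZendS3Https and the function example_force_https are hypothetical names chosen for the example.

```php
<?php
// Added example for this thread; not Omeka core code and not the poster's
// pull request. Assumptions: Omeka 2.x, where Omeka_Storage_Adapter_ZendS3
// declares public function getUri($path) and returns a URL string. The
// class and function names below are hypothetical.

/**
 * Return $uri unchanged unless its scheme is plain http, in which case only
 * the scheme is swapped for https. The one-line patch from #8,
 * 'https:' . substr($uri, 5), cuts a fixed five characters, so an endpoint
 * that is already https would come out as "https:://..."; this version
 * checks the scheme first and leaves https and scheme-relative URLs alone.
 */
function example_force_https($uri)
{
    $scheme = parse_url($uri, PHP_URL_SCHEME);
    if ($scheme === null || $scheme === false) {
        // Scheme-relative ("//host/...") or relative URI: nothing to rewrite.
        return $uri;
    }
    if (strtolower($scheme) === 'http') {
        // Replace the scheme only; host, bucket and object name stay as emitted.
        return 'https' . substr($uri, strlen($scheme));
    }
    return $uri;
}

// The adapter subclass described in #8: inherit connection, upload and
// delete behaviour from the core adapter and rewrite only the URI that
// Omeka hands to file_display_url() and getWebPath(). The declaration is
// guarded so this file can also be run outside Omeka to exercise the
// function above.
if (class_exists('Omeka_Storage_Adapter_ZendS3')) {
    class Example_Storage_Adapter_ZendS3Https extends Omeka_Storage_Adapter_ZendS3
    {
        public function getUri($path)
        {
            return example_force_https(parent::getUri($path));
        }
    }
}

// Constructed sample inputs modelled on the URLs quoted earlier in the thread.
$samples = array(
    'http://s3.amazonaws.com/mybucket/fullsize/example.jpg',
    'https://s3.amazonaws.com/mybucket/fullsize/example.jpg',
    '//s3.amazonaws.com/mybucket/fullsize/example.jpg',
);
foreach ($samples as $s) {
    echo $s, ' => ', example_force_https($s), PHP_EOL;
}
```

Because the endpoint option is left as plain http, uploads and deletes keep working over the connection that already worked for the poster; only the emitted URL changes. For Omeka to use the subclass, the plugin has to make it autoloadable and the storage.adapter setting in config.ini has to name it instead of Omeka_Storage_Adapter_ZendS3 (how a given plugin registers the class is outside what this thread covers, so treat that as an assumption to verify against the Omeka version in use).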


#11

Ok, I’ve created a pull request that I think should work.