Documentation

How to Serve Private Media via Signed Amazon CloudFront URLs

In this guide you’ll learn how to configure Amazon CloudFront and WP Offload Media to enable signed expiring CloudFront URLs for offloaded Media Library items that should have restricted access.

You typically want to restrict access to offloaded Media Library items that are downloadable Product Files for WooCommerce or Easy Digital Downloads, or perhaps to ensure media URLs available on members-only pages can not be used outside of the site. We generally call these kinds of files “private” to distinguish them from public media such as images that you usually want to be freely seen on the site.

By setting up WP Offload Media to deliver private media via signed Amazon CloudFront URLs you get all the benefits of improved worldwide delivery speeds of your media via the CDN with your own domain, while keeping the files relatively secure. You can read more about signed expiring URLs in our How to Restrict Access to Offloaded Media doc.

This doc assumes you have already set up WP Offload Media to offload the Media Library to Amazon S3 and deliver those files via Amazon CloudFront by following the CloudFront Setup for Media Offloaded to Amazon S3 guide.

You can set up WP Offload Media to sign Amazon CloudFront URLs that use either a default CloudFront domain (cloudfront.net) or a custom domain (recommended). This guide uses a custom domain, but there is no difference to the steps when using a default CloudFront domain.

For added security it is recommended that you have followed our advice and enabled Block All Public Access to Bucket when setting up CloudFront as the delivery provider.

This article covers the following steps:

  1. Create an Amazon CloudFront Key Pair
  2. Create a New Amazon CloudFront Behavior for Private Media
  3. Configure WP Offload Media to Deliver Private Media via Signed Amazon CloudFront URLs

Create an Amazon CloudFront Key Pair

By default, WP Offload Media signs private offloaded media files using the same Access Key ID and Secret Access Key credentials that are used to access the Amazon S3 bucket. These signed URLs use raw Amazon S3 URLs (e.g. https://ianmjones-sandwichcity.s3.eu-west-2.amazonaws.com/…).

To create signed Amazon CloudFront URLs that use the domain assigned to the distribution, Amazon CloudFront requires its own set of credentials that it can securely deploy to its edge servers to validate each request. These credentials are called a “CloudFront key pair”, and are created via the Your Security Credentials AWS Console page.

Log into the AWS Console and navigate to the Your Security Credentials page via the My Security Credentials menu option found after clicking your account name at the top right of any AWS Console page.

OME Signed CloudFront Setup - My Security Credentials menu option

On the Your Security Credentials page you’ll see a list of different types of credentials that can be configured. Click the “CloudFront key pairs” option to expand it.

OME Signed CloudFront Setup - Your Security Credentials page showing existing CloudFront key pairs

In the above screenshot you can see that we already have a CloudFront key pair set up on our account, but chances are you will not. If you do already have one or maybe two CloudFront key pairs set up, please be aware that you can only have a maximum of two CloudFront key pairs active at any one time. As such, if you already have a key pair set up you may need to contact another member of your team to either retrieve the associated private key file you’ll later need in this guide, or confirm that it is ok to create a new key pair.

To create a new CloudFront key pair, click the Create New Key Pair button, which should show you a “Create Key Pair” dialog box.

OME Signed CloudFront Setup - Your Security Credentials page showing Create Key Pair dialog

IMPORTANT: You must now download the private key file by clicking the Download Private Key File button. This file is needed by WP Offload Media so that it can sign CloudFront URLs, and this dialog box is the only time you’ll have an opportunity to download that file. I repeat, download that private key file now.

When you download the Private Key File it should have a filename that starts with “pk-“, followed by a bunch of uppercase letters and numbers, with a “.pem” extension. In our example the file we downloaded was named pk-APKAIAITPDGU2W7RWF7Q.pem, but yours will have a different set of letters and numbers in the middle part.

WP Offload Media does not need the Public Key File, so there’s no need to download that, and unlike the required Private Key File you can download the public one later anyway.

Once you’ve downloaded the Private Key File, you can close the “Create Key Pair” dialog. You should now see your new CloudFront key pair in the list.

OME Signed CloudFront Setup - Your Security Credentials page showing new CloudFront key pair

You can now see the Access Key ID for the new CloudFront key pair, you will need that later. However, you should notice that the Access Key ID matches the middle part of the downloaded Private Key File’s name, which is handy.

Create a New Amazon CloudFront Behavior for Private Media

We can now configure Amazon CloudFront to restrict access to certain files so that they can only be viewed or downloaded by a signed URL that WP Offload Media will generate.

At present you should have a CloudFront distribution set up that is happily delivering offloaded Media Library items on publicly accessible URLs. What we want to do now is have CloudFront designate a certain path prefix as “private” and require signed URLs in order to access them. We do this by adding a new Behavior to the CloudFront distribution.

Later we’ll configure WP Offload Media to move all private objects to the new private path.
Ensure you’re in the Distributions section of the AWS Console’s CloudFront page, click the ID of the CloudFront distribution that you’re using with WP Offload Media on your WordPress site.

OME Signed CloudFront Setup - Select existing CloudFront distribution

Click on the Behaviors tab, and then the Create Behavior button.

OME Signed CloudFront Setup - View Behaviors tab for CloudFront distribution

Enter a relative Path Pattern that matches how you wish the path of all private objects to start. The path should not start with a “/”, but should end with “/*” to indicate that all files in the path pattern are subject to the Behavior.

In our example we’re going to have WP Offload Media move all the private objects into new paths that start with “private/…”, so we’ll enter “private/*” as our Path Pattern. However, you could just as easily enter “downloads/*”, “store/*”, or even “secure/content/*”.

The key thing to remember is that WP Offload Media will be moving private objects into this new path prefix, with the rest of their normal bucket path appended. So the matching Path Pattern in the new CloudFront Behavior should be a relative folder path, with an “/*” appended. You should not use a filename pattern such as “private/*.zip” because WP Offload Media requires that all objects under the specified private path prefix be signed.

As we are entering a Path Pattern, you should also double-check that the Origin or Group Origin is the Amazon S3 bucket that you’re offloading media to with WP Offload Media.

Otherwise, the only other field that needs attention is the Restrict Viewer Access (Use Signed URLs or Signed Cookies) radio button. Select “Yes”, and ensure that the newly exposed Trusted Signers field has “Self” checked. That will ensure the Behavior requires Signed URLs that have been signed with a CloudFront key pair for any request whose path matches the Path Pattern.

Click the Create button to save the new Behavior.

OME Signed CloudFront Setup - Create Behavior page

You should now see your new Behavior first in the list, showing a Precedence of “0”, and all the expected details including Trusted Signers of “Self”.

OME Signed CloudFront Setup - View Behaviors tab for CloudFront distribution with new Behavior

Configure WP Offload Media to Deliver Private Media via Signed Amazon CloudFront URLs

While the updated Amazon CloudFront distribution deploys, you can set up WP Offload Media to use a matching private prefix for private media and sign their CloudFront URLs.

The first thing to do is add the CloudFront key pair’s Private Key File to the site’s server.

Through whatever means you have at your disposal, such as FTP or a file browser via your hosting provider’s control panel, upload the CloudFront key pair Private Key File to a private area of the server that is accessible to your WordPress site’s PHP processes, but is not accessible from the public internet.

Often you’ll be able to upload files to an area that is one folder up from the WordPress site’s root folder which is usually not accessible by the internet. For example, if your site’s wp-config.php file can be found at /var/www/example.com/htdocs/wp-config.php, then /var/www/example.com/ would likely be a safe place to put the Private Key File.

In our example, the site’s root folder is at /sites/www.sandwichcity.com/files/, so we’ll upload our Private Key File to /sites/www.sandwichcity.com/pk-APKAIAITPDGU2W7RWF7Q.pem. We’ll need to know this full absolute path when configuring WP Offload Media to use it.

Remember, the Private Key File is literally the key to access your private files being served via the CloudFront distribution. If someone gets hold of that file they can create their own signed CloudFront URLs to access your objects. So if you are not sure whether your Private Key File is going to be secret and safe from unwanted access, please consult with your server administrator or service provider.

Gandalf saying Keep it secret, keep it safe.

Log into your WordPress site’s admin dashboard and navigate to WP Offload Media’s settings page via the Settings menu.

In the Delivery section of the settings that are currently configured to deliver public media via Amazon CloudFront, click the switch to turn on Private Media.

OME Signed CloudFront Setup - WP Offload Media settings with Private Media switch highlighted

You should now see 3 new fields, CloudFront Key Pair Access Key ID, CloudFront Private Key File Path and Private Path.

In the CloudFront Key Pair Access Key ID field enter the “Access Key ID” that you saw when you created your CloudFront key pair.

For the CloudFront Private Key Path enter the full absolute path to the Private Key File you uploaded to the server. For our example we entered /sites/www.sandwichcity.com/pk-APKAIAITPDGU2W7RWF7Q.pem.

Finally, in the Private Path field you should enter the relative path that you set up the new CloudFront Behavior to match against, but do not include the “*” wildcard character. In our example we entered “private”, but we could also have entered “private/” (which is what it’ll actually be saved as in either case).

Click the Save Changes button to proceed.

OME Signed CloudFront Setup - WP Offload Media settings with Private Media settings entered

WP Offload Media now prompts you to move any already offloaded private media to the new private path. Say “Yes” unless you have some reason to keep your private objects where they are.

If you say “No” here then WP Offload Media will continue to serve already offloaded private media via signed S3 URLs instead. Only media made private after this point would then be served via signed CloudFront URLs as they will be placed in the expected private path.

OME Signed CloudFront Setup - WP Offload Media showing move private media prompt

If you took our recommendation and said “Yes” to moving private media into the new private path, then WP Offload Media will analyze every offloaded Media Library item to move any private files, including any thumbnail sizes that have been made private. This process happens in the background on the server, so you can close your browser or put your machine to sleep if you like.

OME Signed CloudFront Setup - WP Offload Media's move private objects tool in progress

At the completion of the move process, WP Offload Media will post a notice in the admin dashboard.

OME Signed CloudFront Setup - WP Offload Media finished moving private media files notices

You should now be able to see that private media is being served via signed CloudFront URLs that include the private path.

OME Signed CloudFront Setup - Media Library item served via CloudFront with private prefix in path

In the AWS Console you can see the private file has been moved.

OME Signed CloudFront Setup - AWS Console showing private object's key

Whereas the public files associated with the same Media Library item remain in the public path.

OME Signed CloudFront Setup - AWS Console showing public object's key