Hosting a static site with AWS S3 is quite popular. Many of our clients opted to launch their beta or marketing site using S3. We ourselves hosted many demo sites on S3 as well. One of the recurring requests was to password protect a site, especially when it’s a pre-launch, beta, or demo site that should only be available to restricted viewers.
With a regular web hosting service that runs Apache or Nginx, you can easily password protect a site using HTTP Basic Authentication which is formally defined in RFC7617. AWS S3 doesn’t support HTTP Basic Authentication nor has any equivalent feature for it.
All is not lost. Xing Quan has figured out how to password protect an S3 site using a combination of permission setting and file redirection on S3. I was wondering how he got the insights to cleverly utilize those S3 features to achieve the effect of password protection. It turned out that Xing Quan was a PM at AWS S3 according to his profile.
An alternative is s3auth, a proxy service provided by Yegor Bugayenko. It basically sits in front of your S3 bucket and implements the native HTTP Basic Auth while passing data from the S3 bucket back to end-user browsers. Kudos to Yegor Bugayenko for providing the service for free. It doesn’t cost you anything to use it. However there are legal, privacy, security, and performance concerns that make it unsuitable for medium/large sites and corporate clients.
Xing Quan’s solution is more attractive because it can be implemented purely on S3 and can also be extended to play well with other AWS services like CloudFront. Most of our clients wanted to be self-contained within AWS to avoid corporate concerns mentioned above.
Huge credit goes to Xing Quan for the technique. Still, there are some limitations that makes it not applicable for all websites. We’ll look at this in 2 parts:
Updated 5/26/17: updated for S3 new Console UI.