Membership 3 and the Amazon CloudFront CDN

I love what you've done with Membership 3. I used to get sad and distant eyes when I talked about the three plugin suites that WPMU didn't do well on. Espresso Events, Jigoshop, and Magic Members were still required in my professional portfolio. I'm pretty sure I can cross the membership sites off of the list.

Here's my question though - because it wasn't totally clear from the run through I just did on my trusty local WAMP server.

What is your level of integration/support for AWS CloudFront or S3? I generally use CloudFront as a pull-type CDN through W3TC. I know that Magic Members has some level of support for remote content protection. What is your setup?

Thanks,
Ian

  • Kimberly

    Hey Ian!

    Membership offers download and URL group protection. How are you using CloudFront and S3 with the site? Are you using your own URL for your distribution? Your own server, or Amazon for everything?

    There is no built in support specifically for those. I will ask Barry to Comment here, perhaps there is something we can add that would be helpful on a broad scale or he knows something I have missed here.

    Thanks!

    Kimberly

  • Imperative Ideas

    I saw that last night while converting a client from Wishlist to Members 3. Talk about a smoother integration. It reminds me of moving my clients from Getshopped to Jigoshop. There isn't even a comparison.

    I've done a lot of work on this the last several hours so bear with me as I run you through how this system will operate -

    The Cloudfront integration I'm using is usually plugin based, though it doesn't have to be.

    As an aside - a WPMU implementation of a caching plugin would be a most welcome development. W3 Total Cache and SuperCache support pull-type CDN deployment but have that hallmark "you'd best be a developer if you're doing this" sort of complexity to them.

    Once a site is deployed to a CDN, either manually or via a caching plugin, the result is that requests to the WP media library are redirected to the CDN address using the same folder structure. I have a W3TC plugin using Amazon CloudFront at PITME.com (excuse the bad theme I inherited, we're in the middle of redesigning it). You'll note that all of the assets are minified and redirected to CloudFront, unless you are an admin, in which case you would see the local copy, because it's impossible to troubleshoot or modify a site on a multi-minute delay.

    Where this comes into play for Members 3 is in the case of hotlinking by other sites. CloudFront does offer built-in protection against inbound links not originating from the hosted URL, but it isn't set up by default. That can be changed, but the methodology is a little complex for the average user:

    http://www.bucketexplorer.com/documentation/cloudfront--how-to-manage-private-content-for-amazon-cloudfront-distribution.html

    And that's using a 3rd party program to ease it along. Doing it manually is an exercise in earning gray hairs for 99.9% of the internet.

    What Members 3 needs is the ability to protect a CDN bucket, if one is detected. How that is achieved is the tricky part.

    Do you offer to protect a bucket after asking for the API keys and bucket name? Or does it make more sense to develop a minify & cache plugin at WPMU, which plugs into Members with seamless integration. Or do you do both?

    What Members needs is a way to easily set up content protection in an Amazon bucket - or at the very least to warn users "hey, we see you're on a CDN. Unless you are using AWS, you may not be able to protect your content from hotlinking."

    Right now if a user has a CDN set up, it is likely to completely invalidate content protection on PDFs, videos, and other images - unless it has been explicitly set up as a private bucket.

    Most users don't know this. I can work around it, but I'd wager the average WPMU subscriber can't.

    So yeah - that's my integration and the hoops I'll have to leap through in order to make everything fast.

    Is it worth doing?

    Yes. By re-compressing a few images and setting up W3TC on a CloudFront CDN, I reduced pitme.com's load time from 19 seconds to around 9 seconds without even taking them off of GoDaddy's abysmal hosting plan.

    This is something that Member sites need to account for, even if it means WPMU gets to develop a cleaner implementation of W3TC for its members.

  • Imperative Ideas

    This is a much better URL for understanding how to protect a Cloudfront distribution

    http://docs.amazonwebservices.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html

    You should be able to automate that with the right script.

    That is to say... this looks like an even larger pain in the ass than I expected it to be. Using an s3 origin bucket is much more static than doing a simple Pull based distribution.

    You essentially have to create exceptions for private file types - dump those files into a secured S3 bucket - then use that as an origin for the CDN pull. Gross.
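The private-content document linked above boils down to signed URLs: the file sits in a restricted origin, and CloudFront only serves it when the request carries a policy signed with a key pair registered on the distribution. The following is an added example, not code from the thread or from WPMU DEV, showing the canned-policy form of that scheme end to end. The distribution hostname, key pair ID and object path are placeholder values, and the RSA key is generated on the fly so the block runs offline; in production the private key is the one whose public half you upload to CloudFront, and the `verifySignedURL` function only mimics what the edge does so the result can be checked locally.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// cannedPolicy builds the policy document CloudFront expects for a single
// resource with a hard expiry. It must be compact JSON with this exact key
// order, because the signature is computed over these bytes.
func cannedPolicy(resource string, expires int64) string {
	return fmt.Sprintf(`{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`,
		resource, expires)
}

// cloudFrontEncode is CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
func cloudFrontEncode(b []byte) string {
	return strings.NewReplacer("+", "-", "=", "_", "/", "~").Replace(base64.StdEncoding.EncodeToString(b))
}

func cloudFrontDecode(s string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(strings.NewReplacer("-", "+", "_", "=", "~", "/").Replace(s))
}

// signedURL signs the canned policy (RSA-SHA1, PKCS#1 v1.5) and appends the
// three query parameters CloudFront looks for. resource is assumed to carry no
// query string of its own; if it did, the Resource in the policy would have to
// match the final URL parameter order exactly.
func signedURL(priv *rsa.PrivateKey, keyPairID, resource string, expires int64) (string, error) {
	digest := sha1.Sum([]byte(cannedPolicy(resource, expires)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	return resource + "?Expires=" + strconv.FormatInt(expires, 10) +
		"&Signature=" + cloudFrontEncode(sig) +
		"&Key-Pair-Id=" + keyPairID, nil
}

// verifySignedURL reproduces the edge-side check: strip the signing parameters,
// rebuild the policy for the remaining URL, refuse expired links, and verify the
// signature with the public key that belongs to the Key-Pair-Id.
func verifySignedURL(pub *rsa.PublicKey, signed string, now int64) error {
	u, err := url.Parse(signed)
	if err != nil {
		return err
	}
	q := u.Query()
	expires, err := strconv.ParseInt(q.Get("Expires"), 10, 64)
	if err != nil {
		return fmt.Errorf("missing or malformed Expires")
	}
	if now >= expires {
		return fmt.Errorf("signed URL expired")
	}
	sig, err := cloudFrontDecode(q.Get("Signature"))
	if err != nil {
		return err
	}
	q.Del("Expires")
	q.Del("Signature")
	q.Del("Key-Pair-Id")
	u.RawQuery = q.Encode()
	digest := sha1.Sum([]byte(cannedPolicy(u.String(), expires)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig)
}

func main() {
	// Throwaway key for the demo; the real one is the private half of the key pair registered on the distribution.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Placeholder distribution host, path and key pair ID (not values from the thread).
	resource := "https://d111111abcdef8.cloudfront.net/private/report.pdf"
	expires := time.Now().Add(10 * time.Minute).Unix()
	link, err := signedURL(priv, "APKAEXAMPLEKEYPAIR", resource, expires)
	if err != nil {
		panic(err)
	}
	fmt.Println(link)
	fmt.Println("valid now:   ", verifySignedURL(&priv.PublicKey, link, time.Now().Unix()))
	fmt.Println("after expiry:", verifySignedURL(&priv.PublicKey, link, expires+1))
}
```

The point for a membership plugin is that the link a member receives is worthless once `Expires` passes and cannot be edited to point at a different object without invalidating the signature, so the hotlinking problem described above disappears at the CDN rather than at the origin. The price is exactly what the post says: the objects must live in an origin that refuses unsigned requests, or the CDN-side check can simply be bypassed by going to the origin directly.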

  • Imperative Ideas

    @Dan

    If the Members 3 protection isn't enough then place the following code in an .htaccess file inside of your uploads folder:

    # Block hotlinking of the listed file types: serve them only when the request
    # comes from our own pages (Referer), targets a "hotlink.*" placeholder, or
    # carries a WordPress login cookie; everything else is redirected to the home page.
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?site\.com/ [NC]
    RewriteCond %{REQUEST_URI} !hotlink\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx|mp4|mov) [NC]
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
    RewriteRule .*\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx|mp4|mov)$ http://site.com/ [NC,R=302,L]

    Where http://(www\.)?site\.com/ and site.com are your own URL.

    That basically says "Do not serve any of the following extensions (list) to a browser that does not have a cookie from our website's domain"

    A determined hacker could fake the cookie but the point of security isn't to make content impossible to steal; it's to avoid being a soft target. Someone who desperately wants to steal your content will find a way to do so.

    With this code in place your files will be impossible to hotlink at the .htaccess level while your site is coded for members only access at the script level.

  • Dan Keldsen

    @Ian - thanks for the additional security tightening. Very useful, and as an ex-paranoid security guy, absolutely agree.

    On the Amazon front, I'm looking for an alternative to Digital Access Pass with the S3MediaVault and secured Flowplayer (video player) option - as a potential solution.

    It's more expensive than the current membership cost I have with WPMUDEV, but is a bit more straightforward in securing while wiring up to Amazon.

    Any comparisons (for anyone reading) between these solutions?

    Thanks,
    Dan

  • Imperative Ideas

    CMS systems with assets in the cloud haven't totally caught up to the standards of DIY servers.

    To be honest, the best solution is probably just hosting your data on two cloud servers (EC2 or someone like 619cloud.com) then running a mixed .htaccess and script solution. Unless you are pushing more than 30,000 visitors a day and scaling fast, you'll probably find the 619 option more appealing (at $60/mo) than Amazon or Rackspace offerings.

    I mean we can dither all day long with "if only I could do this with Amazon" but in the end if you go deep and do 100% cloud it gives you the scalable CPU, the backend pipeline, and the security all rolled up in one package.

  • Imperative Ideas

    First, Amazon CloudFront now supports delivery of dynamic content that is customized or personalized using HTTP cookies. To use this feature, you specify whether you want Amazon CloudFront to forward some or all of your cookies to your custom origin server. Amazon CloudFront then considers the forwarded cookie values when identifying a unique object in its cache. This way, your end users get both the benefit of content that is personalized just for them with a cookie and the performance benefits of Amazon CloudFront.

    To learn more about Amazon CloudFront and these new features, please visit the detail page for the service.

  • Imperative Ideas

    W3TC has support for paywall sites in their development pipeline but they don't see it being an immediate priority. Like most developers who run on customer support subscriptions instead of software sales, they will advance it to the current queue for about $1000.

    Basically we agreed that if I could Kickstart the thing for a grand, that would make it an immediate priority. Here's the exact reply:

    Thanks for clarifying, I follow.

    The cookie would need to be variable and set by the AWS API for this to work and what you're describing is on the roadmap (although we don't currently have an ETA).

    The way we usually handle cases like this is allowing customers to fund the development (specifically, the prioritization of feature development) and in this case, we're looking at $1,000.

    Is this of interest?

    This is something I may pursue independently. It's not a ton of money if I can get 50-100 membership sites interested in crowd-funding CDN support for the most popular WP caching plugin on the market.

    For the moment, however, it would have to be programmed by the site developer.

    In a follow up email we agreed that a crowd-funded lump sum payment would be the most efficient way to get this done in the short term.

    That also tells WPMU what this sort of caching plugin is worth :wink:
