如何仅将Cloudfront访问限制为我的域？

此解决方案不会阻止任何人下载您的内容并将其上传到他们自己的网站，但是它确实阻止了其他网站将其热链接到您的内容

This solution does not prevent anyone from downloading your content and the uploading it to their own site, but it does prevent other sites from hot-linking to your content.

创建 Lambda @ Edge 查看器请求触发器。这样一来，您就可以在检查缓存之前检查请求，并允许处理继续进行或返回生成的响应。

Create a Lambda@Edge Viewer Request trigger. This allows you to inspect the request before the cache is checked, and either allow processing to continue or to return a generated response.

'use strict';

exports.handler = (event, context, callback) => {

  // extract the request object
  const request = event.Records[0].cf.request;

  // extract the HTTP `Referer` header if present
  // otherwise an empty string to simplify the matching logic
  const referer = (request.headers['referer'] || [ { value: '' } ])[0].value;

  // verify that the referring page is yours
  // replace example.com with your domain
  // add other conditions with logical or ||
  if(referer.startsWith('https://example.com/') ||
     referer.startsWith('http://example.com/'))
  {
    // return control to CloudFront and allow the request to continue normally
    return callback(null,request);
  }

  // if we get here, the referring page is not yours.
  // generate a 403 Forbidden response
  // you can customize the body, but the size is limited to ~40 KB

  return callback(null, {
    status: '403',
    body: 'Access denied.',
    headers: {
      'cache-control': [{ key: 'Cache-Control', value: 'private, no-cache, no-store, max-age=0' }],
      'content-type': [{ key: 'Content-Type', value: 'text/plain' }],
    }
  });
};