I have a origin in Cloudfront: mybucket.s3.amazonaws.com/path
And a behavior that use this origin to serve *.jpg.
I also have a default Behavior serving a static web site from another origin (another bucket).
Both behaviours is set to HTTP and HTTPS.
SSL works fine for the website.
However, when i try to browse a image directly only http works.
http://www.example.com/image.jpg does work
But the same URL with https just render the website (as if the behaviour was not triggered).
Do I need to configure something on the S3 side?
Related
I have a single page application (made with angular), which I am serving by pointing cloudfront to an S3 bucket. This is working well.
However, I want to run the backend of my website via the same domain - What I've done is added another origin to my cloudfront distribution which points to elastic beanstalk where the django app is running.
Then, I configured behaviors so that the Path Pattern /apiv1/* is handled by django. This doesn't work and I'm getting a 403 forbidden error when trying to access my endpoints.
The behavior I'm looking for is as follows:
/ should point to index.html and load static files (this currently works)
/apiv1/... should point to django. For example, to access a login endpoint I would have website.come/apiv1/api/login (as a pose to localhost/api/login on my machine).
Is this possible?
If anyone is doing something similar, here is a fix:
Add a subdomain - I added api.example.com which is a subdomain of example.com
Then, in Route 53, I configured api.example.com to point to elb via an alias and requested an ssl certificate for the subdomain! Note, YOU MUST use https when making requests hence the reason for the ssl certificate.
I simply changed the base url in my angular http requests and it works.
We are running a static website in S3 using CloudFront for distribution. CloudFront has an SSL Certificate assigned, so we are receiving HTTPS traffic and redirecting HTTP to HTTPS.
What I'm trying to determine is that does mean that TLS is enforced from CloudFront to the S3 Static Site?
If so, I am looking for a reference stating that - we need to have end to end encryption applied for compliance and I need to be able to verify/prove that this is in place.
Thanks !!!
does mean that TLS is enforced from CloudFront to the S3 Static Site?
No its not. Static S3 websites are HTTP only. Docs explain that:
If your Amazon S3 bucket is configured as a website endpoint, you can't configure CloudFront to use HTTPS to communicate with your origin because Amazon S3 doesn't support HTTPS connections in that configuration.
we need to have end to end encryption applied for compliance
For end-to-end ssl you have to setup setup origin access identity (OAI) for your CF. This means that the bucket can't be in website mode. Instead, it has to be configured for OAI access as explained in the docs. To enforce HTTPS between CF and S3 you must ensure that your "Viewer Protocol Policy to Redirect HTTP to HTTPS or HTTPS Only".
I'm using cloudfront to redirect a web app to a S3 bucket for some media content. As we trying to add HTTPS to our test environment, we wanted to add the https://app.foo.com origin to our cloudfront distribution. We've tried two different ways:
On the Create Origin tab, creating the second origin with the https
By editing the first working origin (in http) and adding a second origin header beneath the first one (in the origin settings tab).
None of these solutions seems to works, the app with http origin can access the bucket content. But the redirection with https does not work. I must precise that our authorizations on the bucket are ok, we can access the bucket content with the CloundFront link, and the CORS rules accept both http and https for the app. It looks like the https origin is not processed by ClondFront.
Thanks in advance
You need to understand what CloudFront is. It isn't "redirecting" users to an S3 bucket like you state in your question. It is loading, and caching the contents of the S3 bucket, and serving it to the user on request. An origin isn't a location for CloudFront to redirect users to. An Origin is a location for CloudFront to load resources from. In the context of http vs. https connections and CloudFront, you have the following decisions to make:
Will CloudFront communicate with the origin via http or https. This decision will not affect your users ability to load http or https resources in any way.
Will CloudFront serve both http and https content to your users, or will it redirect all http requests to https. This decision is not impacted by the origin configuration in any way.
The user's web browser is making an HTTP connection to a CloudFront server, and receiving the response from CloudFront. The user's web browser is never making a connection directly to S3.
You can't have two origins that only differ by http/https protocol. Both of those origins would be at the same path, and contain the same content. CloudFront only wants one of those origins, which it will connect to as needed to populate its cache.
I have an S3 bucket with which I want to use SSL. I also want to serve up index.html by default.
When accessed over http, my-bucket.s3-website-us-west-2.amazonaws.com/ serves up index.html. However, AWS doesn't maintain an SSL certificate for this subdomain so it cannot be accessed over SSL. AWS does maintain an SSL certificate for my-bucket.s3.amazonaws.com/ which does resolve, as expected. But, that domain doesn't serve up index.html by default (even though index.html is set as the index document).
Is there a solution to this problem that does not require CloudFront (which is currently set up) or flexible SSL with CloudFlare? I'm trying to reduce the cost without sacrificing security.
When using the "Static Website Hosting" option for hosting websites from S3, only HTTP can be used. HTTPS is not supported. This is done using the my-bucket.s3-website-* URL.
The my-bucket.s3.amazonaws.com endpoint is not an endpoint for serving up a website. It's simply an endpoint for the S3 API. This is why it supports HTTPS. So you can GET, POST, etc. to this endpoint when you're authenticated (or as anonymous if public ACLs are configured).
But it's not a website endpoint and won't serve index.html or the 404 page automatically.
To act as a website and use SSL, you must use a fronting service such as CloudFront.
I have a domain formulagrid.com.
I am using AWS S3 to host it as a static website. My problem was that I wanted to redirect the www subdomain to the bare domain like so:
https://www.formulagrid.com -> https://formulagrid.com
http://www.formulagrid.com -> https://formulagrid.com
Amazon provides URL redirecting from S3 bucket to S3 bucket if both are setup for static website hosting.
So what I had to do was set up two buckets:
formulagrid.com - actual website
www.formulagrid.com - exists solely to redirect to the actual website
This works perfectly fine if you're operating only over HTTP, but S3 has absolutely no support for HTTPS.
The way that one can use HTTPS to connect to an S3 static website is by setting up a CloudFront distribution in front of an S3 bucket. CloudFront, however, while it does provide HTTPS, mainly exists to function as a CDN.
Initially, I had a single CloudFront distribution setup in front of the S3 bucket holding the actual site. Everything seemed operational: the site was distributed over the CDN, it had HTTPS, and HTTP redirected to HTTPS.
There was one exception.
https://www.formulagrid.com was a completely broken page
After trying to find the source of the error for a while, I realized it's because it wasn't going through the CDN, and trying to access S3 over HTTPS doesn't work.
Finally, what I ended up having to do was provision another distribution to sit in front of the www S3 bucket so it was accessible over HTTPS. This is where my concerns come in because, like I mentioned earlier, CloudFront's main purpose is to be a CDN.
It doesn't make any sense to me to have a CDN sit in front of a url that just redirects to another. Also it brings up the question of whether I would be double charged for every request that hits the www subdomain because it'd hit the other CloudFront distribution after being redirected.
This is frustrating because I'm trying to do a "serverless" architecture using Lambda, and having to provision an EC2 instance just to do url rewriting isn't something I want to do unless it's my last resort.
The solution would be trivial if Amazon offered any form of URL rewriting or if CloudFront itself did redirecting, but neither of these exist as far as I know (let me know if they do).
I'm new to AWS so I'm hoping someone with more experience can point me in the right direction.
You're thinking too narrowly -- there's nothing wrong with this setup.
The solution would be trivial if Amazon offered any form of URL rewriting
They do -- the empty bucket.
S3 has absolutely no support for HTTPS.
Not for web site hosted buckets, no... but CloudFront does.
CloudFront is not just a CDN. It's also an SSL offloader, Host: header rewriter, path prepender, geolocator, georestrictor, secure content gateway, http to https redirector, error page customizer, root page substituter, web application firewall, origin header injector, dynamic content gzipper, path-based multi-origin http request router, viewer platform identifier, DDoS mitigator, zone apex alias target... so don't get too hung up on "CDN" or on the fact that you're stacking one service in front of another -- CloudFront was designed, in large part, to complement S3. They each specialize in certain facets of storage and delivery.
So, you did it right... most of it, anyway... Create a bucket, configure it for web site hosting, set it to redirect all requests to another site (the non-www) and put a CloudFront distribution in front of it -- using the web site endpoint URL for with bucket in CloudFront, not the one from the drop-down list -- configured with high TTLs so that CloudFront will send a minimal number of requests to S3 then put your (free!) SSL certificate from Amazon Certificate Manager. HTTPS alternate domain routing: solved. No servers, no troubleshooting, and cheap. The only charges are the usage -- there is no background recurring charge as there would be with servers.
Extra credit: configure the redirecting CloudFront distribution for the cheapest rate tier. Redirects from more expensive locations will either be routed to a cheaper edge location or -- at CloudFront's option -- may be served out of a higher cost location but billed at the lower rate.
Note that most of the time, CloudFront should serve the redirects from S3 from it's cache... and when you configure a bucket to redirect all requests to another hostname, the redirect is a 301 permanent redirect -- which browsers are supposed to cache, themselves.