I have a site example.com that lives on S3. I have set up HTTP -> HTTPS forwarding successfully for this site.
I also have a subdomain, blog.example.me that also lives on S3, which I want to enable SSL with. Right now, it only supports HTTP. I am using Route 53 for routing and Cloudfront as a CDN.
I have looked for documentation on this issue, but have yet to find something that works. Do I have to create a new certificate, or can I use the same cert that example.com uses? If I can use the same certificate, which piece of AWS should I start with?
For the certificate it depends if its a wildcard certificate that covers the whole domain example of a wildcard certificate would be *.example.com the you can use the same certificate for your sub domain(s)
A typical hosted secured site with S3 and Cloudfront would follow the following steps
Create an S3 Bucket
Bucket name - your domain name
Select your bucket, go to Properties -> Static Website Hosting, then Enable
Website Hosting
Grant public read access to allow cloudfront to read from your bucket.
Get SSL certficate/ Use existing if applies
AWS provides free SSL certificates, which work with browsers that support SNI. You can import your own SSL certificate.
CloudFront configuration
Create a new Web distribution. Under Origin Settings, use the Endpoint
you copied from your S3 bucket’s static hosting setup. Many other
guides instruct this without explaining why — this is because if you
have redirect rules configured with your S3 bucket and you specify the
internal AWS S3 resource, the redirects will no longer work.
Therefore, you must specify the website endpoint domain to ensure
redirection functionality works.
Under Default Cache Behavior Settings, it’s worth selecting Redirect
HTTP to HTTPS and narrowing down the Allowed HTTP Methods — for a
static website, GET and HEAD will do.
Under cloudfront distribution settings configure:
Set your domain names under Alternate Domain Names (yourdomain.com,
and optionally, www.yourdomain.com)
Configure SSL by selecting Custom SSL Certificate, then choosing the
certificate generated or imported in to Certificate Manager.
Finally, specify the Default Root Object. This should match your S3
bucket’s Index Document, usually index.html. This is simply where all
requests are redirected to when a client requests your website URL
without a path
Route 53 configuration:
Head over to hosted zones
Select the hosted zone for the domain or subdomain you wish to use
Create a record for your site: select Alias and in the dropdown you should see your cloudfront distribution, select it as your alias target and save it.
For more detailed info check: https://medium.com/#willmorgan/moving-a-static-website-to-aws-s3-cloudfront-with-https-1fdd95563106
Related
So I created two buckets in S3. One with my domain name xxx.ninja and the other with the www. subdomain. The www one I redirected to the first. Then I created a domain in Route 53. And because I wanted https on my site I created a cloudfront distribution with redirect http -> https.
The s3 bucket url works just fine, but the site URL does not. I think I may have set it up incorrectly.
In AWS CloudFront I created my distribution and used the cloudfront default SSL cert. I choose redirect http -> https. And I pasted in my s3 website URL.
Then I copied the domain name and went to Route 53. After I created my domain I open its hosted zone and added an A record with the alias of the cloudfront domain name.
But the URL doesn't work. I get a 403 CloudFront error in the browser.
Thoughts?
IF you're using the default CloudFront SSL this indicates to me that you're not using a custom hostname (which would deny access to the CloudFront distribution).
You will need to add additional names to your CloudFront distribution (specifying every hostname that will have a DNS record resolving to the CloudFront distribution). In addition you will need to generate an SSL in ACM (which is free), this must be in region us-east-1.
More information on how to add a custom domain to your CloudFront distribution is available here.
I have a domain, let's say foo.bar.com, which I want to use to serve files in an Amazon S3 bucket. According to https://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html, the bucket name has to be foo.bar.com and the URL foo.bar.com.s3.amazonaws.com for the CNAME record for foo.bar.com (pointing to foo.bar.com.s3.amazonaws.com) to work.
Unfortunately, Amazon's SSL cert doesn't support foo.bar.com.s3.amazonaws.com (I mean, why would it, I guess), so I can't serve my files like this over SSL, I get an SSL warning/error. I can use plain HTTP but I get Mixed Content warnings in Chrome since the main site is over SSL.
How should this issue be dealt with?
The only way to have both a Custom domain name and SSL on a bucket is to use CloudFront in conjunction with S3.
Create an SSL cert for your domain foo.example.com in Amazon Certificate Manager (ACM) in the us-east-1 region, regardless of your bucket's region. (The us-east-1 region is the region where CloudFront and ACM are interconnected.)
Create a CloudFront distribution:
if you want the S3 web site hosting features, including index documents and redirect rules, type the bucket's web site hosting endpoint hostname as the origin domain name (do not select the bucket from the list), or
if you want to use CloudFront signed cookies or signed URLs, do select the bucket from the drop-down list.
Associate your new ACM cert with the distribution, and add foo.example.com as an Alternate Domain Name for the distribution.
Point the DNS record to the assigned dzczcexample.cloudfront.net hostname.
Note also that unlike S3 static hosting used by itself, this configuration does not require that the bucket name match the domain name, since CloudFront rewrites the requests before sending them to the bucket.
I have set up a multi tenant application which should be available to clients via a subdomain (e.g. https://client1.example.at). Requests to *.example.at are routed to a load balancer via Route 53. The load balancer has an AWS signed wildcard certificate (e.g. supporting example.at and *.example.at). From this side, everything is working as expected and I can access https://client1.example.at, https://client2.example.at, etc.
Based on this setup, I wanted to route specific request without subdomain (except www) such as https://www.example.at or https://example.at to a bucket (which is also named www.example.com) and not to the load balancer (I just want to serve a static site for requests to the "main domain"). It works but I can only access www.example.at and example.at without using HTTPS. My setup can be seen below:
I then found out that I have to use Cloudfront in order to use HTTPS for a custom domain with S3 buckets (if that is correct?). Now I have a few questions:
Is it necessary to use Cloudfront to serve content from my S3 bucket for www.example.at and example.at via HTTPS?
If Cloudfront is necessary then I have to request a new certificate for www.example.at and example.at in region US EAST according to the official AWS docs. Is it possible to create two certificates for the same domain with AWS certificate manager or can I get some conflicts with this setup?
Is it ok to use *.example.at as A type record with alias to the load balancer at all?
Generally speaking, is my Route 53 setup valid at all?
I wanted to route specific request without subdomain (except www) such as https://www.example.com or https://example.com to a bucket (which is also named www.example.com)
Each of those "domains" must route to a different bucket unless you are using a proxy (which reroutes the hostname passed from the browser) in front of S3, the domain name must match the bucket name. If they don't then your requests are going to a bucket matching the DNS name you routed from, the routing has nothing to do with the hostname of the S3 bucket endpoint.
In other words, let's say your hostname was www.example.com, and you set the CNAME to example.com.s3.amazonaws.com (or you could use the website endpoint, it doesn't matter for this example).
When a request hits the DNS name www.example.com it then is sent to the S3 server which is behind the S3 hostname. That request from the browser is for hostname "www.example.com", the actual CNAME referenced which pointed to the S3 endpoint is irrelevant because S3 never knows what actual CNAME was used to by your browser to connect to S3. So S3 will attempt to pull the requested object from the www.example.com bucket.
URL -> S3 Bucket
https://www.example.com -> s3://www.example.com
https://example.com -> s3://example.com
It works but I can only access www.example.at and example.at without using HTTPS.
CNAME DNS routing like this when using SSL to an S3 bucket does not work. The reason for this is that the S3 wild card certificates are 1 level deep (*.s3.amazonaws.com) so your bucket www.example.com.s3.amazonaws.com will fail to match it because it has 2 extra levels above the wild card. So your browser rejects the certificate as invalid for the hostname.
To accomplish this you must use a proxy of some sort in front of S3 with your own certificates for the domain in question.
Is it necessary to use Cloudfront to serve content from my S3 bucket for www.example.at and example.at via HTTPS?
CloudFront is an excellent option for addressing the HTTPS with CNAME routed DNS to an S3 bucket issue we just mentioned.
If Cloudfront is necessary then I have to request a new certificate for www.example.at and example.at in region US EAST according to the official AWS docs. Is it possible to create two certificates for the same domain with AWS certificate manager or can I get some conflicts with this setup?
I can't answer that one, I can only suggest you try and find out what happens. If it doesn't work then it's not an option. It shouldn't take much time to figure this one out.
Is it ok to use *.example.at as A type record with alias to the load balancer at all?
To clarify, an A Record can only ever be an IP address, an A Alias is similar to a CNAME (but is Route53 specific).
I highly recommend CNAMES (or ALIASES, they are similar). Pointing directly at one of S3's A-Records is a bad idea because you don't know if or when that IP will be removed from service. By referencing the hostname with a CNAME/ALIAS you don't have to worry about that. Unless you can be 100% sure that the IP will remain available then you shouldn't reference it.
Generally speaking, is my Route 53 setup valid at all?
I don't see any issues with it, based on what you described it sounds like like things are working as expected.
If Cloudfront is necessary then I have to request a new certificate for www.example.at and example.at in region US EAST according to the official AWS docs. Is it possible to create two certificates for the same domain with AWS certificate manager or can I get some conflicts with this setup?
As suggested by #JoshuaBriefman I simply tried to create another certificate for the same domain in another region now and it worked. I could also use the certificate for the CloudFront distribution (additional certificate was created in US EAST) and all works now without any problems so far.
I try access to Amazon AWS S3 with https.
This link with http works: http://sc-st01.s3-website-eu-west-1.amazonaws.com/
But this not: https://sc-st01.s3-website-eu-west-1.amazonaws.com/
Is there any setting to enable it?
I use CNAME also but i think the problem is in access to https.
Thank you for any advice.
UPDATE: This refers to using S3 to host static web content.
If you are using your S3 bucket to host static web content, then HTTPS isn't supported. To quote the AWS doc, it says under the Test your website section:
Note
HTTPS access to the website is not supported.
Not very helpful. If you are interested in learning how S3 virtual hosting works, you can read more about it here.
To serve your static web content over HTTPS, you will need to set up an AWS CloudFront distribution, which is quite straight forward via the AWS Management Console. The only configurations that will require special attentions are:
Origin Domain Name: This should refer to the URI of your S3 bucket. In your case, it will be sc-st01.s3-website-eu-west-1.amazonaws.com
Viewer Protocol Policy: Default to HTTP and HTTPS Only
Alternate Domain Names (CNAMEs): CNAME you set up in your DNS.
SSL Certificate: Either Default CloudFront Certificate or Custom SSL Certificate if you have one. Note that setting up custom SSL certificate is more involved as it needs to be uploaded to the IAM.
Default Root Object: The default file you want to serve when your user visits your static web site.
Once you're done with setting up the configurations, it will usually take 5 to 10 minutes for the new distribution to be fully configured and set up. Refer the Status field on the CloudFront management dashboard for progress. When ready, you will see the new Domain Name of your distribution. You should be able to access the static web content in your S3 bucket (assuming that the permissions of the content is granted to Everyone) by navigating to the http: or https:// URL of your distribution Domain Name.
I will also recommend checking out the CloudFront pricing to ensure if you are aware of what is free, and what isn't.
I'm about to launch a static website using S3/Cloudfront. I don't need HTTPS for the site, but the current iteration of the website is served over HTTPS and has hundreds of links and indexed URLs that are HTTPS.
I've been searching for hours and can't find a way to redirect our HTTPS URLs to HTTP when only using S3/Cloudfront. Currently the HTTPS URL will refuse the connection instead of redirecting to the HTTP version of the page.
With no Apache it seems it is not possible to do this. Any hints?
Static website hosting on S3 does not support HTTPS unless you use the full domain path, i.e. example.com.s3-website-us-east-1.amazonaws.com. Since you want to keep your URL, you'll have to use a CloudFront distribution to handle SSL.
Upload your SSL certificate to CloudFront:
aws iam upload-server-certificate --server-certificate-name CertificateName --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file --path /cloudfront/path/ [1]
Create a cloudfront distribution and configure as so:
Origin Domain Name: your s3 bucket's public static website hosting endpoint (not the endpoint that CloudFront autocompletes)
Alternate Domain Names (CNAMEs): desired location for your website, e.g. example.com or www.example.com
SSL Certificate: Select the SSL certificate you uploaded in step 1.
Custom SSL Client Support: Unless you need compatibility for really old clients, select "Only Clients that support Server Name Indication" and save $600.
If you are redirecting https to s3 redirect, the origin domain should not be the autocomplete bucket, but the static redirect endpoint s3 gives you
Save your distribution. It should show Status "In Progress". It generally takes ~15 minutes before a distribution is "Deployed"; don't move on to step 4 until your distribution is "Deployed".
Verify the distribution works: navigate to the CloudFront distribution via the domain name in the list, e.g. "https//d111111abcdef8.cloudfront.net/". You should see your website.
Change your DNS records to point to the CloudFront distribution instead of the S3 bucket.
[1] if you have trouble adding your certificate to CloudFront check out this article for further information: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html#cnames-and-https-procedure