Can cloudfront support websockets - amazon-web-services

I have my Angular-based website hosted in an AWS S3 bucket fronted by CloudFront for SSL, caching, etc. My URLs and Route 53 entries point to CloudFront.
If I have to invoke a WebSocket [maybe imagine it's a publicly accessible WebSocket], won't it work? I read CloudFront doesn't support WebSockets.
I am invoking WebSockets from S3; CloudFront is just in front of it. Does that help, or won't this work at all?

As of 2018-11, CloudFront now supports WebSocket:
https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-cloudfront-announces-support-for-the-websocket-protocol/

Amazon CloudFront doesn't support WebSockets at the moment so you cannot proxy WebSocket connections through CloudFront.
If you have EC2 instances running in your backend, use the Application Load Balancer which also allows adding AWS Issued SSL certificates and connect through WebSockets.

The Protocol upgrade should be from the Origin, in your case if your Origin is doing that, CloudFront should work with websocket.

Related

How to use NuxtJS SSR build on Amazon CloudFront and ECS

In our project we have been hosting a NuxtJS site on Amazon's ECS using docker repositories. We are now looking into using CloudFront mainly because we want to distribute content worldwide and also use its compression mechanism.
Has anyone worked with a similar scenario before? Is it possible to host dynamic content on an ECS container and serve it through CloudFront?
I have worked on a similar scenario; running Nuxt in a lambda behind CloudFront. For that scenario you need to connect your nuxt lambda with API Gateway, then add the API Gateway as an Origin in CloudFront. If you want all requests on domain.com/app to hit Nuxt, you then set a CloudFront behaviour to forward all requests to /app/* to the API Gateway Origin you just added.
So unsure whether you need to front your EC2 with API Gateway, or if you can directly add EC2 as a CloudFront Origin, but look for info on using EC2 as a cloudfront origin and you should be fine.

Deploying Node Express on AWS Recommendations

I have a node.js server I would like to deploy to AWS. My main site is example.com while the node server is on api.example.com
I am only using one EC2 instance (no load balancing) because I am only building an MVP and don't want to make things complicated.
I used Amazon Certificate Manager to register my domain name and I need to register api.example.com to also use https.
I right now have to put a CloudFront in front of my EC2 instance just so that I can use the ACM. This seems a little overkill since I don't need any of the caching benefits.
Is there any other way to do this?
You have 3 options:
1. Use CloudFront with SSL certificate from Amazon which doesn't bring any benefits for API that won't benefit from caching.
2. Use Elastic Load Balancer with SSL certificate from Amazon. Load balancer will maintain HTTPS connection with client and communicate via HTTP with your EC2 server. You can follow this tutorial: https://hackernoon.com/getting-a-free-ssl-certificate-on-aws-a-how-to-guide-6ef29e576d22
3. Or you can set up your certificate on the EC2 instance directly. Here is how to do this with Nginx, for example: https://www.digicert.com/csr-ssl-installation/nginx-openssl.htm
EDIT: I have just realized that you could probably also use AWS API Gateway to point to your EC2 server API GateWay to server in ec2

Is it possible to open a web page via AWS Lambda functions?

I'm curious whether it is possible to load a web page via AWS Lambda functions.
I mean, I would like to open a webpage like www.something.com/home which makes a request to the AWS lambda function which will open/get resources from www.i-would-like-to-hide-this-url.com/home, but the URL should remain www.something.com/home.
So can I use AWS as a proxy for the case above?
Yes you can do it with CloudFront using custom Origin. It will work as a reverse proxy for your customers.
A custom origin is an HTTP server, for example, a web server. The HTTP server can be an Amazon Elastic Compute Cloud (Amazon EC2) instance or an HTTP server that you manage privately. An Amazon S3 origin configured as a website endpoint is also considered a custom origin.
When you use a custom origin that is your own HTTP server, you specify the DNS name of the server, along with the HTTP and HTTPS ports and the protocol that you want CloudFront to use when fetching objects from your origin.
Using Amazon EC2 or Other Custom Origins
Or you can do it with ELB and a reverse proxy on EC2. But in this case you will be responsible for this reverse proxy.
Maybe it is even possible to do it with Lambda if you code the "reverse proxy" solution, but I guess it is not exactly recommended.
Typically you host the static assets (html/js/css/img) in S3, you front Lambda with API Gateway, and your web page makes HTTP/Rest requests to API Gateway which forwards them to your Lambda. Lambda itself does not typically serve the static assets. If you need SSL then you add CloudFront. Example here.

Is it possible to use Amazon Web Application Firewall with an application that is not hosted on AWS instances?

I'm new to AWS WAF and got stuck setting it up for an application that is hosted on a dedicated server. I didn't find any information on how to set it up without migrating to AWS servers, but I found that WAF is integrated with CloudFront. Still, I found only a little information that explains how to integrate this CDN with my web application. So, the main question is:
Is it possible to use AWS WAF with an application that is hosted on a dedicated server? And if it is possible, can you provide some guides and/or docs for setting it up?
Yes, you can use WAF with a server outside AWS.
WAF works with CloudFront, and CloudFront does not require the origin server to be in the AWS ecosystem.
When you create a distribution, you specify where CloudFront sends requests for the files. CloudFront supports using several AWS resources as origins. For example, you can specify an Amazon S3 bucket or a MediaStore container, a MediaPackage channel, or a custom origin, such as an Amazon EC2 instance or your own HTTP web server. (emphasis added)
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.html
Configuring CloudFront to work with your external server is no different than configuring it to work with a server in EC2. Your DNS entry (e.g. www.example.com) changes to point to CloudFront, and CloudFront connects to your server using a new name that you create (e.g. origin.example.com). CloudFront proxies requests through to your server, unless the edge location handling a given request happens to have access to a copy of the same resource that it cached while handling a previous request for the same page -- that's how CloudFront gets your content, by caching it as it handles requests that are passing through. (You don't pre-load any content into CloudFront.) If CloudFront has a cached copy, your server sees nothing, and CloudFront returns the object to the browser from its cache. But CloudFront isn't strictly a CDN, even though they market it that way. It is a global network of reverse proxies and high-reliability/low-latency transport.
You'll want to take steps to ensure that the web server rejects requests that didn't come through CloudFront. See Using Custom Headers to Restrict Access to Your Content on a Custom Origin as well as the list of CloudFront IP Addresses which you could use on your web server's firewall.
Once you have your site working through CloudFront, all you do is activate WAF on the distribution. CloudFront is very tightly integrated with WAF so that is a very simple change, once you have your WAF rules set up.
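The origin-side check the answer above recommends, as an added example that is not part of the original thread: it accepts a request only when the connecting address is in a CloudFront range and a shared-secret custom header matches. The header name, the secrets and the sample ranges are constructed for illustration, and the origin is assumed to receive connections directly from CloudFront.

```python
import hmac
import ipaddress
import json

# Constructed sample in the layout of AWS's published ip-ranges.json;
# the prefixes are documentation ranges, not real CloudFront addresses.
SAMPLE_IP_RANGES = json.dumps({
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1000::/36", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})

HEADER = "x-origin-verify"  # hypothetical header name set on the distribution


def cloudfront_networks(ip_ranges_json):
    """Return the CLOUDFRONT IPv4 and IPv6 networks from an ip-ranges.json document."""
    doc = json.loads(ip_ranges_json)
    entries = doc.get("prefixes", []) + doc.get("ipv6_prefixes", [])
    return [
        ipaddress.ip_network(e.get("ip_prefix") or e["ipv6_prefix"])
        for e in entries
        if e.get("service") == "CLOUDFRONT"
    ]


def came_through_cloudfront(peer_ip, headers, networks, secrets):
    """Accept only if the TCP peer is in a CloudFront range AND the secret header matches.

    peer_ip must be the socket peer address, never X-Forwarded-For, which the
    client controls. `secrets` holds the current and the previous value so the
    header can be rotated without an outage.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    if not any(addr in net for net in networks):
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(HEADER, "").encode()
    # Constant-time comparison against every non-empty secret, no early exit.
    matches = [hmac.compare_digest(presented, s.encode()) for s in secrets if s]
    return any(matches)
```

The firewall allow-list alone is not enough, because any CloudFront distribution can reach an origin in those ranges; the secret header is what ties the request to your own distribution.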

How to configure an Amazon Route with SSL for a Heroku App

I need to set an Amazon Domain as a custom domain for a Heroku app. I found the next tutorial https://devcenter.heroku.com/articles/route-53 but it doesn't work if the app needs https requests. The first idea was to set up the SSL Certificate in Heroku, but the SSL Amazon Domain manager doesn't allow downloading the certificate, so the SSL needs to be managed by AWS.
What is the best way to add Amazon SSL to a Heroku app?
The best option I found was to create an AWS CloudFront and configure it like Karan describes in his answer but with some add-ons:
1. Create a certificate from AWS Certificate Manager and approve it.
2. Create a CloudFront distribution with the Origin Domain Name as your Heroku URL such as myapp.herokuapp.com and the custom SSL certificate as the one you created from the AWS Cert Manager.
3. While creating the distribution, make sure that you have the TTL as 0, else all the responses will be cached.
   If you don't complete this step, you will probably get an error like this:
   This distribution is not configured to allow the HTTP request method that was used for the request. The distribution supports only cachable requests.
4. Follow the guide I mention in the question: https://devcenter.heroku.com/articles/route-53
Amazon created SSL certificates only work with supported Amazon services such as Elastic Load Balancers, CloudFront distributions and API Gateway.
The easiest method to use Amazon SSL certificates is to add a load balancer. Another method is to enable CloudFront.
AWS Certificate Manager