Enabling SSL for S3, serve index.html by default - amazon-web-services

I have an S3 bucket with which I want to use SSL. I also want to serve up index.html by default.
When accessed over http, my-bucket.s3-website-us-west-2.amazonaws.com/ serves up index.html. However, AWS doesn't maintain an SSL certificate for this subdomain so it cannot be accessed over SSL. AWS does maintain an SSL certificate for my-bucket.s3.amazonaws.com/ which does resolve, as expected. But, that domain doesn't serve up index.html by default (even though index.html is set as the index document).
Is there a solution to this problem that does not require CloudFront (which is currently set up) or flexible SSL with CloudFlare? I'm trying to reduce the cost without sacrificing security.

When using the "Static Website Hosting" option for hosting websites from S3, only HTTP can be used. HTTPS is not supported. This is done using the my-bucket.s3-website-* URL.
The my-bucket.s3.amazonaws.com endpoint is not an endpoint for serving up a website. It's simply an endpoint for the S3 API. This is why it supports HTTPS. So you can GET, POST, etc. to this endpoint when you're authenticated (or as anonymous if public ACLs are configured).
But it's not a website endpoint and won't serve index.html or the 404 page automatically.
To act as a website and use SSL, you must use a fronting service such as CloudFront.

Related

HTTP redirects in the AWS world, anything better than S3+CloudFront?

I'm moving my domain names from CloudFlare's DNS to AWS Route53 and in some cases I'm using CloudFlare's redirects for projects that are dead so that their domains go to a page in another domain, so https://projectx.com goes to https://example.com/projectx-is-no-more.
I want to replicate this in AWS and what I found so far is this:
1. Set up an S3 bucket with the redirect to the desired URL, https://example.com/projectx-is-no-more
2. Set up CloudFront for the domain, projectx.com
3. Generate the TLS cert for projectx.com and add it to CloudFront so it can serve both https and http.
4. Set up Route53 to resolve the domain name to CloudFront.
I set it up, it's working, I'm even using CDK so I'm not doing it manually. But I'm wondering if there's a way of setting up these redirects that requires fewer moving pieces. It sounds like such a redirect would be a common enough problem that maybe Route53 or CloudFront would have a shortcut. Are there any?
Update: using only S3 doesn't work because S3 cannot serve https://projectx.com. S3 has no method by which it can respond to HTTPS requests for arbitrary domains, there's no way of adding a TLS certificate (and keys) for another domain.
I checked for information and see only three possible solutions:
1. Set up CloudFront + S3 *
2. Set up Application Load Balancer
3. Set up API Gateway + Lambda (mock integration may be used instead of Lambda, that should reduce service cost)
4. Use GitHub pages with custom domain
* S3 supports only HTTP traffic, so we need to add CloudFront for HTTPS:
> Amazon S3 does not support HTTPS access to the website. If you want to use HTTPS, you can use Amazon CloudFront to serve a static website hosted on Amazon S3.
In my opinion the 2nd way is super easy to set up, but running an ALB 24/7 is a little bit expensive. On the other hand, Lambda and API Gateway pricing depends on the request count. CloudFront seems to be cheaper than ALB too.
So the better solution depends on how many requests you have.
The 4th solution depends on the GitHub platform (a wider scope than AWS only), but it is absolutely free and supports custom domains and Let's Encrypt certificates out of the box.
You just need to create a repository with a static index.html file that will do the redirects.
You can do it without including CloudFront.
What you need to do is create S3 bucket projectx.com. In Properties go to Static website hosting. Enable static website hosting and choose Redirect as a hosting type (add the redirection URL).
You will still need to set up Route53, but you will now add an alias to this projectx.com bucket, instead of going to CloudFront.

Easiest way to configure a proxy for static Amazon S3 content and dynamic heroku content

My mobile app consists of a dynamic portion on heroku (foo.herokuapp.com) which serves up our API and web views for some content we expose to users who don't have the app installed. There is also of course a static landing page (http://foo.co) which is hosted on S3.
Currently, I have DNS setup to resolve foo.co to our S3 instance. And S3 has routing rules to redirect our dynamic content (http://foo.co/some_dynamic_data/1234/) to our heroku servers.
Given it's a 3XX redirect, this results in a pretty ugly experience for the user since their browser bar is now going to reflect our heroku backend.
Question:
Is there an easy proxy service I can deploy that has special routing rules to route dynamic content to heroku and static content to S3 so that I can point foo.co DNS to the proxy and not have to expose the backend to users via redirects?
CloudFront.
And don't say, "but I thought that was a CDN." That's how it's marketed, but it's also a reverse proxying HTTP request router that can choose the backend based on the request path. The caching capability can be used, or it can be disabled if you don't need/want/understand it.
Create a distribution with two origins (that's what CloudFront calls your backend servers) -- one for the bucket and one for the API endpoint.
Configure your example.com hostname as an alternative hostname in the distribution settings.
Create path behaviors to choose which path patterns route to which origin. If there's an obvious choice for one of them to be the default, catching every path that's otherwise unconfigured, point the default behavior to that particular origin.
Point the DNS hostname to the CloudFront distribution.
Optional: have some SSL on your site with a free certificate from Amazon Certificate Manager, which is integrated with CloudFront.
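How path behaviors pick an origin, as an added example that is not part of the original answer: CloudFront evaluates path patterns in the order they are listed, the first match wins, and the default behavior catches the rest. The S3 endpoint name and the second (`img`) pattern are constructed for illustration; `foo.herokuapp.com` and the dynamic path come from the question.

```python
import re

def matches(pattern, path):
    """CloudFront-style match: '*' is any run of characters, '?' is exactly one,
    everything else is literal and case-sensitive; a leading '/' is optional."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern.lstrip("/"))
    return re.fullmatch(regex, path.lstrip("/"), re.DOTALL) is not None

def route(behaviors, default_origin, path):
    """Pick the origin of the first behavior (in listed order) whose pattern matches."""
    for pattern, origin in behaviors:
        if matches(pattern, path):
            return origin
    return default_origin  # the default behavior catches every other path

HEROKU = "foo.herokuapp.com"
S3_SITE = "foo.co.s3-website-us-east-1.amazonaws.com"  # constructed endpoint name

# One path behavior for the dynamic content; static content falls to the default.
BEHAVIORS = [("some_dynamic_data/*", HEROKU)]
# Order matters: a broad pattern listed first shadows the narrower one after it.
SHADOWED = [("some_dynamic_data/*", HEROKU), ("some_dynamic_data/img/*", S3_SITE)]
FIXED = list(reversed(SHADOWED))

def demo():
    """Map each sample path to the origin chosen under the three behavior lists."""
    paths = ["/", "/index.html", "/some_dynamic_data/1234/",
             "/some_dynamic_data/img/a.png"]
    return {p: (route(BEHAVIORS, S3_SITE, p),
                route(SHADOWED, S3_SITE, p),
                route(FIXED, S3_SITE, p)) for p in paths}

if __name__ == "__main__":
    for path, origins in demo().items():
        print(path, origins)
```

A misordered list sends requests to a backend that was never meant to handle them, so it is worth replaying a few representative paths against the behavior list before pointing DNS at the distribution.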

Supporting HTTPS URL redirection with a single CloudFront distribution

I have a domain formulagrid.com.
I am using AWS S3 to host it as a static website. My problem was that I wanted to redirect the www subdomain to the bare domain like so:
https://www.formulagrid.com -> https://formulagrid.com
http://www.formulagrid.com -> https://formulagrid.com
Amazon provides URL redirecting from S3 bucket to S3 bucket if both are setup for static website hosting.
So what I had to do was set up two buckets:
formulagrid.com - actual website
www.formulagrid.com - exists solely to redirect to the actual website
This works perfectly fine if you're operating only over HTTP, but S3 has absolutely no support for HTTPS.
The way that one can use HTTPS to connect to an S3 static website is by setting up a CloudFront distribution in front of an S3 bucket. CloudFront, however, while it does provide HTTPS, mainly exists to function as a CDN.
Initially, I had a single CloudFront distribution setup in front of the S3 bucket holding the actual site. Everything seemed operational: the site was distributed over the CDN, it had HTTPS, and HTTP redirected to HTTPS.
There was one exception.
https://www.formulagrid.com was a completely broken page
After trying to find the source of the error for a while, I realized it's because it wasn't going through the CDN, and trying to access S3 over HTTPS doesn't work.
Finally, what I ended up having to do was provision another distribution to sit in front of the www S3 bucket so it was accessible over HTTPS. This is where my concerns come in because, like I mentioned earlier, CloudFront's main purpose is to be a CDN.
It doesn't make any sense to me to have a CDN sit in front of a url that just redirects to another. Also it brings up the question of whether I would be double charged for every request that hits the www subdomain because it'd hit the other CloudFront distribution after being redirected.
This is frustrating because I'm trying to do a "serverless" architecture using Lambda, and having to provision an EC2 instance just to do url rewriting isn't something I want to do unless it's my last resort.
The solution would be trivial if Amazon offered any form of URL rewriting or if CloudFront itself did redirecting, but neither of these exist as far as I know (let me know if they do).
I'm new to AWS so I'm hoping someone with more experience can point me in the right direction.
You're thinking too narrowly -- there's nothing wrong with this setup.
> The solution would be trivial if Amazon offered any form of URL rewriting
They do -- the empty bucket.
> S3 has absolutely no support for HTTPS.
Not for web site hosted buckets, no... but CloudFront does.
CloudFront is not just a CDN. It's also an SSL offloader, Host: header rewriter, path prepender, geolocator, georestrictor, secure content gateway, http to https redirector, error page customizer, root page substituter, web application firewall, origin header injector, dynamic content gzipper, path-based multi-origin http request router, viewer platform identifier, DDoS mitigator, zone apex alias target... so don't get too hung up on "CDN" or on the fact that you're stacking one service in front of another -- CloudFront was designed, in large part, to complement S3. They each specialize in certain facets of storage and delivery.
So, you did it right... most of it, anyway... Create a bucket, configure it for web site hosting, set it to redirect all requests to another site (the non-www) and put a CloudFront distribution in front of it -- using the web site endpoint URL for the bucket in CloudFront, not the one from the drop-down list -- configured with high TTLs so that CloudFront will send a minimal number of requests to S3 then put your (free!) SSL certificate from Amazon Certificate Manager. HTTPS alternate domain routing: solved. No servers, no troubleshooting, and cheap. The only charges are the usage -- there is no background recurring charge as there would be with servers.
Extra credit: configure the redirecting CloudFront distribution for the cheapest rate tier. Redirects from more expensive locations will either be routed to a cheaper edge location or -- at CloudFront's option -- may be served out of a higher cost location but billed at the lower rate.
Note that most of the time, CloudFront should serve the redirects from S3 from its cache... and when you configure a bucket to redirect all requests to another hostname, the redirect is a 301 permanent redirect -- which browsers are supposed to cache, themselves.

Access to https on Amazon AWS S3 (5GB free) - Virtual Hosting

I am trying to access Amazon AWS S3 over https.
This link with http works: http://sc-st01.s3-website-eu-west-1.amazonaws.com/
But this one does not: https://sc-st01.s3-website-eu-west-1.amazonaws.com/
Is there any setting to enable it?
I also use a CNAME, but I think the problem is with access over https.
Thank you for any advice.
UPDATE: This refers to using S3 to host static web content.
If you are using your S3 bucket to host static web content, then HTTPS isn't supported. To quote the AWS doc, it says under the Test your website section:
> Note
> HTTPS access to the website is not supported.
Not very helpful. If you are interested in learning how S3 virtual hosting works, you can read more about it here.
To serve your static web content over HTTPS, you will need to set up an AWS CloudFront distribution, which is quite straightforward via the AWS Management Console. The only configurations that will require special attention are:
Origin Domain Name: This should refer to the URI of your S3 bucket. In your case, it will be sc-st01.s3-website-eu-west-1.amazonaws.com
Viewer Protocol Policy: Default to HTTP and HTTPS Only
Alternate Domain Names (CNAMEs): CNAME you set up in your DNS.
SSL Certificate: Either Default CloudFront Certificate or Custom SSL Certificate if you have one. Note that setting up custom SSL certificate is more involved as it needs to be uploaded to the IAM.
Default Root Object: The default file you want to serve when your user visits your static web site.
Once you're done with setting up the configurations, it will usually take 5 to 10 minutes for the new distribution to be fully configured and set up. Refer to the Status field on the CloudFront management dashboard for progress. When ready, you will see the new Domain Name of your distribution. You should be able to access the static web content in your S3 bucket (assuming that the permissions of the content are granted to Everyone) by navigating to the http:// or https:// URL of your distribution Domain Name.
I would also recommend checking out the CloudFront pricing to make sure you are aware of what is free and what isn't.

Amazon S3 static website - Redirect HTTPS to HTTP

I'm about to launch a static website using S3/Cloudfront. I don't need HTTPS for the site, but the current iteration of the website is served over HTTPS and has hundreds of links and indexed URLs that are HTTPS.
I've been searching for hours and can't find a way to redirect our HTTPS URLs to HTTP when only using S3/Cloudfront. Currently the HTTPS URL will refuse the connection instead of redirecting to the HTTP version of the page.
With no Apache it seems it is not possible to do this. Any hints?
Static website hosting on S3 does not support HTTPS unless you use the full domain path, i.e. example.com.s3-website-us-east-1.amazonaws.com. Since you want to keep your URL, you'll have to use a CloudFront distribution to handle SSL.
1. Upload your SSL certificate to CloudFront:
   aws iam upload-server-certificate --server-certificate-name CertificateName --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file --path /cloudfront/path/ [1]
2. Create a CloudFront distribution and configure it as follows:
   - Origin Domain Name: your S3 bucket's public static website hosting endpoint (not the endpoint that CloudFront autocompletes)
   - Alternate Domain Names (CNAMEs): desired location for your website, e.g. example.com or www.example.com
   - SSL Certificate: Select the SSL certificate you uploaded in step 1.
   - Custom SSL Client Support: Unless you need compatibility for really old clients, select "Only Clients that support Server Name Indication" and save $600.
   - If you are redirecting https to an S3 redirect, the origin domain should not be the autocomplete bucket, but the static redirect endpoint S3 gives you.
3. Save your distribution. It should show Status "In Progress". It generally takes ~15 minutes before a distribution is "Deployed"; don't move on to step 4 until your distribution is "Deployed".
4. Verify the distribution works: navigate to the CloudFront distribution via the domain name in the list, e.g. "https://d111111abcdef8.cloudfront.net/". You should see your website.
5. Change your DNS records to point to the CloudFront distribution instead of the S3 bucket.
[1] if you have trouble adding your certificate to CloudFront check out this article for further information: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html#cnames-and-https-procedure
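A check for the distribution settings listed in the answers above (website endpoint as origin, viewer protocol policy, SNI-only certificate), as an added example that is not part of the original posts. It takes the `DistributionConfig` object from `aws cloudfront get-distribution-config` output as a dict; the two sample configurations, their domain names other than `my-bucket.s3.amazonaws.com`, and the helper `sample` are constructed for illustration.

```python
def audit(cfg):
    """Return findings for one DistributionConfig dict; [] means all checks passed."""
    findings = []
    if cfg.get("Aliases", {}).get("Quantity", 0) == 0:
        findings.append("aliases: no alternate domain name (CNAME) configured")
    for origin in cfg["Origins"]["Items"]:
        name = origin["DomainName"]
        if ".s3-website" in name:
            # Website endpoints answer on HTTP only, so CloudFront must fetch over HTTP.
            policy = origin.get("CustomOriginConfig", {}).get("OriginProtocolPolicy")
            if policy != "http-only":
                findings.append(f"origin {name}: website endpoint is HTTP-only, policy is {policy}")
        elif "S3OriginConfig" in origin:
            # REST endpoint: the bucket's index document and redirect settings do not apply.
            findings.append(f"origin {name}: REST endpoint, website redirects/index are ignored")
    behaviors = [cfg["DefaultCacheBehavior"]] + cfg.get("CacheBehaviors", {}).get("Items", [])
    for behavior in behaviors:
        if behavior["ViewerProtocolPolicy"] == "allow-all":
            path = behavior.get("PathPattern", "default")
            findings.append(f"behavior {path}: plain HTTP is served without a redirect")
    if cfg.get("ViewerCertificate", {}).get("SSLSupportMethod") == "vip":
        findings.append("certificate: dedicated-IP TLS (vip) instead of sni-only")
    return findings


def sample(origin, viewer_policy, ssl_method):
    """Build a constructed, minimal DistributionConfig (not a real distribution)."""
    return {
        "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
        "Origins": {"Quantity": 1, "Items": [origin]},
        "DefaultCacheBehavior": {"TargetOriginId": origin["Id"],
                                 "ViewerProtocolPolicy": viewer_policy},
        "ViewerCertificate": {"SSLSupportMethod": ssl_method},
    }


# Constructed origins: a website (redirect) endpoint and a REST endpoint.
WEBSITE = {"Id": "website", "DomainName": "www.example.com.s3-website-us-east-1.amazonaws.com",
           "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                  "OriginProtocolPolicy": "http-only"}}
REST = {"Id": "rest", "DomainName": "my-bucket.s3.amazonaws.com",
        "S3OriginConfig": {"OriginAccessIdentity": ""}}
GOOD = sample(WEBSITE, "redirect-to-https", "sni-only")
BAD = sample(REST, "allow-all", "vip")

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(cfg) or "no findings")
```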