Amazon cloudformation 云面+;S3和x2B;HTTPS模板也服务于不需要的HTTP
我有一个Cloudformation模板,用于通过Cloudfront通过HTTPS提供S3内容(见末尾的堆栈) 它在HTTPS上运行良好-Amazon cloudformation 云面+;S3和x2B;HTTPS模板也服务于不需要的HTTP,amazon-cloudformation,amazon-cloudfront,Amazon Cloudformation,Amazon Cloudfront,我有一个Cloudformation模板,用于通过Cloudfront通过HTTPS提供S3内容(见末尾的堆栈) 它在HTTPS上运行良好- (env) justin@justin-XPS-13-9360:~/work/gists/ae46e471eb0e10e877731d787a9fbc2a$ curl -iv https://cloudfront-https-demo.s3-eu-west-1.amazonaws.com/index.json * Trying 52.218.90.64
(env) justin@justin-XPS-13-9360:~/work/gists/ae46e471eb0e10e877731d787a9fbc2a$ curl -iv https://cloudfront-https-demo.s3-eu-west-1.amazonaws.com/index.json
* Trying 52.218.90.64...
* TCP_NODELAY set
* Connected to cloudfront-https-demo.s3-eu-west-1.amazonaws.com (52.218.90.64) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=Washington; L=Seattle; O=Amazon.com, Inc.; CN=*.s3-eu-west-1.amazonaws.com
* start date: Aug 4 00:00:00 2020 GMT
* expire date: Aug 9 12:00:00 2021 GMT
* subjectAltName: host "cloudfront-https-demo.s3-eu-west-1.amazonaws.com" matched cert's "*.s3-eu-west-1.amazonaws.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert Baltimore CA-2 G2
* SSL certificate verify ok.
> GET /index.json HTTP/1.1
> Host: cloudfront-https-demo.s3-eu-west-1.amazonaws.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< x-amz-id-2: zVJ4idiIpuyIJIDvXIXbykQe9Po1YebyXEnYMLPkQydhwPLBpkypQfas3vCKuMIfd2cv+yISoqo=
x-amz-id-2: zVJ4idiIpuyIJIDvXIXbykQe9Po1YebyXEnYMLPkQydhwPLBpkypQfas3vCKuMIfd2cv+yISoqo=
< x-amz-request-id: 3E4B1B22DB6EE25D
x-amz-request-id: 3E4B1B22DB6EE25D
< Date: Tue, 25 Aug 2020 19:32:49 GMT
Date: Tue, 25 Aug 2020 19:32:49 GMT
< Last-Modified: Tue, 25 Aug 2020 15:42:18 GMT
Last-Modified: Tue, 25 Aug 2020 15:42:18 GMT
< ETag: "50521abab7a013be83ee00ded3f9f424"
ETag: "50521abab7a013be83ee00ded3f9f424"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Type: application/json
Content-Type: application/json
< Content-Length: 19
Content-Length: 19
< Server: AmazonS3
Server: AmazonS3
<
{"hello": "world"}
* Connection #0 to host cloudfront-https-demo.s3-eu-west-1.amazonaws.com left intact
我需要对模板做什么才能关闭纯HTTP/只保留HTTPS
---
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
AppName:
Type: String
Resources:
CloudFrontOAI:
Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
Properties:
CloudFrontOriginAccessIdentityConfig:
Comment: access-identity-passport-front.s3.amazonaws.com
SiteCloudFrontDist:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Enabled: true
DefaultRootObject: index.json
Origins:
- DomainName:
Fn::Sub:
- ${app_name}.s3.amazonaws.com
- app_name:
Ref: AppName
Id:
Fn::Sub:
- ${app_name}-site-cf-origin
- app_name:
Ref: AppName
S3OriginConfig:
OriginAccessIdentity:
Fn::Sub:
- origin-access-identity/cloudfront/${oai}
- oai:
Ref: CloudFrontOAI
DefaultCacheBehavior:
AllowedMethods:
- HEAD
- GET
- OPTIONS
ForwardedValues:
QueryString: false
TargetOriginId:
Fn::Sub:
- ${app_name}-site-cf-origin
- app_name:
Ref: AppName
ViewerProtocolPolicy: https-only
ViewerCertificate:
CloudFrontDefaultCertificate: true
SiteBucket:
Type: AWS::S3::Bucket
Properties:
BucketName:
Ref: AppName # NB same as app for URL convenience
SiteBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: SiteBucket
PolicyDocument:
Statement:
- Action: s3:GetObject
Effect: Allow
Principal: '*'
Resource:
Fn::Sub:
- arn:aws:s3:::${bucket_name}/*
- bucket_name:
Ref: SiteBucket
Version: '2012-10-17'
在这两种情况下,您都在使用域:
cloudfront-https-demo.s3-eu-west-1.amazonaws.com
这不是一个CloudFront域,它具有,例如:
d111111abcdef8.cloudfront.net
在我看来,您正在使用表单的url:
https://<bucket name>.s3-<AWS Region>.amazonaws.com/<object name>
https://.s3-:
使用Amazon S3 URL验证您的内容是否可公开访问,但请记住,当您准备使用CloudFront分发内容时,这不是您将使用的URL
在这两种情况下,您都在使用域:
cloudfront-https-demo.s3-eu-west-1.amazonaws.com
这不是一个CloudFront域,它具有,例如:
d111111abcdef8.cloudfront.net
在我看来,您正在使用表单的url:
https://<bucket name>.s3-<AWS Region>.amazonaws.com/<object name>
https://.s3-:
使用Amazon S3 URL验证您的内容是否可公开访问,但请记住,当您准备使用CloudFront分发内容时,这不是您将使用的URL
需要修改bucket策略以禁用非安全连接-
{
"Version": "2012-10-17",
"Id": "ExamplePolicy",
"Statement": [
{
"Sid": "AllowSSLRequestsOnly",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket_name/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "true"
}
}
}
]
}
需要修改bucket策略以禁用非安全连接-
{
"Version": "2012-10-17",
"Id": "ExamplePolicy",
"Statement": [
{
"Sid": "AllowSSLRequestsOnly",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket_name/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "true"
}
}
}
]
}
抱歉,这一点与HTTPS和/或HTTP端点在指定域下是否可用无关name@Justin谢谢你让我知道。但您的回答在问题询问的上下文中是不正确的,这是关于CloudFront的https only
选项的。在beast,当您询问为什么https-only
不起作用时,您的问题具有误导性。您提供的bucket策略不是答案。答案是您根本没有使用CloudFront。那么,为什么还要在你的问题中包含它呢?CloudFront是绝对使用的,它在模板中被明确使用和引用。正确的答案是,除了https-only
声明之外,还必须扩展BucketPolicy以包含“安全”条件。但是我要到明天才能回答这个问题。@Justin在你的问题中,你是冰壶https://cloudfront-https-demo.s3-eu-west-1.amazonaws.com/index.json
。这不是cloudfront端点。正如我在问题中所解释的,cloudfront端点是不同的。但不管怎样,我很高兴你找到了一个“解决方案”。但该端点被列为cloudfront域,不是吗?您认为我应该卷曲您建议的cloudfront域吗?很抱歉,这一点与指定域下是否存在HTTPS和/或HTTP端点无关name@Justin谢谢你让我知道。但您的回答在问题询问的上下文中是不正确的,这是关于CloudFront的https only
选项的。在beast,当您询问为什么https-only
不起作用时,您的问题具有误导性。您提供的bucket策略不是答案。答案是您根本没有使用CloudFront。那么,为什么还要在你的问题中包含它呢?CloudFront是绝对使用的,它在模板中被明确使用和引用。正确的答案是,除了https-only
声明之外,还必须扩展BucketPolicy以包含“安全”条件。但是我要到明天才能回答这个问题。@Justin在你的问题中,你是冰壶https://cloudfront-https-demo.s3-eu-west-1.amazonaws.com/index.json
。这不是cloudfront端点。正如我在问题中所解释的,cloudfront端点是不同的。但不管怎样,我很高兴你找到了一个“解决方案”。但该端点被列为cloudfront域,不是吗?你认为我应该像你建议的那样卷曲云阵域?