Fatal编程技术网
  • amazon-cloudformation/
  • Amazon cloudformation 云面+;S3和x2B;HTTPS模板也服务于不需要的HTTP

Amazon cloudformation 云面+;S3和x2B;HTTPS模板也服务于不需要的HTTP

amazon-cloudformation

Amazon cloudformation 云面+;S3和x2B;HTTPS模板也服务于不需要的HTTP,amazon-cloudformation,amazon-cloudfront,Amazon Cloudformation,Amazon Cloudfront,我有一个Cloudformation模板,用于通过Cloudfront通过HTTPS提供S3内容(见末尾的堆栈) 它在HTTPS上运行良好- (env) justin@justin-XPS-13-9360:~/work/gists/ae46e471eb0e10e877731d787a9fbc2a$ curl -iv https://cloudfront-https-demo.s3-eu-west-1.amazonaws.com/index.json * Trying 52.218.90.64

我有一个Cloudformation模板,用于通过Cloudfront通过HTTPS提供S3内容(见末尾的堆栈)

它在HTTPS上运行良好-

(env) justin@justin-XPS-13-9360:~/work/gists/ae46e471eb0e10e877731d787a9fbc2a$ curl -iv https://cloudfront-https-demo.s3-eu-west-1.amazonaws.com/index.json
*   Trying 52.218.90.64...
* TCP_NODELAY set
* Connected to cloudfront-https-demo.s3-eu-west-1.amazonaws.com (52.218.90.64) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=Washington; L=Seattle; O=Amazon.com, Inc.; CN=*.s3-eu-west-1.amazonaws.com
*  start date: Aug  4 00:00:00 2020 GMT
*  expire date: Aug  9 12:00:00 2021 GMT
*  subjectAltName: host "cloudfront-https-demo.s3-eu-west-1.amazonaws.com" matched cert's "*.s3-eu-west-1.amazonaws.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert Baltimore CA-2 G2
*  SSL certificate verify ok.
> GET /index.json HTTP/1.1
> Host: cloudfront-https-demo.s3-eu-west-1.amazonaws.com
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< x-amz-id-2: zVJ4idiIpuyIJIDvXIXbykQe9Po1YebyXEnYMLPkQydhwPLBpkypQfas3vCKuMIfd2cv+yISoqo=
x-amz-id-2: zVJ4idiIpuyIJIDvXIXbykQe9Po1YebyXEnYMLPkQydhwPLBpkypQfas3vCKuMIfd2cv+yISoqo=
< x-amz-request-id: 3E4B1B22DB6EE25D
x-amz-request-id: 3E4B1B22DB6EE25D
< Date: Tue, 25 Aug 2020 19:32:49 GMT
Date: Tue, 25 Aug 2020 19:32:49 GMT
< Last-Modified: Tue, 25 Aug 2020 15:42:18 GMT
Last-Modified: Tue, 25 Aug 2020 15:42:18 GMT
< ETag: "50521abab7a013be83ee00ded3f9f424"
ETag: "50521abab7a013be83ee00ded3f9f424"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Type: application/json
Content-Type: application/json
< Content-Length: 19
Content-Length: 19
< Server: AmazonS3
Server: AmazonS3

< 
{"hello": "world"}
* Connection #0 to host cloudfront-https-demo.s3-eu-west-1.amazonaws.com left intact
我需要对模板做什么才能关闭纯HTTP/只保留HTTPS

---
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  AppName:
    Type: String
Resources:
  CloudFrontOAI:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: access-identity-passport-front.s3.amazonaws.com
  SiteCloudFrontDist:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        DefaultRootObject: index.json
        Origins:
          - DomainName:
              Fn::Sub:
                - ${app_name}.s3.amazonaws.com
                - app_name:
                    Ref: AppName
            Id:
              Fn::Sub:
                - ${app_name}-site-cf-origin
                - app_name:
                    Ref: AppName
            S3OriginConfig:
              OriginAccessIdentity:
                Fn::Sub:
                  - origin-access-identity/cloudfront/${oai}
                  - oai:
                      Ref: CloudFrontOAI
        DefaultCacheBehavior:
          AllowedMethods:
            - HEAD
            - GET
            - OPTIONS
          ForwardedValues:
            QueryString: false
          TargetOriginId:
            Fn::Sub:
              - ${app_name}-site-cf-origin
              - app_name:
                  Ref: AppName
          ViewerProtocolPolicy: https-only
        ViewerCertificate:
          CloudFrontDefaultCertificate: true
  SiteBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName:
        Ref: AppName  # NB same as app for URL convenience
  SiteBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: SiteBucket
      PolicyDocument:
        Statement:
          - Action: s3:GetObject
            Effect: Allow
            Principal: '*'
            Resource:
              Fn::Sub:
                - arn:aws:s3:::${bucket_name}/*
                - bucket_name:
                    Ref: SiteBucket
        Version: '2012-10-17'
在这两种情况下,您都在使用域:

cloudfront-https-demo.s3-eu-west-1.amazonaws.com
这不是一个CloudFront域,它具有,例如:

d111111abcdef8.cloudfront.net
在我看来,您正在使用表单的url:

https://<bucket name>.s3-<AWS Region>.amazonaws.com/<object name>

https://.s3-:

使用Amazon S3 URL验证您的内容是否可公开访问,但请记住,当您准备使用CloudFront分发内容时,这不是您将使用的URL


在这两种情况下,您都在使用域:


cloudfront-https-demo.s3-eu-west-1.amazonaws.com


这不是一个CloudFront域,它具有,例如:


d111111abcdef8.cloudfront.net


在我看来,您正在使用表单的url:


https://<bucket name>.s3-<AWS Region>.amazonaws.com/<object name>



https://.s3-:

使用Amazon S3 URL验证您的内容是否可公开访问,但请记住,当您准备使用CloudFront分发内容时,这不是您将使用的URL


需要修改bucket策略以禁用非安全连接-


{
    "Version": "2012-10-17",
    "Id": "ExamplePolicy",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket_name/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}



需要修改bucket策略以禁用非安全连接-


{
    "Version": "2012-10-17",
    "Id": "ExamplePolicy",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket_name/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}



抱歉,这一点与HTTPS和/或HTTP端点在指定域下是否可用无关name@Justin谢谢你让我知道。但您的回答在问题询问的上下文中是不正确的,这是关于CloudFront的
https only
选项的。在beast,当您询问为什么
https-only
不起作用时,您的问题具有误导性。您提供的bucket策略不是答案。答案是您根本没有使用CloudFront。那么,为什么还要在你的问题中包含它呢?CloudFront是绝对使用的,它在模板中被明确使用和引用。正确的答案是,除了
https-only
声明之外,还必须扩展BucketPolicy以包含“安全”条件。但是我要到明天才能回答这个问题。@Justin在你的问题中,你是冰壶
https://cloudfront-https-demo.s3-eu-west-1.amazonaws.com/index.json
。这不是cloudfront端点。正如我在问题中所解释的,cloudfront端点是不同的。但不管怎样,我很高兴你找到了一个“解决方案”。但该端点被列为cloudfront域,不是吗?您认为我应该卷曲您建议的cloudfront域吗?很抱歉,这一点与指定域下是否存在HTTPS和/或HTTP端点无关name@Justin谢谢你让我知道。但您的回答在问题询问的上下文中是不正确的,这是关于CloudFront的
https only
选项的。在beast,当您询问为什么
https-only
不起作用时,您的问题具有误导性。您提供的bucket策略不是答案。答案是您根本没有使用CloudFront。那么,为什么还要在你的问题中包含它呢?CloudFront是绝对使用的,它在模板中被明确使用和引用。正确的答案是,除了
https-only
声明之外,还必须扩展BucketPolicy以包含“安全”条件。但是我要到明天才能回答这个问题。@Justin在你的问题中,你是冰壶
https://cloudfront-https-demo.s3-eu-west-1.amazonaws.com/index.json
。这不是cloudfront端点。正如我在问题中所解释的,cloudfront端点是不同的。但不管怎样,我很高兴你找到了一个“解决方案”。但该端点被列为cloudfront域,不是吗?你认为我应该像你建议的那样卷曲云阵域?