AWS Restrict access from CloudFront to load balancer

Problem description

I'm using CloudFront with load balancing and EC2 instances.

In AWS, my load balancer accepts traffic from all HTTP connections. Is it possible to restrict that to accept only HTTP connections from my CloudFront distributions? And how can I do that?

Thanks.

Recommended answer

AFAIK, you can't do this at layer 3 as an ELB will allow access from anywhere (0.0.0.0/0).

If you're running Apache and can find a specific header that CloudFront uses/sets, then you could do this at layer 7 using mod_headers.

According to http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html CloudFront will set the header Via to 1.1 alphanumeric-string.cloudfront.net, so you could match this in your virtualhost by doing something like:

# set VIA_CLOUDFRONT when the Via request header has the CloudFront form
SetEnvIf Via "^1\.1\ [a-z0-9]+\.cloudfront\.net$" VIA_CLOUDFRONT
<LocationMatch /origin/>
    Options -Indexes
    Order deny,allow
    Deny from all

    # allow from cloudfront only
    Allow from env=VIA_CLOUDFRONT
</LocationMatch>
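
A way to check the rule before enforcing it, as an added example that is not part of the original answer: it replays the answer's two regexes over access-log lines and reports which requests the `Deny from all` / `Allow from env=VIA_CLOUDFRONT` pair would let through. The log format (with `%{Via}i` as the last field) and the sample lines are constructed assumptions.

```python
import re

# Regex from the SetEnvIf line above (Python's re accepts the same syntax here).
VIA_CLOUDFRONT = re.compile(r"^1\.1\ [a-z0-9]+\.cloudfront\.net$")
# Regex from <LocationMatch /origin/>: only these URLs get the deny rule.
PROTECTED = re.compile(r"/origin/")
# Assumed access-log format: LogFormat "%h %t \"%r\" %>s \"%{Via}i\""
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3} "(?P<via>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges, made-up distribution ids).
SAMPLE_LOG = """\
198.51.100.7 [10/Oct/2023:13:55:36 +0000] "GET /origin/a.png HTTP/1.1" 200 "1.1 3f1c2ab4d5e6.cloudfront.net"
203.0.113.9 [10/Oct/2023:13:55:40 +0000] "GET /origin/a.png HTTP/1.1" 200 "-"
198.51.100.8 [10/Oct/2023:13:55:41 +0000] "GET /origin/b.css HTTP/1.1" 200 "1.1 3f1c2ab4d5e6.cloudfront.net (CloudFront)"
198.51.100.9 [10/Oct/2023:13:55:42 +0000] "GET /origin/c.js HTTP/1.1" 200 "1.1 proxy.example.net, 1.1 9a8b7c.cloudfront.net"
203.0.113.9 [10/Oct/2023:13:55:43 +0000] "GET /health HTTP/1.1" 200 "-"
"""


def classify(log_text):
    """Sort logged requests by what the Via rule would do with them."""
    result = {"allow": [], "deny": [], "not_covered": []}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the assumed log format
        entry = (m["client"], m["path"], m["via"])
        if not PROTECTED.search(m["path"]):
            result["not_covered"].append(entry)  # outside the LocationMatch
        elif VIA_CLOUDFRONT.search(m["via"]):
            result["allow"].append(entry)  # SetEnvIf would set VIA_CLOUDFRONT
        else:
            result["deny"].append(entry)  # "Deny from all" applies
    return result


if __name__ == "__main__":
    for verdict, entries in classify(SAMPLE_LOG).items():
        for client, path, via in entries:
            print(f"{verdict:11} {client:13} {path:15} Via: {via}")
```

The `^` and `$` anchors deny any Via value that is not exactly `1.1 <id>.cloudfront.net`, so compare the pattern with the values your origin actually logs. Via is an ordinary request header, so this match filters traffic rather than authenticating CloudFront.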
