AWS Restrict access from cloudfront to load balancer
Problem description
I'm using Cloudfront with load balancing and ec2 instances.
In AWS, my load balancer accepts traffic from all http connections. Is it possible to restrict that to accept only http connections from my Cloudfront distributions? And how can I do that?
Thanks.
Recommended answer
AFAIK, you can't do this at layer 3 as an ELB will allow access from anywhere (0.0.0.0/0).
If you're running Apache and can find a specific header that cloudfront uses/sets then you could do this at layer 7 using mod_headers.
According to http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html cloudfront will set the Header Via
to 1.1 alphanumeric-string.cloudfront.net, so you could match this in your virtualhost by doing something like:
SetEnvIf Via "^1\.1\ [a-z0-9]+\.cloudfront\.net$" VIA_CLOUDFRONT
<LocationMatch /origin/>
Options -Indexes
Order deny,allow
Deny from all
# allow from cloudfront only
Allow from env=VIA_CLOUDFRONT
</LocationMatch>
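Added example, not part of the original answer: a Python model of the SetEnvIf match and the deny,allow block above, run over constructed Via values to show which requests the rule would admit before it is deployed. The function names and sample values are assumptions made for illustration; the check looks only at the Via value a request carries.

```python
import re

# Pattern copied from the SetEnvIf line in the answer. SetEnvIf is
# case-sensitive and performs a regex search, which re.search mirrors.
VIA_CLOUDFRONT = re.compile(r"^1\.1\ [a-z0-9]+\.cloudfront\.net$")


def sets_via_cloudfront(via_value):
    """Return True when SetEnvIf would set VIA_CLOUDFRONT for this Via value."""
    if via_value is None:  # request carried no Via header at all
        return False
    return VIA_CLOUDFRONT.search(via_value) is not None


def access_decision(via_value):
    """Model 'Order deny,allow' + 'Deny from all' + 'Allow from env=...'."""
    return "allow" if sets_via_cloudfront(via_value) else "deny (403)"


# Constructed sample values (hypothetical host labels), not captured traffic.
SAMPLES = [
    "1.1 abc123example.cloudfront.net",               # format quoted in the answer
    None,                                             # no Via header
    "1.1 ABC123EXAMPLE.cloudfront.net",               # upper-case host label
    "1.1 abc123example.cloudfront.net (CloudFront)",  # trailing comment
    "1.1 proxy.example, 1.1 abc123example.cloudfront.net",  # two hops in one value
    "1.1 abc123example.cloudfront.net.example.org",   # extra suffix after .net
    "HTTP/1.1 abc123example.cloudfront.net",          # protocol name included
]


def report(samples=SAMPLES):
    """Return (value, decision) pairs for every sample."""
    return [(value, access_decision(value)) for value in samples]


if __name__ == "__main__":
    for value, decision in report():
        print(f"{decision:11} {value!r}")
```

Replacing SAMPLES with Via values taken from the origin's own access log shows whether the anchored pattern accepts the exact string the origin receives.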