Cloudfront 到 s3 重定向到子域,给出访问被拒绝错误 [英] Cloudfront to s3 redirect to subdomain giving Access denied error
问题描述
我在 aws s3 上使用 Cloudfront 和路由 53 设置了静态网站.目前我可以通过 https://www.example.com
I have a static website setup on aws s3 using Cloudfront and route 53.
Currently I can correctly access the site correctly via https://www.example.com
我正在尝试将 http://example.com 和 https://example.com 重定向到 https://www.example.com(http://www.example.com 已正确重定向).
I'm trying to redirect http://example.com and https://example.com to https://www.example.com (http://www.example.com already redirects correctly).
似乎唯一的设置方法是使用两个 Cloudfront 分发版和两个 s3 存储桶(以及路由 53 中的两个别名 A 记录).
It seems that the only way to set this up is with two cloudfront distributions and two s3 buckets (and two alias A records in route 53).
我已经配置了一个 example.com 存储桶以使用 https 协议重定向到 www.example.com.
I have configured an example.com bucket to redirect to www.example.com using https protocol.
其中一个 cloudfront 发行版指向 www.example.com 存储桶,其中包含 http 到 https 重定向和作为 index.html 的默认根对象和备用域名作为 www.example.com其他 cloudfront 发行版指向 example.com 存储桶,没有 http 到 https 重定向,也没有在默认根对象中设置任何内容(我也尝试过 index.html 但没有帮助)和备用域名为 example.com.
One of the cloudfront distributions points to the www.example.com bucket with http to https redirect and the default root object as index.html and the alternate domain name as www.example.com
The other cloudfront distributions points to example.com bucket with no http to https redirect and nothing set in the default root object (I've also tried index.html but that didn't help) and the alternate domain name as example.com.
两个发行版在 ACM 中使用相同的证书设置,涵盖 *.example.com 和 example.com(其他设置使用默认值).
Both distributions use the same certificate setup in ACM that covers *.example.com and example.com
(other settings use the defaults).
当我尝试通过 https://example.com(或 http://example.com) 以及我的设置有什么问题?
I'm not clear why I'm getting an access denied error when I try to access via https://example.com (or http://example.com) and what is wrong about my setup?
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>....</RequestId>
<HostId>.....</HostId>
</Error>
更新有关存储桶的更多详细信息:
Update with more details on the buckets:
正如下面评论中提到的,根域 s3 存储桶可以在没有 cloudfront 的情况下正确重定向.重新添加 cloudfront,访问被拒绝错误再次出现.
As mentioned below in the comments the root domain s3 bucket, redirects correctly without cloudfront. Adding cloudfront back in and the access denied errors reappear.
两个存储桶都有公共访问权限,即 阻止所有公共访问 设置为关闭.
both buckets have public access ie Block all public access is set to off.
两者的存储桶策略设置为:
The bucket policy for both is set to:
{
"Version": "2012-10-17",
"Id": "Policy1595518880784",
"Statement": [
{
"Sid": "Stmt1595518834954",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::example.com/*"
}
]
}
对于子域桶,它在资源中有一个 ..::www.example.com/*.
and for the subdomain bucket it has a ..:::www.example.com/* in the resourse.
cloudfront 中使用的存储桶来源是 example.com.s3.amazonaws.com 和 www.example.com.s3.amazonaws.com
The buckets origin used in cloudfront is example.com.s3.amazonaws.com and www.example.com.s3.amazonaws.com
推荐答案
问题在于重定向存储桶前面的 cloudfront 分布.尽管 cloudfront 中 www 存储桶的源自动完成工作正常,但它不适用于重定向存储桶.相反,您需要手动添加它,它不是 s3 rest api 格式,而是静态站点版本.因此,请输入以下形式的内容 example.com.s3-website-us-east-1.amazonaws.com 这看起来有点像 aws 控制台中的错误,它不应该自动完成无效s3 重定向存储桶前面的存储桶名称.
The issue is with the cloudfront distribution in front of the redirect bucket. Although the autocomplete of the origin for the www bucket in cloudfront works fine, it does not work for the redirect bucket. Instead you need to add this manually and it not to be of the s3 rest api format but of the static site version. So instead enter something of the form example.com.s3-website-us-east-1.amazonaws.com This seems a bit of like a bug in the aws console and it shouldn't autocomplete invalid bucket names infront of s3 redirecting buckets.
这篇关于Cloudfront 到 s3 重定向到子域,给出访问被拒绝错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
