How to set SSL between cloudfront as a reverse proxy cache with an EC2 custom origin?


Question

I have my domain names pointed at cloudfront, which in turn references my EC2 instance using a custom origin. In this case it is the public dns name from EC2 like xxxxx.us-west-2.compute.amazonaws.com. This makes it behave like a reverse proxy.

I have a form that takes user information so I would like to set up SSL. Because my main domain points to cloudfront,

How do I set up the relationship between cloudfront and the EC2 instance, when using CF like a reverse proxy cache and the EC2 instance is a custom domain?

Would I do this:

  1. Create a subdomain for my origin, e.g. "origin.mydomain.com"
  2. Get an SSL certificate for origin.mydomain.com
  3. Set origin.mydomain.com as the origin in cloudfront, instead of the instance domain created by amazon (not xxxxx.us-west-2.compute.amazonaws.com)

Modified title and some body for clarity.

Answer

Yes, that's exactly the idea.

The step you missed is that you also need an ssl certificate for your main domain, which you'll "install" on the CloudFront distribution.

So you need two certs (or one multi-domain -- sometimes called SAN or UCC -- or you could use a wildcard cert), because -- as you correctly noted -- CloudFront is a reverse proxy (not just in this case -- that's exactly what CloudFront is, a caching reverse proxy).

If you only had a cert on the origin, the traffic between CloudFront and the origin would be encrypted, but the traffic between the browser and CloudFront would not be.

On the CloudFront side, you can buy one or you can get the cert for free from AWS Certificate Manager. These certs work with both CloudFront and ELB, but cannot be installed on EC2 directly, so you'll need to obtain a cert elsewhere for that, if you are not using an ELB.

Gandi will sell you a simple cert for the EC2 instance for $16, which works behind CloudFront. I have no affiliation with them but I mention this because I know it works with CloudFront -- I use them for this. LetsEncrypt and StartSSL will give you one for free, but, arguably, a little more work is involved. I assume these should work if installed on an origin behind CloudFront, but that would depend on those CAs being trusted by the CloudFront trust store, which is likely to be the case but not necessarily guaranteed. CloudFront will refuse to connect to an origin with an SSL certificate issued by a CA that it does not recognize (it returns a 502 error, and in the past I have had trouble with StartSSL certs behind CloudFront)... and this also means you can't use a self-signed cert on the origin.
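As an added illustration of the two-certificate setup the answer describes (not code from the original post), here is a CloudFormation template for such a distribution: the browser-facing cert comes from ACM and is attached to the distribution, while the EC2 origin presents its own publicly trusted cert for the origin subdomain. The names www.mydomain.com and origin.mydomain.com, the ViewerCertArn parameter and the resource ids are assumed placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFront caching reverse proxy in front of an EC2 custom origin, TLS on both legs

Parameters:
  ViewerCertArn:
    Type: String
    # ACM certificate for www.mydomain.com. CloudFront only accepts ACM certs
    # issued in us-east-1; this is the cert "installed" on the distribution.
    Description: ARN of the ACM certificate for the main domain (us-east-1)

Resources:
  SiteDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases:
          - www.mydomain.com            # public name the browser connects to
        Origins:
          - Id: ec2-origin
            # Step 3 of the question: the origin subdomain, not the
            # xxxxx.<region>.compute.amazonaws.com name. The web server on the
            # instance must present a cert for this exact name from a CA that
            # CloudFront trusts, otherwise viewers get a 502 (self-signed fails).
            DomainName: origin.mydomain.com
            CustomOriginConfig:
              OriginProtocolPolicy: https-only   # CloudFront -> origin is always TLS
              HTTPSPort: 443
              OriginSSLProtocols:
                - TLSv1.2
        DefaultCacheBehavior:
          TargetOriginId: ec2-origin
          ViewerProtocolPolicy: redirect-to-https  # browser -> CloudFront is always TLS
          # The question mentions a form that takes user data, so allow POST through
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          ForwardedValues:
            QueryString: true
            Cookies:
              Forward: all
        ViewerCertificate:
          AcmCertificateArn: !Ref ViewerCertArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021
```

With this in place the second cert (for origin.mydomain.com) lives only on the EC2 instance's web server, exactly as the answer notes that ACM certs cannot be installed there.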
