亚马逊S3:使用DNS别名斗+ HTTPS的同时 [英] Amazon S3: using DNS alias to bucket + HTTPS at the same time
问题描述
我想创建法兰克福区的S3存储,使文件的URL访问: https://files.stample.co/filename
I want to create an S3 bucket in the Frankfurt zone, and make the files accessible with the URL: https://files.stample.co/filename
所以,我想无论HTTPS,和一个自定义DNS别名(CNAME)在同一时间。
So I want both HTTPS, and a custom DNS alias (CNAME) at the same time.
据我了解,亚马逊已经为URL通配符证书 HTTPS://*.s3.amazonaws.com 。
According to what I understand, Amazon has a wildcard certificate for URL https://*.s3.amazonaws.com.
所以这通配符将:
- 为
https://stample-files.s3.amazonaws.com工作
- 在不工作
https://files.stample.co.s3.amazonaws.com
- Work for
https://stample-files.s3.amazonaws.com - Not work for
https://files.stample.co.s3.amazonaws.com
所以,我的理解,并通过其他计算器帖子证实是,如果我想SSL工作,我不得不使用没有点斗名,否则亚马逊证书时使用通配符不会桶域相匹配。
So what I understand and confirmed by other StackOverflow posts is that if I want SSL to work I have to use a bucket name with no dot otherwise the Amazon certificat with wildcard won't match the bucket domain.
在此 S3文档,在自定义使用的CNAME Amazon S3的网址部分:
根据您的需求,您可能不希望s3.amazonaws.com出现在您的网站或服务。例如,如果你在Amazon S3上托管你的网站图像,你可以preFER http://images.johnsmith.net / 代替 http://johnsmith-images.s3.amazonaws.com/。
Depending on your needs, you might not want "s3.amazonaws.com" to appear on your website or service. For example, if you host your website images on Amazon S3, you might prefer http://images.johnsmith.net/ instead of http://johnsmith-images.s3.amazonaws.com/.
桶名称必须相同CNAME。所以 http://images.johnsmith.net/filename 的将是相同的 http://images.johnsmith.net.s3.amazonaws.com/filename 如果CNAME被创造地图images.johnsmith.net到images.johnsmith.net.s3.amazonaws.com。
The bucket name must be the same as the CNAME. So http://images.johnsmith.net/filename would be the same as http://images.johnsmith.net.s3.amazonaws.com/filename if a CNAME were created to map images.johnsmith.net to images.johnsmith.net.s3.amazonaws.com.
这似乎是因为技术原因,否则亚马逊不知道我们试图针对斗:
This seems to be for technical reasons because otherwise Amazon can't know the bucket we try to target:
由于亚马逊S3只能看到原来的主机名www.example.com和不知道用来解析请求的CNAME映射,CNAME记录和桶名称必须是相同的。
Because Amazon S3 sees only the original host name www.example.com and is unaware of the CNAME mapping used to resolve the request, the CNAME and the bucket name must be the same.
所以,我明白这里是为CNAME的工作,我们必须使用点在bucketname。
So what I understand here is that for CNAME to work, we have to use dots in the bucketname.
如果我用水桶名点:
- 在SSL将无法正常工作
- CNAME将工作
如果我不使用的水桶名点:
If I don't use dots in bucket name:
- 在SSL将工作
- 在CNAME将无法正常工作
我测试过这两种情况下,不能使SSL和CNAME精细共同努力。
I've tested both cases and could not make SSL and CNAME work fine together.
我能做些什么,以使双方的工作?在我看来,这正是我想要实现的是不是很花哨......
What can I do to make both work? It seems to me that what I want to achieve is not very fancy...
推荐答案
您有可能两者都做,这取决于你的意思,但它需要在你的方法的变化,一些S3内部的理解,或理解为什么你正在尝试不可能指望工作。
You can potentially do both, depending on what you mean by that, but it requires a change in your approach and an understanding of some S3 internals, or an understanding of why what you are trying can't possibly be expected to work.
首先,要澄清一下,我说你可以两者都做,我想你不认为你可以创建一个名为example.com斗,然后能够访问桶为 HTTPS ://example.com
First, to clarify, when I say you can do both, I assume you do not expect that you could create a bucket called "example.com" and then be able to access the bucket as https://example.com.
如果这就是你想要的或希望,你错过了SSL的一些基础知识。
If that's what you want or expect, you are missing out on some fundamentals of SSL.
有关Web服务器提供SSL,它必须由受信任的证书颁发机构签署的SSL证书。此证书不仅包含用于加密的公开密钥,它也包含对于其是有效的主机名,并且不会对不同的主机名工作。 SSL不仅提供了加密功能,它也提供了保证您达到该网站确实是网站,你认为它是。对于S3,证书中的主机名是 *。s3.amazonaws.com 和一些区域的变种,我将在下面解释。主机名匹配的规则要求 * 的不匹配的东西,在这一个点,所以 *。s3.amazonaws .COM 不匹配 example-bucket.s3.amazonaws.com (在主机组件中没有句点,与对齐 * ),但它不匹配 example.com.s3.amazonaws.com ,因为 * 不匹配 example.com ,因为它包含了一个点。这些规则是由浏览器强加的,而这不是在S3中的限制。
For a web server to offer SSL, it must have an SSL certificate signed by a trusted Certificate Authority. This certificate not only contains a public key used for encryption, it also contains the hostname for which it is valid, and will not work for a different hostname. SSL not only provides encryption, it also provides assurance that the web site you reached is indeed the web site you believe it to be. For s3, the hostname in the certificate is *.s3.amazonaws.com and some regional variants, which I'll explain below. The rules for hostname matching require that the * not match anything with a dot in it, so *.s3.amazonaws.com does match example-bucket.s3.amazonaws.com (no dot in the hostname component that aligns with the *) but it does not match example.com.s3.amazonaws.com because * does not match example.com since it contains a dot. These rules are imposed by browsers, and this isn't a limitation in S3.
现在,如果你要使用 https://example.com 来访问你的水桶,S3不会单独实现这一目标,因为 example.com 本身不是连的远程的相似,在S3上的SSL证书,这是主机名 *。s3.amazonaws.com 。你不仅需要购买从已签署的使用与认证机构的SSL证书example.com,但你还需要到Web服务器......,在这种情况下,是S3上安装它.. 。和S3不支持此
Now, if you are trying to use https://example.com to access your bucket, S3 alone won't enable this, because example.com by itself isn't even remotely similar to the hostname on S3's SSL certificate, which is *.s3.amazonaws.com. You not only need to purchase an SSL certificate from a Certificate Authority that has been signed for use with "example.com," but you also need to install it on the web server... which, in this case, is S3... and S3 doesn't support this.
亚马逊的CloudFront的,但是,确实。您可以配置CloudFront的分布前端到你的水桶,并安装在CloudFront的自己的SSL证书,访问桶通过HTTPS的方式。在这种配置下,它不会不管你的水桶的名字是 - 它甚至没有来匹配您的域名,因为你可以配置CloudFront的使用任何斗你想要的。浏览器通过CloudFront的,这又是直接从桶中的内容获取的内容。
Amazon CloudFront, however, does. You can configure a CloudFront distribution as a front-end to your bucket, and install your own SSL certificate on CloudFront, accessing the bucket over HTTPS that way. In this configuration, it doesn't matter what your bucket name is -- it doesn't even have to match your domain name, because you can configure CloudFront to use whatever bucket you want. The browser fetches content through CloudFront, which in turn pulls the content from the bucket.
现在......假设是不是你在问什么......假设你不希望自己的域名在SSL工作与亚马逊的证书......你可以配置具有带点名称的水桶,使您可以创建一个CNAME主办的example.com的内容...并仍可以访问桶HTTPS。但是,你不能使用SSL的访问使用的CNAME的,其原因解释上面的...因为您的主机没有一个在S3上的SSL证书不匹配。
Now... assuming that isn't what you're asking... assuming that you don't expect your own domain to work in SSL with Amazon's certificate... you can configure a bucket with dotted name, allowing you to create a CNAME for hosting your "example.com" content... and still access the bucket with HTTPS. However, you can't access it with SSL using the CNAME, for reasons explained above... because your hostname doesn't match the one on S3's SSL cert.
不过,如果你想访问与点的水桶中通过SSL的名称,则可以使用区域终点,你的水桶被调配做到这一点。
However, if you want to access a bucket with dots in the name over SSL, you can do this using the regional endpoint where your bucket was provisioned.
在美西2区的example.com斗将通过把斗名,在第一部分得到解决,如果路径,而不是如果主机名的开始......是这样的:
The "example.com" bucket in the us-west-2 region would be addressed by putting the bucket name in the first part if the path instead if the beginning of the hostname... like this:
https://s3-us-west-2.amazonaws.com/example.com/path/to/file.jpg
每个S3区至少有一个区域端点这种方式工作。对于美标地区,终点是s3.amazonaws.com的地理路线在弗吉尼亚哪些路由仅在主站点或镜像站点在俄勒冈州,s3-external-1.amazonaws.com弗吉尼亚州,或者s3-external-2.amazonaws.com这在很大程度上是无证,但路线在俄勒冈州的镜子。
Each S3 region has at least one regional endpoint that works this way. For the "US-Standard" region, the endpoints are "s3.amazonaws.com" which geographically routes to the main site in Virginia or the mirror site in Oregon, "s3-external-1.amazonaws.com" which routes only to Virginia, or "s3-external-2.amazonaws.com" which is largely undocumented but routes to the mirror in Oregon.
那么,就可以访问资源的水桶与点的名义,通过HTTPS,但你要知道桶的区域......虽然你不能简单地用 HTTPS访问:/ /your-cname.example.com 因路SSL的工作原理,一般来说,
So, it is possible to access resources in a bucket with dots in the name, over HTTPS, but you have to know the bucket's region... though you cannot simply access it with https://your-cname.example.com, because of the way SSL works, in general.
这篇关于亚马逊S3:使用DNS别名斗+ HTTPS的同时的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
