Cloudfront, ELB and SSL


Question

If I use Cloudfront to sit in front of a webserver, which itself is behind an ELB, would the following apply?


  • I use Route53 to create a domain name record for the CF domain and apply an SSL certificate to that domain to secure the distribution

If CF cannot serve the content from the cache, then the SSL connection is forwarded to the ELB (which fronts the webserver as an origin server).

Therefore I also need to use the same domain name (FQDN) on the ELB (via Route53 CNAME) and apply the same cert there too?

When CF forwards the request through the ELB, the SSL is terminated. Is that right? Will one FQDN cert suffice, or is it better to use a wildcard? Is it better to use the origin server domain name instead?

As I can now use the new AWS Certificate Manager tool (ACM) to add these certs, does anyone know if CF still requires the cost for use of a custom SSL cert if using ACM (which makes CF an expensive AWS service)?

Accepted answer


"If CF cannot serve the content from the cache, then the SSL connection is forwarded to the ELB (which fronts the webserver as an origin server)."

The SSL connection is not "forwarded". A new SSL connection is established between CloudFront and the ELB.

The SSL connection between the user and CloudFront is a completely different connection than the one between CloudFront and the ELB. Therefore, there are no requirements on matching the domain names used on the ELB and CloudFront.


"Therefore I also need to use the same domain name (FQDN) on the ELB (via Route53 CNAME) and apply the same cert there too?"

The only restriction is that the SSL certificate on the ELB must match the domain name used on the ELB. It can be a different SSL cert and domain name than those used on CloudFront.

If you want to use the "Custom SSL" feature and support "All Clients", not just those that support SNI, then yes, you must still pay the extra charges, even if you are using ACM.

Example 1

You can create Route 53 records for www.domain.com and origin.domain.com and an SSL cert for *.domain.com. From these, you would assign www.domain.com to the CloudFront distribution, origin.domain.com to your ELB, and use the wildcard cert on both.

Example 2

You can create Route 53 records for www.domain.com and origin.domain.com and separate SSL certs for www.domain.com and origin.domain.com. From these, you would assign www.domain.com to the CloudFront distribution using the www.domain.com cert, and origin.domain.com to your ELB using the origin.domain.com cert.

Example 3

You can create Route 53 records for www.domain1.com and origin.domain2.com and separate SSL certs for www.domain2.com and origin.domain2.com. From these, you would assign www.domain2.com to the CloudFront distribution using the www.domain2.com cert, and origin.domain2.com to your ELB using the origin.domain2.com cert.
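The answer's point, that the viewer-to-CloudFront and CloudFront-to-ELB hops are separate TLS connections whose only constraint is that each certificate covers the hostname used on its own hop, can be modelled offline. The following is an added example, not code from the original post or from AWS; the certificates are constructed sample data holding only SAN names, and hostname matching follows the usual RFC 6125 single-label wildcard rule.

```python
"""Model the two independent TLS hops in a CloudFront -> ELB deployment.

Added example (not from the original post). Certificates are constructed
sample data: only their SAN dNSName entries are represented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """A constructed certificate, reduced to its SAN dNSName entries."""
    names: tuple


def name_matches(pattern: str, host: str) -> bool:
    """Return True if one SAN entry covers host.

    A wildcard is honoured only as the entire leftmost label and matches
    exactly one label, so *.domain.com covers www.domain.com but neither
    domain.com nor a.b.domain.com. A bare TLD wildcard (*.com) is rejected.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: Cert, host: str) -> bool:
    return any(name_matches(n, host) for n in cert.names)


def check_deployment(cf_alias: str, cf_cert: Cert, origin_name: str, elb_cert: Cert) -> dict:
    """Validate each hop on its own.

    Hop 1: viewer -> CloudFront; the distribution's cert must cover the alias
    the viewer connects to. Hop 2: CloudFront -> ELB; the ELB cert must cover
    the origin domain name configured on the distribution. Nothing ties
    cf_alias to origin_name, which is exactly the answer's point.
    """
    return {
        "viewer_to_cloudfront": cert_covers(cf_cert, cf_alias),
        "cloudfront_to_elb": cert_covers(elb_cert, origin_name),
    }


# Constructed certs mirroring the answer's Example 1 and Example 2.
WILDCARD = Cert(("*.domain.com",))
WWW_ONLY = Cert(("www.domain.com",))
ORIGIN_ONLY = Cert(("origin.domain.com",))

EXAMPLE_1 = check_deployment("www.domain.com", WILDCARD, "origin.domain.com", WILDCARD)
EXAMPLE_2 = check_deployment("www.domain.com", WWW_ONLY, "origin.domain.com", ORIGIN_ONLY)
# Reusing the CloudFront cert on the ELB fails hop 2: the ELB cert must match the origin name.
MISMATCH = check_deployment("www.domain.com", WWW_ONLY, "origin.domain.com", WWW_ONLY)
```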
