Amazon S3:同时使用 DNS 别名存储桶 + HTTPS [英] Amazon S3: using DNS alias to bucket + HTTPS at the same time

问题描述

我想在法兰克福区域创建一个 S3 存储桶，并通过以下 URL 访问文件:https://files.stample.co/filename

I want to create an S3 bucket in the Frankfurt zone, and make the files accessible with the URL: https://files.stample.co/filename

所以我想要同时使用 HTTPS 和自定义 DNS 别名 (CNAME).

So I want both HTTPS, and a custom DNS alias (CNAME) at the same time.

据我了解，亚马逊有一个 URL https://*.s3.amazonaws.com 的通配符证书.

According to what I understand, Amazon has a wildcard certificate for URL https://*.s3.amazonaws.com.

所以这个通配符将:

• 为 https://stample-files.s3.amazonaws.com 工作
• 不适用于 https://files.stample.co.s3.amazonaws.com

所以我理解并通过其他 StackOverflow 帖子 确认的是，如果我想让 SSL 工作，我必须使用不带点的存储桶名称，否则带有通配符的 Amazon 证书将与存储桶域不匹配.

So what I understand and confirmed by other StackOverflow posts is that if I want SSL to work I have to use a bucket name with no dot otherwise the Amazon certificat with wildcard won't match the bucket domain.

在这个 S3 文档上，在 下使用 CNAME 自定义 Amazon S3 URL 部分:

On this S3 documentation, under Customizing Amazon S3 URLs with CNAMEs section:

根据您的需要，您可能不希望s3.amazonaws.com"出现在您的网站或服务上.例如，如果您在 Amazon S3 上托管您的网站图像，您可能更喜欢 http://images.johnsmith.net/ 而不是 http://johnsmith-images.s3.amazonaws.com/.

Depending on your needs, you might not want "s3.amazonaws.com" to appear on your website or service. For example, if you host your website images on Amazon S3, you might prefer http://images.johnsmith.net/ instead of http://johnsmith-images.s3.amazonaws.com/.

存储桶名称必须与 CNAME 相同.所以 http://images.johnsmith.net/filename 与 http://images.johnsmith.net.s3.amazonaws.com/filename 如果 CNAME 是创建以将 images.johnsmith.net 映射到 images.johnsmith.net.s3.amazonaws.com.

The bucket name must be the same as the CNAME. So http://images.johnsmith.net/filename would be the same as http://images.johnsmith.net.s3.amazonaws.com/filename if a CNAME were created to map images.johnsmith.net to images.johnsmith.net.s3.amazonaws.com.

这似乎是出于技术原因，否则亚马逊无法知道我们尝试定位的存储桶:

This seems to be for technical reasons because otherwise Amazon can't know the bucket we try to target:

因为 Amazon S3 只能看到原始主机名 www.example.com 并且不知道用于解析请求的 CNAME 映射，所以 CNAME 和存储桶名称必须相同.

Because Amazon S3 sees only the original host name www.example.com and is unaware of the CNAME mapping used to resolve the request, the CNAME and the bucket name must be the same.

所以我在这里理解的是，要使 CNAME 工作，我们必须在存储桶名称中使用点.

So what I understand here is that for CNAME to work, we have to use dots in the bucketname.

如果我在存储桶名称中使用点:

If I use dots in bucket name:

• SSL 不起作用
• CNAME 将起作用

如果我不在存储桶名称中使用点:

If I don't use dots in bucket name:

• SSL 可以使用
• CNAME 不起作用

我已经测试了这两种情况，但无法让 SSL 和 CNAME 一起正常工作.

I've tested both cases and could not make SSL and CNAME work fine together.

我该怎么做才能使两者都起作用?在我看来，我想要实现的目标并不是很花哨......

What can I do to make both work? It seems to me that what I want to achieve is not very fancy...

推荐答案

目前仅使用 S3 似乎无法做到，但 CloudFront 可以实现，因为它支持自定义证书.

It seems it is currently not possible to do by using S3 only, but it is possible with CloudFront as it supports custom certificates.

CloudFront 不是很贵，在某些情况下甚至可以比 S3 便宜.它在使用 SNI 时免费支持自定义证书(但是它不支持像 < IE7 这样的旧浏览器, < Chrome6, < Firefox 2.0)

CloudFront is not very expensive and can even be cheaper than S3 in some cases. It support custom certificates for free when using SNI (however it's not supported by older browsers like < IE7, < Chrome6, < Firefox 2.0)

我将以您想使用 https://files.mydomain.com 指向名为 mydomain-files 的 S3 存储桶(存储桶名称无关紧要，可以包含点).

I'll take as example that you want to use https://files.mydomain.com to point to an S3 bucket called mydomain-files (the bucket name does not mater and can contain dots).

根据Michael - sqlbot"anwser，需要使用自定义证书.我最初的假设是使用 CNAME 将允许在使用我的自定义域时使用 Amazon S3 通配符证书，但这是错误的:自定义证书是绝对需要的，并且只能使用 CloudFront 设置，而不是 S3.

According to "Michael - sqlbot" anwser, it is required to use a custom certificate. My initial assumption was that using a CNAME will permit to use Amazon S3 wildcard certificate while using my custom domain but this was false: a custom certificate is absolutly required, and is possible to setup with CloudFront only, not S3.

您可以使用任何您想要的证书提供商，但在这里我使用 StartSSL (StartCom)，它提供免费的 SSL 证书(但仅限于一个子域和 1 年).

You can use whatever certificate provider you want but here I take StartSSL (StartCom) which provide free SSL certificates (limited to one subdomain and 1 year however).

• 验证您对域 mydomain.com
的所有权
• 使用域files.mydomain.com
创建证书
• 下载证书 (files.crt) 和私钥(files.key，使用您的自定义密码加密):它们采用 PEM 格式
• 解密私钥:openssl rsa -in files.key -out files.key
• 使用来自此处的 StartSSL 文件生成证书链:cat sub.class1.server.ca.pem ca.pem >>chain.crt

• Validate your ownership of domain mydomain.com
• Create certificate with domain files.mydomain.com
• Download the certificate (files.crt) and private key (files.key, encrypted with your custom password): they are in PEM format
• Decrypt the private key: openssl rsa -in files.key -out files.key
• Generate certificate chain with StartSSL files from here: cat sub.class1.server.ca.pem ca.pem >> chain.crt

• 安装 AWS CLI 以上传证书(注意密钥必须未加密，证书为 PEM 格式，CloudFront 需要证书链).你必须选择一个名称和一个路径(选择你想要的但路径应该以 /cloudfront/
开头
• 将您的证书上传到 AWS 以供 Cloudfront 使用，如记录在 此处: aws iam upload-server-certificate --server-certificate-name CUSTOM_CERTIFICATE_NAME --certificate-body file://files.crt --private-key file://files.key --certificate-chain file://chain.crt --path/cloudfront/CUSTOM_PATH/

• 创建新的网络分发
• 使用 CNAME:files.mydomain.com
• 选择自定义 SSL 证书"单选按钮并选择您的证书(上传时选择的CUSTOM_CERTIFICATE_NAME)
• 选择您的 S3 存储桶作为 CloudFront 分配源
• 验证并等待部署完成:您应该使用类似 https://xyzxyzxyz.cloudfront.net/file
的 url 访问您的存储桶文件

• Create a new Web Distribution
• Use CNAME: files.mydomain.com
• Select the "Custom SSL certificate" radio button and select your certificate (CUSTOM_CERTIFICATE_NAME you choose when uploading)
• Select your S3 bucket as CloudFront distribution origin
• Validate and wait for deployment to complete: you should access your bucket files with url like https://xyzxyzxyz.cloudfront.net/file

• 打开您的 mydomain.com DNS 配置
• 添加 CNAME:files IN CNAME xyzxyzxyz.cloudfront.net
• 等待 DNS 传播(请参阅 DNS TTL)(如果有新的 DNS 条目，速度会很快)

您现在应该可以使用 https://files.mydomain.com/file 访问您的文件.该证书将是您为 files.mydomain.com 生成的自定义证书，因此一切正常.

You should now be able to access your files with https://files.mydomain.com/file. The certificate will be your custom certificate generated for files.mydomain.com so everything will work fine.

这篇关于Amazon S3:同时使用 DNS 别名存储桶 + HTTPS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！