亚马逊S3:同时使用DNS别名桶+ HTTPS [英] Amazon S3: using DNS alias to bucket + HTTPS at the same time
问题描述
https://files.stample.co/filename 所以我同时要同时使用HTTPS和自定义DNS别名(CNAME)。
根据什么我明白,亚马逊有一个通配符,用于URL https://*.s3.amazonaws.com 。
HTTPS / SSL
所以这个通配符将:
- 为
https://stample-files.s3.amazonaws.com - 为
https://files.stample.co.s3.amazonaws.com
所以我理解并被其他StackOverflow 帖子确认的是,如果我希望SSL工作,我必须使用桶名称,没有点否则亚马逊证书与通配符将不匹配桶域。
使用DNS别名/ CNAME
在此 S3文档下,使用CNAME自定义Amazon S3网址部分:
根据您的需要,您可能不想s3.amazonaws.com出现在您的网站或服务上。例如,如果您在Amazon S3上托管网站图像,则可能希望 http://images.johnsmith.net/ 而不是 http://johnsmith-images.s3.amazonaws.com/ 。
桶名必须与CNAME相同。因此, http://images.johnsmith.net/filename 将与 http://images.johnsmith.net.s3.amazonaws.com/filename 如果CNAME是创建以将images.johnsmith.net映射到images.johnsmith.net.s3.amazonaws.com。
这似乎是技术原因,否则亚马逊不能知道我们试图定位的桶:
因为Amazon S3只看到原始的主机名www.example。 com,并不知道用于解决请求的CNAME映射,CNAME和桶名称必须相同。
那么什么我理解这里是为了CNAME工作,我们必须在桶名中使用点。
两者一起?
如果我在桶名中使用点数:
- SSL不起作用
- CNAME将会工作
如果我不在桶名中使用点:
- SSL将工作
<我已经测试了这两种情况,无法使SSL和CNAME一起工作。
我可以做些什么来使这两个工作?在我看来,我想要实现的不是很花哨...
似乎目前不可能只使用S3,但是CloudFront可以支持自定义证书。
在某些情况下,CloudFront不是很贵,甚至比S3便宜。当使用 SNI 时,它可以免费提供自定义证书(但是它不支持旧版浏览器,如< IE7 ,< Chrome6< Firefox 2.0)
如何使用CloudFront
我将以您要使用 https://files.mydomain.com 指向称为 mydomain-files的S3存储库(
需要自定义证书
根据Michael - sqlbotanwser,需要使用自定义证书。我的初始假设是使用CNAME将允许在使用我的自定义域时使用Amazon S3通配符证书,但这是错误的:绝对需要自定义证书,并且可以仅使用CloudFront而不是S3。
获得免费证书
您可以使用任何您想要的证书提供商,但在这里我采取 StartSSL (StartCom ),提供免费的SSL证书(限于一个子域名和1年)。
- 验证您对域名的所有权
mydomain.com - 使用域名创建证书
files.mydomain.com - 下载证书(files.crt)和私钥(files.key,使用您的自定义密码加密):它们是PEM格式
- 解密私钥:
openssl rsa -in files.key -out files.key - 生成带有StartSSL文件的证书链,从这里:
cat sub.class1.server.ca.pem ca.pem>> link.crt
将证书上传到AWS
- 安装AWS CLI上传证书(注意密钥必须是未加密的,证书是PEM格式的,证书链是CloudFront所必需的)。你必须选择一个名字和路径(选择你想要的,但路径应以
/ cloudfront / - 上传您的证书到AWS for Cloudfront使用,如记录的此处:
aws iam upload-server-certificate --server-certificate-name CUSTOM_CERTIFICATE_NAME --certificate-body file://files.crt --private-key file://files.key --certificate-chain file ://chain.crt --path / cloudfront / CUSTOM_PATH /
配置CloudFront
- 创建新的Web发布
- 使用CNAME:
files.mydomain.com - 选择自定义SSL证书单选按钮,然后选择您上传时选择的证书(
CUSTOM_CERTIFICATE_NAME) / li>
- 将您的S3存储区选择为CloudFront发行版本
- 验证并等待部署到完成:您应该访问您的桶文件,网址如
https://xyzxyzxyz.cloudfront.net/file
配置DNS
- 打开您的
mydomain.comDNS配置 - 添加CNAME:
文件IN CNAME xyzxyzxyz.cloudfront.net - 等待(请参阅DNS TTL)(如果新的DNS条目可以快速)
结束
您现在应该能够使用 https://files.mydomain.com/file 访问您的文件。证书将是您为 files.mydomain.com 生成的自定义证书,所以一切都可以正常运行。
I want to create an S3 bucket in the Frankfurt zone, and make the files accessible with the URL: https://files.stample.co/filename
So I want both HTTPS, and a custom DNS alias (CNAME) at the same time.
According to what I understand, Amazon has a wildcard certificate for URL https://*.s3.amazonaws.com.
HTTPS / SSL
So this wildcard will:
- Work for
https://stample-files.s3.amazonaws.com - Not work for
https://files.stample.co.s3.amazonaws.com
So what I understand and confirmed by other StackOverflow posts is that if I want SSL to work I have to use a bucket name with no dot otherwise the Amazon certificat with wildcard won't match the bucket domain.
Using DNS alias / CNAME
On this S3 documentation, under Customizing Amazon S3 URLs with CNAMEs section:
Depending on your needs, you might not want "s3.amazonaws.com" to appear on your website or service. For example, if you host your website images on Amazon S3, you might prefer http://images.johnsmith.net/ instead of http://johnsmith-images.s3.amazonaws.com/.
The bucket name must be the same as the CNAME. So http://images.johnsmith.net/filename would be the same as http://images.johnsmith.net.s3.amazonaws.com/filename if a CNAME were created to map images.johnsmith.net to images.johnsmith.net.s3.amazonaws.com.
This seems to be for technical reasons because otherwise Amazon can't know the bucket we try to target:
Because Amazon S3 sees only the original host name www.example.com and is unaware of the CNAME mapping used to resolve the request, the CNAME and the bucket name must be the same.
So what I understand here is that for CNAME to work, we have to use dots in the bucketname.
Both together ?
If I use dots in bucket name:
- SSL won't work
- CNAME will work
If I don't use dots in bucket name:
- SSL will work
- CNAME won't work
I've tested both cases and could not make SSL and CNAME work fine together.
What can I do to make both work? It seems to me that what I want to achieve is not very fancy...
It seems it is currently not possible to do by using S3 only, but it is possible with CloudFront as it supports custom certificates.
CloudFront is not very expensive and can even be cheaper than S3 in some cases. It support custom certificates for free when using SNI (however it's not supported by older browsers like < IE7, < Chrome6, < Firefox 2.0)
HOWTO with CloudFront
I'll take as example that you want to use https://files.mydomain.com to point to an S3 bucket called mydomain-files (the bucket name does not mater and can contain dots).
Custom certificate is required
According to "Michael - sqlbot" anwser, it is required to use a custom certificate. My initial assumption was that using a CNAME will permit to use Amazon S3 wildcard certificate while using my custom domain but this was false: a custom certificate is absolutly required, and is possible to setup with CloudFront only, not S3.
Get free certificate
You can use whatever certificate provider you want but here I take StartSSL (StartCom) which provide free SSL certificates (limited to one subdomain and 1 year however).
- Validate your ownership of domain
mydomain.com - Create certificate with domain
files.mydomain.com - Download the certificate (files.crt) and private key (files.key, encrypted with your custom password): they are in PEM format
- Decrypt the private key:
openssl rsa -in files.key -out files.key - Generate certificate chain with StartSSL files from here:
cat sub.class1.server.ca.pem ca.pem >> chain.crt
Upload certificate to AWS
- Install AWS CLI to upload the certificate (note the key must be unencrypted, the certificate be in PEM format, and the certificate chain is required for CloudFront). You have to choose a name and a path (choose what you want but the path should start with
/cloudfront/ - Upload your certificate to AWS for Cloudfront usage, like documented here:
aws iam upload-server-certificate --server-certificate-name CUSTOM_CERTIFICATE_NAME --certificate-body file://files.crt --private-key file://files.key --certificate-chain file://chain.crt --path /cloudfront/CUSTOM_PATH/
Configure CloudFront
- Create a new Web Distribution
- Use CNAME:
files.mydomain.com - Select the "Custom SSL certificate" radio button and select your certificate (
CUSTOM_CERTIFICATE_NAMEyou choose when uploading) - Select your S3 bucket as CloudFront distribution origin
- Validate and wait for deployment to complete: you should access your bucket files with url like
https://xyzxyzxyz.cloudfront.net/file
Configure DNS
- Open your
mydomain.comDNS configuration - Add the CNAME:
files IN CNAME xyzxyzxyz.cloudfront.net - Wait for DNS to propagate (see DNS TTL) (can be fast if new DNS entry)
End
You should now be able to access your files with https://files.mydomain.com/file. The certificate will be your custom certificate generated for files.mydomain.com so everything will work fine.
这篇关于亚马逊S3:同时使用DNS别名桶+ HTTPS的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
