【Title】: Cloudfront + S3 + HTTPS template also serving unwanted HTTP
【Posted】: 2020-12-14 13:32:12
【Question】:

I have a Cloudformation template for serving S3 content over HTTPS via Cloudfront (see the stack at the end).

It works fine over HTTPS -

(env) justin@justin-XPS-13-9360:~/work/gists/ae46e471eb0e10e877731d787a9fbc2a$ curl -iv https://cloudfront-https-demo.s3-eu-west-1.amazonaws.com/index.json
*   Trying 52.218.90.64...
* TCP_NODELAY set
* Connected to cloudfront-https-demo.s3-eu-west-1.amazonaws.com (52.218.90.64) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=Washington; L=Seattle; O=Amazon.com, Inc.; CN=*.s3-eu-west-1.amazonaws.com
*  start date: Aug  4 00:00:00 2020 GMT
*  expire date: Aug  9 12:00:00 2021 GMT
*  subjectAltName: host "cloudfront-https-demo.s3-eu-west-1.amazonaws.com" matched cert's "*.s3-eu-west-1.amazonaws.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert Baltimore CA-2 G2
*  SSL certificate verify ok.
> GET /index.json HTTP/1.1
> Host: cloudfront-https-demo.s3-eu-west-1.amazonaws.com
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< x-amz-id-2: zVJ4idiIpuyIJIDvXIXbykQe9Po1YebyXEnYMLPkQydhwPLBpkypQfas3vCKuMIfd2cv+yISoqo=
x-amz-id-2: zVJ4idiIpuyIJIDvXIXbykQe9Po1YebyXEnYMLPkQydhwPLBpkypQfas3vCKuMIfd2cv+yISoqo=
< x-amz-request-id: 3E4B1B22DB6EE25D
x-amz-request-id: 3E4B1B22DB6EE25D
< Date: Tue, 25 Aug 2020 19:32:49 GMT
Date: Tue, 25 Aug 2020 19:32:49 GMT
< Last-Modified: Tue, 25 Aug 2020 15:42:18 GMT
Last-Modified: Tue, 25 Aug 2020 15:42:18 GMT
< ETag: "50521abab7a013be83ee00ded3f9f424"
ETag: "50521abab7a013be83ee00ded3f9f424"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Type: application/json
Content-Type: application/json
< Content-Length: 19
Content-Length: 19
< Server: AmazonS3
Server: AmazonS3

< 
{"hello": "world"}
* Connection #0 to host cloudfront-https-demo.s3-eu-west-1.amazonaws.com left intact

(I pushed an index.json file to the bucket)

But what's not so good is that it still serves plain HTTP, despite my specifying https-only in the template -

(env) justin@justin-XPS-13-9360:~/work/gists/ae46e471eb0e10e877731d787a9fbc2a$ curl -iv http://cloudfront-https-demo.s3-eu-west-1.amazonaws.com/index.json
*   Trying 52.218.88.232...
* TCP_NODELAY set
* Connected to cloudfront-https-demo.s3-eu-west-1.amazonaws.com (52.218.88.232) port 80 (#0)
> GET /index.json HTTP/1.1
> Host: cloudfront-https-demo.s3-eu-west-1.amazonaws.com
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< x-amz-id-2: 9MKgLpvr1BmjF49D98VGThFi0JN4wUzAtIaocNh/8DTss54Zlo+/WFMymbLTdKpUoN0fvvLpMLg=
x-amz-id-2: 9MKgLpvr1BmjF49D98VGThFi0JN4wUzAtIaocNh/8DTss54Zlo+/WFMymbLTdKpUoN0fvvLpMLg=
< x-amz-request-id: 5H1V5SBZAJAY2QAW
x-amz-request-id: 5H1V5SBZAJAY2QAW
< Date: Tue, 25 Aug 2020 19:33:27 GMT
Date: Tue, 25 Aug 2020 19:33:27 GMT
< Last-Modified: Tue, 25 Aug 2020 15:42:18 GMT
Last-Modified: Tue, 25 Aug 2020 15:42:18 GMT
< ETag: "50521abab7a013be83ee00ded3f9f424"
ETag: "50521abab7a013be83ee00ded3f9f424"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Type: application/json
Content-Type: application/json
< Content-Length: 19
Content-Length: 19
< Server: AmazonS3
Server: AmazonS3

< 
{"hello": "world"}
* Connection #0 to host cloudfront-https-demo.s3-eu-west-1.amazonaws.com left intact

What do I need to do to the template to turn off plain HTTP / keep only HTTPS?

---
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  AppName:
    Type: String
Resources:
  CloudFrontOAI:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: access-identity-passport-front.s3.amazonaws.com
  SiteCloudFrontDist:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        DefaultRootObject: index.json
        Origins:
          - DomainName:
              Fn::Sub:
                - ${app_name}.s3.amazonaws.com
                - app_name:
                    Ref: AppName
            Id:
              Fn::Sub:
                - ${app_name}-site-cf-origin
                - app_name:
                    Ref: AppName
            S3OriginConfig:
              OriginAccessIdentity:
                Fn::Sub:
                  - origin-access-identity/cloudfront/${oai}
                  - oai:
                      Ref: CloudFrontOAI
        DefaultCacheBehavior:
          AllowedMethods:
            - HEAD
            - GET
            - OPTIONS
          ForwardedValues:
            QueryString: false
          TargetOriginId:
            Fn::Sub:
              - ${app_name}-site-cf-origin
              - app_name:
                  Ref: AppName
          ViewerProtocolPolicy: https-only
        ViewerCertificate:
          CloudFrontDefaultCertificate: true
  SiteBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName:
        Ref: AppName  # NB same as app for URL convenience
  SiteBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: SiteBucket
      PolicyDocument:
        Statement:
          - Action: s3:GetObject
            Effect: Allow
            Principal: '*'
            Resource:
              Fn::Sub:
                - arn:aws:s3:::${bucket_name}/*
                - bucket_name:
                    Ref: SiteBucket
        Version: '2012-10-17'

【Discussion】:

    Tags: amazon-cloudformation amazon-cloudfront


    【Solution 1】:

    In both cases you are using the domain:

    cloudfront-https-demo.s3-eu-west-1.amazonaws.com
    

    This is not a CloudFront domain, which has a format like:

    d111111abcdef8.cloudfront.net
    

    It looks to me like you are using a URL of the form:

    https://<bucket name>.s3-<AWS Region>.amazonaws.com/<object name>
    

    However, this is not a CloudFront URL, as shown in the docs:

    Use your Amazon S3 URL to verify that your content is publicly accessible, but remember that this is not the URL you will use when you are ready to distribute your content with CloudFront.

    【Discussion】:

    • Sorry, this point has nothing to do with whether there are HTTPS and/or HTTP endpoints under the specified domain
    • @Justin Thanks for letting me know. But in the context of a question about CloudFront's https-only option, your answer is incorrect. At the very least, your question is misleading when you ask why https-only doesn't work. The bucket policy you provided is not the answer. The answer is that you aren't using CloudFront at all. So why include it in your question?
    • CloudFront is absolutely being used; it is explicitly used and referenced in the template. The correct answer is that in addition to the https-only declaration, you also have to extend the BucketPolicy to include a "secure" condition. But I have to wait until tomorrow to answer this question.
    • @Justin In your question you are curling https://cloudfront-https-demo.s3-eu-west-1.amazonaws.com/index.json. This is not a CloudFront endpoint. As I explained above, CloudFront endpoints are different. But anyway, I'm glad you found a "solution".
    • But that endpoint is listed as a CloudFront domain, isn't it? Do you think I should curl the CloudFront domain you suggested?
    【Solution 2】:

    The bucket policy needs to be modified to disable non-secure connections -

    {
        "Version": "2012-10-17",
        "Id": "ExamplePolicy",
        "Statement": [
            {
                "Sid": "AllowSSLRequestsOnly",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::bucket_name/*",
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "true"
                    }
                }
            }
        ]
    }
    

    【Discussion】:
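The point the two answers circle around: `ViewerProtocolPolicy: https-only` governs only the connection between a viewer and the CloudFront distribution. The bucket's own S3 endpoint (`<bucket>.s3-<region>.amazonaws.com`) is a separate service that answers on port 80 for as long as the bucket policy allows it, and the question's policy allows `s3:GetObject` to `Principal: "*"` with no transport condition. The `aws:SecureTransport` condition in Solution 2 closes that. The following Python simulator is an added illustration (not code from the question, the answers, AWS, or any library) that evaluates the three policy shapes offline against a plaintext and a TLS request: the question's original policy, Solution 2's conditional Allow, and, going one step beyond the page, the explicit-Deny form AWS documents for "require SSL", which has the advantage that no later Allow statement can override it. It models only the subset of IAM semantics needed here (explicit Deny wins, default deny, wildcard principal, the `Bool` operator); the bucket name and object key are taken from the question's URLs. A separate caveat the page does not address: with `Principal: "*"` the bucket stays readable without going through CloudFront at all, so restricting the principal to the `CloudFrontOAI` is the usual companion change.

```python
"""Minimal, offline simulator of S3 bucket-policy evaluation for one question:
does this policy let s3:GetObject through over plain HTTP?

Added illustration, not code from the question, from AWS, or from any library.
Only the subset of IAM policy semantics needed here is modelled (an assumption):
explicit Deny beats Allow, the default is deny, Principal "*" matches anonymous
callers, and the only condition operator understood is "Bool" (enough for
aws:SecureTransport). Anything else makes a statement not apply.
"""
from fnmatch import fnmatch

BUCKET = "cloudfront-https-demo"  # bucket name taken from the question's URLs
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/index.json"


def _matches(pattern_or_list, value):
    """IAM Action/Resource fields may be a string or a list; both allow * and ? globs."""
    patterns = pattern_or_list if isinstance(pattern_or_list, list) else [pattern_or_list]
    return any(fnmatch(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate a Condition block. Only the Bool operator is modelled; an unknown
    operator makes the statement not apply, which is the conservative direction
    for a check whose purpose is to flag over-broad access."""
    for operator, tests in condition.items():
        if operator != "Bool":
            return False
        for key, expected in tests.items():
            actual = context.get(key)
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Return True if an anonymous request is allowed. Mirrors the IAM rule:
    any matching Deny wins; otherwise at least one matching Allow is required."""
    decision = False
    for stmt in policy["Statement"]:
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue  # anonymous caller: only wildcard principals apply
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def allows_plain_http_get(policy, resource=OBJECT_ARN):
    """The check the question is really asking for: is a non-TLS GET permitted?"""
    return is_allowed(policy, "s3:GetObject", resource, {"aws:SecureTransport": "false"})


# --- Policies under test (constructed from the page's two policy documents) ---

# The question's original policy: public GetObject with no transport condition.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Solution 2's policy: Allow only when aws:SecureTransport is true.
ALLOW_SSL_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowSSLRequestsOnly", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
}

# Explicit-Deny form (AWS's documented "require SSL" pattern): keeps the public
# Allow and adds a Deny for every non-TLS request on the bucket and its objects.
DENY_INSECURE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        ORIGINAL_POLICY["Statement"][0],
        {
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

if __name__ == "__main__":
    for name, policy in [("original", ORIGINAL_POLICY),
                         ("allow-ssl-only", ALLOW_SSL_ONLY_POLICY),
                         ("deny-insecure", DENY_INSECURE_POLICY)]:
        https = is_allowed(policy, "s3:GetObject", OBJECT_ARN, {"aws:SecureTransport": "true"})
        http = allows_plain_http_get(policy)
        print(f"{name:15s} HTTPS GET: {'allowed' if https else 'denied':7s} "
              f"plain HTTP GET: {'ALLOWED' if http else 'denied'}")
```

Running it reports the original policy as allowing the plaintext GET that the second `curl` in the question demonstrates, while both hardened forms allow only the TLS request. The Deny form is the one to prefer when other Allow statements may be added to the policy later, since an explicit Deny cannot be undone by any of them.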
