How to set SSL between cloudfront as a reverse proxy cache with an EC2 custom origin?

好久不见. Submitted on 2019-12-09 01:45:28

Question


I have my domain names pointed at CloudFront, which in turn references my EC2 instance using a custom origin. In this case it is the public DNS name from EC2 like xxxxx.us-west-2.compute.amazonaws.com. This makes it behave like a reverse proxy.

I have a form that takes user information, so I would like to set up SSL. Because my main domain points to CloudFront, how do I set up the relationship between CloudFront and the EC2 instance, when using CF like a reverse proxy cache and the EC2 instance is a custom domain?

Would I do this:

  1. Create a subdomain for my origin, for example "origin.mydomain.com"
  2. Get an SSL cert for origin.mydomain.com
  3. Set origin.mydomain.com as the origin in CloudFront, as opposed to the instance domain created by Amazon. (Not xxxxx.us-west-2.compute.amazonaws.com)

Edit: Modified title and some body for clarity.


Answer 1:


Yes, that's exactly the idea.

The step you missed is that you also need an SSL certificate for your main domain, which you'll "install" on the CloudFront distribution.

So you need two certs (or one multi-domain -- sometimes called SAN or UCC -- or you could use a wildcard cert), because -- as you correctly noted -- CloudFront is a reverse proxy (not just in this case -- that's exactly what CloudFront is, a caching reverse proxy).

If you only had a cert on the origin, the traffic between CloudFront and the origin would be encrypted, but the traffic between the browser and CloudFront would not be.

On the CloudFront side, you can buy one or you can get the cert for free from AWS Certificate Manager. These certs work with both CloudFront and ELB, but cannot be installed on EC2 directly, so you'll need to obtain a cert elsewhere for that, if you are not using an ELB.

Gandi will sell you a simple cert for the EC2 instance for $16, which works behind CloudFront. I have no affiliation with them but I mention this because I know it works with CloudFront -- I use them for this. LetsEncrypt and StartSSL will give you one for free, but, arguably a little more work is involved. I assume these should work if installed on an origin behind CloudFront, but that would depend on those CAs being trusted by the CloudFront trust store, which is likely to be the case but not necessarily guaranteed. CloudFront will refuse to connect to an origin with an SSL certificate issued by a CA that it does not recognize (it returns a 502 error, and in the past I have had trouble with StartSSL certs behind CloudFront)... and this also means you can't use a self-signed cert on the origin.
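As an added illustration (not part of the answer above), this CloudFormation fragment wires up the two hops the answer describes: the main-domain cert on the distribution and a separate cert on the origin subdomain. It assumes the viewer cert for mydomain.com has been issued in ACM in us-east-1 (the region CloudFront requires for its certificates), that origin.mydomain.com carries a publicly trusted cert installed on the instance, and the account id and certificate ARN are placeholders.

```yaml
# Added example, not from the original answer. Placeholders: account id and ACM ARN.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  SiteDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases:
          - mydomain.com                 # the public name browsers connect to
        Origins:
          - Id: ec2-origin
            # Hop 2: point at the subdomain that has its own cert, not the
            # xxxxx.us-west-2.compute.amazonaws.com name, so the hostname
            # CloudFront connects to matches the certificate on the instance.
            DomainName: origin.mydomain.com
            CustomOriginConfig:
              HTTPSPort: 443
              OriginProtocolPolicy: https-only    # never fall back to plain HTTP to EC2
              OriginSSLProtocols:
                - TLSv1.2
        DefaultCacheBehavior:
          TargetOriginId: ec2-origin
          ViewerProtocolPolicy: redirect-to-https  # hop 1: browser -> CloudFront over TLS
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]  # form submissions
          ForwardedValues:
            QueryString: true
            Cookies:
              Forward: all                         # do not serve one user's response to another
        ViewerCertificate:
          # Hop 1 cert: the main-domain certificate "installed" on the distribution.
          # Must live in ACM in us-east-1 regardless of where the EC2 instance runs.
          AcmCertificateArn: arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021
```

If the origin cert is self-signed or from a CA CloudFront does not trust, requests fail with the 502 the answer mentions, so check the origin chain against a public trust store before switching the origin over.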




Answer 2:


You can get an SSL certificate and assign it to your CF. There are 2 ways of doing this:

  • The cheap way is to get a wildcard SSL from AWS using their new(ish) Certificate Manager; once you've got your SSL, go to your CF distribution, simply edit your CF distribution and enable SSL.

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html

http://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html

  • The bit more expensive way is to get your own custom SSL and use it with CF, but that will increase your cost by $600 / month for each SSL you use. The process is about the same as above, with the difference that you have to upload your SSL to IAM and then go to the CF console and activate.

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-procedures.html



Source: https://stackoverflow.com/questions/40517500/how-to-set-ssl-between-cloudfront-as-a-reverse-proxy-cache-with-an-ec2-custom-or
