我有一个Cloudformation模板,用于通过Cloudfront通过HTTPS提供S3内容(请参见末尾的堆栈)。
通过HTTPS可以正常工作-
(env) justin@justin-XPS-13-9360:~/work/gists/ae46e471eb0e10e877731d787a9fbc2a$ curl -iv https://cloudfront-https-demo.s3-eu-west-1.amazonaws.com/index.json
* Trying 52.218.90.64...
* TCP_NODELAY set
* Connected to cloudfront-https-demo.s3-eu-west-1.amazonaws.com (52.218.90.64) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=Washington; L=Seattle; O=Amazon.com, Inc.; CN=*.s3-eu-west-1.amazonaws.com
* start date: Aug 4 00:00:00 2020 GMT
* expire date: Aug 9 12:00:00 2021 GMT
* subjectAltName: host "cloudfront-https-demo.s3-eu-west-1.amazonaws.com" matched cert's "*.s3-eu-west-1.amazonaws.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert Baltimore CA-2 G2
* SSL certificate verify ok.
> GET /index.json HTTP/1.1
> Host: cloudfront-https-demo.s3-eu-west-1.amazonaws.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< x-amz-id-2: zVJ4idiIpuyIJIDvXIXbykQe9Po1YebyXEnYMLPkQydhwPLBpkypQfas3vCKuMIfd2cv+yISoqo=
x-amz-id-2: zVJ4idiIpuyIJIDvXIXbykQe9Po1YebyXEnYMLPkQydhwPLBpkypQfas3vCKuMIfd2cv+yISoqo=
< x-amz-request-id: 3E4B1B22DB6EE25D
x-amz-request-id: 3E4B1B22DB6EE25D
< Date: Tue, 25 Aug 2020 19:32:49 GMT
Date: Tue, 25 Aug 2020 19:32:49 GMT
< Last-Modified: Tue, 25 Aug 2020 15:42:18 GMT
Last-Modified: Tue, 25 Aug 2020 15:42:18 GMT
< ETag: "50521abab7a013be83ee00ded3f9f424"
ETag: "50521abab7a013be83ee00ded3f9f424"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Type: application/json
Content-Type: application/json
< Content-Length: 19
Content-Length: 19
< Server: AmazonS3
Server: AmazonS3
<
{"hello": "world"}
* Connection #0 to host cloudfront-https-demo.s3-eu-west-1.amazonaws.com left intact
(我将index.json文件推送到了存储桶中)
但有点 也很好,因为尽管我在模板中指定了https-only-
(env) justin@justin-XPS-13-9360:~/work/gists/ae46e471eb0e10e877731d787a9fbc2a$ curl -iv http://cloudfront-https-demo.s3-eu-west-1.amazonaws.com/index.json
* Trying 52.218.88.232...
* TCP_NODELAY set
* Connected to cloudfront-https-demo.s3-eu-west-1.amazonaws.com (52.218.88.232) port 80 (#0)
> GET /index.json HTTP/1.1
> Host: cloudfront-https-demo.s3-eu-west-1.amazonaws.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< x-amz-id-2: 9MKgLpvr1BmjF49D98VGThFi0JN4wUzAtIaocNh/8DTss54Zlo+/WFMymbLTdKpUoN0fvvLpMLg=
x-amz-id-2: 9MKgLpvr1BmjF49D98VGThFi0JN4wUzAtIaocNh/8DTss54Zlo+/WFMymbLTdKpUoN0fvvLpMLg=
< x-amz-request-id: 5H1V5SBZAJAY2QAW
x-amz-request-id: 5H1V5SBZAJAY2QAW
< Date: Tue, 25 Aug 2020 19:33:27 GMT
Date: Tue, 25 Aug 2020 19:33:27 GMT
< Last-Modified: Tue, 25 Aug 2020 15:42:18 GMT
Last-Modified: Tue, 25 Aug 2020 15:42:18 GMT
< ETag: "50521abab7a013be83ee00ded3f9f424"
ETag: "50521abab7a013be83ee00ded3f9f424"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Type: application/json
Content-Type: application/json
< Content-Length: 19
Content-Length: 19
< Server: AmazonS3
Server: AmazonS3
<
{"hello": "world"}
* Connection #0 to host cloudfront-https-demo.s3-eu-west-1.amazonaws.com left intact
我需要对模板做些什么以关闭纯HTTP /仅让我使用HTTPS?
---
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
AppName:
Type: String
Resources:
CloudFrontOAI:
Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
Properties:
CloudFrontOriginAccessIdentityConfig:
Comment: access-identity-passport-front.s3.amazonaws.com
SiteCloudFrontDist:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Enabled: true
DefaultRootObject: index.json
Origins:
- DomainName:
Fn::Sub:
- ${app_name}.s3.amazonaws.com
- app_name:
Ref: AppName
Id:
Fn::Sub:
- ${app_name}-site-cf-origin
- app_name:
Ref: AppName
S3OriginConfig:
OriginAccessIdentity:
Fn::Sub:
- origin-access-identity/cloudfront/${oai}
- oai:
Ref: CloudFrontOAI
DefaultCacheBehavior:
AllowedMethods:
- HEAD
- GET
- OPTIONS
ForwardedValues:
QueryString: false
TargetOriginId:
Fn::Sub:
- ${app_name}-site-cf-origin
- app_name:
Ref: AppName
ViewerProtocolPolicy: https-only
ViewerCertificate:
CloudFrontDefaultCertificate: true
SiteBucket:
Type: AWS::S3::Bucket
Properties:
BucketName:
Ref: AppName # NB same as app for URL convenience
SiteBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: SiteBucket
PolicyDocument:
Statement:
- Action: s3:GetObject
Effect: Allow
Principal: '*'
Resource:
Fn::Sub:
- arn:aws:s3:::${bucket_name}/*
- bucket_name:
Ref: SiteBucket
Version: '2012-10-17'
答案 0 :(得分:0)
在两种情况下,您都使用域:
cloudfront-https-demo.s3-eu-west-1.amazonaws.com
这不是CloudFront域,它具有format,例如:
d111111abcdef8.cloudfront.net
在我看来您正在使用以下形式的网址:
https://<bucket name>.s3-<AWS Region>.amazonaws.com/<object name>
但是,这不是docs中指示的 CloudFront URL :
使用您的Amazon S3 URL验证您的内容可公开访问,但是请记住,这不是您准备在CloudFront分发内容时将使用的URL 。
>
答案 1 :(得分:0)
需要修改存储桶策略以禁用非安全连接-
start chrome --start-maximized /force-device-scale-factor=1 "https://www.google.es"