My notes while I set up CloudFront. Aside from learning, my main purpose is to add https to my http://jimnelson.us site which is currently hosted in an S3 bucket.
I can’t quite tell whether or not I can use TLS with Route53, but I’m using Hurricane Electric DNS as slave servers to my home-based DNS for now.
Otherwise, the options are:
- CloudFront - Probably overkill for a site that was perfectly well-served from my home static IP, but it seems the most straightforward way to get https for my S3-bucket-hosted site.
- Elastic Beanstalk - At first glance I can’t see a way to point this at an S3 bucket. EB seems to assume/require a VM or container to spin up to load balance.
- Set up my own VM or container to be a front end. This is likely more complex and more expensive than the other options aside from using my home setup, but then I might as well host from home (as I do with most of my sites, anyway).
- Just thought of this while typing this list: can I make Lambda do this? Will have to check that out later.
- Security options to check out (not for this site, but for future knowledge)
  - Signed URLs
  - Signed cookies
  - AWS WAF Web ACLs
When requesting custom cert:
- It emails the contacts registered in DNS
After requesting I also spotted an import certificate option. I should try adding another cert to a test site sometime.
- I can’t seem to immediately assign the cert to my in-process CloudFront setup. Maybe I can add it later?
- Huh. I went back later, and my cert is in the box but the radio button is grayed out. But I’m not sure the distribution is ready yet.
- IPv6 is available. Yay!
- I am unreasonably giddy at fetching my page via the CloudFront URL
- But the status is still “In Progress” 10 minutes later, and the cert is the *.cloudfront.com cert
- Checking CloudWatch while waiting on the distribution to finish. I have 6 metrics for my distribution ID but no new logs (yet).
- Oh, right. I think I had to specify an S3 bucket and folder for the logs. Well, they aren’t there yet, either.
- It took about 30 minutes for the distribution to deploy. I still can’t change the SSL to custom. I guess I’ll give it some more time and check back later.
My first 404 check returned a 403 instead. I can set custom error pages, but this confuses me.

```xml
<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
  <RequestId>2CADEC308CE02043</RequestId>
  <HostId>Z8zKRx92fm0y9wYLB/qbe9JeZAvaNc+vMYZauAeF/P2O/V3YAkj9OHuNA4LCFzJe7fzsjs+gBJw=</HostId>
</Error>
```
- Well, the http part is working, so I’ll change www.jimnelson.us CNAME from
…Many hours later…
- Woohoo! I’m finally able to use my AWS CM cert!
- My CloudFront session had timed out this time, so I had to sign back in. I wonder if this was the trick. If this happens again, I’ll log out and back in.
- After status went back to “deployed”:
  - Changed the Behaviors -> (pattern) -> Viewer Protocol Policy from HTTP and HTTPS to Redirect HTTP to HTTPS
  - Changed canonical site url to https://www.jimnelson.us
  - Changed redirect on jimnelson.us (on home front end) to use https://www.jimnelson.us
- Cloud services don’t necessarily respond or complete instantly, or even in minutes. I’m used to home lab where I make a change and the results are immediately verifiable, measurable and logged.
- No biggie as the end goal is to automate provisioning and testing, but while ad-hoc playing around it’s a paradigm change.
- AWS can do TLS via CloudFront or Elastic Beanstalk
- Given the UI doesn’t let you view the private cert key, you can’t use AWS-issued certs outside of AWS (unless there is an API to retrieve it)
- CloudFront can route from S3 buckets (and presumably other resources; I haven’t tried this yet)
- Elastic Beanstalk seems to require spinning up VMs for any load balancing it manages.
- CloudFront-to-CloudWatch as set in the CF configuration appears to only set up metrics in CloudWatch; I think I’ll have to explicitly import the log files.
- Repeating from above: security options to check out
  - Signed URLs
  - Signed cookies
  - AWS WAF Web ACLs
- CloudFront logs are in W3C format (same as IIS)
  - I’m not seeing referer in the logs (do I recall seeing an option for this?)
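As an added example that is not part of these notes: a small parser for CloudFront standard logs (the W3C-style, tab-separated format with a `#Fields:` header) run over constructed sample records, summarising status codes, http vs https hits after the redirect change, which URIs came back 403, and whether cs(Referer) is ever populated. The log lines, distribution hostname and request ids are constructed, not taken from a real distribution.

```python
# Added example: parse CloudFront standard (W3C-style) access logs.
# The records below are constructed; only the field names are real.
from collections import Counter
from urllib.parse import unquote

FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) "
          "cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query "
          "cs(Cookie) x-edge-result-type x-edge-request-id x-host-header "
          "cs-protocol")
ROWS = [  # constructed sample requests, one list per log record
    ["2023-01-01", "12:00:00", "SEA19-C1", "512", "203.0.113.5", "GET",
     "d111111abcdef8.cloudfront.net", "/index.html", "200", "-",
     "Mozilla/5.0", "-", "-", "Hit", "req-0001", "www.jimnelson.us", "https"],
    ["2023-01-01", "12:00:05", "SEA19-C1", "0", "203.0.113.5", "GET",
     "d111111abcdef8.cloudfront.net", "/index.html", "301", "-",
     "Mozilla/5.0", "-", "-", "Redirect", "req-0002", "www.jimnelson.us", "http"],
    ["2023-01-01", "12:00:09", "SEA19-C1", "243", "203.0.113.5", "GET",
     "d111111abcdef8.cloudfront.net", "/no-such-page", "403",
     "https%3A%2F%2Fwww.jimnelson.us%2F", "Mozilla/5.0", "-", "-", "Error",
     "req-0003", "www.jimnelson.us", "https"],
]
SAMPLE_LOG = ("#Version: 1.0\n#Fields: " + FIELDS + "\n"
              + "\n".join("\t".join(r) for r in ROWS) + "\n")


def parse_cloudfront_log(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#") or not line.strip():
            continue  # version line, other directives, blank lines
        else:
            values = line.split("\t")
            if fields is None or len(values) != len(fields):
                raise ValueError("record does not match the #Fields header")
            # CloudFront writes '-' for empty values and URL-encodes the rest.
            yield {k: (None if v == "-" else unquote(v))
                   for k, v in zip(fields, values)}


def summarise(text):
    """Status mix, http-vs-https split, 403 URIs and referer presence."""
    recs = list(parse_cloudfront_log(text))
    return {
        "total": len(recs),
        "status": Counter(r["sc-status"] for r in recs),
        "protocol": Counter(r["cs-protocol"] for r in recs),
        "403_uris": [r["cs-uri-stem"] for r in recs if r["sc-status"] == "403"],
        "with_referer": sum(1 for r in recs if r["cs(Referer)"]),
    }
```

The 403 list is the quick way to spot the "404 that came back as 403" behaviour noted above, since an S3 origin answers AccessDenied for missing keys when the bucket does not grant ListBucket.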
- Fun fact: Chrome will give a certificate warning on a site for recently having bypassed a problem cert
- I did all this from my top-level AWS account, and I’m pretty sure I shouldn’t do that
  - I also didn’t have to explicitly set permissions anywhere
  - So the “to do” is to learn about IAM security and any alternatives
- Try this again with a new bucket
  - My bucket for this exercise was already set up to serve http, but I think CloudFront is using the s3:// interface to grab the files, making the http configuration superfluous
- Experiment with routes to different buckets
  - I figure on having a bucket for the site generator files and a bucket for images, videos and such that I don’t want in the generator git repo
  - And I might have reason to route to another service like search or something dynamic
- Do all this via AWS CLI and/or API, as this was all done via the AWS Console UI
  - (Well, I did check logs and updated content with AWS CLI)
- Figure out how much extra I’m paying to use CloudFront for my tiny, low-volume personal site over straight S3 http