My notes while I set up CloudFront. Aside from learning, my main purpose is to add https to my http://jimnelson.us site which is currently hosted in an S3 bucket.

I can’t quite tell whether or not I can use TLS with Route53, but I’m using Hurricane Electric DNS as slave servers to my home-based DNS for now.

Otherwise, the options are:

  • CloudFront -Probably overkill for a site that was perfectly well-served from my home static IP, but it seems the most straightforward way to get https for my S3-bucket-hosted site.
  • Elastic Beanstalk - At first glance I can’t see a way to point this at an S3 bucket. EB seems to assume/require a VM or container to spin up to load balance.
  • Set up my own VM or container to be a front end. This is likely more complex and more expensive than the other options aside from using my home setup, but then I might as well host from home (as I do with most of my sites, anyway).
  • Just thought of this while typing this list: can I make Lambda do this? Will have to check that out later.

Notes

  • Security options to check out (not for this site, but for future knowledge)
    • Signed URLs
    • Signed cookies
    • AWS WAF Web ACLs

When requesting custom cert:

  • It emails the contacts registered in DNS
  • After requesting I also spotted an import certificate option. I should try adding another cert to a test site sometime.

  • I can’t seem to immediately assign the cert to my in-process CloudFront setup. Maybe I can add it later?
    • Huh. I went back later, and my cert is in the box but the radio button is grayed out. But I’m not sure the distribution is ready yet.
  • IPv6 is available. Yay!
  • I am unreasonably giddy at fetching my page via the CloudFront URL
  • But the status is still “In Progress” 10 minutes later, and the cert is the *.cloudfront.com cert
  • Checking CloudWatch while waiting on the distribution to finish. I have 6 metrics for my distribution ID but no new logs (yet).
    • Oh, right. I think I had to specify an S3 bucket and folder for the logs. Well, they aren’t there yet, either.
  • It took about 30 minutes for the distribution to deploy. I still can’t change the SSL to custom. I guess I’ll give it some more time and check back later.
  • My first 404 check returned a 403 instead. I can set custom error pages, but this confuses me.

      <Error>
      <Code>AccessDenied</Code>
      <Message>Access Denied</Message>
      <RequestId>2CADEC308CE02043</RequestId>
      <HostId>
      Z8zKRx92fm0y9wYLB/qbe9JeZAvaNc+vMYZauAeF/P2O/V3YAkj9OHuNA4LCFzJe7fzsjs+gBJw=
      </HostId>
      </Error>
    
  • Well, the http part is working, so I’ll change www.jimnelson.us CNAME from www.jimnelson.us.s3-website-us-east-1.amazonaws.com. to d576c5oyv2luk.cloudfront.net.

…Many hours later…

  • Woohoo! I’m finally able to use my AWS CM cert!
    • My CloudFront session had timed out this time, so I had to sign back in. I wonder if this was the trick. If this happens again, I’ll log out and back in.
  • After status went back to “deployed”:
    • Changed the Behaviors -> (pattern) -> Viewer Protocol Policy from HTTP and HTTPS to Redirect HTTP to HTTPS
    • Changed canonical site url to https://www.jimnelson.us
    • Changed redirect on jimnelson.us (on home front end) to use https://www.jimnelson.us

Lessons Learned

  • Cloud services don’t necessarily respond or complete instantly, or even in minutes. I’m used to home lab where I make a change and the results are immediately verifiable, measurable and logged.
    • No biggie as the end goal is to automate provisioning and testing, but while ad-hoc playing around it’s a paradigm change.
  • AWS can do TLS via CloudFront or Elastic Beanstalk
  • Given the UI doesn’t let you view the private cert key, you can’t use AWS-issued certs outside of AWS (unless there is an API to retrieve it)
  • CloudFront can route from S3 buckets (and presumably other resources; I haven’t tried this yet)
  • Elastic Beanstalk seems to require spinning up VMs for any load balancing it manages.
  • CloudFront-to-CloudWatch as set in the CF configuration appears to only set up metrics in CloudWatch; I think I’ll have to explicitly import the log files.
  • Repeating from above: security options to check out
    • Signed URLs
    • Signed cookies
    • AWS WAF Web ACLs
  • CloudFront logs are in W3C format (same as IIS)
  • I’m not seeing referer in the logs (do I recall seeing an option for this?)
  • Fun fact: Chrome will give a certificate warning on a site for recently having bypassed a problem cert

To Do

  • I did all this from my top-level AWS account, and I’m pretty sure I shouldn’t do that
    • I also didn’t have to explicitly set permissions anywhere
    • So the “to do” is to learn about IAM security and any alternatives
  • Try this again with a new bucket
    • My bucket for this exercise was already set up to serve http, but I think CloudFront is using the s3:// interface to grab the files making the http configuration superfluous
  • Experiment with routes to different buckets
    • I figure on having a bucket for the site generator files and a bucket for images, videos and such that I don’t want in the generator git repo
    • And I might have reason to route to another service like search or something dynamic
  • Do all this via AWS CLI and/or API, as this was all done via the AWS Console UI
    • (Well, I did check logs and updated content with AWS CLI)
  • Figure out how much extra I’m paying to use CloudFront for my tiny, low-volume personal site over straight S3 http