[英]Amazon S3: using DNS alias to bucket + HTTPS at the same time
I want to create an S3 bucket in the Frankfurt zone, and make the files accessible with the URL: https://files.stample.co/filename
我想在法兰克福区创建一个S3存储桶,并使用URL访问这些文件:
https://files.stample.co/filename
: https://files.stample.co/filename
So I want both HTTPS, and a custom DNS alias (CNAME) at the same time. 所以我同时想要HTTPS和自定义DNS别名(CNAME)。
According to what I understand, Amazon has a wildcard certificate for URL https://*.s3.amazonaws.com
. 根据我的理解,亚马逊有URL
https://*.s3.amazonaws.com
的通配符证书。
So this wildcard will: 所以这个通配符将:
https://stample-files.s3.amazonaws.com
https://stample-files.s3.amazonaws.com
https://files.stample.co.s3.amazonaws.com
https://files.stample.co.s3.amazonaws.com
So what I understand and confirmed by other StackOverflow posts is that if I want SSL to work I have to use a bucket name with no dot otherwise the Amazon certificat with wildcard won't match the bucket domain. 所以我理解并通过其他StackOverflow 帖子确认的是,如果我希望SSL工作,我必须使用没有点的存储桶名称,否则带有通配符的Amazon证书将与存储区域不匹配。
On this S3 documentation , under Customizing Amazon S3 URLs with CNAMEs
section: 在此S3文档中 ,在“
Customizing Amazon S3 URLs with CNAMEs
部分下:
Depending on your needs, you might not want "s3.amazonaws.com" to appear on your website or service.
根据您的需要,您可能不希望“s3.amazonaws.com”出现在您的网站或服务上。 For example, if you host your website images on Amazon S3, you might prefer http://images.johnsmith.net/ instead of http://johnsmith-images.s3.amazonaws.com/ .
例如,如果您在Amazon S3上托管您的网站图像,您可能更喜欢http://images.johnsmith.net/而不是http://johnsmith-images.s3.amazonaws.com/ 。
The bucket name must be the same as the CNAME.
存储桶名称必须与CNAME相同。 So http://images.johnsmith.net/filename would be the same as http://images.johnsmith.net.s3.amazonaws.com/filename if a CNAME were created to map images.johnsmith.net to images.johnsmith.net.s3.amazonaws.com.
因此,如果创建了一个CNAME来将images.johnsmith.net映射到images.johnsmith,那么http://images.johnsmith.net/filename将与http://images.johnsmith.net.s3.amazonaws.com/filename相同。 .net.s3.amazonaws.com。
This seems to be for technical reasons because otherwise Amazon can't know the bucket we try to target: 这似乎是出于技术原因,否则亚马逊无法知道我们尝试定位的存储桶:
Because Amazon S3 sees only the original host name www.example.com and is unaware of the CNAME mapping used to resolve the request, the CNAME and the bucket name must be the same.
由于Amazon S3仅看到原始主机名www.example.com,并且不知道用于解析请求的CNAME映射,因此CNAME和存储桶名称必须相同。
So what I understand here is that for CNAME to work, we have to use dots in the bucketname. 所以我在这里理解的是,为了使CNAME起作用,我们必须在bucketname中使用点。
If I use dots in bucket name: 如果我在桶名中使用点:
If I don't use dots in bucket name: 如果我不在桶名中使用点:
I've tested both cases and could not make SSL and CNAME work fine together. 我已经测试了两种情况,无法使SSL和CNAME一起工作。
What can I do to make both work? 我能做些什么来使两者都有效? It seems to me that what I want to achieve is not very fancy...
在我看来,我想要实现的并不是很花哨......
You can potentially do both, depending on what you mean by that, but it requires a change in your approach and an understanding of some S3 internals, or an understanding of why what you are trying can't possibly be expected to work. 根据您的意思,您可以同时执行这两项操作,但这需要更改您的方法并了解某些S3内部,或者理解为什么您尝试的内容不可能发挥作用。
First, to clarify, when I say you can do both, I assume you do not expect that you could create a bucket called "example.com" and then be able to access the bucket as https://example.com
. 首先,澄清一下,当我说你可以做到这两点时,我假设你不要期望你可以创建一个名为“example.com”的存储桶,然后能够以
https://example.com
访问存储桶。
If that's what you want or expect, you are missing out on some fundamentals of SSL. 如果这是您想要或期望的,那么您就错过了一些基本的SSL。
For a web server to offer SSL, it must have an SSL certificate signed by a trusted Certificate Authority. 对于提供SSL的Web服务器,它必须具有由受信任的证书颁发机构签名的SSL证书。 This certificate not only contains a public key used for encryption, it also contains the hostname for which it is valid, and will not work for a different hostname.
此证书不仅包含用于加密的公钥,还包含有效的主机名,并且不适用于其他主机名。 SSL not only provides encryption, it also provides assurance that the web site you reached is indeed the web site you believe it to be.
SSL不仅提供加密,还可以保证您访问的网站确实是您认为的网站。 For s3, the hostname in the certificate is
*.s3.amazonaws.com
and some regional variants, which I'll explain below. 对于s3,证书中的主机名是
*.s3.amazonaws.com
和一些区域变体,我将在下面解释。 The rules for hostname matching require that the *
not match anything with a dot in it, so *.s3.amazonaws.com
does match example-bucket.s3.amazonaws.com
(no dot in the hostname component that aligns with the *
) but it does not match example.com.s3.amazonaws.com
because *
does not match example.com
since it contains a dot. 主机名匹配规则要求
*
不匹配任何带有点的内容,因此*.s3.amazonaws.com
确实匹配example-bucket.s3.amazonaws.com
(主机名组件中没有与*
对齐的点)但它与example.com.s3.amazonaws.com
不匹配,因为*
与example.com
不匹配,因为它包含一个点。 These rules are imposed by browsers, and this isn't a limitation in S3. 这些规则由浏览器强加,这不是S3的限制。
Now, if you are trying to use https://example.com
to access your bucket, S3 alone won't enable this, because example.com
by itself isn't even remotely similar to the hostname on S3's SSL certificate, which is *.s3.amazonaws.com
. 现在,如果你要使用
https://example.com
来访问你的水桶,S3不会单独实现这一目标,因为example.com
本身并不是甚至远程类似主机上S3的SSL证书,这是*.s3.amazonaws.com
。 You not only need to purchase an SSL certificate from a Certificate Authority that has been signed for use with "example.com," but you also need to install it on the web server... which, in this case, is S3... and S3 doesn't support this. 您不仅需要从已签署用于“example.com”的证书颁发机构购买SSL证书,还需要将其安装在Web服务器上......在本例中为S3。 。和S3不支持这个。
Amazon CloudFront, however, does. 但是,Amazon CloudFront可以。 You can configure a CloudFront distribution as a front-end to your bucket, and install your own SSL certificate on CloudFront, accessing the bucket over HTTPS that way.
您可以将CloudFront分配配置为存储桶的前端,并在CloudFront上安装您自己的SSL证书,通过HTTPS以这种方式访问存储桶。 In this configuration, it doesn't matter what your bucket name is -- it doesn't even have to match your domain name, because you can configure CloudFront to use whatever bucket you want.
在此配置中,您的存储桶名称无关紧要 - 它甚至不必与您的域名匹配,因为您可以将CloudFront配置为使用您想要的任何存储桶。 The browser fetches content through CloudFront, which in turn pulls the content from the bucket.
浏览器通过CloudFront获取内容,而CloudFront又从存储桶中提取内容。
Now... assuming that isn't what you're asking... assuming that you don't expect your own domain to work in SSL with Amazon's certificate... you can configure a bucket with dotted name, allowing you to create a CNAME for hosting your "example.com" content... and still access the bucket with HTTPS. 现在......假设这不是您要求的...假设您不希望自己的域在使用亚马逊证书的SSL中工作...您可以配置带有虚线名称的存储桶,允许您创建用于托管“example.com”内容的CNAME ...仍然可以使用HTTPS访问存储桶。 However, you can't access it with SSL using the CNAME, for reasons explained above... because your hostname doesn't match the one on S3's SSL cert.
但是,由于上面解释的原因,您无法使用 CNAME通过SSL访问它...因为您的主机名与S3的SSL证书上的主机名不匹配。
However, if you want to access a bucket with dots in the name over SSL, you can do this using the regional endpoint where your bucket was provisioned. 但是,如果要通过SSL访问名称中包含点的存储桶,则可以使用配置存储桶的区域端点执行此操作。
The "example.com" bucket in the us-west-2 region would be addressed by putting the bucket name in the first part if the path instead if the beginning of the hostname... like this: us-west-2区域中的“example.com”存储桶将通过将存储桶名称放在第一部分来解决,如果路径改为主机名的开头...就像这样:
https://s3-us-west-2.amazonaws.com/example.com/path/to/file.jpg
Each S3 region has at least one regional endpoint that works this way. 每个S3区域至少有一个以这种方式工作的区域端点 。 For the "US-Standard" region, the endpoints are "s3.amazonaws.com" which geographically routes to the main site in Virginia or the mirror site in Oregon, "s3-external-1.amazonaws.com" which routes only to Virginia, or "s3-external-2.amazonaws.com" which is largely undocumented but routes to the mirror in Oregon.
对于“美国标准”地区,端点是“s3.amazonaws.com”,它在地理上路由到弗吉尼亚州的主要站点或俄勒冈州的镜像站点,“s3-external-1.amazonaws.com”仅路由到弗吉尼亚州,或“s3-external-2.amazonaws.com”,这在很大程度上没有记载,但在俄勒冈州的镜子路线。
So, it is possible to access resources in a bucket with dots in the name, over HTTPS, but you have to know the bucket's region... though you cannot simply access it with https://your-cname.example.com
, because of the way SSL works, in general. 因此,可以通过HTTPS访问名称中带点的存储桶中的资源,但您必须知道存储桶的区域...尽管您无法使用
https://your-cname.example.com
访问它,因为SSL的工作方式一般。
It seems it is currently not possible to do by using S3 only, but it is possible with CloudFront as it supports custom certificates. 目前似乎不可能只使用S3,但CloudFront可以支持自定义证书。
CloudFront is not very expensive and can even be cheaper than S3 in some cases. CloudFront不是很贵,在某些情况下甚至比S3便宜。 It support custom certificates for free when using SNI (however it's not supported by older browsers like < IE7, < Chrome6, < Firefox 2.0)
它在使用SNI时免费支持自定义证书(但<IE7,<Chrome6,<Firefox 2.0等旧版浏览器不支持它)
I'll take as example that you want to use https://files.mydomain.com
to point to an S3 bucket called mydomain-files
(the bucket name does not mater and can contain dots). 我将以您希望使用
https://files.mydomain.com
指向名为mydomain-files
的S3存储桶为例(存储桶名称不包含并且可以包含点)。
According to "Michael - sqlbot" anwser, it is required to use a custom certificate. 根据“Michael - sqlbot”anwser,它需要使用自定义证书。 My initial assumption was that using a CNAME will permit to use Amazon S3 wildcard certificate while using my custom domain but this was false: a custom certificate is absolutly required, and is possible to setup with CloudFront only, not S3.
我最初的假设是使用CNAME将允许在使用我的自定义域时使用Amazon S3通配符证书,但这是错误的:绝对需要自定义证书,并且可以仅使用CloudFront而不是S3进行设置。
You can use whatever certificate provider you want but here I take StartSSL (StartCom) which provide free SSL certificates (limited to one subdomain and 1 year however). 您可以使用您想要的任何证书提供程序,但在这里我使用StartSSL (StartCom)提供免费的SSL证书(仅限于一个子域和1年)。
mydomain.com
mydomain.com
的所有权 files.mydomain.com
files.mydomain.com
创建证书 openssl rsa -in files.key -out files.key
openssl rsa -in files.key -out files.key
cat sub.class1.server.ca.pem ca.pem >> chain.crt
cat sub.class1.server.ca.pem ca.pem >> chain.crt
/cloudfront/
/cloudfront/
开头) aws iam upload-server-certificate --server-certificate-name CUSTOM_CERTIFICATE_NAME --certificate-body file://files.crt --private-key file://files.key --certificate-chain file://chain.crt --path /cloudfront/CUSTOM_PATH/
aws iam upload-server-certificate --server-certificate-name CUSTOM_CERTIFICATE_NAME --certificate-body file://files.crt --private-key file://files.key --certificate-chain file://chain.crt --path /cloudfront/CUSTOM_PATH/
files.mydomain.com
files.mydomain.com
CUSTOM_CERTIFICATE_NAME
you choose when uploading) CUSTOM_CERTIFICATE_NAME
) https://xyzxyzxyz.cloudfront.net/file
https://xyzxyzxyz.cloudfront.net/file
等https://xyzxyzxyz.cloudfront.net/file
访问您的存储桶文件 mydomain.com
DNS configuration mydomain.com
DNS配置 files IN CNAME xyzxyzxyz.cloudfront.net
files IN CNAME xyzxyzxyz.cloudfront.net
添加CNAME: files IN CNAME xyzxyzxyz.cloudfront.net
You should now be able to access your files with https://files.mydomain.com/file
. 您现在应该可以使用
https://files.mydomain.com/file
访问您的文件。 The certificate will be your custom certificate generated for files.mydomain.com
so everything will work fine. 证书将是为
files.mydomain.com
生成的自定义证书,因此一切正常。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.