Amazon S3:同时使用DNS别名来存储桶+ HTTPS
[英]Amazon S3: using DNS alias to bucket + HTTPS at the same time
问题描述
I want to create an S3 bucket in the Frankfurt zone, and make the files accessible with the URL: https://files.stample.co/filename 
我想在法兰克福区创建一个S3存储桶,并使用URL访问这些文件: https://files.stample.co/filename : https://files.stample.co/filename
So I want both HTTPS, and a custom DNS alias (CNAME) at the same time. 所以我同时想要HTTPS和自定义DNS别名(CNAME)。
According to what I understand, Amazon has a wildcard certificate for URL https://*.s3.amazonaws.com . 根据我的理解,亚马逊有URL https://*.s3.amazonaws.com的通配符证书。
HTTPS / SSL HTTPS / SSL
So this wildcard will: 所以这个通配符将:
- Work for
https://stample-files.s3.amazonaws.com适用于https://stample-files.s3.amazonaws.com - Not work for
https://files.stample.co.s3.amazonaws.com不适用于https://files.stample.co.s3.amazonaws.com
So what I understand and confirmed by other StackOverflow posts is that if I want SSL to work I have to use a bucket name with no dot otherwise the Amazon certificat with wildcard won't match the bucket domain. 所以我理解并通过其他StackOverflow 帖子确认的是,如果我希望SSL工作,我必须使用没有点的存储桶名称,否则带有通配符的Amazon证书将与存储区域不匹配。
Using DNS alias / CNAME 使用DNS别名/ CNAME
On this S3 documentation , under Customizing Amazon S3 URLs with CNAMEs section: 在此S3文档中 ,在“ Customizing Amazon S3 URLs with CNAMEs部分下:
Depending on your needs, you might not want "s3.amazonaws.com" to appear on your website or service.
The bucket name must be the same as the CNAME.
This seems to be for technical reasons because otherwise Amazon can't know the bucket we try to target: 这似乎是出于技术原因,否则亚马逊无法知道我们尝试定位的存储桶:
Because Amazon S3 sees only the original host name www.example.com and is unaware of the CNAME mapping used to resolve the request, the CNAME and the bucket name must be the same.
So what I understand here is that for CNAME to work, we have to use dots in the bucketname. 所以我在这里理解的是,为了使CNAME起作用,我们必须在bucketname中使用点。
Both together ? 两者一起 ?
If I use dots in bucket name: 如果我在桶名中使用点:
- SSL won't work SSL不起作用
- CNAME will work CNAME会起作用
If I don't use dots in bucket name: 如果我不在桶名中使用点:
- SSL will work SSL会起作用
- CNAME won't work CNAME不起作用
I've tested both cases and could not make SSL and CNAME work fine together. 我已经测试了两种情况,无法使SSL和CNAME一起工作。
What can I do to make both work? 我能做些什么来使两者都有效? It seems to me that what I want to achieve is not very fancy... 在我看来,我想要实现的并不是很花哨......
2 个解决方案
解决方案1
12 2015-09-23 03:26:52
You can potentially do both, depending on what you mean by that, but it requires a change in your approach and an understanding of some S3 internals, or an understanding of why what you are trying can't possibly be expected to work. 根据您的意思,您可以同时执行这两项操作,但这需要更改您的方法并了解某些S3内部,或者理解为什么您尝试的内容不可能发挥作用。
First, to clarify, when I say you can do both, I assume you do not expect that you could create a bucket called "example.com" and then be able to access the bucket as https://example.com . 首先,澄清一下,当我说你可以做到这两点时,我假设你不要期望你可以创建一个名为“example.com”的存储桶,然后能够以https://example.com访问存储桶。
If that's what you want or expect, you are missing out on some fundamentals of SSL. 如果这是您想要或期望的,那么您就错过了一些基本的SSL。
For a web server to offer SSL, it must have an SSL certificate signed by a trusted Certificate Authority. 对于提供SSL的Web服务器,它必须具有由受信任的证书颁发机构签名的SSL证书。 This certificate not only contains a public key used for encryption, it also contains the hostname for which it is valid, and will not work for a different hostname. 此证书不仅包含用于加密的公钥,还包含有效的主机名,并且不适用于其他主机名。 SSL not only provides encryption, it also provides assurance that the web site you reached is indeed the web site you believe it to be. SSL不仅提供加密,还可以保证您访问的网站确实是您认为的网站。 For s3, the hostname in the certificate is *.s3.amazonaws.com and some regional variants, which I'll explain below. 对于s3,证书中的主机名是*.s3.amazonaws.com和一些区域变体,我将在下面解释。 The rules for hostname matching require that the * not match anything with a dot in it, so *.s3.amazonaws.com does match example-bucket.s3.amazonaws.com (no dot in the hostname component that aligns with the * ) but it does not match example.com.s3.amazonaws.com because * does not match example.com since it contains a dot. 主机名匹配规则要求* 不匹配任何带有点的内容,因此*.s3.amazonaws.com确实匹配example-bucket.s3.amazonaws.com (主机名组件中没有与*对齐的点)但它与example.com.s3.amazonaws.com不匹配,因为*与example.com不匹配,因为它包含一个点。 These rules are imposed by browsers, and this isn't a limitation in S3. 这些规则由浏览器强加,这不是S3的限制。
Now, if you are trying to use https://example.com to access your bucket, S3 alone won't enable this, because example.com by itself isn't even remotely similar to the hostname on S3's SSL certificate, which is *.s3.amazonaws.com . 现在,如果你要使用https://example.com来访问你的水桶,S3不会单独实现这一目标,因为example.com本身并不是甚至远程类似主机上S3的SSL证书,这是*.s3.amazonaws.com 。 You not only need to purchase an SSL certificate from a Certificate Authority that has been signed for use with "example.com," but you also need to install it on the web server... which, in this case, is S3... and S3 doesn't support this. 您不仅需要从已签署用于“example.com”的证书颁发机构购买SSL证书,还需要将其安装在Web服务器上......在本例中为S3。 。和S3不支持这个。
Amazon CloudFront, however, does. 但是,Amazon CloudFront可以。 You can configure a CloudFront distribution as a front-end to your bucket, and install your own SSL certificate on CloudFront, accessing the bucket over HTTPS that way. 您可以将CloudFront分配配置为存储桶的前端,并在CloudFront上安装您自己的SSL证书,通过HTTPS以这种方式访问存储桶。 In this configuration, it doesn't matter what your bucket name is -- it doesn't even have to match your domain name, because you can configure CloudFront to use whatever bucket you want. 在此配置中,您的存储桶名称无关紧要 - 它甚至不必与您的域名匹配,因为您可以将CloudFront配置为使用您想要的任何存储桶。 The browser fetches content through CloudFront, which in turn pulls the content from the bucket. 浏览器通过CloudFront获取内容,而CloudFront又从存储桶中提取内容。
Now... assuming that isn't what you're asking... assuming that you don't expect your own domain to work in SSL with Amazon's certificate... you can configure a bucket with dotted name, allowing you to create a CNAME for hosting your "example.com" content... and still access the bucket with HTTPS. 现在......假设这不是您要求的...假设您不希望自己的域在使用亚马逊证书的SSL中工作...您可以配置带有虚线名称的存储桶,允许您创建用于托管“example.com”内容的CNAME ...仍然可以使用HTTPS访问存储桶。 However, you can't access it with SSL using the CNAME, for reasons explained above... because your hostname doesn't match the one on S3's SSL cert. 但是,由于上面解释的原因,您无法使用 CNAME通过SSL访问它...因为您的主机名与S3的SSL证书上的主机名不匹配。
However, if you want to access a bucket with dots in the name over SSL, you can do this using the regional endpoint where your bucket was provisioned. 但是,如果要通过SSL访问名称中包含点的存储桶,则可以使用配置存储桶的区域端点执行此操作。
The "example.com" bucket in the us-west-2 region would be addressed by putting the bucket name in the first part if the path instead if the beginning of the hostname... like this: us-west-2区域中的“example.com”存储桶将通过将存储桶名称放在第一部分来解决,如果路径改为主机名的开头...就像这样:
https://s3-us-west-2.amazonaws.com/example.com/path/to/file.jpg
Each S3 region has at least one regional endpoint that works this way. 每个S3区域至少有一个以这种方式工作的区域端点 。 For the "US-Standard" region, the endpoints are "s3.amazonaws.com" which geographically routes to the main site in Virginia or the mirror site in Oregon, "s3-external-1.amazonaws.com" which routes only to Virginia, or "s3-external-2.amazonaws.com" which is largely undocumented but routes to the mirror in Oregon. 对于“美国标准”地区,端点是“s3.amazonaws.com”,它在地理上路由到弗吉尼亚州的主要站点或俄勒冈州的镜像站点,“s3-external-1.amazonaws.com”仅路由到弗吉尼亚州,或“s3-external-2.amazonaws.com”,这在很大程度上没有记载,但在俄勒冈州的镜子路线。
So, it is possible to access resources in a bucket with dots in the name, over HTTPS, but you have to know the bucket's region... though you cannot simply access it with https://your-cname.example.com , because of the way SSL works, in general. 因此,可以通过HTTPS访问名称中带点的存储桶中的资源,但您必须知道存储桶的区域...尽管您无法使用https://your-cname.example.com访问它,因为SSL的工作方式一般。
解决方案2
1 已采纳 2015-09-23 09:22:12
It seems it is currently not possible to do by using S3 only, but it is possible with CloudFront as it supports custom certificates. 目前似乎不可能只使用S3,但CloudFront可以支持自定义证书。
CloudFront is not very expensive and can even be cheaper than S3 in some cases. CloudFront不是很贵,在某些情况下甚至比S3便宜。 It support custom certificates for free when using SNI (however it's not supported by older browsers like < IE7, < Chrome6, < Firefox 2.0) 它在使用SNI时免费支持自定义证书(但<IE7,<Chrome6,<Firefox 2.0等旧版浏览器不支持它)
HOWTO with CloudFront HOWTO与CloudFront
I'll take as example that you want to use https://files.mydomain.com to point to an S3 bucket called mydomain-files (the bucket name does not mater and can contain dots). 我将以您希望使用https://files.mydomain.com指向名为mydomain-files的S3存储桶为例(存储桶名称不包含并且可以包含点)。
Custom certificate is required 需要自定义证书
According to "Michael - sqlbot" anwser, it is required to use a custom certificate. 根据“Michael - sqlbot”anwser,它需要使用自定义证书。 My initial assumption was that using a CNAME will permit to use Amazon S3 wildcard certificate while using my custom domain but this was false: a custom certificate is absolutly required, and is possible to setup with CloudFront only, not S3. 我最初的假设是使用CNAME将允许在使用我的自定义域时使用Amazon S3通配符证书,但这是错误的:绝对需要自定义证书,并且可以仅使用CloudFront而不是S3进行设置。
Get free certificate 获得免费证书
You can use whatever certificate provider you want but here I take StartSSL (StartCom) which provide free SSL certificates (limited to one subdomain and 1 year however). 您可以使用您想要的任何证书提供程序,但在这里我使用StartSSL (StartCom)提供免费的SSL证书(仅限于一个子域和1年)。
- Validate your ownership of domain
mydomain.com验证您对域mydomain.com的所有权 - Create certificate with domain
files.mydomain.com使用域files.mydomain.com创建证书 - Download the certificate (files.crt) and private key (files.key, encrypted with your custom password): they are in PEM format 下载证书(files.crt)和私钥(files.key,使用您的自定义密码加密):它们是PEM格式
- Decrypt the private key:
openssl rsa -in files.key -out files.key解密私钥: openssl rsa -in files.key -out files.key - Generate certificate chain with StartSSL files from here :
cat sub.class1.server.ca.pem ca.pem >> chain.crt使用此处的 StartSSL文件生成证书链: cat sub.class1.server.ca.pem ca.pem >> chain.crt
Upload certificate to AWS 将证书上载到AWS
- Install AWS CLI to upload the certificate (note the key must be unencrypted, the certificate be in PEM format, and the certificate chain is required for CloudFront). 安装AWS CLI以上载证书(请注意,密钥必须未加密,证书必须为PEM格式,CloudFront需要证书链)。 You have to choose a name and a path (choose what you want but the path should start with
/cloudfront/您必须选择名称和路径(选择您想要的但路径应以/cloudfront/开头) - Upload your certificate to AWS for Cloudfront usage, like documented here :
aws iam upload-server-certificate --server-certificate-name CUSTOM_CERTIFICATE_NAME --certificate-body file://files.crt --private-key file://files.key --certificate-chain file://chain.crt --path /cloudfront/CUSTOM_PATH/上传证书AWS为的Cloudfront使用,如记录在这里 : aws iam upload-server-certificate --server-certificate-name CUSTOM_CERTIFICATE_NAME --certificate-body file://files.crt --private-key file://files.key --certificate-chain file://chain.crt --path /cloudfront/CUSTOM_PATH/
Configure CloudFront 配置CloudFront
- Create a new Web Distribution 创建一个新的Web分发
- Use CNAME:
files.mydomain.com使用CNAME: files.mydomain.com - Select the "Custom SSL certificate" radio button and select your certificate (
CUSTOM_CERTIFICATE_NAMEyou choose when uploading)选择“自定义SSL证书”单选按钮,然后选择您的证书(上传时选择的CUSTOM_CERTIFICATE_NAME) - Select your S3 bucket as CloudFront distribution origin 选择您的S3存储桶作为CloudFront分配源
- Validate and wait for deployment to complete: you should access your bucket files with url like
https://xyzxyzxyz.cloudfront.net/file验证并等待部署完成:您应该使用https://xyzxyzxyz.cloudfront.net/file等https://xyzxyzxyz.cloudfront.net/file访问您的存储桶文件
Configure DNS 配置DNS
- Open your
mydomain.comDNS configuration打开mydomain.comDNS配置 - Add the CNAME:
files IN CNAME xyzxyzxyz.cloudfront.netfiles IN CNAME xyzxyzxyz.cloudfront.net添加CNAME:files IN CNAME xyzxyzxyz.cloudfront.net - Wait for DNS to propagate (see DNS TTL) (can be fast if new DNS entry) 等待DNS传播(参见DNS TTL)(如果新的DNS条目可以快速)
End 结束
You should now be able to access your files with https://files.mydomain.com/file . 您现在应该可以使用https://files.mydomain.com/file访问您的文件。 The certificate will be your custom certificate generated for files.mydomain.com so everything will work fine. 证书将是为files.mydomain.com生成的自定义证书,因此一切正常。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.