
AWS Cloudfront for VPC/VPN

Does AWS allow using CloudFront for websites, e.g. caching web pages? The website should be accessible within the corporate VPN only. Is it a good idea to cache web pages on CloudFront when the application is restricted to one network?

As @daxlerod points out, it is possible to use the relatively new Web Application Firewall service with CloudFront to restrict access to the content, for example by IP address ranges.

And, of course, there's no requirement that the web site actually be hosted inside AWS in order to use CloudFront in front of it.

However, "will it work?" and "are all the implications of the required configuration acceptable from a security perspective?" are two different questions.

In order to use CloudFront on a site, the origin server (the web server from which CloudFront fetches content that isn't in the cache at the edge node where the content is being requested) has to be accessible from the Internet in order for CloudFront to connect to it, which means your private site has to be exposed, at some level, to the Internet.

The CloudFront IP address ranges are public information, so you could partially secure access to the origin server with the origin server's firewall, but this only prevents access from anywhere other than through CloudFront -- and that isn't enough, because if I knew the name of your "secured" server, I could create my own CloudFront distribution and access it through CloudFront, since the IP addresses would be in the same range.

The mechanism CloudFront provides for ensuring that requests came from and through an authorized CloudFront distribution is custom origin headers, which allows CloudFront to inject an unknown custom header and secret value into each request it sends to your origin server, so that your server can authenticate the fact that the request not only came from CloudFront, but from your specific CloudFront distribution. Your origin server would reject requests not accompanied by this header, without explanation, of course.

See http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/forward-custom-headers.html#forward-custom-headers-restrict-access .

And, of course, you need https between the browser and CloudFront and https between CloudFront and the origin server. It is possible to configure CloudFront to use (or require) https on the front side or the back side separately, so you will want to ensure it's configured appropriately for both, if the security considerations addressed above make it a viable solution for your needs.

For information that is not highly sensitive, this seems like a sensible approach if caching or other features of CloudFront would be beneficial to your site.

Yes, CloudFront is designed as a caching layer in front of a web site.

If you want to restrict access to CloudFront, you can use the Web Application Firewall service.

Put your website on the public network > attach a WAF rule to the CloudFront distribution > in the WAF rule, whitelist the corporate IP range and blacklist everything else.
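The two controls discussed in the answers above, as an added example (not code from the original post or from AWS): a WAF-style IP allowlist evaluated against the viewer's source address at the edge, and an origin-side WSGI middleware that verifies the custom origin header in constant time and refuses anything that did not arrive over https. The CIDR ranges, the header name `X-Origin-Verify` and the secret value are constructed for this example. The middleware is the layer that closes the gap described in the first answer: every distribution shares the published CloudFront IP ranges, so only the per-distribution secret proves that a request came through yours.

```python
"""Added example: edge IP allowlist plus origin-side custom-header check.

Layer 1 (edge, what the WAF rule does): allow only viewers whose source
address falls inside the corporate VPN egress ranges.
Layer 2 (origin): accept a request only if it carries the secret header the
CloudFront distribution injects and arrived over https; otherwise answer
403 with an empty body, giving no explanation.
"""
import hmac
import ipaddress

# Constructed corporate VPN egress ranges (documentation prefixes, not real
# allocations). In production these live in a WAF IP set, not in code.
CORPORATE_CIDRS = [
    ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")
]

# Constructed header name and secret. The real secret should be generated
# randomly (e.g. secrets.token_urlsafe(32)), set as a custom origin header on
# the distribution, and kept out of the code base so it can be rotated.
ORIGIN_HEADER = "X-Origin-Verify"
ORIGIN_SECRET = "constructed-secret-value-rotate-me"


def waf_allows_viewer(client_ip):
    """Edge rule: True only when the viewer address is inside a corporate range."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        # Malformed address: fail closed.
        return False
    return any(addr in net for net in CORPORATE_CIDRS)


def require_origin_secret(app):
    """WSGI middleware that enforces the origin-side part of the scheme."""
    # WSGI exposes header X-Origin-Verify as environ["HTTP_X_ORIGIN_VERIFY"].
    env_key = "HTTP_" + ORIGIN_HEADER.upper().replace("-", "_")

    def middleware(environ, start_response):
        presented = environ.get(env_key, "")
        over_https = environ.get("wsgi.url_scheme") == "https"
        # compare_digest keeps the comparison constant-time so the secret does
        # not leak through response timing.
        secret_ok = hmac.compare_digest(presented.encode(), ORIGIN_SECRET.encode())
        if not (over_https and secret_ok):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b""]  # reject without explanation
        return app(environ, start_response)

    return middleware


def hello_app(environ, start_response):
    """Stand-in for the real private site behind the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"internal page"]


protected_app = require_origin_secret(hello_app)


def make_environ(scheme, secret=None):
    """Build a minimal constructed WSGI environ for a request from CloudFront."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "wsgi.url_scheme": scheme}
    if secret is not None:
        environ["HTTP_X_ORIGIN_VERIFY"] = secret
    return environ


def call(app, environ):
    """Invoke a WSGI app and return (status line, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    print("viewer 203.0.113.45 allowed:", waf_allows_viewer("203.0.113.45"))
    print("viewer 192.0.2.10 allowed:", waf_allows_viewer("192.0.2.10"))
    print(call(protected_app, make_environ("https", ORIGIN_SECRET)))
    print(call(protected_app, make_environ("https", "guessed-value")))
    print(call(protected_app, make_environ("http", ORIGIN_SECRET)))
```

Run it directly to see the allowlist decisions and the three origin outcomes (valid secret over https, wrong secret, right secret over plain http). Wrap the real WSGI application the same way `hello_app` is wrapped here; the origin then ignores the source IP entirely and trusts only the per-distribution secret.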
