Cloudfront证书和主机名:它们可以不同吗?
[英]Cloudfront certificate and hostname: can they be different?
问题描述
I have a certificate in IAM, registered to the hostname azb.hostname.com. 
我在IAM中有一个证书,已注册到主机名azb.hostname.com。 Then I have 2 cloudfront distributions, with auto hostnames, something like d727.cloudfront.net and d838.cloudfront.net. 然后,我有两个带有自动主机名的cloudfront发行版,例如d727.cloudfront.net和d838.cloudfront.net。
By default the certificate provided by cloudfront does not support TLSv1.1+ so I have to assign a custom certificate. 默认情况下,cloudfront提供的证书不支持TLSv1.1 +,因此我必须分配一个自定义证书。 I tried to use my certificate on one of them and...it works! 我尝试对其中之一使用我的证书,并且...有效!
What I can't understand is why the cloudfront is still available on its default hostname *.cloudfront.net: shouldn't it have become azb.hostname.com? 我不明白的是,为什么Cloudfront仍可以在其默认主机名* .cloudfront.net上使用:它不应该成为azb.hostname.com吗? And can I assign the same certificate to both of them? 我可以为他们两个分配相同的证书吗? Will they keep working? 他们会继续工作吗?
1 个解决方案
解决方案1
1 已采纳 2019-06-24 07:40:12
CloudFront will be available with *.cloudfront.net even though you have added your own cert and has added your domain in Alternate domain filed, this is expected. 即使您已经添加了自己的证书并将域添加到了备用域中,也可以在* .cloudfront.net中使用CloudFront。 if you don't want that , you probably need to add a WAF to read HOST header and if it's d1234xxx.cloudfront.net, block it. 如果您不希望这样做,则可能需要添加一个WAF来读取HOST标头,如果它是d1234xxx.cloudfront.net,则将其阻止。
You can use IAM/Cert with multiple distributions, it will not cause any problem. 您可以将IAM / Cert用于多个发行版,这不会造成任何问题。
Also, accessing d123.cloudfront.net supports tls1.1 and tls1.2 and I think recently, you can also restrict tls version as well. 另外,访问d123.cloudfront.net支持tls1.1和tls1.2,我认为最近还可以限制tls版本。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.