How to force CloudFront to make all requests to the origin over HTTPS?
Posted: 2021-09-02 17:27:43

Question: The CloudFront distribution for my site https://phillhocking.com is showing some strange behaviour.

The distribution is managed by Terraform; the code I use to instantiate it is below:
resource "aws_cloudfront_distribution" "ghost-lightsail" {
  price_class = "PriceClass_100"

  origin {
    domain_name = var.cloudfront_glue
    origin_id   = "${var.name}-origin"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "http-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "/"

  # lifecycle {
  #   prevent_destroy = true
  # }

  aliases = [var.domain_name]

  default_cache_behavior {
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "${var.name}-origin"
    compress         = true

    forwarded_values {
      query_string = true
      headers      = ["*"]

      cookies {
        forward = "all"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

  ordered_cache_behavior {
    path_pattern     = "assets/*"
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "${var.name}-origin"
    compress         = true

    forwarded_values {
      query_string = true
      headers      = ["*"]

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

  ordered_cache_behavior {
    path_pattern     = "content/*"
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "${var.name}-origin"
    compress         = true

    forwarded_values {
      query_string = true
      headers      = ["*"]

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

  ordered_cache_behavior {
    path_pattern     = "public/*"
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "${var.name}-origin"
    compress         = true

    forwarded_values {
      query_string = true

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

  ordered_cache_behavior {
    path_pattern     = "img_responsive/*"
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "${var.name}-origin"
    compress         = true

    forwarded_values {
      query_string = true

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

  tags = {
    Environment = "${var.name}-dev"
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn      = var.cloudfront_ssl_acm_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.1_2016"
  }
}
The whole project is here: https://github.com/phillhocking/aws-ghost/tree/dev

You'll notice that redirect-to-https is set for every content type; however, it still tries to load any image on the Lightsail instance over http for new posts, and I'm not sure how to diagnose or troubleshoot this further. My goal is to avoid doing any sysadmin work on the Lightsail instance and to solve this through the CloudFront distribution.

This only happens on one particular post: https://phillhocking.com/new-linkedin-feature-request/
Note the content from the CDN distribution is requesting an http:// image
When you click those links in the developer pane, they open the image without any problem. Why doesn't the CloudFront distribution manage this behaviour from the origin automatically?

Question comments:
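Added example (not code from the question or the linked repository): the question's `origin` block as posted, beside the same block with the setting that makes CloudFront itself fetch from the origin over TLS. It assumes the Lightsail origin serves HTTPS on 443 with a publicly trusted certificate whose name matches `var.cloudfront_glue`; CloudFront validates the origin certificate and answers viewers with a 502 if that validation fails.

```hcl
# Added example, not the post's or the repository's code. Only the origin
# block differs from the question's resource; everything else stays as is.
# Assumption: the origin behind var.cloudfront_glue presents a certificate
# from a public CA that matches that name, otherwise CloudFront returns 502.

# As posted: viewers are redirected to HTTPS (viewer_protocol_policy), but
# every CloudFront-to-origin fetch is plain HTTP on http_port, so the origin
# application only ever sees http:// requests.
origin {
  domain_name = var.cloudfront_glue
  origin_id   = "${var.name}-origin"

  custom_origin_config {
    http_port              = 80
    https_port             = 443
    origin_protocol_policy = "http-only"
    origin_ssl_protocols   = ["TLSv1.2"]
  }
}

# Hardened: CloudFront connects to the origin over TLS on https_port only,
# negotiating only the versions in origin_ssl_protocols. The remaining
# value, "match-viewer", reuses the viewer's scheme instead of pinning TLS.
origin {
  domain_name = var.cloudfront_glue
  origin_id   = "${var.name}-origin"

  custom_origin_config {
    http_port              = 80
    https_port             = 443
    origin_protocol_policy = "https-only"
    origin_ssl_protocols   = ["TLSv1.2"]
  }
}
```

Only one of the two blocks belongs in the resource, and it governs only the CloudFront-to-origin hop: the scheme the origin application writes into its own HTML links comes from that application's configured site URL (and any forwarded-protocol header it honours), not from CloudFront. The same review would also flag `minimum_protocol_version = "TLSv1.1_2016"` in `viewer_certificate`, where CloudFront accepts `TLSv1.2_2021`.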
Oh, I just noticed that other pages have the same problem, but Chrome (Chromium) "auto-upgrades" the requests to https://. I don't know why that doesn't happen on the other post.

Answer 1:
The redirect is working fine. You can't fetch the image over http, only over https. But that only takes effect when you actually try to fetch the image.

I think Chrome just inspects your page's source, sees the images or some links using http, and stops there. It doesn't try to actually fetch the image and follow the redirect from http to https.

Discussion:
Hey @Marcin, thanks for the reply. I noticed that it actually "auto-upgrades" some images to https://, for example phillhocking.com/deploying-salt-minion-on-windows. Is there a way to force the CloudFront distribution to serve these as https:// without having to touch the origin to put rewrite rules in place? The Bitnami container is so convoluted that every time I touch it, it redirects everything and I end up with "too many redirects".

Here is an example of the "auto-upgrade to https" behaviour: imgur.com/a/d6v8Rdw

@phillhocking I don't know. Normally you would fix your website and change its source to use https. If it's WordPress, maybe there's an easy way?

It's a Bitnami Lightsail appliance; it seems they've set it up to handle http/https itself, and when you try to set the http appliance to have an https prefix it seems to introduce this bug, which is really frustrating: community.bitnami.com/t/…