我已经设置了一个多租户应用程序,应该可以通过子域(例如https://client1.example.at )向客户端提供。 对* .example.at的请求通过Route 53路由到负载均衡器。负载均衡器具有AWS签名通配符证书(例如,支持example.at和* .example.at)。 从这一方面来说,一切都按预期工作,我可以访问https : //client1.example.at,https://client2.example.at等。
基于此设置,我想将没有子域(除了www)的特定请求(例如https://www.example.at或https://example.at )路由到存储桶(也称为www.example.com)而不是负载均衡器(我只想为“主域”的请求提供静态站点)。 它可以工作,但我只能在不使用HTTPS的情况下访问www.example.at和example.at。 我的设置如下:
然后我发现我必须使用Cloudfront才能将HTTPS用于带有S3存储桶的自定义域(如果这是正确的?)。 现在我有几个问题:
是否有必要使用Cloudfront通过HTTPS为我的S3存储桶提供www.example.at和example.at的内容? 如果需要Cloudfront,那么我必须根据官方AWS文档为USEx EAST区域的www.example.at和example.at申请新证书。 是否可以使用AWS证书管理器为同一域创建两个证书,或者我是否可以与此设置发生冲突? 是否可以使用* .example.at作为具有负载均衡器别名的类型记录? 一般来说,我的Route 53设置是否有效?I have set up a multi tenant application which should be available to clients via a subdomain (e.g. https://client1.example.at). Requests to *.example.at are routed to a load balancer via Route 53. The load balancer has an AWS signed wildcard certificate (e.g. supporting example.at and *.example.at). From this side, everything is working as expected and I can access https://client1.example.at, https://client2.example.at, etc.
Based on this setup, I wanted to route specific request without subdomain (except www) such as https://www.example.at or https://example.at to a bucket (which is also named www.example.com) and not to the load balancer (I just want to serve a static site for requests to the "main domain"). It works but I can only access www.example.at and example.at without using HTTPS. My setup can be seen below:
I then found out that I have to use Cloudfront in order to use HTTPS for a custom domain with S3 buckets (if that is correct?). Now I have a few questions:
Is it necessary to use Cloudfront to serve content from my S3 bucket for www.example.at and example.at via HTTPS? If Cloudfront is necessary then I have to request a new certificate for www.example.at and example.at in region US EAST according to the official AWS docs. Is it possible to create two certificates for the same domain with AWS certificate manager or can I get some conflicts with this setup? Is it ok to use *.example.at as A type record with alias to the load balancer at all? Generally speaking, is my Route 53 setup valid at all?最满意答案
我想将没有子域(除了www)的特定请求(例如https://www.example.com或https://example.com )路由到存储桶(也称为www.example.com)
除非您在S3前面使用代理(重新路由从浏览器传递的主机名),否则每个“域”必须路由到不同的存储桶,域名必须与存储桶名称匹配。 如果他们没有,那么您的请求将转到与您路由的DNS名称匹配的存储桶,则路由与S3存储桶端点的主机名无关。
换句话说,假设您的主机名是www.example.com,并且您将CNAME设置为example.com.s3.amazonaws.com(或者您可以使用网站端点,这与此示例无关)。
当请求命中DNS名称www.example.com时,它将被发送到S3主机名后面的S3服务器。 来自浏览器的请求是针对主机名“www.example.com” ,引用的实际CNAME指向S3端点是无关紧要的,因为S3从不知道浏览器用于连接S3的实际CNAME。 因此S3将尝试从www.example.com存储桶中提取请求的对象。
URL - > S3 Bucket
https://www.example.com - > s3://www.example.com https://example.com - > s3://example.com它可以工作,但我只能在不使用HTTPS的情况下访问www.example.at和example.at。
将SSL用于S3存储桶时,这样的CNAME DNS路由不起作用。 原因是S3通配符证书深度为1级(* .s3.amazonaws.com),因此您的存储桶www.example.com.s3.amazonaws.com将无法匹配它,因为它有2个以上的额外级别外卡。 因此,您的浏览器拒绝该证书作为主机名无效。
要实现此目的,您必须在S3前面使用某种代理,并使用您自己的相关域证书。
是否有必要使用Cloudfront通过HTTPS为我的S3存储桶提供www.example.at和example.at的内容?
CloudFront是使用CNAME路由DNS解决HTTPS到我们刚才提到的S3存储桶问题的绝佳选择。
如果需要Cloudfront,那么我必须根据官方AWS文档为USEx EAST区域的www.example.at和example.at申请新证书。 是否可以使用AWS证书管理器为同一域创建两个证书,或者我是否可以与此设置发生冲突?
我无法回答那个,我只能建议你试着找出会发生什么。 如果它不起作用那么它不是一个选项。 不应该花很多时间来解决这个问题。
是否可以使用* .example.at作为具有负载均衡器别名的类型记录?
为了澄清,A记录只能是IP地址,A Alias类似于CNAME(但是特定于Route53)。
我强烈推荐CNAMES(或ALIASES,它们相似)。 直接指向S3的A-Records之一是一个坏主意,因为您不知道该IP是否或何时将从服务中删除。 通过使用CNAME / ALIAS引用主机名,您不必担心这一点。 除非您可以100%确定IP仍然可用,否则您不应该引用它。
一般来说,我的Route 53设置是否有效?
我没有看到它的任何问题,基于你所描述的,听起来像事情按预期工作。
I wanted to route specific request without subdomain (except www) such as https://www.example.com or https://example.com to a bucket (which is also named www.example.com)
Each of those "domains" must route to a different bucket unless you are using a proxy (which reroutes the hostname passed from the browser) in front of S3, the domain name must match the bucket name. If they don't then your requests are going to a bucket matching the DNS name you routed from, the routing has nothing to do with the hostname of the S3 bucket endpoint.
In other words, let's say your hostname was www.example.com, and you set the CNAME to example.com.s3.amazonaws.com (or you could use the website endpoint, it doesn't matter for this example).
When a request hits the DNS name www.example.com it then is sent to the S3 server which is behind the S3 hostname. That request from the browser is for hostname "www.example.com", the actual CNAME referenced which pointed to the S3 endpoint is irrelevant because S3 never knows what actual CNAME was used to by your browser to connect to S3. So S3 will attempt to pull the requested object from the www.example.com bucket.
URL -> S3 Bucket
https://www.example.com -> s3://www.example.com https://example.com -> s3://example.comIt works but I can only access www.example.at and example.at without using HTTPS.
CNAME DNS routing like this when using SSL to an S3 bucket does not work. The reason for this is that the S3 wild card certificates are 1 level deep (*.s3.amazonaws.com) so your bucket www.example.com.s3.amazonaws.com will fail to match it because it has 2 extra levels above the wild card. So your browser rejects the certificate as invalid for the hostname.
To accomplish this you must use a proxy of some sort in front of S3 with your own certificates for the domain in question.
Is it necessary to use Cloudfront to serve content from my S3 bucket for www.example.at and example.at via HTTPS?
CloudFront is an excellent option for addressing the HTTPS with CNAME routed DNS to an S3 bucket issue we just mentioned.
If Cloudfront is necessary then I have to request a new certificate for www.example.at and example.at in region US EAST according to the official AWS docs. Is it possible to create two certificates for the same domain with AWS certificate manager or can I get some conflicts with this setup?
I can't answer that one, I can only suggest you try and find out what happens. If it doesn't work then it's not an option. It shouldn't take much time to figure this one out.
Is it ok to use *.example.at as A type record with alias to the load balancer at all?
To clarify, an A Record can only ever be an IP address, an A Alias is similar to a CNAME (but is Route53 specific).
I highly recommend CNAMES (or ALIASES, they are similar). Pointing directly at one of S3's A-Records is a bad idea because you don't know if or when that IP will be removed from service. By referencing the hostname with a CNAME/ALIAS you don't have to worry about that. Unless you can be 100% sure that the IP will remain available then you shouldn't reference it.
Generally speaking, is my Route 53 setup valid at all?
I don't see any issues with it, based on what you described it sounds like like things are working as expected.
更多推荐
发布评论