AWS限制从Cloudfront到负载均衡器的访问

本文介绍了AWS限制从Cloudfront到负载均衡器的访问的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我正在将Cloudfront与负载均衡和ec2实例一起使用。

I'm using Cloudfront with load balancing and ec2 instances.

在AWS中，我的负载均衡器接受来自所有http连接的流量。可以限制仅接受我的Cloudfront发行版中的http连接吗？以及我该怎么做？

In AWS, my load balancer accepts traffic from all http connections. It is possible to restrict that to accept only http connections from my Cloudfront distributions ? And how can I do that ?

谢谢。

推荐答案

AFAIK ，您不能在第3层上执行此操作，因为ELB允许从任何位置（0.0.0.0/0）进行访问。

AFAIK, you can't do this at layer 3 as an ELB will allow access from anywhere (0.0.0.0/0).

如果您运行的是Apache并且可以找到一个特定的标题，该标题将在Cloudfront中使用/设置，然后您可以在第7层使用mod_headers进行此操作。

If you're running Apache and can find a specific header that cloudfront uses/sets then you could do this at layer 7 using mod_headers.

根据 docs.aws.amazon/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html cloudfront将设置标题 Via 到 1.1 alphanumeric-string.cloudfront ，因此您可以通过以下操作在虚拟主机中进行匹配：

According to docs.aws.amazon/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html cloudfront will set the Header Via to 1.1 alphanumeric-string.cloudfront, so you could match this in your virtualhost by doing something like:

SetEnvIf Via "^1\.1\ [a-z0-9]+\.cloudfront\$ VIA_CLOUDFRONT <LocationMatch /origin/> Options -Indexes Order deny,allow Deny from all # allow from cloudfront only Allow from env=VIA_CLOUDFRONT </LocationMatch>