I'm using CloudFront with load balancing and EC2 instances.
In AWS, my load balancer accepts traffic from all HTTP connections. Is it possible to restrict that to accept only HTTP connections from my CloudFront distributions? And how can I do that?
Thanks.
Recommended answer
AFAIK, you can't do this at layer 3 as an ELB will allow access from anywhere (0.0.0.0/0).
If you're running Apache and can find a specific header that CloudFront uses/sets, then you could do this at layer 7 using mod_headers.
According to https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html, CloudFront will set the header Via to 1.1 alphanumeric-string.cloudfront.net, so you could match this in your virtualhost by doing something like:
    # Set VIA_CLOUDFRONT when the Via header has the CloudFront form
    SetEnvIf Via "^1\.1\ [a-z0-9]+\.cloudfront\.net$" VIA_CLOUDFRONT
    <LocationMatch /origin/>
        Options -Indexes
        Order deny,allow
        Deny from all
        # allow from cloudfront only
        Allow from env=VIA_CLOUDFRONT
    </LocationMatch>
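An added example, not part of the original answer: a small Python harness that replays the answer's Via pattern against constructed header values, so you can see which requests the rule would admit before enforcing it. The sample header values, `origin_decision` and `audit` are made up for this example, and the pattern assumes the garbled original ended in `\.cloudfront\.net$`.

```python
import re

# Pattern from the SetEnvIf line above. Assumption: the garbled original
# ended in "\.cloudfront\.net$" with a closing quote.
VIA_CLOUDFRONT = re.compile(r"^1\.1\ [a-z0-9]+\.cloudfront\.net$")


def origin_decision(headers):
    """Mirror 'Deny from all' plus 'Allow from env=VIA_CLOUDFRONT'."""
    via = headers.get("Via", "")  # a missing header never matches
    return "allow" if VIA_CLOUDFRONT.search(via) else "deny"


# Constructed sample requests (header values are made up for this example).
SAMPLES = [
    ("exact form named in the answer",
     {"Via": "1.1 1a2b3c4d5e6f.cloudfront.net"}),
    ("no Via header", {}),
    ("trailing comment after the host",
     {"Via": "1.1 1a2b3c4d5e6f.cloudfront.net (CloudFront)"}),
    ("earlier proxy in the chain",
     {"Via": "1.1 proxy.example, 1.1 1a2b3c4d5e6f.cloudfront.net"}),
    ("upper-case host (SetEnvIf is case-sensitive)",
     {"Via": "1.1 1A2B3C4D5E6F.cloudfront.net"}),
    ("different protocol version",
     {"Via": "2.0 1a2b3c4d5e6f.cloudfront.net"}),
    ("look-alike suffix",
     {"Via": "1.1 1a2b3c.cloudfront.net.example.org"}),
]


def audit(samples=SAMPLES):
    """Return (label, decision) for each sample request."""
    return [(label, origin_decision(headers)) for label, headers in samples]


if __name__ == "__main__":
    for label, decision in audit():
        print(f"{decision:5}  {label}")
```

Only the exact form is admitted: the `^` and `$` anchors reject a Via value that carries a trailing comment or an earlier hop, so compare the pattern with the header your origin actually receives before enforcing it. The decision rests on header text alone, so treat it as a filter rather than proof of who sent the request.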