CloudFront: serving over your own SSL certificate

Posted 2024-10-20 01:09:17

Does anyone know if it's possible to serve with CloudFront over HTTPS with your own certificate while using your own CNAME?
I can't even find a way to set up my own SSL cert over S3... so I'm not sure if this is even possible.

UPDATE: If someone is interested in an update about this issue - maxcdn.com offers to host your SSL cert on your domain for only a $59 flat fee a month.

It's not Amazon, but it even supports pulling from your server and hosting forever or, if you send a cache control header, for whatever time you specify until it fetches the original URL again.

The whole offer is pretty neat. :D


Comments (5)

娇纵 2024-10-27 01:09:17

I looked into this extensively, and no, currently it's not possible to use HTTPS with CNAMEs unless you're able to ignore cert name mismatches on the client side. HTTPS works with "simple" bucket names, but CNAMEs only work with bucket names that are fully-qualified domains.

AWS is always adding new features, so I can see them being able to serve up custom certificates at some point, but there's no support for that yet.


See: http://stackoverflow.com/questions/3048236/amazon-s3-https-ssl-is-it-possible

edit: Still not possible for direct access to S3, but it is possible through CloudFront: http://aws.amazon.com/cloudfront/custom-ssl-domains/
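The name mismatch described in the answer above, as an added example that is not part of the original thread: a simplified RFC 6125 hostname check run against constructed names. The SAN lists, the bucket names, `cdn.example.com` and the distribution name are assumptions chosen for illustration, not captured certificates.

```python
# Added example: why a provider wildcard certificate does not cover a CNAME
# or a dotted bucket name. Simplified RFC 6125 matching: "*" is honoured only
# as the whole left-most label and stands for exactly one DNS label.

def name_matches(pattern: str, hostname: str) -> bool:
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans several labels
    if p[0] == "*":
        # refuse overly broad patterns such as "*.com"
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_covers(san_list, hostname: str) -> bool:
    """True if any subjectAltName entry matches the requested hostname."""
    return any(name_matches(san, hostname) for san in san_list)


# Assumed SAN lists (constructed for illustration)
S3_CERT = ["*.s3.amazonaws.com", "s3.amazonaws.com"]
CLOUDFRONT_CERT = ["*.cloudfront.net"]
CUSTOM_CERT = ["cdn.example.com"]

CASES = [
    ("mybucket.s3.amazonaws.com", S3_CERT),          # "simple" bucket name
    ("cdn.example.com.s3.amazonaws.com", S3_CERT),   # bucket named like a domain
    ("cdn.example.com", S3_CERT),                    # CNAME pointing at S3
    ("d111111abcdef8.cloudfront.net", CLOUDFRONT_CERT),
    ("cdn.example.com", CLOUDFRONT_CERT),            # CNAME, default certificate
    ("cdn.example.com", CUSTOM_CERT),                # CNAME, custom certificate
]


def report():
    """Return (hostname, first SAN, covered?) for every constructed case."""
    return [(host, sans[0], cert_covers(sans, host)) for host, sans in CASES]


if __name__ == "__main__":
    for host, san, ok in report():
        print(f"{host:40} vs {san:22} -> {'match' if ok else 'MISMATCH'}")
```

Only the rows where the certificate names the requested hostname validate, which is why a CNAME needs a certificate issued for your own domain rather than the provider's default one.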

安静被遗忘 2024-10-27 01:09:17

PLEASE NOTE THE EDITS & UPDATES BELOW
I am resurrecting this because Amazon is running a survey (as of this writing) which asks customers for feedback on their product roadmap.

See the post on this survey being available:
https://forums.aws.amazon.com/thread.jspa?threadID=26488&tstart=30

and the direct survey link:
http://aws.qualtrics.com/SE/?SID=SV_9yvAN5PK8abJIFK

EDIT: Noticed a post from June 11, 2012 that AWS had updated the survey link:

See the post on this survey being available:
https://forums.aws.amazon.com/thread.jspa?messageID=363869

New Survey Link:
http://aws.qualtrics.com/SE/?SID=SV_e4eM1cRblPaccFS

I think it is worth the time to provide them feedback about making CNAME + SSL a supported feature.

EDIT: Announced on June 11, 2013, custom SSL Certs with dedicated IPs are now supported with CloudFront on AWS:

See the feature announcement on the AWS Blog: http://aws.typepad.com/aws/2013/06/custom-ssl-domain-names-root-domain-hosting-for-amazon-cloudfront.html

One item of consideration before counting on going this route, you need to see significant value from deviating from the https://[distribution].cloudfront.net route as the pricing is $600 USD per month for hosting custom SSL certs.

EDIT: Announced on March 5, 2014, custom SSL Certs using Server Name Indication (SNI) are now supported with CloudFront on AWS -- NO ADDITIONAL CHARGE:

As wikichen noted below, AWS now supports custom SSL Certs via SNI. This is HUGE as it opens the possibility of leveraging AWS' existing infrastructure (IP addresses). As such, AWS does not charge extra for this service! To learn more, read about it on the AWS blog post: http://aws.typepad.com/aws/2014/03/server-name-indication-sni-and-http-redirection-for-amazon-cloudfront.html

One item that should be noted though: Server Name Indication (SNI) does have some drawbacks that should be considered before relying on it completely. In particular, it is not supported by some older browsers. If you want to understand this better, see: Is SNI actually used and supported in browsers?

EDIT: AWS announced on January 21, 2016, they supply custom SSL Certs for FREE!

To read about the full announcement on the AWS site: https://aws.amazon.com/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/

Amazon has announced a new service called AWS Certificate Manager, offering free SSL/TLS certificates for AWS resources.

These certificates are usually purchased from third-party certificate providers like Symantec, Comodo and RapidSSL and can cost anywhere from $50 to hundreds of dollars, depending on the level of identity verification performed.

The process of obtaining a new certificate has always been a bit messy, requiring the generation of a Certificate Signing Request on the server being protected, sending that request to a certificate provider, and then installing the certificate once it is received. Since Amazon is managing the whole process, all of that goes away and certificates can be quickly issued and provisioned on AWS resources automatically.

There are a few limitations to the certificates. Amazon only provides domain validated certificates, a simple verification where domain validation takes place via email. If you want an Extended Validation certificate, you may stick with their current certificate providers. In addition, the certificates cannot be used for code signing or email encryption.

誰認得朕 2024-10-27 01:09:17

Starting today, you can use your own SSL certificate with AWS CloudFront http://aws.typepad.com/aws/2013/06/custom-ssl-domain-names-root-domain-hosting-for-amazon-cloudfront.html

but

  1. AWS must approve your request
  2. You pay $600 per month (!) for each SSL certificate associated with one or more CloudFront distributions.

滴情不沾 2024-10-27 01:09:17

Just want to update this question with the latest AWS news. You can now use HTTPS with CNAMEs on CloudFront as it now supports custom SSL certificates using Server Name Indication (SNI).

http://aws.typepad.com/aws/2014/03/server-name-indication-sni-and-http-redirection-for-amazon-cloudfront.html

Managed to set up a free Class 1 StartSSL cert for my CloudFront distributed static site on S3 without too much trouble (see: CloudFront error when serving over HTTPS using SNI).

早乙女 2024-10-27 01:09:17

It's now possible to use your own SSL certificate for Cloudfront with no additional costs. So the 600$/m charge is gone.

From AWS newsletter:

You can now use your own SSL certificates with Amazon CloudFront at no additional charge with Server Name Indication (SNI) Custom SSL. SNI is supported by most modern browsers, and provides an efficient way to deliver content over HTTPS using your own domain and SSL certificate. You can use this feature with no additional charge for certificate management; you simply pay normal Amazon CloudFront rates for data transfer and HTTPS requests.
