Saturday, 17 February 2018

AWS CloudFront

Model
  • Distribution
    • Web: DNS starts with "d" (download)
    • RTMP: DNS starts with "s" (streaming)
  • Origin - place where the authority files are stored
    • S3
    • Custom Web Server
  • Behavior
    • How CF behaves when receives request
    • Path pattern - specifies requests the behaviors applies to
    • Examples
      • Forward Headers/Cookies
      • Minimum/Default/Maximum TTL
      • Restrict Viewer Access (signed Urls only)
  • Integrated with WAF
  • Supports HTTP/2 
  • Supports IPv6
    • Using signed urls not recommended as IPv4 vs IPv6 mixture possible

Lambda@Edge
  • Ability to run lambda on CF
  • Events 
    • Viewer Request (after)
    • Origin Request (before)
    • Origin Response (after)
    • Viewer Reponse (before)
  • Use cases
    • Inspect rewrite cookies/urls
    • Support legacy urls
    • Make HTTP requests to third parties

Forwarding Requests
  • Origin does not see all request data 
  • Forwardable
    • Headers (All, Whitelisted Only)
    • Cookies
    • Query parameters
  • Forwarding allows caching different object version based on value
    • Increases cache memory footprint
  • Use cases
    • Prevent hotlinking
    • Allow CORS for everyone

TTL
  • Obey origin response headers (Cache-Control max-age, s-max-age, Expires)
    • max-age is recommended
  • Behavior can override: mininum TTL, default TTL, Maximum TTL
    • e.g. in cases when Origin does not set it properly
  • TTL-0
    • Used for Dynamic Content
    • CloudFront still caches the content
    • Makes GET If-Modified-Since every time
      • gives origin a chance to signal content hasn't changed
      • this saves bandwidth as Origin does not have to resend the page

Origin
  • S3
    • Origin Access Identity (OAI)
      • special CF user associated with customer Distribution-Origin
        • "Principal":{"CanonicalUser":"79a59d8f8d5218e7cd47ef2be"},
      • change S3 bucket policy to only allow OAI
  • Custom (customer own Web Server)
  • Multiple origins
    • First match (based on path) wins
    • Requires cache behavior for each origin

Signing
  • Restrict access with signed urls or/and signed cookies
    • Date/Time
    • IPs
    • Requires: CloudFront Key-Pair
  • Signed Url
    • Restrict access to individual files
    • Query parameters: Expires, Policy, Signature, Key-Pair-Id
  • Signed Cookies
    • Not supported for RTMP
    • No need to change urls
    • Restrict access to multiple files at once
      • e.g. HLS stream (multiple file segments)
    • User authenticates on customer site which sets her browser's Signed Cookie
  • Process
    • Create public-private key-pair
    • Upload to account (via Console)
    • Indicate which AWS accounts can sign (Trusted Signer)
    • Create policy document (i.e. rules of access)
      • SHA1 of policy document signed with private key
    • Include encoded policy document + signature as query string parameters
    • CloudFront verifies policy/signature on access 
  • Account Id added to 
    • Web - behavior  (can have multiple behaviors)
    • RTMP - distribution

Trusted Signer
  • AWS account with an active CloudFront Key Pair
  • Key Pair allowed for root account only (not IAM user)
  • Max 2 active key pairs at a time
  • Possible to upload your own RSA key

Geoblocking
  • Built-in: country-level (~99.8% accuracy)
  • ThirdParty
    • Use your webserver to build links 

Compression
  • Supported natively 
  • Compressed by edge locations
  • Compressible files 1,000 bytes - 10,000,000 bytes
  • ETAGs are stripped (as "compressed vs non-compressed" should have different values)
  • Enabled on Behavior
  • Custom Origin Compressions
    • Still use when file type not supported by CF

Invalidation
  • Expensive
  • Supports wildcards
    • e.g. "/images/hi-res/*"

SSL
  • Custom SSL certificates 
    • Dedicated IP - 600$/month
    • SNI - only newer browsers support them
  • Supports ACM certificates
  • Supports Redirection HTTP->HTTPS on the edge
  • Communitcation to Origin 
    • Match Viewer
    • Enforce HTTPS
    • Enforce HTTP

Pricing
  • Classes 
    • All (us, eu, ap-northeast, ap-southeast-1, ap-southeast-2, sa-east)
    • 200 (us, eu, ap-northeast, ap-southeast-1)
    • 100 (us, eu)
    • Viewers in locations not covered in price class see larger latency
  • Reserved Capacity available

Can act as reverse proxy
  • May sit in front of dynamic website
    • cache only certain portions based on rules
    • works like Varnish
  • Header "X-Forwarded-Proto" useful to decide http vs https on origin

Header manipulation
  • Custom Headers can be added/overridden
  • Use case:
    • Add  X-Shared-Secret=****** to allow Origin verify the request is from CF
    • Add CORS headers (bypass user)

Field-level Encryption
  • Ability to encrypt HTML Forms fields at the edge
  • Keys
    • Public RSA provided by customer to CloudFront
    • Private RSA secured by user (e.g. Pameter Store+KMS)
  • Use cases
    • PCI compliance

References
at

No comments:

Post a Comment