问题描述
API网关(APIG)使用CloudFront(CF)时,不支持CDN边缘缓存。当我将CF发行版配置为使用APIG作为自定义来源时,出现权限拒绝错误。
API Gateway (APIG), while it uses CloudFront (CF) it does not support CDN edge caching. When I configured a CF distribution to use APIG as the custom origin, I get a permission denied error.
如何配置CF来解决此问题?
How do I configure CF to fix this?
推荐答案
直到API网关(APIG)通过内部使用CloudFront(CF)支持边缘缓存为止,我想出了一种解决方法。
Until API Gateway (APIG) supports edge caching via its internal use of CloudFront (CF), I have come up with a workaround.
您确实可以将CF dist放在APIG的前面,诀窍是仅强制HTTPS使用查看器协议策略,并且不转发HOST标头,因为APIG需要SNI。
You can indeed put CF dist in front of APIG, the trick is to force HTTPS only "Viewer Protocol Policy" AND to NOT forward the HOST header because APIG needs SNI.
我将CF默认缓存行为设置设置为不转发任何标头,并将查看器协议策略强制设置为仅HTTPS而且有效。希望这对其他人有帮助。
I setup my CF "Default Cache Behavior Settings" to not forward any headers, and forced "Viewer Protocol Policy" to "HTTPS Only" and it works. Hope this helps others.
这里是一个CloudFormation资源对象,它具有所有必需的配置(注意:我使用约定< stage>- -< app name> 表示StackName):
Here is a CloudFormation resource object that has all the required configuration (Note: I use the convention <stage>--<app name> for StackName):
CloudFront:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Enabled: true
IPV6Enabled: true
HttpVersion: http2
Comment: !Join [ '--', [!Ref 'AWS::StackName', ' Cloud Front']]
Aliases: [!Ref CloudFrontCname]
ViewerCertificate:
AcmCertificateArn: !Ref AcmCertificateArn
SslSupportMethod: sni-only
MinimumProtocolVersion: TLSv1.1_2016
Origins:
- Id: APIGOrigin
DomainName: !Sub
- ${apigId}.execute-api.${AWS::Region}.amazonaws.com
- { apigId: !Ref ApiGatewayLambdaProxy }
OriginPath: !Sub
- /${Stage}
- { Stage: !Select [ "0", !Split [ '--', !Ref 'AWS::StackName' ] ] }
CustomOriginConfig:
# HTTPPort: 80
HTTPSPort: 443
OriginProtocolPolicy: https-only
OriginCustomHeaders:
- HeaderName: 'Verify-From-Cf'
HeaderValue: !Ref VerifyFromCfHeaderVal
DefaultCacheBehavior:
AllowedMethods: ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
CachedMethods: ["GET", "HEAD", "OPTIONS"]
ForwardedValues:
Headers:
- Access-Control-Request-Headers
- Access-Control-Request-Method
- Origin
- Authorization
# - Host APIG needs to use SNI
QueryString: true
TargetOriginId: APIGOrigin
ViewerProtocolPolicy: https-only
Compress: true
DefaultTTL: 0
CustomErrorResponses:
- ErrorCachingMinTTL: 0
ErrorCode: 400
- ErrorCachingMinTTL: 1
ErrorCode: 403
- ErrorCachingMinTTL: 5
ErrorCode: 500
DNSARecord:
Type: AWS::Route53::RecordSet
Properties:
Comment: !Ref 'AWS::StackName'
Name: !Ref CloudFrontCname
Type: A
HostedZoneName: !Join ['.', [ !Select [1, !Split ['.', !Ref CloudFrontCname]], !Select [2, !Split ['.', !Ref CloudFrontCname]], '']]
AliasTarget:
HostedZoneId: !Ref Route53HostedZoneId
DNSName: !GetAtt CloudFront.DomainName
DNSAAAARecord:
Type: AWS::Route53::RecordSet
Properties:
Comment: !Ref 'AWS::StackName'
Name: !Ref CloudFrontCname
Type: AAAA
HostedZoneName: !Join ['.', [ !Select [1, !Split ['.', !Ref CloudFrontCname]], !Select [2, !Split ['.', !Ref CloudFrontCname]], '']]
AliasTarget:
HostedZoneId: !Ref Route53HostedZoneId
DNSName: !GetAtt CloudFront.DomainName
2018年末更新
- CloudFormation最终支持设置SSL协议版本:
MinimumProtocolVersion:TLSv1.1_2016 - 我已经烤好了(以及许多其他)进入OSS项目的最佳实践:
- CloudFormation finally supports setting SSL proto ver:
MinimumProtocolVersion: TLSv1.1_2016 - I've baked this (and many other) best practices into an OSS project: aws-blueprint
这篇关于如何在API网关前面添加CloudFront的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!