I want to host a HTTPS-only static website using Amazon S3 and GoDaddy. Here's what I've done so far:
a) Created S3 static website at Amazon
b) Added S3 static URL at GoDaddy's CNAME records
CNAME **NAME**: *WWW* and **HOST** : *mywebsite.com.s3-website.ap-south-1.amazonaws.com*
c) Then in forwading **Domain** section added http://mywebsite.com
Now, I can access my website using http://mywebsite.com address. However, I want the site to be available via HTTPS only, for which I bought an SSL certificate from GoDaddy. And did setup on GoDaddy.
Now, the question is:
Is there a way to have an automatic http to https redirect with this setup?
You need to use CloudFront to serve HTTPS requests for an Amazon S3 Bucket. Amazon published Key Differences Between the Amazon Website and the REST API Endpoint to highlight website hosting on s3 does not support SSL connections.
However, this tutorial by Amazon will walk you through creating a CloudFront distribution to serve s3 content using HTTPS.
Related
I have my site (www.mycompany.com.ar) hosted on my data center. We develop an static site and put it on www.mycompany.com.ar/myapp. In my country connectivity issues are an everyday thing, so we decided to host a cloud version in AWS S3 and keep both versions working. The domain is handled by our internet provider, how can I map the S3 bucket to a subdomain?
I bought a domain (xyz.com) from some domain provider.
I pointed its nameserver to Cloudflare to host dns.
I created an S3 bucket with name (xyz.com) and hosted my static website on it.
I added a CNAME record on cloudflare to point to the static website url of bucket.
Everything is working fine till here. (xyz.com) opens the static website hosted on S3 bucket.
Now I want to create (api.xyz.com) for AWS API Gateway custom domain.
I want API Gateway to trigger Lambda so that it computes and return back the result.
For above I added another CNAME record in cloudflare so that AWS ACM is able to issue me a certificate for (api.xyz.com). After few minutes ACM was able to issue me a certificate.
Now I added the custom domain in API Gateway and selected the above ACM certificate.
When I make http GET call to my api chrome shows:
This site can’t be reached
api.xyz.com’s server IP address could not be found.
DNS_PROBE_FINISHED_NXDOMAIN
How to fix this?
I am a beginner and maybe I am using some terms wrong. Please Ignore
Create a CNAME record to your api gateway and make sure you hit it using https
Let’s assume that I have a S3 hosted website. Aside from that I have an EC2 that would be to receive http requests from that website. Is there a way that I can set up a security group so that that EC2 can only receive http requests from that website? I know that if the website was hosted on another EC2 I could this vos the IP address or a load balancer, I’m just not sure how to go about it in the S3 website case.
When you launch a website on S3 you will have all Static front-end Contents being served (Just like having a pure HTML/CSS/Javascript website with no Webserver on your local Machine). Means all the calls, XHRs or embedded resource pointing to your EC2 instance are requests which are generated by visitors Browsers with Network Source of their IP with the Origin of "S3 or If you place a CloudFront on S3 it will be CloudFront as Origin in HTTP Headers) communicating with the Destination Target of EC2 (Where you have your WebServer serving on port 80or443). There is no SG that could be applied on the Bucket. However, S3 Buckets can be configured with a Policy to white-list certain IPs address to access Bucket Content and subsequently the Static Web content hosted on it. You can Also enforce CORS policy and have conditions to check Referees and Origins.
Putting aside the Bucket Level Policy, IP White listing, CORS and Condition Restrictions If you serve your Web S3 Bucket from a CloudFront Distribution you can apply GEOIP restriction Rules at the CloudFront level as well.
Just in case if say like you have an API server on EC2 which is going to be called by your CloudFront Domain you can Apply some access control at both CloudFront and EC2 Web level to enforce tightened CORS policies. I.e. Other Websites on the Internet can not Hijack your API service or do CSRF attacks(again as a Browser Level Protection Only).
I have hosted my static website in S3 bucket using angular5 and mapped to a custom domain using Route53. I want to have SSL/TLS(HTTPS) for my site, so I used ACM to generate the certificate and mapped it to my site using CloudFront. The ACM status is issued and it says it's in use. but my website is not HTTPS enabled.
Everything is hosted in us-east-1, I am accessing my site from East-Asia. Is this an issue?
Am I missing something?
The ACM certificate for CloudFront should have been generated in the N.Virginia region. Then you should be able to assign it to your CloudFront distribution.
In your CloudFront distribution Origin, you should set the "Origin Protocol Policy" parameter to "HTTPS Only" if you want to use HTTPS between CloudFront and your S3 bucket.
In your CloudFront distribution Cache Behavior, you should set the "Viewer Protocol Policy" parameter to "Redirect HTTP to HTTPS" so that every HTTP communication between the clients and your CloudFront distribution is redirected to use HTTPS.
Then you would have to change your DNS record to point to the CloudFront distribution CNAME.
Additionally you could configure your CloudFront distribution and your S3 bucket to restrict access directly from the clients to the S3 buckets, so that every request goes through your ClouddFront distribution.
Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content
Typically, if you're using an Amazon S3 bucket as the origin for a
CloudFront distribution, you grant everyone permission to read the
objects in your bucket. This allows anyone to access your objects
either through CloudFront or using the Amazon S3 URL. CloudFront
doesn't expose Amazon S3 URLs, but your users might have those URLs if
your application serves any objects directly from Amazon S3 or if
anyone gives out direct links to specific objects in Amazon S3
wanted to enable https on my subdomain, with static site hosting.
Some how s3 throws up :
a.example.com uses an invalid certificate. The certificate is only valid for the following names: *.s3.amazonaws.com, s3.amazonaws.com. error Code : SSL_ERROR_BAD_CERT_DOMAIN
S3 doesn't directly support SSL with a custom domain name on a static web site. This feature is provided by CloudFront, which you configure in front of the S3 bucket.
http://docs.aws.amazon.com/AmazonS3/latest/dev/website-hosting-cloudfront-walkthrough.html
After configuring CloudFront, you then need to go to Amazon Certificate Manager, ensure that the selected region is us-east-1¹ and either obtain a new SSL certficate, or import the certificate you purchased from a third party vendor.
http://docs.aws.amazon.com/acm/latest/userguide/gs.html
Then, configure the CloudFront distribution to use the certificate from ACM.
¹ us-east-1. Because of the internal design of CloudFront's integration with ACM, you always select us-east-1 in Amazon Certificate Manager regardless of the region where your S3 bucket is located. This does not have any pricing or performance implications.