SSL on Amazon S3 as "static website" - ssl

I have a bucket on S3 that needs to utilize the "static website" functionality in order to take advantage of the routing rules capabilities. Enabling this broke the built-in SSL certificate. Is there a built-in mechanism for supporting SSL requests on the S3 bucket while using the static website hosting? It seems like a major miss in functionality if this isn't present.
Also note that I need this to function outside of CloudFront as the hosted CSS suffers from CORS issues, which only the S3 bucket can resolve with its CORS Configuration options.
Thanks.

Static hosting and SSL do not work together. You could, as you know, use the SSL wildcard cert on the REST endpoint, but then you lose routing rules. And, as you have apparently found, CloudFront's support for CORS is somewhat limited from what I can tell unless you have a very generous CORS policy.
From an AWS product manager on 2013-05-10:
Thanks for all your feedback. S3 static website hosting currently does not support SSL certificates. We may consider adding this support in the future. Please keep your feedback coming!
https://forums.aws.amazon.com/thread.jspa?threadID=60821#450167
The only noteworthy alternative that comes to mind -- which I have implemented successfully in the past -- is to use a reverse proxy (HAProxy? Nginx? Apache? Maybe even stunnel4? Others?) on EC2 in the same region to terminate the SSL and proxy the requests over to S3. In the same region, there are no bandwidth charges between EC2 and S3 so the only cost is that of the instance... which could still end up being less than the cost of using Cloudfront, and should perform comparably (without the caching aspect, of course).

Related

Is a Reverse Proxy needed for Firebase Hosting?

I am reading an article about reverse proxies. Among the benefits listed are:
Enable HTTPS support
Gzip responses
I am wondering if I should concern myself with these if I am leveraging Firebase Hosting? I wasn't able to find any information on these topics within their documentation. In short, do I need a reverse proxy with Firebase Hosting?
Firebase Hosting already uses HTTPS, and Gzips most responses.
Even if it didn't, there is no requirement to have HTTPS and/or Gzip. If you don't know whether you need them, you probably shouldn't spend time on adding them.

Serve S3 resources via http/2

Our web app that we are building is having a lot of its assets served via S3. When looking at them in Chrome they are being served via HTTP and not http/2.
Is there a config setting in S3 or a header that we could pass that would tell S3 to attempt to serve assets via http/2 if the client supports it?
I'm having issues finding any resources online about how to do this or if it's even possible.
Serve via CloudFront; there is a manual in the article:
New – HTTP/2 Support for Amazon CloudFront
Serve via your own proxy. The Nginx configuration for such magic is explained in depth here:
Nginx proxy Amazon S3 resources
In both options you should have an SSL certificate generated for the domain you use to serve resources from S3.
I guess you need direct S3 access using HTTP/2 rather than using a proxy server. I was looking for such a feature too, but it seems that AWS S3 does not have HTTP/2 support yet.
BTW, Google Cloud Storage does have this feature though.

Setting up SSL for Google Cloud Storage static website?

Is there any way to serve a static website (SPA actually) located on Google Cloud Storage via SSL, for that nice SSL address and icon for users to see?
Amazon allows this via CloudFront SNI.
Yes!
Using GCS directly via CNAME redirects only allows HTTP traffic.
To use HTTPS with your own domain, you'll need to set up Google Cloud Load Balancer, and optionally you'll want to set up Google Cloud CDN as well. While it adds a bit of complexity, Google Cloud Load Balancer allows you to fill a domain with all sorts of content. Some resources could be served by a GCS bucket, but you could also have servers in GCE serving dynamic content for other paths.
There are instructions for setting this up here: https://cloud.google.com/compute/docs/load-balancing/http/using-http-lb-with-cloud-storage.
An alternative would be to host your domain DNS server at CloudFlare. They give free HTTPS to HTTP service.
More Info:
https://www.cloudflare.com/ssl/
Adding HTTPS For Free With CloudFlare
As of April 2019: https://cloud.google.com/storage/docs/troubleshooting#https
HTTPS serving Issue: I want my content served through HTTPS.
Solution: While you can serve your content through HTTPS using direct URIs such as https://storage.googleapis.com/my-bucket/my-object, when hosting a static website using a CNAME redirect, Cloud Storage only supports HTTP. To serve your content through a custom domain over SSL, set up a load balancer, use a third-party Content Delivery Network with Cloud Storage, or serve your static website content from Firebase Hosting instead of Cloud Storage.
Pretty shocking in this day and age that, with Let's Encrypt everywhere, they have not figured out how to do this.
An alternative would be to host your SPA on Firebase. All apps have SSL included by default even those with custom domains. They also have a CLI that makes it easy to deploy!
If you're not tied to Cloud Storage, another alternative is to host your SPA directly on App Engine, using static files.
Follow this tutorial for something more comprehensive.
If you still want your SPA to be stored in a Cloud Storage bucket, you can use this project to serve it through App Engine. You can host multiple websites with a single app, in fact.
Using App Engine either way, you'll get a free managed certificate, and a free monthly allowance.
For simplicity use Firebase; the command to update is ssh firebase deploy. I've done a few thousand HTML files in a matter of seconds.
I would also recommend the free service CloudFlare provides as well for an extra level of protection.

How to Configure SSL for Amazon S3 bucket

I am using an Amazon S3 bucket for uploading and downloading of data using my .NET application. Now my question is: I want to access my S3 bucket using SSL. Is it possible to implement SSL for an Amazon S3 bucket?
You can access your files via SSL like this:
https://s3.amazonaws.com/bucket_name/images/logo.gif
If you use a custom domain for your bucket, you can use S3 and CloudFront together with your own SSL certificate (or generate a free one via Amazon Certificate Manager): http://aws.amazon.com/cloudfront/custom-ssl-domains/
Custom domain SSL certs were just added today for $600/cert/month. Sign up for your invite below:
http://aws.amazon.com/cloudfront/custom-ssl-domains/
Update: SNI customer provided certs are now available for no additional charge. Much cheaper than $600/mo, and with XP nearly killed off, it should work well for most use cases.
@skalee AWS has a mechanism for achieving what the poster asks for, "implement SSL for an Amazon s3 bucket": it's called CloudFront. I'm reading "implement" as "use my SSL certs," not "just put an S on the HTTP URL," which I'm sure the OP could have surmised.
Since CloudFront costs exactly the same as S3 ($0.12/GB), but has a ton of additional features around SSL AND allows you to add your own SNI cert at no additional cost, it's the obvious fix for "implementing SSL" on your domain.
I found you can do this easily via the CloudFlare service.
Set up a bucket, enable web hosting on the bucket and point the desired CNAME to that endpoint via CloudFlare... and pay for the service of course... but $5-$20 vs. $600 is much easier to stomach.
Full detail here:
https://www.engaging.io/easy-way-to-configure-ssl-for-amazon-s3-bucket-via-cloudflare/
It is not possible directly with S3, but you can create a CloudFront distribution from your bucket. Then go to Certificate Manager and request a certificate. Amazon gives them for free. Once you have successfully confirmed the certificate, assign it to your CloudFront distribution. Also remember to set the rule to redirect HTTP to HTTPS.
I'm hosting a couple of static websites on Amazon S3, like my personal website, to which I have assigned the SSL certificate as they have the CloudFront distribution.
If you really need it, consider redirections.
For example, on request to assets.my-domain.example.com/path/to/file you could perform a 301 or 302 redirection to my-bucket-name.s3.amazonaws.com/path/to/file or s3.amazonaws.com/my-bucket-name/path/to/file (please remember that in the first case my-bucket-name cannot contain any dots, otherwise it won't match *.s3.amazonaws.com, s3.amazonaws.com stated in S3 certificate).
Not tested, but I believe it would work. I see a few gotchas, however.
The first one is pretty obvious, an additional request to get this redirection. And I doubt you could use redirection server provided by your domain name registrar — you'd have to upload proper certificate there somehow — so you have to use your own server for this.
The second one is that you can have URLs with your domain name in the page source code, but when, for example, a user opens the pic in a separate tab, the address bar will display the target URL.
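The redirect approach above hinges on the single-label wildcard rule that browsers apply to the *.s3.amazonaws.com certificate. This added example (not code from any of the answers) encodes that rule and picks the HTTPS form of the bucket URL a redirector could answer with; the host-to-bucket table and the list of names on the S3 certificate are assumptions for the example.

```python
"""Added example: choose an S3 HTTPS URL whose hostname the S3 certificate
covers, so a 301/302 from assets.my-domain.example.com does not land on a
certificate-mismatch warning."""
from urllib.parse import quote

S3_ENDPOINT = "s3.amazonaws.com"
# Assumption for the example: the names the answer says the S3 cert covers.
S3_CERT_NAMES = ("s3.amazonaws.com", "*.s3.amazonaws.com")


def hostname_matches(hostname: str, pattern: str) -> bool:
    """True if a certificate name (optionally '*.'-prefixed) covers hostname.
    A wildcard matches exactly one DNS label, so 'my.bucket.s3.amazonaws.com'
    is NOT covered by '*.s3.amazonaws.com'."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return hostname == pattern
    suffix = pattern[1:]  # e.g. ".s3.amazonaws.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def https_s3_url(bucket: str, key: str) -> str:
    """Virtual-hosted style when the bucket name has no dots (covered by the
    wildcard), otherwise path-style, the only form that validates for dotted
    bucket names."""
    path = "/".join(quote(seg) for seg in key.split("/"))
    virtual_host = f"{bucket}.{S3_ENDPOINT}"
    if any(hostname_matches(virtual_host, n) for n in S3_CERT_NAMES):
        return f"https://{virtual_host}/{path}"
    return f"https://{S3_ENDPOINT}/{bucket}/{path}"


def redirect_target(request_host: str, request_path: str,
                    host_to_bucket: dict) -> str:
    """Map a request on your own domain to the bucket URL the redirector
    should send back. host_to_bucket is a constructed lookup table."""
    bucket = host_to_bucket[request_host.lower()]
    return https_s3_url(bucket, request_path.lstrip("/"))


if __name__ == "__main__":
    table = {"assets.my-domain.example.com": "my-bucket-name"}
    print(redirect_target("assets.my-domain.example.com", "/path/to/file", table))
```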
As mentioned before, you cannot create free certificates for S3 buckets. However, you can create a CloudFront distribution and then assign the certificate to CloudFront instead. You request the certificate for your domain and then just assign it to the CloudFront distribution in the CloudFront settings. I've used this method to serve static websites via SSL as well as to serve static files.
For static website creation Amazon is the go to place. It is really affordable to get a static website with SSL.

Is using a CDN possible when you're running a HTTPS website?

I have a website with only home page available through simple HTTP protocol.
All other pages are accessible only through HTTP over SSL(https://).
I'm using CDN for home page and very happy with it.
But for me it looks like using a CDN for HTTPS pages is impossible because of security warnings, especially in IE. My files hosted at the CDN are accessible through the simple HTTP protocol.
What should I do? How can this problem be solved?
You need to get a CDN that supports serving files over HTTPS, then use that CDN for the SSL requests.
You can do this if their boxes have HTTPS support. What you can't do is use a subdomain of your own domain to CNAME against the CDN network, because SSL doesn't work this way.
so https://cdn.tld/mydomain/path/to/file as a mechanism does work (because browsers will verify the cdn.tld ssl certificate correctly)
but https://cdn.mydomain.tld/path/to/file will not.
Two options, but in general I'd redirect all pages that don't need to be SSL'ed to their non-SSL equivalent and only use SSL when necessary.
Get an SSL certificate for your CDN host. It's just 30 bucks/year, but you need to take into account that this requires more configuration and, depending on the traffic, this is also more expensive because the server requires more resources for SSL'd connections.
For the relevant pages, store the CSS/images/JS files "locally" on your own SSL host and use them when you need SSL. Of course you lose the speed etc. from the CDN, but that's a trade-off. We opted for this because just our signup is SSL; 99.9999% of the time users spend on our website is on non-SSL links.