Cloudfront Redirect using Route 53

I am creating a CloudFront distribution with Terraform. I have it running, but the only way I can reach it is through the https://<id>.cloudfront.net/ address. I want to use a record in the Route 53 zone that I have to redirect to the CloudFront distribution. Any idea how to do this?

variable "www_domain_name" {
  default = "example.com"
}
variable "root_domain_name" { # referenced below but missing from the question; default is assumed
  default = "example.com"
}

The S3 bucket is used to host the static code. It is publicly available and uses a policy that allows public access.

# Because CloudFront is pointed at the S3 *website* endpoint below, the bucket
# has to be world-readable: an origin access identity only works with the
# S3 REST endpoint. (Inline acl/policy/website is AWS provider v3 syntax.)
resource "aws_s3_bucket" "www" {
  bucket = var.www_domain_name
  acl    = "public-read"
  policy = <<POLICY
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::${var.www_domain_name}/*"]
    }
  ]
}
POLICY
  website {
    index_document = "index.html"
    error_document = "404.html"
  }
}

AWS Certificate Manager is used to create an SSL certificate for the domain. This can take a long time to request and requires you to confirm it using your e-mail address.

resource "aws_acm_certificate" "certificate" {
  # CloudFront only accepts ACM certificates issued in us-east-1, so this must
  # be created with a provider targeting that region. The ARN is not usable by
  # the distribution until the e-mail validation has been approved.
  domain_name       = "*.${var.root_domain_name}"
  validation_method = "EMAIL"
  subject_alternative_names = [ var.root_domain_name ]
}

AWS CloudFront is used to distribute the website's load to Amazon's edge locations.

resource "aws_cloudfront_distribution" "www_distribution" {
  /**
   * The origin needs a "custom" setup because the S3 website endpoint is a
   * plain-HTTP web server, not an S3 REST origin (the redirect from
   * <domain>.com to www.<domain>.com is done by S3 website hosting, not by
   * this block). The values below are the defaults.
   */
  origin {
    custom_origin_config {
      http_port              = "80"
      https_port             = "443"
      # S3 website endpoints do not speak HTTPS, so CloudFront has to fetch
      # over HTTP and origin_ssl_protocols is unused here. Limit it to
      # TLSv1.2 if the origin is ever switched to one that supports TLS.
      origin_protocol_policy = "http-only"
      origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
    }

    /** 
     * This connects the S3 bucket created earlier to the Cloudfront 
     * distribution. 
     */
    domain_name = aws_s3_bucket.www.website_endpoint
    origin_id   = var.www_domain_name
  }

  enabled             = true
  default_root_object = "index.html"

  default_cache_behavior {
    viewer_protocol_policy = "redirect-to-https"
    compress               = true
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = var.www_domain_name
    min_ttl                = 0
    default_ttl            = 86400
    max_ttl                = 31536000

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  /**
   * This sets the aliases of the Cloudfront distribution. Here, it is being
   * set to be accessible by <var.www_domain_name>.
   */
  aliases = [ var.www_domain_name ]

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  /**
   * The AWS ACM Certificate is then applied to the distribution.
   */
  viewer_certificate {
    acm_certificate_arn      = aws_acm_certificate.certificate.arn
    ssl_support_method       = "sni-only"
    # The default is TLSv1; refuse TLS 1.0/1.1 from viewers.
    minimum_protocol_version = "TLSv1.2_2021"
  }
}

A Route 53 zone needs to be created so that its name servers can point to the CloudFront distribution.

resource "aws_route53_zone" "zone" {
  name = var.root_domain_name
  # Every new zone gets a fresh, random set of four name servers. Recreating
  # the zone changes them, and the registrar must be updated to match (or pin
  # them with aws_route53_delegation_set and delegation_set_id).
}

This is the Route 53 record that redirects to the CloudFront distribution.

resource "aws_route53_record" "www" {
  zone_id = aws_route53_zone.zone.zone_id
  name    = var.www_domain_name
  # An alias A record works at the apex too, where a CNAME would not; add a
  # matching AAAA alias if the distribution serves IPv6.
  type    = "A"

  alias {
    name                   = aws_cloudfront_distribution.www_distribution.domain_name
    zone_id                = aws_cloudfront_distribution.www_distribution.hosted_zone_id
    evaluate_target_health = false
  }
}

After repeated discussion in the comments and chat, it seems the Route 53 zone was misconfigured and was missing the name servers the domain expected.

After adding name server records to match what the output of whois tylernorlund.com | grep "Name Server" shows, the zone is resolvable again and able to resolve the records.

$ whois tylernorlund.com | grep "Name Server"
   Name Server: NS-1398.AWSDNS-46.ORG
   Name Server: NS-1571.AWSDNS-04.CO.UK
   Name Server: NS-365.AWSDNS-45.COM
   Name Server: NS-871.AWSDNS-44.NET
Name Server: ns-1398.awsdns-46.org
Name Server: ns-1571.awsdns-04.co.uk
Name Server: ns-365.awsdns-45.com
Name Server: ns-871.awsdns-44.net

$ dig tylernorlund.com any @8.8.8.8

; <<>> DiG 9.11.3-1ubuntu1.14-Ubuntu <<>> tylernorlund.com any @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31196
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;tylernorlund.com.      IN  ANY

;; ANSWER SECTION:
tylernorlund.com.   59  IN  A   99.86.119.38
tylernorlund.com.   59  IN  A   99.86.119.32
tylernorlund.com.   59  IN  A   99.86.119.124
tylernorlund.com.   59  IN  A   99.86.119.72
tylernorlund.com.   21599   IN  NS  ns-1398.awsdns-46.org.
tylernorlund.com.   21599   IN  NS  ns-1571.awsdns-04.co.uk.
tylernorlund.com.   21599   IN  NS  ns-365.awsdns-45.com.
tylernorlund.com.   21599   IN  NS  ns-871.awsdns-44.net.
tylernorlund.com.   899 IN  SOA ns-365.awsdns-45.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
tylernorlund.com.   599 IN  MX  10 inbound-smtp.us-east-1.amazonaws.com.
tylernorlund.com.   299 IN  TXT "v=spf1 include:amazonses.com ~all"

;; Query time: 54 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Mar 03 10:21:44 GMT 2021
;; MSG SIZE  rcvd: 402
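The check that settles the problem above, as an added example that is not part of the original question or of Terraform/AWS tooling: the name servers the registrar publishes (the whois output) must be exactly the name-server set of the hosted zone the records live in, or the alias record is never consulted, however correct it is. The script parses the two text shapes shown on the page and compares the sets. The whois and "matching" dig samples are constructed from the values in the question; the "recreated zone" sample is invented to show what a zone re-created by Terraform, which receives a fresh delegation set, looks like against the old registrar entry.

```python
"""Delegation check for a Route 53 hosted zone fronting CloudFront.

Added example; not code from the original question. Inputs are plain text in
the shapes `whois` and `dig` print, so it runs offline on the samples below.
"""
import re

# Constructed sample: the "Name Server:" lines from the question's whois output.
# Registry and registrar both print the set, with different casing.
WHOIS_SAMPLE = """\
   Name Server: NS-1398.AWSDNS-46.ORG
   Name Server: NS-1571.AWSDNS-04.CO.UK
   Name Server: NS-365.AWSDNS-45.COM
   Name Server: NS-871.AWSDNS-44.NET
Name Server: ns-1398.awsdns-46.org
Name Server: ns-1571.awsdns-04.co.uk
Name Server: ns-365.awsdns-45.com
Name Server: ns-871.awsdns-44.net
"""

# Constructed sample: the NS and SOA lines from the question's dig output,
# i.e. the delegation set the hosted zone actually carries.
DIG_MATCHING_ZONE = """\
tylernorlund.com.   21599   IN  NS  ns-1398.awsdns-46.org.
tylernorlund.com.   21599   IN  NS  ns-1571.awsdns-04.co.uk.
tylernorlund.com.   21599   IN  NS  ns-365.awsdns-45.com.
tylernorlund.com.   21599   IN  NS  ns-871.awsdns-44.net.
tylernorlund.com.   899 IN  SOA ns-365.awsdns-45.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
"""

# Hypothetical sample (NS names invented): what `dig NS tylernorlund.com @<zone ns>`
# shows after `terraform destroy`/`apply` re-created the zone with a new delegation set.
DIG_RECREATED_ZONE = """\
tylernorlund.com.   21599   IN  NS  ns-2044.awsdns-63.co.uk.
tylernorlund.com.   21599   IN  NS  ns-1023.awsdns-00.org.
tylernorlund.com.   21599   IN  NS  ns-511.awsdns-63.com.
tylernorlund.com.   21599   IN  NS  ns-255.awsdns-31.net.
tylernorlund.com.   899 IN  SOA ns-511.awsdns-63.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
"""

WHOIS_NS_RE = re.compile(r"^\s*Name Server:\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)
# owner  ttl  IN  type  rdata   (dig's ';' comment lines have no TTL and never match)
DIG_RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$", re.MULTILINE)


def normalize(name):
    """DNS names compare case-insensitively and with or without the trailing dot."""
    return name.strip().rstrip(".").lower()


def registrar_nameservers(whois_text):
    """Name servers the parent zone delegates to, as published by the registrar."""
    return frozenset(normalize(m.group(1)) for m in WHOIS_NS_RE.finditer(whois_text))


def dig_records(dig_text, rtype):
    """(owner, ttl, rdata) tuples of one record type from a dig answer section."""
    return [
        (normalize(owner), int(ttl), rdata)
        for owner, ttl, typ, rdata in DIG_RR_RE.findall(dig_text)
        if typ == rtype
    ]


def zone_nameservers(dig_text):
    """NS set the hosted zone itself carries (its Route 53 delegation set)."""
    return frozenset(normalize(rdata) for _, _, rdata in dig_records(dig_text, "NS"))


def soa_primary_in_ns(dig_text):
    """The SOA MNAME should be one of the zone's own NS; a stray one hints at a stale zone."""
    soa = dig_records(dig_text, "SOA")
    if not soa:
        return False
    mname = normalize(soa[0][2].split()[0])
    return mname in zone_nameservers(dig_text)


def check_delegation(registrar_ns, zone_ns):
    """Delegation is healthy only when both sets are non-empty and identical.

    A server the registrar lists but the zone does not use is not authoritative
    for it and refuses or fails the query; resolvers that happen to pick that
    server see the whole domain as broken even though the others are fine.
    """
    return {
        "ok": bool(registrar_ns) and registrar_ns == zone_ns,
        "only_at_registrar": sorted(registrar_ns - zone_ns),
        "only_in_zone": sorted(zone_ns - registrar_ns),
    }


if __name__ == "__main__":
    registrar = registrar_nameservers(WHOIS_SAMPLE)
    for label, sample in (("matching", DIG_MATCHING_ZONE), ("recreated", DIG_RECREATED_ZONE)):
        print(label, check_delegation(registrar, zone_nameservers(sample)))
```

To run it against a live zone, feed `registrar_nameservers` the output of `whois <domain>` and `zone_nameservers` the output of `dig +norecurse NS <domain> @<one of the zone's own servers>` (or the NameServers list from `aws route53 get-hosted-zone`). The mismatch case is the one Terraform users hit most: destroying and re-applying `aws_route53_zone` hands out a new delegation set, so either the registrar entry is updated after every recreate or the zone is created with `delegation_set_id` pointing at an `aws_route53_delegation_set` so the four names stay fixed.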