We have a Drupal 7 based e-commerce website, which I am trying to host in AWS. I was wondering, can AWS CloudFront be used to serve both static and dynamic content? Maybe create two origins or something like that? Just a wild guess though. The reason to use a CDN is to serve our JS, CSS and images. The files are stored in EFS. I did not go for S3 as I find it cumbersome and I would need another S3FS module on Drupal and have to configure it. In short, I just didn't want to walk that way. Moreover, my region does not have EFS, so I had to host the site in Ireland and thus need a CDN. Nevertheless, is it possible to serve both static and dynamic content off CloudFront?
Another question is, does CloudFront support a self-signed certificate? While testing, I had a test domain created with a self-signed cert, but when I feed it to CloudFront, it throws an error. I think it is not possible using self-signed, is it?
PS. I had Route53 point to the CloudFront DNS name.
Updated
Let me explain the entire steps that I performed:
Added the self-signed cert to Chrome and my system; now I don't see a page that says it is insecure, so all good till here.
Created a CloudFront distribution with the settings below:
General
Distribution ID: E2RDLVLNKPEXQ9
ARN: arn:aws:cloudfront::xxxx:distribution/E2RDLVLNKPEXQ9
Delivery Method: Web
Cookie Logging: Off
Distribution Status: Deployed
Price Class: Use All Edge Locations (Best Performance)
State: Enabled
Alternate Domain Names (CNAMEs): *.kiirana11.com
SSL Certificate: Default CloudFront Certificate (*.cloudfront.net)
Domain Name: xxxx.cloudfront.net
Custom SSL Client Support: -
Supported HTTP Versions: HTTP/2, HTTP/1.1, HTTP/1.0
IPv6: Enabled
Last Modified: 2017-02-24 09:41 UTC+5:30
Origin
Origin Domain Name: xxxxelb-1927396229.eu-west-1.elb.amazonaws.com
Origin ID: PPRD-kirana11elb
Origin SSL Protocols: TLSv1.2, TLSv1.1, TLSv1, SSLv3
Origin Protocol Policy: HTTP Only / HTTPS Only / Match Viewer
HTTP Port: 80
HTTPS Port: 443
Behaviour
Path Pattern: Default (*)
Origin: PPRD-kirana11elb
Viewer Protocol Policy: HTTP and HTTPS
Allowed HTTP Methods: GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE
Cached HTTP Methods: GET, HEAD +OPTIONS
Forward Headers: Whitelist
Whitelist Headers: CloudFront-Forwarded-Proto, Host
Object Caching: Use Origin Cache Headers
Minimum TTL: 0
Maximum TTL: 31536000
Default TTL: 86400
Forward Cookies: All
Query String Forwarding and Caching: Forward all, cache based on all
Smooth Streaming: No
Restrict Viewer Access: No
Compress Objects Automatically: No
CloudFront's current state is Enabled and Deployed.
Loaded CloudFront in Route53. For some reason, it is not getting auto-loaded for the A record; I had to forcefully input the CloudFront DNS name.
Installed the Drupal CDN module.
Mode is set as "Origin Pull"; the CDN mapping has the CloudFront URL with HTTPS.
Now the problem starts:
[root@ip-10-1-36-192 ec2-user]# curl https://xxxx.cloudfront.net
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
CloudFront wasn't able to connect to the origin.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: Fvf4qfAwuzBRS4J_SA6p1I-UYnvqSuZxdvXV1E6HuGEMGOxWPeORsQ==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>
[root@ip-10-1-36-192 ec2-user]# curl -Ik https://website.com
HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Fri, 24 Feb 2017 05:50:46 GMT
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Server: Apache/2.4.25 (Amazon) OpenSSL/1.0.1k-fips mod_fcgid/2.3.9
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Generator: Drupal 7 (http://drupal.org)
X-UA-Compatible: IE=edge,chrome=1
Connection: keep-alive
The entire site has gone bonkers with the CDN. This is what I see:
If I disable the CDN module, all is good from the look-and-feel perspective of the website.
-k with curl. That's an alias for --insecure, which ignores invalid or untrusted SSL configurations. Clearly, if you have to use that option, it means your SSL configuration is invalid, and the 502 error is exactly what CloudFront would be expected to do in that case. CloudFront doesn't allow insecure connections to the origin. I addressed a potentially similar misconfiguration in this answer on Server Fault. – Michael - sqlbot