1
votes

We have a Drupal 7 based e-commerce website, which I am trying to host in AWS. I was wondering, can AWS CloudFront be used to serve both static and dynamic content? Maybe create two origins or something like that? Just a wild guess though. The reason to use a CDN is to serve our js, css and images. The files are stored in EFS. I did not go for S3 as I find it cumbersome and I need another S3FS module on Drupal and configure it. In short, I just didn't want to walk that way. Moreover, my region does not have EFS, so I had to host the site in Ireland and thus need a CDN. Nevertheless, is it possible to serve both static and dynamic content off CloudFront?

Another question is, does CloudFront support self-signed certificates? While testing, I had a test domain created with a self-signed cert, but when I feed it to CloudFront, it throws an error. I think it is not possible using self-signed, is it?

PS. I had Route53 point to the CloudFront DNS.

Updated

Let me explain the entire steps that I performed:

  1. Added the self-signed cert to Chrome and my system, now I don't see a page that says it is insecure, so all good till here.

  2. Created a CloudFront with below settings:

General

    Distribution ID: E2RDLVLNKPEXQ9
    ARN: arn:aws:cloudfront::xxxx:distribution/E2RDLVLNKPEXQ9
    Delivery Method: Web
    Cookie Logging: Off
    Distribution Status: Deployed
    Price Class: Use All Edge Locations (Best Performance)
    State: Enabled
    Alternate Domain Names (CNAMEs): *.kiirana11.com
    SSL Certificate: Default CloudFront Certificate (*.cloudfront.net)
    Domain Name: xxxx.cloudfront.net
    Custom SSL Client Support: -
    Supported HTTP Versions: HTTP/2, HTTP/1.1, HTTP/1.0
    IPv6: Enabled
    Last Modified: 2017-02-24 09:41 UTC+5:30

Origin

    Origin Domain Name: xxxxelb-1927396229.eu-west-1.elb.amazonaws.com
    Origin ID: PPRD-kirana11elb
    Origin SSL Protocols:
        TLSv1.2
        TLSv1.1
        TLSv1
        SSLv3
    Origin Protocol Policy:
        HTTP Only
        HTTPS Only
        Match Viewer
    HTTP Port: 80
    HTTPS Port: 443

Behaviour

    Path Pattern: Default (*)
    Origin: PPRD-kirana11elb
    Viewer Protocol Policy: HTTP and HTTPS
    Allowed HTTP Methods: GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE
    Cached HTTP Methods: GET, HEAD +OPTIONS
    Forward Headers: Whitelist
    Whitelist Headers:
        CloudFront-Forwarded-Proto
        Host
    Object Caching: Use Origin Cache Headers
    Minimum TTL: 0
    Maximum TTL: 31536000
    Default TTL: 86400
    Forward Cookies: All
    Query String Forwarding and Caching: Forward all, cache based on all
    Smooth Streaming: No
    Restrict Viewer Access: No
    Compress Objects Automatically: No

CloudFront Current State is Enabled and Deployed

  3. Loaded CloudFront in Route53. For some reason, it is not getting auto-loaded for A name, I had to forcefully input the CloudFront DNS name.

  4. Installed Drupal CDN module

Mode is set as "Origin Pull", CDN mapping has the CloudFront URL with https

Now starts the problem:

    [root@ip-10-1-36-192 ec2-user]# curl https://xxxx.cloudfront.net
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
    <TITLE>ERROR: The request could not be satisfied</TITLE>
    </HEAD><BODY>
    <H1>ERROR</H1>
    <H2>The request could not be satisfied.</H2>
    <HR noshade size="1px">
    CloudFront wasn't able to connect to the origin.
    <BR clear="all">
    <HR noshade size="1px">
    <PRE>
    Generated by cloudfront (CloudFront)
    Request ID: Fvf4qfAwuzBRS4J_SA6p1I-UYnvqSuZxdvXV1E6HuGEMGOxWPeORsQ==
    </PRE>
    <ADDRESS>
    </ADDRESS>
    </BODY></HTML>You have new mail in /var/spool/mail/ec2-user

    [root@ip-10-1-36-192 ec2-user]# curl -Ik https://website.com
    HTTP/1.1 200 OK
    Cache-Control: no-cache, must-revalidate
    Content-Language: en
    Content-Type: text/html; charset=utf-8
    Date: Fri, 24 Feb 2017 05:50:46 GMT
    Expires: Sun, 19 Nov 1978 05:00:00 GMT
    Server: Apache/2.4.25 (Amazon) OpenSSL/1.0.1k-fips mod_fcgid/2.3.9
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-Generator: Drupal 7 (http://drupal.org)
    X-UA-Compatible: IE=edge,chrome=1
    Connection: keep-alive

The entire site has gone bonkers with CDN. This is what I see.

If I disable CDN module, all is good from look and feel of the website perspective.

2
You have at least two questions here. The answer to the first one -- as written -- should be obvious from a search of Google or Stack Overflow, so I wonder if you are actually having a problem that you aren't mentioning with static+dynamic, and instead asking if it is "possible." The second question about the cert needs detail. CloudFront does not support this on the origin, only on the distribution. – Michael - sqlbot

@Michael-sqlbot check out my updated post – Amitabh Ghosh

Don't use -k with curl. That's an alias for --insecure, which ignores invalid or untrusted SSL configurations. Clearly, if you have to use that option, it means your SSL configuration is invalid, and the 502 error is exactly what CloudFront would be expected to do in that case. CloudFront doesn't allow insecure connections to the origin. I addressed a potentially similar misconfiguration in this answer on Server Fault. – Michael - sqlbot

Oh... "Added the self-signed cert to chrome and my system" You can't use a self-signed certificate on the origin. CloudFront has to be able to verify the origin's identity and that is impossible with a self-signed cert. – Michael - sqlbot

Thanks @Michael-sqlbot. I provisioned a free SSL certificate from Comodo and I can now see my images, js and css are coming from CloudFront. One question though, the whole idea to use CDN for me was to achieve better loading speed of my website. It has not changed much when I see in Google PageSpeed Insight. Any guesses what could be the reason? – Amitabh Ghosh

2 Answers

1
votes

is it possible to serve both static and dynamic content off CloudFront?

Yes, CloudFront serves dynamic content as well. This can be PHP content, etc. Your origins can be S3 or web servers (AWS instances), etc. Please read the CloudFront documentation for detailed information about how it works.

Yes, CloudFront supports self-signed certificates. You may elaborate more on what steps you took to set it up. Alternatively, please check the docs here: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html

0
votes

The issue was with the self-signed certificate. I had provisioned a free SSL certificate from Comodo and was able to configure it. Voila! CloudFront was able to identify it and my contents are served from it. And the Google Pagespeed Index also jumped from 74 to 85.

Thanks @Michael - sqlbot for clarifying the point to me.
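
Why the self-signed certificate looked fine locally but not to CloudFront, as an added example that is not part of the original thread: it generates a throwaway self-signed certificate and checks it with `openssl verify` from three positions. The hostname `origin.example.test`, the file names and the `verdict` helper are constructed for this illustration, and the hostname check goes one step beyond what the thread discusses.

```shell
#!/bin/sh
# Added illustration; hostnames and paths are constructed, not from the thread.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ORIGIN_HOST="origin.example.test"   # hypothetical origin hostname

# Throwaway self-signed certificate, standing in for the one in the question.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$ORIGIN_HOST" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# verdict MODE [HOSTNAME] -> prints "accepted" or "rejected"
#   public : only the default CA bundle is trusted (a remote verifier's view)
#   local  : the certificate itself was imported as trusted (step 1 above)
#   name   : locally trusted, but the certificate must also match HOSTNAME
verdict() {
  case "$1" in
    public) openssl verify "$WORK/cert.pem" ;;
    local)  openssl verify -CAfile "$WORK/cert.pem" "$WORK/cert.pem" ;;
    name)   openssl verify -CAfile "$WORK/cert.pem" \
              -verify_hostname "$2" "$WORK/cert.pem" ;;
    *)      false ;;
  esac >/dev/null 2>&1 && echo accepted || echo rejected
}

make_self_signed || { echo "openssl req failed" >&2; exit 1; }
echo "default trust store only:     $(verdict public)"
echo "cert imported as trusted:     $(verdict local)"
echo "trusted, matching hostname:   $(verdict name "$ORIGIN_HOST")"
echo "trusted, different hostname:  $(verdict name other.example.test)"
```

The `local` result is why the browser stopped warning after step 1 of the question; CloudFront is in the `public` position, which is why the certificate later obtained from a public CA resolved the error.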