How do I force CloudFront to make all requests from the origin HTTPS?

Problem description

The CloudFront distribution for my site https://phillhocking.com is exhibiting some strange behavior.

This CloudFront distribution is managed by Terraform; here is the code I use to instantiate it:

resource "aws_cloudfront_distribution" "ghost-lightsail" {
  price_class = "PriceClass_100"

  origin {
    domain_name = var.cloudfront_glue
    origin_id   = "${var.name}-origin"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "http-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "/"

  #  lifecycle {
  #    prevent_destroy = true
  #  }

  aliases = [var.domain_name]

  default_cache_behavior {
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "${var.name}-origin"
    compress         = true

    forwarded_values {
      query_string = true
      headers      = ["*"]

      cookies {
        forward = "all"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

  ordered_cache_behavior {
    path_pattern     = "assets/*"
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "${var.name}-origin"
    compress         = true

    forwarded_values {
      query_string = true
      headers      = ["*"]

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

  ordered_cache_behavior {
    path_pattern     = "content/*"
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "${var.name}-origin"
    compress         = true

    forwarded_values {
      query_string = true
      headers      = ["*"]
      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

  ordered_cache_behavior {
    path_pattern     = "public/*"
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "${var.name}-origin"
    compress         = true

    forwarded_values {
      query_string = true
      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

  ordered_cache_behavior {
    path_pattern     = "img_responsive/*"
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "${var.name}-origin"
    compress         = true

    forwarded_values {
      query_string = true
      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

  tags = {
    Environment = "${var.name}-dev"
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn      = var.cloudfront_ssl_acm_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.1_2016"
  }
}

The whole project lives here: https://github.com/phillhocking/aws-ghost/tree/dev

You will notice that redirect-to-https is set for every content type, yet it still tries to load any post images on the Lightsail instance over http, and I don't know how to diagnose/troubleshoot this any further. My goal is to avoid performing any sysadmin tasks on the Lightsail instance and to solve this through the CloudFront distribution.

This only happens on a specific post: https://phillhocking.com/new-linkedin-feature-request/

Note that the content served by the CDN is requesting http:// images.

When you click those links in the Developer pane, it goes to the image without any problem. Why doesn't the CloudFront distribution automatically manage this behavior from the origin?

Tags: terraform, amazon-cloudfront, terraform-provider-aws, amazon-lightsail

Solution

The redirect works fine. You cannot fetch the images over http, only over https. But that only takes effect when you actually try to fetch the image.

I think Chrome just inspects your page's source, sees http for images or some links, and stops. It does not attempt to actually fetch the image and follow the redirect from http to https.

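As an added example (not code from the question, the answer or the aws-ghost project), a small Python check that finds the mixed-content references the question describes: it parses a page's HTML and reports every sub-resource referenced over plain http://. The sample HTML is constructed, with hypothetical image paths under the site's content/ and assets/ prefixes.

```python
# Added example, not from the original question or answer: scan a page's HTML
# for sub-resources referenced over plain http://, the mixed content the
# question describes. The browser decides from the markup alone, so an
# http->https redirect at the edge never gets a chance to fix it.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource.
_URL_ATTRS = {
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
}


class _MixedContentParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in _URL_ATTRS.get(tag, ()):
            value = attrs.get(attr) or ""
            # srcset is a comma-separated list of "url descriptor" candidates.
            candidates = value.split(",") if attr == "srcset" else [value]
            for cand in candidates:
                parts = cand.split()
                if parts and urlsplit(parts[0]).scheme == "http":
                    self.findings.append((tag, attr, parts[0]))


def find_mixed_content(html):
    """Return [(tag, attribute, url), ...] for every http:// sub-resource."""
    parser = _MixedContentParser()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample (hypothetical paths) resembling the Ghost post in the question.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://phillhocking.com/assets/built/screen.css">
</head><body>
<img src="http://phillhocking.com/content/images/feature.png" alt="">
<img srcset="http://phillhocking.com/content/images/size/w600/feature.png 600w,
             https://phillhocking.com/content/images/size/w1000/feature.png 1000w">
<script src="/assets/built/casper.js"></script>
</body></html>"""
```

Run `find_mixed_content` over the HTML the distribution actually serves to see exactly which tags the origin emits with http:// URLs; those are what the browser acts on before any redirect is consulted.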
