5

If I understood well, in order to create a custom origin distribution, I need to make those files public on my custom origin server.

In my case, that means putting those files into a public dir of an Apache server. My question is: is it possible to restrict access to that Apache server to just CloudFront?

I know how to do it to allow only one IP, but how do I do it with CF?

Thanks in advance!

Simon
  • Did you ever find an answer to this? I am in the same situation and I want to know how to do this as well. I am planning on using the CDN as a preventative measure against DDoS and if I can hide the server from the public, all the better. – karnage Aug 29 '11 at 21:22
  • @karnage - in case you are still interested, I've provided a [late answer](http://serverfault.com/a/350107/10305) below. – Steffen Opel Jan 18 '12 at 13:13
  • Also consider that if someone visits the CloudFront URI, then there will be no access restriction. – Myster Mar 25 '13 at 00:18

3 Answers

4

You could restrict access to the published Amazon CloudFront Public IP Ranges; however, be aware of the respective disclaimer by Amazon:

> The CloudFront IP addresses change frequently and we cannot guarantee advance notice of changes. On a best-effort basis, we will provide the list of current addresses. Customers should not use these addresses for mission critical applications and must never hard code them in DNS names. [emphasis mine]

Consequently you should monitor this forum/post to take notice of respective changes as early as possible (if this constraint is acceptable for your use case in the first place of course).

Steffen Opel
  • The published link is broken. – Shoan Sep 17 '14 at 04:57
  • 1
    You might use this Lambda function that updates the IPs automatically: https://github.com/awslabs/aws-cloudfront-samples/tree/master/update_security_groups_lambda This uses a pretty elegant way to fix the hardcoding of the IPs since the notification is sent out by Amazon itself, so we can assume it's always accurate. – Karel May 25 '16 at 13:51
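
An added example, not part of the answers above or of the linked awslabs project: it rebuilds an Apache 2.4 allow list from the `CLOUDFRONT` entries of AWS's `ip-ranges.json` feed, so the origin rule can be regenerated when the ranges change rather than hard-coded. The sample feed is constructed (documentation prefixes, not real CloudFront addresses) and the function names are this example's own.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's ip-ranges.json; the prefixes are
# documentation ranges, not real CloudFront addresses.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.64/26", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:100::/48", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})


def cloudfront_networks(ip_ranges_json):
    """Return the sorted, de-duplicated CLOUDFRONT networks from the feed."""
    data = json.loads(ip_ranges_json)
    nets = set()
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for entry in data.get(key, []):
            if entry.get("service") == "CLOUDFRONT":
                # ip_network() raises ValueError on a malformed prefix, so a
                # corrupted feed never reaches the Apache config.
                nets.add(ipaddress.ip_network(entry[field]))
    return sorted(nets, key=lambda n: (n.version, n))


def apache_require_lines(networks):
    """Render Apache 2.4 mod_authz_host directives, one per network."""
    if not networks:
        raise ValueError("no CLOUDFRONT prefixes found; refusing to write an empty allow list")
    return "\n".join(f"Require ip {net}" for net in networks) + "\n"


def is_allowed(client_ip, networks):
    """Mirror of the Apache check, useful for testing a regenerated list."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in networks)


if __name__ == "__main__":
    print(apache_require_lines(cloudfront_networks(SAMPLE_IP_RANGES)), end="")
```

These ranges are shared by every CloudFront distribution, so the list narrows who can reach the origin but does not identify your own distribution; the custom-header check described in another answer on this page covers that part.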
0

I'm not an AWS expert and just starting with AWS CF but I've found two ways to do this so far (maybe there are more):

  1. In your CF Distribution, you can add a Custom Header so that all requests from CF to your Custom Origin will contain that Header. Then on your Custom Origin just check for the presence of this header. However, using a custom header is not really necessary - see #2 below.
  2. All requests from the CF Distribution should contain the headers: X-Amz-Cf-Id and X-Amz-Cf-Pop. The presence of these headers will tell you the request is from CF.
Dave Black
-3

On origin web servers you can create a redirection rule so that all requests to the origin URL are redirected to the website URL (which points to CloudFront).

Costas