
I have hosted my static website in an S3 bucket using Angular 5 and mapped it to a custom domain using Route53. I want to have SSL/TLS (HTTPS) for my site, so I used ACM to generate the certificate and mapped it to my site using CloudFront. The ACM status is "Issued" and it says it's in use, but my website is not HTTPS enabled.

Everything is hosted in us-east-1, and I am accessing my site from East Asia. Is this an issue?

Am I missing something?

Mullaly

1 Answer


The ACM certificate for CloudFront should have been generated in the N.Virginia region. Then you should be able to assign it to your CloudFront distribution.

In your CloudFront distribution Origin, you should set the "Origin Protocol Policy" parameter to "HTTPS Only" if you want to use HTTPS between CloudFront and your S3 bucket.


In your CloudFront distribution Cache Behavior, you should set the "Viewer Protocol Policy" parameter to "Redirect HTTP to HTTPS" so that every HTTP communication between the clients and your CloudFront distribution is redirected to use HTTPS.


Then you would have to change your DNS record to point to the CloudFront distribution CNAME.

Additionally, you could configure your CloudFront distribution and your S3 bucket to restrict direct access from the clients to the S3 bucket, so that every request goes through your CloudFront distribution.

Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content

Typically, if you're using an Amazon S3 bucket as the origin for a CloudFront distribution, you grant everyone permission to read the objects in your bucket. This allows anyone to access your objects either through CloudFront or using the Amazon S3 URL. CloudFront doesn't expose Amazon S3 URLs, but your users might have those URLs if your application serves any objects directly from Amazon S3 or if anyone gives out direct links to specific objects in Amazon S3.

Luis
  • I cannot see the Origin Protocol policy in my CloudFront under AWS console. – Mullaly Mar 15 '18 at 09:53
  • CloudFront distribution -> Origins -> select your Origin -> Edit -> Origin Protocol Policy – Luis Mar 15 '18 at 11:43
  • If I have the domain name as example.com then I can see the Origin Protocol Policy. But if I select the bucket name from the drop-down in Origin, then it's not visible. – Mullaly Mar 15 '18 at 11:56
  • Actually, can you direct me to any precise document of how it works? I have an S3 bucket in us-east-1 (example.com, which I have bought in GoDaddy). Now using Route53 I had a custom namespace for using it on Amazon. Until now, when I browse example.com, I can view my site but it's HTTP only. To make it HTTPS I registered ACM under us-east-1. Now I used CloudFront to create a distribution. Selecting the bucket name in Origin, I am not able to see any Origin Protocol Policy (though when I tried my domain, example.com, I can see the Origin Protocol Policy). However, in both cases it's still HTTP. – Mullaly Mar 15 '18 at 12:04
  • https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginProtocolPolicy – Luis Mar 17 '18 at 11:29
  • Origin SSL Protocols (Amazon EC2, Elastic Load Balancing, and Other Custom Origins Only) Choose the SSL protocols that CloudFront can use when establishing an HTTPS connection with your origin. The SSLv3 protocol is less secure, so we recommend that you choose SSLv3 only if your origin doesn't support TLSv1 or later. Note If you select SSLv3, CloudFront does not attempt to make a connection to the Origin using TLS. If the origin is an Amazon S3 bucket, CloudFront always uses TLSv1.2 – Luis Mar 17 '18 at 11:30
  • Origin Protocol Policy (Amazon EC2, Elastic Load Balancing, and Other Custom Origins Only) The protocol policy that you want CloudFront to use when fetching objects from your origin server. Important If your Amazon S3 bucket is configured as a website endpoint, you must specify HTTP Only. Amazon S3 doesn't support HTTPS connections in that configuration. – Luis Mar 17 '18 at 11:30
  • So, with using S3 Buckets I can never have a custom domain with HTTPS connections? Am I right in saying so? – Mullaly Mar 19 '18 at 03:00
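The answer and the comment thread above boil down to a handful of distribution settings (ACM certificate in us-east-1, viewer protocol policy, origin type and origin protocol policy, an Origin Access Identity) plus the bucket policy that goes with the OAI. The following script is an added example, not code from the question, the answer, or AWS: it audits a distribution config for those settings and builds the OAI-only bucket policy. The dict shape is the `DistributionConfig` returned by `aws cloudfront get-distribution-config`; the two sample configs, the bucket name, the certificate ARN and the OAI id are constructed placeholders. It goes slightly beyond the answer by also catching the case from the last comments: an S3 *website* endpoint used as a custom origin, which only speaks HTTP, versus the bucket's REST endpoint, to which CloudFront always connects over TLS.

```python
"""Audit a CloudFront DistributionConfig for the HTTPS settings discussed
above and build the bucket policy that lets only the distribution's Origin
Access Identity read the S3 origin.  Added example; all ids are placeholders."""
import json

# Constructed sample: the questioner's starting point.  Website endpoint as a
# custom origin, default *.cloudfront.net certificate, HTTP still allowed.
WEAK_CONFIG = {
    "Aliases": {"Quantity": 1, "Items": ["example.com"]},
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "S3-Website-example.com",
        "DomainName": "example.com.s3-website-us-east-1.amazonaws.com",
        "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"},
    }]},
    "DefaultCacheBehavior": {"TargetOriginId": "S3-Website-example.com",
                             "ViewerProtocolPolicy": "allow-all"},
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True},
}

# Constructed sample: the same site after applying the answer's steps.
FIXED_CONFIG = {
    "Aliases": {"Quantity": 1, "Items": ["example.com"]},
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "S3-example.com",
        "DomainName": "example.com.s3.amazonaws.com",       # REST endpoint, not website endpoint
        "S3OriginConfig": {"OriginAccessIdentity":
                           "origin-access-identity/cloudfront/EXAMPLEOAIID"},
    }]},
    "DefaultCacheBehavior": {"TargetOriginId": "S3-example.com",
                             "ViewerProtocolPolicy": "redirect-to-https"},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-CERT-ID",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2018",
        "CloudFrontDefaultCertificate": False,
    },
}


def audit_distribution(config: dict) -> list:
    """Return a list of findings; empty means the config matches the HTTPS setup."""
    findings = []

    # Viewer leg: allow-all lets browsers keep using plain HTTP to CloudFront.
    vpp = config["DefaultCacheBehavior"].get("ViewerProtocolPolicy", "allow-all")
    if vpp == "allow-all":
        findings.append("viewer protocol policy is allow-all; use redirect-to-https or https-only")

    # Custom domain without an ACM certificate: clients get the default
    # *.cloudfront.net certificate and a hostname mismatch for the alias.
    cert = config.get("ViewerCertificate", {})
    aliases = config.get("Aliases", {}).get("Items", [])
    arn = cert.get("ACMCertificateArn", "")
    if aliases and (cert.get("CloudFrontDefaultCertificate") or not arn):
        findings.append("custom alias configured but no ACM certificate attached")
    if arn and ":us-east-1:" not in arn:
        findings.append("ACM certificate is not in us-east-1; CloudFront cannot use it")

    # Origin leg.
    for origin in config["Origins"]["Items"]:
        oid = origin["Id"]
        if "S3OriginConfig" in origin:
            # REST origin: CloudFront uses TLS to it, but without an OAI the
            # bucket has to stay world-readable for CloudFront to fetch objects.
            if not origin["S3OriginConfig"].get("OriginAccessIdentity"):
                findings.append(f"origin {oid} has no Origin Access Identity")
        elif "s3-website" in origin["DomainName"]:
            findings.append(f"origin {oid} is an S3 website endpoint: CloudFront-to-origin "
                            "traffic is plain HTTP; use the REST endpoint with an OAI instead")
        elif origin.get("CustomOriginConfig", {}).get("OriginProtocolPolicy") != "https-only":
            findings.append(f"origin {oid} does not use https-only to the origin")
    return findings


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Bucket policy granting s3:GetObject only to the OAI principal (the
    documented 'CloudFront Origin Access Identity' IAM user form), which
    replaces the public-read policy the answer's quoted docs describe."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {audit_distribution(cfg) or 'no findings'}")
    print(json.dumps(oai_bucket_policy("example.com", "EXAMPLEOAIID"), indent=2))
```

Run against a real distribution by replacing the sample dict with the `DistributionConfig` member of the `get-distribution-config` output; the bucket policy can be applied with `aws s3api put-bucket-policy`. Note that the OAI approach only works with the bucket's REST endpoint, which is exactly why the website endpoint shows up as a finding.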