
I was looking for a cheap AWS service that would terminate TLS and also take care of signing an Amazon certificate for an internal application. I found that I can use Cloudfront with a custom origin pointing to the public IP of an EC2 instance.

I have built the mentioned setup and it works just fine, but I had to open the application port on my EC2 instance to the world and it speaks http. Is that safe or does my cost optimization make no sense?

Thanks for any help! :)

User9123

2 Answers

IIRC, if Cloudfront is terminating SSL, then you can't use HTTPS on the back-end and it has to be HTTP from Cloudfront<-->EC2.

If you have opened that same web app/server directly to the Internet on HTTP, then that is bypassing Cloudfront and you're losing whatever caching/protection/SSL-termination/cost-savings that Cloudfront provides.

You can also use the AWS Classic Load Balancer to reverse-proxy HTTP (forwarding HTTP to your EC2), providing a layer of abstraction and a little further protection than HTTP directly to your EC2 instance.

PSn00b
Comment: I think it is possible to talk https between EC2 and Cloudfront but CF only accepts certificates from a trusted CA. Thanks for your reply! – User9123 Feb 28 '20 at 06:41

You can specify the Origin Protocol Policy you want CloudFront to use when fetching objects from the origin server. You can specify HTTPS. Caveats are:

  1. Has to be a custom origin (Amazon EC2 instances, Elastic Load Balancing load balancers, MediaPackage origins, MediaStore containers, or your own web server)
  2. For HTTPS viewer requests that CloudFront forwards to this origin, one of the domain names in the SSL certificate on your origin server must match the domain name that you specify for Origin Domain Name. Otherwise, CloudFront responds to the viewer requests with an HTTP status code 502 (Bad Gateway) instead of returning the requested object

Note the text in bold.

See AWS docs here for more info

Deanflyer
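To show the origin-side settings the answers discuss in one place, here is an added Terraform example (not from the thread or from AWS): a CloudFront distribution whose custom origin uses the https-only Origin Protocol Policy, together with a security group that admits only CloudFront's origin-facing address ranges so the origin port does not have to be open to the whole Internet. Assumed values: the hostname origin.example.com (which must appear in the certificate the origin serves, and that certificate must be from a CA CloudFront trusts), a VPC resource aws_vpc.main, and that the security group is attached to the EC2 instance.

```hcl
data "aws_ec2_managed_prefix_list" "cloudfront" {
  # AWS-managed list of the address ranges CloudFront uses to reach origins
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

resource "aws_security_group" "origin" {
  name   = "cloudfront-origin-only"
  vpc_id = aws_vpc.main.id   # assumed VPC
  # Only CloudFront's origin-facing ranges may reach the origin port,
  # so arbitrary Internet hosts can no longer bypass CloudFront.
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    prefix_list_ids = [data.aws_ec2_managed_prefix_list.cloudfront.id]
  }
}

resource "aws_cloudfront_distribution" "app" {
  enabled = true

  origin {
    # Must match a name in the certificate the origin serves (caveat 2);
    # a mismatch makes CloudFront answer viewers with 502 Bad Gateway.
    domain_name = "origin.example.com"   # assumed hostname
    origin_id   = "ec2-app"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"   # CloudFront -> origin over TLS
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id       = "ec2-app"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = false
      cookies { forward = "none" }
    }
  }

  restrictions { geo_restriction { restriction_type = "none" } }
  viewer_certificate { cloudfront_default_certificate = true }
}
```

The security group declares no egress rule (Terraform removes the default allow-all egress on creation), so add one matching the instance's outbound needs.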