5

if i understood well, in order to create a custom origin distribution, I need to make public those files on my custom origin server.

In my case, that will be put those files into a public dir of an apache server. My question is, is it possible to restrict access to that apache server to just cloudfront?

I know how to do it to allow only one ip, but, how to do it with cf?

Thanks in advance!

Simon
  • 855
  • 2
  • 12
  • 22
  • Did you ever find an answer to this? I am in the same situation and I want to know how to do this as well. I am planning on using the CDN as a preventative measure against DDoS and if I can hide the server from the public, all the better. – karnage Aug 29 '11 at 21:22
  • @karnage - in case you are still interested, I've provided a [late answer](http://serverfault.com/a/350107/10305) below. – Steffen Opel Jan 18 '12 at 13:13
  • Also consider that if someone visits the cloudfront URI, then there will be no access restriction. – Myster Mar 25 '13 at 00:18

2 Answers2

4

You could restrict access to the published Amazon CloudFront Public IP Ranges; however, be aware of the respective disclaimer by Amazon:

The CloudFront IP addresses change frequently and we cannot guarantee advance notice of changes. On a best-effort basis, we will provide the list of current addresses. Customers should not use these addresses for mission critical applications and must never hard code them in DNS names. [emphasis mine]

Consequently you should monitor this forum/post to take notice of respective changes as early as possible (if this constraint is acceptable for your use case in the first place of course).

Steffen Opel
  • 5,560
  • 35
  • 55
  • The published link is broken. – Shoan Sep 17 '14 at 04:57
  • 1
    You might use this Lambda function that updates the ip's automatically:: https://github.com/awslabs/aws-cloudfront-samples/tree/master/update_security_groups_lambda This uses a pretty elegant way to fix the hardcoding of the ip's since the notication is sent out by Amazon itself, so we can assume it's always accurate. – Karel May 25 '16 at 13:51
-3

On origin web servers you can create a redirection rule so that all requests to the origin URL are redirected to the website URL (which points to CloudFront).

Costas
  • 101
  • 1