
I have AWS CloudFront serving content (from EC2/etc), this works fine. The content I have is 'multi-tenant' in that it adjusts its branding/theme based on the domain being used. In theory I would just want to have a single CloudFront distro serving all the different domains.

The issue is that CloudFront only supports a single certificate per distro. I need all the sites to be secure (as HTTP is essentially deprecated). Also I need to easily support scaling to hundreds or even thousands of domains!

I can use a SAN certificate to have multiple domains per certificate, but there are limits that certificate authorities impose (plus it is generally suggested that certificates not be too large), and it would be a maintenance hassle when adding/removing domains.

So how to manage many secure domains (possibly 1000+) with CloudFront? It seems to be impossible without creating a new distro per certificate :/

I could try to create my own CDN, which is a non-trivial project that I don't have time for. Alternatively, I hear some CDNs (CloudFlare) charge exorbitant rates for multi-cert distros - but they seem too expensive, plus I'd rather stick with AWS since everything else I have is there.

devlop

  • *"In theory I would just want to have a single CloudFront distro serving all the different domains."* There are several reasons why this would not be a good idea, if it were possible... but for the sake of clarity, I'm curious what motivation you have for trying to serve them all from one distro. – Michael - sqlbot Jul 06 '19 at 03:51
  • @Michael-sqlbot Since all the distros would be identical (apart from the certificate) it seems like a single distro would be just as good. Also, every time I hit the max distros limit I would need to request more. What are the reasons for not having a single distro (apart from the certificate issues)? – devlop Jul 08 '19 at 03:14
  • I'm drafting an answer but have not had sufficient time to finish it, yet. Sorry for the delay. – Michael - sqlbot Jul 08 '19 at 04:20
  • Did you find any way to get around it? @devlop – Siddharth Apr 08 '20 at 12:45
  • @devlop did you ever find a solution? – Mike Stop Continues Jul 17 '21 at 09:59
  • @MikeStopContinues Nope, unfortunately I didn't find any straightforward solution. – devlop Jul 22 '21 at 03:36
  • Can you not have a wildcard certificate which can support all CNAMEs and add all CNAMEs as alternate names in the same distro? – gaurav5430 Jul 25 '21 at 18:37
  • @gaurav5430 Wildcard certs would allow lots of subdomains, but not different domain names. SAN certs do allow multiple domains (as mentioned in the question) but these have limits (AWS limits to 10 per cert if I remember correctly). – devlop Jul 28 '21 at 18:41
  • @devlop got it, I misunderstood, thanks for explaining – gaurav5430 Jul 28 '21 at 18:42
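The wildcard-versus-SAN point in the comments is easy to get wrong when planning tenant onboarding, so here is an added example (not code from the original post or from AWS) that applies the hostname-matching rules TLS clients use: a `*` in a certificate name stands in only for a single leftmost DNS label, so `*.example.com` covers `shop.example.com` but neither the apex `example.com` nor a tenant on a different registrable domain. The second function groups tenant hostnames into SAN batches, one certificate and hence one distribution per batch; the per-certificate limit is an assumed parameter, not a figure taken from the page, and should be checked against the current ACM quota. All hostnames in the sample data are constructed.

```python
"""Added example: certificate name coverage and SAN batch planning.

Matching follows the RFC 6125 style rules browsers and CloudFront clients use:
comparison is case-insensitive, and a wildcard is honoured only as the entire
leftmost label, where it matches exactly one label.
"""


def hostname_covered(hostname: str, san_names: list[str]) -> bool:
    """Return True if `hostname` is covered by one of the certificate's SAN entries.

    '*.example.com' covers 'shop.example.com' but not 'example.com' (no label to
    match), 'a.b.example.com' (wildcard spans one label only) or 'example.org'
    (different domain).
    """
    host = hostname.lower().rstrip(".")
    for san in san_names:
        pattern = san.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]  # '.example.com'
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]
                # Exactly one non-empty label may stand in for the '*'.
                if leftmost and "." not in leftmost:
                    return True
    return False


def uncovered_hosts(hostnames: list[str], san_names: list[str]) -> list[str]:
    """Hostnames that would fail TLS validation against a cert with these SANs."""
    return [h for h in hostnames if not hostname_covered(h, san_names)]


def plan_san_batches(domains: list[str], max_names_per_cert: int) -> list[list[str]]:
    """Group tenant hostnames into SAN certificates of at most `max_names_per_cert`.

    Each batch corresponds to one certificate and therefore one CloudFront
    distribution. `max_names_per_cert` is an assumed operator-supplied limit;
    verify it against the current ACM quota before relying on it.
    """
    if max_names_per_cert < 1:
        raise ValueError("max_names_per_cert must be at least 1")
    unique = sorted({d.lower().rstrip(".") for d in domains})
    return [
        unique[i : i + max_names_per_cert]
        for i in range(0, len(unique), max_names_per_cert)
    ]


# Constructed sample tenant hostnames (not real tenants).
TENANT_DOMAINS = [
    "shop.example.com",
    "blog.example.com",
    "example.com",
    "brand-one.example.org",
    "brand-two.example.net",
]
WILDCARD_SAN = ["*.example.com"]  # the single wildcard cert from the comment thread

if __name__ == "__main__":
    print("Not covered by *.example.com:", uncovered_hosts(TENANT_DOMAINS, WILDCARD_SAN))
    for n, batch in enumerate(plan_san_batches(TENANT_DOMAINS, 2), start=1):
        print(f"certificate/distribution {n}: {batch}")
```

Running the block with the sample data shows three of the five tenant hostnames left uncovered by the wildcard, which is exactly the gap the question describes; `plan_san_batches` then gives the number of certificates (and distributions) the same tenant list needs under a given SAN limit.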

0 Answers