Virtual hosting an S3 bucket using Cloudfront + SSL


I would like to virtual host an S3 bucket so that users can interact with
https://mybucket.mydomain.com instead of mybucket.s3.amazonaws.com. Users would be interacting with the bucket using their own credentials via code or the s3 cli.

To do this, I created a CloudFront distribution with:

  • an origin of mybucket.s3.amazonaws.com
  • mybucket.mydomain.com and mydomain.com as CNAMEs
  • an SSL certificate for mybucket.mydomain.com and *.mydomain.com and mydomain.com (created in ACM)

However, when I try to interact with the bucket with the S3 CLI, like so

aws s3api list-objects --endpoint-url https://mydomain.com --bucket mybucket

I get the following error:

SSL validation failed for https://mybucket.mydomain.com/?encoding-type=url [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:600)

Similarly when I try to put an object:

aws s3api put-object --endpoint-url https://mydomain.com --bucket mybucket --key myfile.txt
SSL validation failed for https://mybucket.mydomain.com/myfile.txt [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:600)

However, when I visit https://mybucket.mydomain.com in a web browser, I do not get an SSL error. Why do I get this SSL error when I use the S3 CLI, but not a web browser?

Note, I have the following in my ~/.aws/config to tell S3 to use the virtual addressing style

# profile header assumed; the posted snippet omitted it
[default]
s3 =
  addressing_style = virtual

Edited by: autumnbugs on Mar 21, 2019 1:51 PM

asked 5 years ago, 634 views
2 answers

Still having this issue, though when I try my request from a different box (the first was on a Mac) I get a different failure:

aws s3api put-object --endpoint-url https://mydomain.com --bucket mybucket --key myfile.txt
An error occurred (SignatureDoesNotMatch) when calling the PutObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

The same request works from both boxes when I use the standard s3 endpoint, so I still think this must be an issue with my cloudfront configuration.

aws s3api put-object --endpoint-url https://s3.amazonaws.com --bucket mybucket --key myfile.txt
answered 5 years ago

The issue was: The client signs the request using the custom domain; but then when S3 gets the request from CloudFront it expects the request to be signed for s3.amazonaws.com, not the custom domain.

Resolution: Depending on the client you use, you might be able to set the custom endpoint after the request (and signature) is created. See https://github.com/aws/aws-sdk-go/issues/826#issuecomment-247651352 for an example.
Unfortunately, this is not possible with the Java SDK. Our solution will be to either write a wrapper around S3's Java REST SDK, or:
Skip CloudFront altogether and use an nginx proxy instead with a configuration that includes something like:

proxy_set_header    Host mybucket.s3.amazonaws.com;
answered 5 years ago
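To make the mechanism in this answer concrete, here is an added example (not from the original post, and not AWS SDK code) that models SigV4 on both sides: the client signer and the check S3 performs when the request arrives. It uses only the Python standard library; the access key, secret, timestamp and body are constructed values. It reproduces the SignatureDoesNotMatch above (the client signs for mybucket.mydomain.com, CloudFront replaces Host with the S3 origin domain, S3 recomputes over a different Host) and the workaround the answer describes (sign as if talking to mybucket.s3.amazonaws.com, then send the already-signed request to the custom domain).

```python
"""Why a request signed for mybucket.mydomain.com is rejected behind CloudFront.

Minimal SigV4 model (client signer + the recomputation S3 does) showing that
the Host header is part of the signed material, so the host the client signs
for must equal the host S3 actually receives from CloudFront.
"""
import hashlib
import hmac
from urllib.parse import quote

SERVICE = "s3"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _canonical_request(method, path, query, headers, payload_hash):
    """SigV4 canonical request; returns (canonical_request, signed_headers)."""
    canon = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in canon)
    signed_headers = ";".join(k for k, _ in canon)
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    canonical_uri = quote(path, safe="/-_.~")
    cr = "\n".join([method, canonical_uri, canonical_query, canonical_headers, signed_headers, payload_hash])
    return cr, signed_headers


def _signature(secret_key, amz_date, region, canonical_request):
    """Derive the scoped signing key and sign the string-to-sign; returns (hex signature, scope)."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode())])
    key = _hmac_sha256(("AWS4" + secret_key).encode(), date)
    for part in (region, SERVICE, "aws4_request"):
        key = _hmac_sha256(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest(), scope


def sign_request(method, host, path, query, body, access_key, secret_key, region, amz_date):
    """Client side: headers (lowercase names) for a request whose signed Host is `host`."""
    payload_hash = _sha256_hex(body)
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    cr, signed = _canonical_request(method, path, query, headers, payload_hash)
    sig, scope = _signature(secret_key, amz_date, region, cr)
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, SignedHeaders={signed}, Signature={sig}"
    )
    return headers


def s3_accepts(method, path, query, body, received, secret_key):
    """Server side: S3 recomputes the signature over the headers it actually received."""
    prefix = "AWS4-HMAC-SHA256 "
    auth = received.get("authorization", "")
    if not auth.startswith(prefix):
        return False
    try:
        fields = dict(p.strip().split("=", 1) for p in auth[len(prefix):].split(","))
        region = fields["Credential"].split("/")[2]
        headers = {name: received[name] for name in fields["SignedHeaders"].split(";")}
        claimed = fields["Signature"]
    except (KeyError, ValueError, IndexError):
        return False
    cr, _ = _canonical_request(method, path, query, headers, _sha256_hex(body))
    expected, _ = _signature(secret_key, received.get("x-amz-date", ""), region, cr)
    return hmac.compare_digest(expected, claimed)


def cloudfront_to_s3_origin(wire_headers, origin_host):
    """CloudFront sets Host to the S3 origin domain before contacting S3 (it cannot forward the viewer's Host to an S3 origin)."""
    forwarded = dict(wire_headers)
    forwarded["host"] = origin_host
    return forwarded


def demo():
    """Returns (naive_accepted, resigned_accepted) for the two approaches."""
    custom, origin = "mybucket.mydomain.com", "mybucket.s3.amazonaws.com"
    ak, sk, region = "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "us-east-1"  # constructed
    amz_date, body = "20190321T135100Z", b"hello"  # constructed

    # 1. What the CLI does with --endpoint-url https://mybucket.mydomain.com: sign for the custom host.
    naive = sign_request("PUT", custom, "/myfile.txt", {}, body, ak, sk, region, amz_date)
    naive_ok = s3_accepts("PUT", "/myfile.txt", {}, body, cloudfront_to_s3_origin(naive, origin), sk)

    # 2. Sign as if talking to S3 directly, then connect to the custom domain with that signature.
    fixed = sign_request("PUT", origin, "/myfile.txt", {}, body, ak, sk, region, amz_date)
    on_wire = dict(fixed, host=custom)  # the HTTP client sends Host = the domain it connects to
    fixed_ok = s3_accepts("PUT", "/myfile.txt", {}, body, cloudfront_to_s3_origin(on_wire, origin), sk)
    return naive_ok, fixed_ok


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(False, True)`: the naively signed request is the SignatureDoesNotMatch in the first answer, the re-signed one verifies because S3 recomputes over the same Host the client signed for. Two things to check on the distribution before trying this for real: the cache behavior must forward the Authorization header and the query string to the origin (CloudFront forwards neither by default, so list-objects with `encoding-type=url` would be signed over a query string S3 never sees), and since the Host header cannot be forwarded to an S3 origin, re-signing on the client or fronting S3 with a proxy that sets Host itself are the only two ways to make the signed host and the received host agree.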
