Virtual hosting an S3 bucket using CloudFront + SSL


I would like to virtual host an S3 bucket so that users can interact with
https://mybucket.mydomain.com instead of mybucket.s3.amazonaws.com. Users would be interacting with the bucket using their own credentials via code or the s3 cli.

To do this, I created a CloudFront distribution with:

  • an origin of mybucket.s3.amazonaws.com
  • mybucket.mydomain.com and mydomain.com as CNAMEs
  • an SSL certificate for mybucket.mydomain.com and *.mydomain.com and mydomain.com (created in ACM)

However, when I try to interact with the bucket with the s3 cli, like so

aws s3api list-objects --endpoint-url https://mydomain.com --bucket mybucket

I get the following error:

SSL validation failed for https://mybucket.mydomain.com/?encoding-type=url [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:600)

Similarly when I try to put an object:

aws s3api put-object --endpoint-url https://mydomain.com --bucket mybucket --key myfile.txt
SSL validation failed for https://mybucket.mydomain.com/myfile.txt [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:600)

However, when I visit https://mybucket.mydomain.com in a web browser, I do not get an SSL error. Why do I get this SSL error when I use the S3 cli, but not a web browser?

Note, I have the following in my ~/.aws/config to tell S3 to use the virtual addressing style

s3 =
  addressing_style = virtual

Edited by: autumnbugs on Mar 21, 2019 1:51 PM

asked 5 years ago, 619 views
2 Answers

Still having this issue, though when I try my request from a different box (the first was on a mac) I get a different failure:

aws s3api put-object --endpoint-url https://mydomain.com --bucket mybucket --key myfile.txt
An error occurred (SignatureDoesNotMatch) when calling the PutObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

The same request works from both boxes when I use the standard s3 endpoint, so I still think this must be an issue with my cloudfront configuration.

aws s3api put-object --endpoint-url https://s3.amazonaws.com --bucket mybucket --key myfile.txt
answered 5 years ago

The issue was: The client signs the request using the custom domain; but then when S3 gets the request from CloudFront it expects the request to be signed for s3.amazonaws.com, not the custom domain.

Resolution: Depending on the client you use, you might be able to set the custom endpoint after the request (and signature) is created. See https://github.com/aws/aws-sdk-go/issues/826#issuecomment-247651352 for an example.
Unfortunately, this is not possible with the Java SDK. Our solution will be to either write a wrapper around S3's Java Rest SDK, or:
Skip CloudFront altogether and use an nginx proxy instead with a configuration that includes something like:

proxy_set_header    Host mybucket.s3.amazonaws.com;
answered 5 years ago
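The Host-header mismatch described in the answer above can be reproduced offline. The following is an added example, not code from the original thread or from AWS: a minimal Signature Version 4 implementation using only the Python standard library, with constructed (non-functional) credentials, a fixed timestamp and the hostnames from the question. It signs the same PUT three ways and checks each against what S3 would recompute after CloudFront has forwarded the request with the origin Host, which is exactly the SignatureDoesNotMatch case and the "sign for s3.amazonaws.com, send to the custom domain" workaround. The server-side check (`s3_accepts`) is a deliberately simplified model of S3's verification, not S3's actual code.

```python
"""
Why a SigV4 request signed for mybucket.mydomain.com fails at S3 behind
CloudFront: the Host header is part of the signed canonical request, and
CloudFront hands S3 a request whose Host is mybucket.s3.amazonaws.com.
Standard library only; nothing here contacts AWS.
"""
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed, non-functional credentials and a fixed clock so results are reproducible.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
SERVICE = "s3"
S3_HOST = "mybucket.s3.amazonaws.com"      # what S3 sees after CloudFront forwards the origin Host
CUSTOM_HOST = "mybucket.mydomain.com"      # what the CLI signs for with addressing_style = virtual
FIXED_TIME = datetime(2019, 3, 21, 13, 51, 0, tzinfo=timezone.utc)
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()   # payload hash of an empty body


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the SigV4 signing key: HMAC chain over date, region, service, 'aws4_request'."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sigv4_authorization(method: str, host: str, path: str, query: str,
                        payload_hash: str, when: datetime = FIXED_TIME) -> str:
    """Authorization header for a request whose signed Host header is `host`."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    # Host is a mandatory signed header: a different Host yields a different signature.
    canonical_headers = (f"host:{host}\n"
                         f"x-amz-content-sha256:{payload_hash}\n"
                         f"x-amz-date:{amz_date}\n")
    signed_headers = "host;x-amz-content-sha256;x-amz-date"
    canonical_request = "\n".join([method, path, query, canonical_headers,
                                   signed_headers, payload_hash])
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    key = signing_key(SECRET_KEY, date_stamp, REGION, SERVICE)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def put_object_headers(target_host: str, sign_for_host: str, key: str) -> dict:
    """Headers a client emits for PUT /<key> sent to target_host.

    sign_for_host is the Host value the signature is computed over. The CLI in the
    question uses target_host for both; the aws-sdk-go workaround linked in the
    answer signs for the S3 host and only then swaps in the custom endpoint.
    """
    return {
        "Host": target_host,
        "x-amz-content-sha256": EMPTY_SHA256,
        "x-amz-date": FIXED_TIME.strftime("%Y%m%dT%H%M%SZ"),
        "Authorization": sigv4_authorization("PUT", sign_for_host, f"/{key}", "", EMPTY_SHA256),
    }


def s3_accepts(headers: dict, host_seen_by_s3: str, key: str) -> bool:
    """Simplified model of S3's check: recompute the signature over the Host it
    actually received and compare to the Authorization header it was given."""
    expected = sigv4_authorization("PUT", host_seen_by_s3, f"/{key}", "", EMPTY_SHA256)
    return hmac.compare_digest(headers["Authorization"], expected)


if __name__ == "__main__":
    key = "myfile.txt"
    # 1. Straight to S3: signed Host == received Host. Accepted.
    direct = put_object_headers(S3_HOST, S3_HOST, key)
    print("direct to S3:", s3_accepts(direct, S3_HOST, key))
    # 2. Via CloudFront as in the question: signed for the custom domain, but S3
    #    receives the origin Host. SignatureDoesNotMatch.
    broken = put_object_headers(CUSTOM_HOST, CUSTOM_HOST, key)
    print("via CloudFront, signed for custom domain:", s3_accepts(broken, S3_HOST, key))
    # 3. Workaround: sign for the S3 host, send to the custom domain.
    fixed = put_object_headers(CUSTOM_HOST, S3_HOST, key)
    print("via CloudFront, signed for S3 host:", s3_accepts(fixed, S3_HOST, key))
```

Two practical caveats follow from the model. The workaround only holds if the intermediary passes the Authorization, x-amz-date and x-amz-content-sha256 headers through to S3 unchanged and presents S3 with the Host the client signed for; any proxy that rewrites Host, CloudFront or nginx alike, must be paired with a client that signs for the rewritten value. And the mismatch is not a defect: rejecting a signature computed over a different Host is what stops a captured request from being replayed against another endpoint.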
