Question:

Configuring a CloudFront distribution with an S3 origin and a custom origin (ELB) using AWS CDK

梁丘德寿
2023-03-14

I have an application built with Django and Vue.js. Currently the API is served at api.mydomain.com, which sends traffic to an Application Load Balancer that routes to a Fargate service, and the Vue.js static site is served at mydomain.com, which sends traffic to a CloudFront distribution in front of the S3 bucket that stores the site's static assets.

I would like to serve the API at mydomain.com/api/* without using a subdomain, and keep serving the static site at mydomain.com.

The ALB works fine: I can go to the AWS-generated URL of the ALB and get the correct response from my Fargate service.

Here is the CDK code for my CloudFront distribution:

import os

from aws_cdk import (
    aws_certificatemanager as acm,
    aws_s3 as s3,
    aws_cloudfront as cloudfront,
    aws_route53 as route53,
    aws_iam as iam,
    aws_route53_targets as targets,
    core,
)


class StaticSite(core.Construct):
    def __init__(
        self,
        scope: core.Construct,
        id: str,
        hosted_zone: route53.IHostedZone,
        certificate: acm.ICertificate,
        alb: str,
        **kwargs,
    ) -> None:
        super().__init__(scope, id, **kwargs)

        self.static_site_bucket = s3.Bucket(
            self,
            "StaticSiteBucket",
            access_control=s3.BucketAccessControl.PUBLIC_READ,
            bucket_name=os.environ.get("DOMAIN_NAME", "mysite.com"),
            removal_policy=core.RemovalPolicy.DESTROY,
        )

        self.policy_statement = iam.PolicyStatement(
            actions=["s3:GetObject"],
            resources=[f"{self.static_site_bucket.bucket_arn}/*"],
        )

        self.policy_statement.add_any_principal()

        self.static_site_policy_document = iam.PolicyDocument(
            statements=[self.policy_statement]
        )

        self.static_site_bucket.add_to_resource_policy(self.policy_statement)

        self.distribution = cloudfront.CloudFrontWebDistribution(
            self,
            "CloudFrontDistribution",
            origin_configs=[
                cloudfront.SourceConfiguration(
                    s3_origin_source=cloudfront.S3OriginConfig(
                        s3_bucket_source=self.static_site_bucket
                    ),
                    behaviors=[cloudfront.Behavior(is_default_behavior=True)],
                ),
                cloudfront.SourceConfiguration(
                    # origin_path="/test",
                    custom_origin_source=cloudfront.CustomOriginConfig(
                        domain_name=alb,
                    ),
                    behaviors=[
                        cloudfront.Behavior(
                            path_pattern="/test",
                            # forwarded_values={"headers": ["*"], "query_string": True},
                        )
                    ],
                ),
            ],
            alias_configuration=cloudfront.AliasConfiguration(
                acm_cert_ref=certificate.certificate_arn,
                names=[
                    os.environ.get("DOMAIN_NAME", "mysite.com"),
                    f"*.{os.environ.get('DOMAIN_NAME', 'mysite.com')}",
                ],
            ),
            error_configurations=[
                {
                    "errorCode": 403,
                    "errorCachingMinTtl": 0,
                    "responseCode": 200,
                    "responsePagePath": "/index.html",
                },
                {
                    "errorCode": 404,
                    "errorCachingMinTtl": 0,
                    "responseCode": 200,
                    "responsePagePath": "/index.html",
                },
            ],
        )

        route53.ARecord(
            self,
            "AliasRecord1",
            target=route53.AddressRecordTarget.from_alias(
                targets.CloudFrontTarget(self.distribution)
            ),
            zone=hosted_zone.hosted_zone,
            # don't forget the '.' at the end of the record name!
            record_name=f"{os.environ.get('DOMAIN_NAME', 'mysite.com')}.",
        )

# --- second construct, defined in its own module: the ALB ---
from aws_cdk import (
    aws_iam as iam,
    aws_ec2 as ec2,
    aws_route53 as route53,
    aws_certificatemanager as acm,
    aws_elasticloadbalancingv2 as elbv2,
    core,
)


class ApplicationLoadBalancer(core.Construct):
    def __init__(
        self,
        scope: core.Construct,
        id: str,
        hosted_zone: route53.IHostedZone,
        certificate: acm.ICertificate,
        vpc: ec2.IVpc,
        **kwargs
    ) -> None:
        super().__init__(scope, id, **kwargs)

        self.alb = elbv2.ApplicationLoadBalancer(
            self, "ALB", internet_facing=True, vpc=vpc
        )

        self.alb.connections.allow_from_any_ipv4(
            ec2.Port.tcp(80), "Internet access ALB 80"
        )

        self.alb.connections.allow_from_any_ipv4(
            ec2.Port.tcp(443), "Internet access ALB 443"
        )

        # redirect_listener = elbv2.CfnListener(
        #     self,
        #     "RedirectListener",
        #     protocol="HTTP",
        #     port=80,
        #     load_balancer_arn=self.alb.load_balancer_arn,
        #     default_actions=[
        #         {
        #             "type": "redirect",
        #             "redirectConfig": {
        #                 "host": "#{host}",
        #                 "path": "/#{path}",
        #                 "port": "443",
        #                 "protocol": "HTTPS",
        #                 "query": "#{query}",
        #                 "statusCode": "HTTP_301",
        #             },
        #         }
        #     ],
        # )

        # I think this part is incorrect
        self.redirect_response = elbv2.RedirectResponse(
            status_code="HTTP_301",
            host="#{host}",
            path="/#{path}",
            port="80",
            protocol="HTTPS",
            query="#{query}",
        )

        self.https_listener = elbv2.ApplicationListener(
            self,
            "HTTPSListener",
            load_balancer=self.alb,
            port=443,
            certificates=[
                elbv2.ListenerCertificate(certificate.certificate_arn)
            ],
        )

        self.default_target_group = elbv2.ApplicationTargetGroup(
            self,
            "DefaultTargetGroup",
            port=80,
            protocol=elbv2.ApplicationProtocol.HTTP,
            vpc=vpc,
        )

        self.https_listener.add_target_groups(
            "DefaultTargetGroup", target_groups=[self.default_target_group]
        )

Here is the output of cdk synth:

Resources:
  SiteCert6025247C:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: mydomain.com
      DomainValidationOptions:
        - DomainName: mydomain.com
          ValidationDomain: mydomain.com
        - DomainName: "*.mydomain.com"
          ValidationDomain: mydomain.com
      SubjectAlternativeNames:
        - "*.mydomain.com"
      ValidationMethod: DNS
    Metadata:
      aws:cdk:path: awscdk/SiteCert/Resource
  VpcC3027511:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: awscdk/Vpc/Vpc
    Metadata:
      aws:cdk:path: awscdk/Vpc/Vpc/Resource
  VpcPublicSubnet1Subnet8E8DEDC0:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.0.0/24
      VpcId:
        Ref: VpcC3027511
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: awscdk/Vpc/Vpc/PublicSubnet1
        - Key: aws-cdk:subnet-name
          Value: Public
        - Key: aws-cdk:subnet-type
          Value: Public
    Metadata:
      aws:cdk:path: awscdk/Vpc/Vpc/PublicSubnet1/Subnet
  VpcPublicSubnet1RouteTable431DD755:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcC3027511
      Tags:
        - Key: Name
          Value: awscdk/Vpc/Vpc/PublicSubnet1
    Metadata:
      aws:cdk:path: awscdk/Vpc/Vpc/PublicSubnet1/RouteTable
  VpcPublicSubnet1RouteTableAssociationBBCB7AA1:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcPublicSubnet1RouteTable431DD755
      SubnetId:
        Ref: VpcPublicSubnet1Subnet8E8DEDC0
    Metadata:
      aws:cdk:path: awscdk/Vpc/Vpc/PublicSubnet1/RouteTableAssociation
  VpcPublicSubnet1DefaultRoute0F5C6C43:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcPublicSubnet1RouteTable431DD755
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: VpcIGW488B0FEB
    DependsOn:
      - VpcVPCGW42EC8516
    Metadata:
      aws:cdk:path: awscdk/Vpc/Vpc/PublicSubnet1/DefaultRoute
  VpcPublicSubnet2SubnetA811849C:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.1.0/24
      VpcId:
        Ref: VpcC3027511
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: awscdk/Vpc/Vpc/PublicSubnet2
        - Key: aws-cdk:subnet-name
          Value: Public
        - Key: aws-cdk:subnet-type
          Value: Public
    Metadata:
      aws:cdk:path: awscdk/Vpc/Vpc/PublicSubnet2/Subnet
  VpcPublicSubnet2RouteTable77FB35FC:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcC3027511
      Tags:
        - Key: Name
          Value: awscdk/Vpc/Vpc/PublicSubnet2
    Metadata:
      aws:cdk:path: awscdk/Vpc/Vpc/PublicSubnet2/RouteTable
  VpcPublicSubnet2RouteTableAssociation3AFE92E6:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcPublicSubnet2RouteTable77FB35FC
      SubnetId:
        Ref: VpcPublicSubnet2SubnetA811849C
    Metadata:
      aws:cdk:path: awscdk/Vpc/Vpc/PublicSubnet2/RouteTableAssociation
  VpcPublicSubnet2DefaultRouteD629179A:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: VpcPublicSubnet2RouteTable77FB35FC
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: VpcIGW488B0FEB
    DependsOn:
      - VpcVPCGW42EC8516
    Metadata:
      aws:cdk:path: awscdk/Vpc/Vpc/PublicSubnet2/DefaultRoute
  VpcIsolatedSubnet1SubnetDC3C6AF8:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.2.0/24
      VpcId:
        Ref: VpcC3027511
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: awscdk/Vpc/Vpc/IsolatedSubnet1
        - Key: aws-cdk:subnet-name
          Value: Isolated
        - Key: aws-cdk:subnet-type
          Value: Isolated
    Metadata:
      aws:cdk:path: awscdk/Vpc/Vpc/IsolatedSubnet1/Subnet
  VpcIsolatedSubnet1RouteTableF057227C:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcC3027511
      Tags:
        - Key: Name
          Value: awscdk/Vpc/Vpc/IsolatedSubnet1
    Metadata:
      aws:cdk:path: awscdk/Vpc/Vpc/IsolatedSubnet1/RouteTable
  VpcIsolatedSubnet1RouteTableAssociation0FC379C3:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcIsolatedSubnet1RouteTableF057227C
      SubnetId:
        Ref: VpcIsolatedSubnet1SubnetDC3C6AF8
    Metadata:
      aws:cdk:path: awscdk/Vpc/Vpc/IsolatedSubnet1/RouteTableAssociation
  VpcIsolatedSubnet2SubnetB479B99C:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.3.0/24
      VpcId:
        Ref: VpcC3027511
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: awscdk/Vpc/Vpc/IsolatedSubnet2
        - Key: aws-cdk:subnet-name
          Value: Isolated
        - Key: aws-cdk:subnet-type
          Value: Isolated
    Metadata:
      aws:cdk:path: awscdk/Vpc/Vpc/IsolatedSubnet2/Subnet
  VpcIsolatedSubnet2RouteTableBAB510EF:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcC3027511
      Tags:
        - Key: Name
          Value: awscdk/Vpc/Vpc/IsolatedSubnet2
    Metadata:
      aws:cdk:path: awscdk/Vpc/Vpc/IsolatedSubnet2/RouteTable
  VpcIsolatedSubnet2RouteTableAssociation8E8989F5:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: VpcIsolatedSubnet2RouteTableBAB510EF
      SubnetId:
        Ref: VpcIsolatedSubnet2SubnetB479B99C
    Metadata:
      aws:cdk:path: awscdk/Vpc/Vpc/IsolatedSubnet2/RouteTableAssociation
  VpcIGW488B0FEB:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: awscdk/Vpc/Vpc
    Metadata:
      aws:cdk:path: awscdk/Vpc/Vpc/IGW
  VpcVPCGW42EC8516:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: VpcC3027511
      InternetGatewayId:
        Ref: VpcIGW488B0FEB
    Metadata:
      aws:cdk:path: awscdk/Vpc/Vpc/VPCGW
  ApplicationLoadBalancerALBE88818A8:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internet-facing
      SecurityGroups:
        - Fn::GetAtt:
            - ApplicationLoadBalancerALBSecurityGroup0D676F12
            - GroupId
      Subnets:
        - Ref: VpcPublicSubnet1Subnet8E8DEDC0
        - Ref: VpcPublicSubnet2SubnetA811849C
      Type: application
    DependsOn:
      - VpcPublicSubnet1DefaultRoute0F5C6C43
      - VpcPublicSubnet2DefaultRouteD629179A
    Metadata:
      aws:cdk:path: awscdk/ApplicationLoadBalancer/ALB/Resource
  ApplicationLoadBalancerALBSecurityGroup0D676F12:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Automatically created Security Group for ELB awscdkApplicationLoadBalancerALB81FD6B77
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          Description: Internet access ALB 80
          FromPort: 80
          IpProtocol: tcp
          ToPort: 80
        - CidrIp: 0.0.0.0/0
          Description: Internet access ALB 443
          FromPort: 443
          IpProtocol: tcp
          ToPort: 443
      VpcId:
        Ref: VpcC3027511
    Metadata:
      aws:cdk:path: awscdk/ApplicationLoadBalancer/ALB/SecurityGroup/Resource
  ApplicationLoadBalancerALBSecurityGrouptoawscdkBackendBackendServiceSecurityGroupD69D8DD280A0C3942C:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId:
        Fn::GetAtt:
          - ApplicationLoadBalancerALBSecurityGroup0D676F12
          - GroupId
      IpProtocol: tcp
      Description: Load balancer to target
      DestinationSecurityGroupId:
        Fn::GetAtt:
          - BackendBackendServiceSecurityGroupA039445A
          - GroupId
      FromPort: 80
      ToPort: 80
    Metadata:
      aws:cdk:path: awscdk/ApplicationLoadBalancer/ALB/SecurityGroup/to awscdkBackendBackendServiceSecurityGroupD69D8DD2:80
  ApplicationLoadBalancerHTTPSListenerC96D73F5:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - TargetGroupArn:
            Ref: ApplicationLoadBalancerDefaultTargetGroupF1B3D7D1
          Type: forward
      LoadBalancerArn:
        Ref: ApplicationLoadBalancerALBE88818A8
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn:
            Ref: SiteCert6025247C
    Metadata:
      aws:cdk:path: awscdk/ApplicationLoadBalancer/HTTPSListener/Resource
  ApplicationLoadBalancerHTTPSListenerBackendTargetGroupA4042837:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Port: 80
      Protocol: HTTP
      TargetType: ip
      VpcId:
        Ref: VpcC3027511
    Metadata:
      aws:cdk:path: awscdk/ApplicationLoadBalancer/HTTPSListener/BackendTargetGroup/Resource
  ApplicationLoadBalancerHTTPSListenerBackendTargetRuleA3A291E2:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      Actions:
        - TargetGroupArn:
            Ref: ApplicationLoadBalancerHTTPSListenerBackendTargetGroupA4042837
          Type: forward
      Conditions:
        - Field: path-pattern
          Values:
            - "*"
      ListenerArn:
        Ref: ApplicationLoadBalancerHTTPSListenerC96D73F5
      Priority: 1
    Metadata:
      aws:cdk:path: awscdk/ApplicationLoadBalancer/HTTPSListener/BackendTargetRule/Resource
  ApplicationLoadBalancerDefaultTargetGroupF1B3D7D1:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Port: 80
      Protocol: HTTP
      VpcId:
        Ref: VpcC3027511
    Metadata:
      aws:cdk:path: awscdk/ApplicationLoadBalancer/DefaultTargetGroup/Resource
  StaticSiteStaticSiteBucket442CE34F:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: PublicRead
      BucketName: mydomain.com
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: awscdk/StaticSite/StaticSiteBucket/Resource
  StaticSiteStaticSiteBucketPolicyC8E62485:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: StaticSiteStaticSiteBucket442CE34F
      PolicyDocument:
        Statement:
          - Action: s3:GetObject
            Effect: Allow
            Principal: "*"
            Resource:
              Fn::Join:
                - ""
                - - Fn::GetAtt:
                      - StaticSiteStaticSiteBucket442CE34F
                      - Arn
                  - /*
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: awscdk/StaticSite/StaticSiteBucket/Policy/Resource
  StaticSiteCloudFrontDistributionCFDistributionA70E78CD:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          - mydomain.com
          - "*.mydomain.com"
        CacheBehaviors:
          - AllowedMethods:
              - GET
              - HEAD
            CachedMethods:
              - GET
              - HEAD
            Compress: true
            ForwardedValues:
              Headers:
                - "*"
              QueryString: true
            PathPattern: /test
            TargetOriginId: origin2
            ViewerProtocolPolicy: redirect-to-https
        CustomErrorResponses:
          - ErrorCachingMinTTL: 0
            ErrorCode: 403
            ResponseCode: 200
            ResponsePagePath: /index.html
          - ErrorCachingMinTTL: 0
            ErrorCode: 404
            ResponseCode: 200
            ResponsePagePath: /index.html
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
          CachedMethods:
            - GET
            - HEAD
          Compress: true
          ForwardedValues:
            Cookies:
              Forward: none
            QueryString: false
          TargetOriginId: origin1
          ViewerProtocolPolicy: redirect-to-https
        DefaultRootObject: index.html
        Enabled: true
        HttpVersion: http2
        IPV6Enabled: true
        Origins:
          - DomainName:
              Fn::GetAtt:
                - StaticSiteStaticSiteBucket442CE34F
                - RegionalDomainName
            Id: origin1
            S3OriginConfig: {}
          - CustomOriginConfig:
              HTTPPort: 80
              HTTPSPort: 443
              OriginKeepaliveTimeout: 5
              OriginProtocolPolicy: https-only
              OriginReadTimeout: 30
              OriginSSLProtocols:
                - TLSv1.2
            DomainName:
              Fn::GetAtt:
                - ApplicationLoadBalancerALBE88818A8
                - DNSName
            Id: origin2
        PriceClass: PriceClass_100
        ViewerCertificate:
          AcmCertificateArn:
            Ref: SiteCert6025247C
          SslSupportMethod: sni-only
    Metadata:
      aws:cdk:path: awscdk/StaticSite/CloudFrontDistribution/CFDistribution
  StaticSiteAliasRecord4F27A661:
    Type: AWS::Route53::RecordSet
    Properties:
      Name: "*.mydomain.com."
      Type: A
      AliasTarget:
        DNSName:
          Fn::GetAtt:
            - StaticSiteCloudFrontDistributionCFDistributionA70E78CD
            - DomainName
        HostedZoneId: Z2FDTNDATAQYW2
      HostedZoneId: Z1EJVU8DMBV0XG
    Metadata:
      aws:cdk:path: awscdk/StaticSite/AliasRecord/Resource
  StaticSiteAliasRecord1B2F1F710:
    Type: AWS::Route53::RecordSet
    Properties:
      Name: mydomain.com.
      Type: A
      AliasTarget:
        DNSName:
          Fn::GetAtt:
            - StaticSiteCloudFrontDistributionCFDistributionA70E78CD
            - DomainName
        HostedZoneId: Z2FDTNDATAQYW2
      HostedZoneId: Z1EJVU8DMBV0XG
    Metadata:
      aws:cdk:path: awscdk/StaticSite/AliasRecord1/Resource
  ElasticContainerRepo2908E7AA:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: mydomain.com/backend
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: awscdk/ElasticContainerRepo/Resource
  EcsEcsCluster51C39CA0:
    Type: AWS::ECS::Cluster
    Metadata:
      aws:cdk:path: awscdk/Ecs/EcsCluster/Resource
  BackendBackendTaskTaskRoleD7BBECAE:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
        Version: "2012-10-17"
    Metadata:
      aws:cdk:path: awscdk/Backend/BackendTask/TaskRole/Resource
  BackendBackendTask22B2DD1D:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Essential: true
          Image: nginx:alpine
          Name: nginx
          PortMappings:
            - ContainerPort: 80
              Protocol: tcp
      Cpu: "256"
      Family: awscdkBackendBackendTask594F440A
      Memory: "512"
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      TaskRoleArn:
        Fn::GetAtt:
          - BackendBackendTaskTaskRoleD7BBECAE
          - Arn
    Metadata:
      aws:cdk:path: awscdk/Backend/BackendTask/Resource
  BackendBackendService9DB18AD9:
    Type: AWS::ECS::Service
    Properties:
      Cluster:
        Ref: EcsEcsCluster51C39CA0
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 50
      DesiredCount: 1
      EnableECSManagedTags: false
      HealthCheckGracePeriodSeconds: 60
      LaunchType: FARGATE
      LoadBalancers:
        - ContainerName: nginx
          ContainerPort: 80
          TargetGroupArn:
            Ref: ApplicationLoadBalancerHTTPSListenerBackendTargetGroupA4042837
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED
          SecurityGroups:
            - Fn::GetAtt:
                - BackendBackendServiceSecurityGroupA039445A
                - GroupId
          Subnets:
            - Ref: VpcPublicSubnet1Subnet8E8DEDC0
            - Ref: VpcPublicSubnet2SubnetA811849C
      TaskDefinition:
        Ref: BackendBackendTask22B2DD1D
    DependsOn:
      - ApplicationLoadBalancerHTTPSListenerBackendTargetRuleA3A291E2
    Metadata:
      aws:cdk:path: awscdk/Backend/BackendService/Service
  BackendBackendServiceSecurityGroupA039445A:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: awscdk/Backend/BackendService/SecurityGroup
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          Description: Allow all outbound traffic by default
          IpProtocol: "-1"
      VpcId:
        Ref: VpcC3027511
    Metadata:
      aws:cdk:path: awscdk/Backend/BackendService/SecurityGroup/Resource
  BackendBackendServiceSecurityGroupfromawscdkApplicationLoadBalancerALBSecurityGroup5E233E2F80CC189352:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      Description: Load balancer to target
      FromPort: 80
      GroupId:
        Fn::GetAtt:
          - BackendBackendServiceSecurityGroupA039445A
          - GroupId
      SourceSecurityGroupId:
        Fn::GetAtt:
          - ApplicationLoadBalancerALBSecurityGroup0D676F12
          - GroupId
      ToPort: 80
    Metadata:
      aws:cdk:path: awscdk/Backend/BackendService/SecurityGroup/from awscdkApplicationLoadBalancerALBSecurityGroup5E233E2F:80
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      ...

Here is the full repo of the branch where I am trying to implement IaC with CDK: https://gitlab.com/verbose-equals-true/django-postgres-vue-gitlab-ecs/-/tree/feature-aws-cdk. I am trying to move this project from CloudFormation to CDK.

1 answer

朱华皓
2023-03-14

You need to forward all cookies, headers and query strings in any behavior that points at the ALB origin. If you intend to send data to this backend, you will probably also want to allow all methods.

Here is a TypeScript example I am currently working on for a project (it looks slightly different from yours, but should be easy to adapt):

const cdn = new cf.CloudFrontWebDistribution(this, 'SPACloudFrontDistribution', {
  originConfigs: [
    {
      customOriginSource: {
        domainName: alb.loadBalancerDnsName,
        originProtocolPolicy: cf.OriginProtocolPolicy.MATCH_VIEWER
      },
      behaviors: [
        {
          isDefaultBehavior: true,
          allowedMethods: cf.CloudFrontAllowedMethods.ALL,
          forwardedValues: {
            queryString: true,
            cookies: {
              forward: 'all'
            },
            headers: ['*']
          }
        }
      ]
    },
    {
      s3OriginSource: {
        s3BucketSource: bucket
      },
      behaviors: [
        {
          pathPattern: '/static/*',
          allowedMethods: cf.CloudFrontAllowedMethods.GET_HEAD,
          cachedMethods: cf.CloudFrontAllowedCachedMethods.GET_HEAD
        }
      ]
    }
  ],
  aliasConfiguration: {
    acmCertRef: sslCert.certificateArn,
    names: domains
  },
  defaultRootObject: ''
});
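As an added example (not code from the question, the answer, or the linked repo), the following Python checks a synthesized template for exactly the points the answer makes: every behavior that points at a custom (ALB) origin must forward all cookies, all headers and the query string, and should allow all methods. It works on the CloudFormation structure that `cdk synth` emits, so it runs without aws_cdk installed; the sample template is a constructed, trimmed copy of the synth output in the question, with assumed origin domain names. It goes one step beyond the answer with a check the synth output makes visible: `S3OriginConfig: {}` means no origin access identity is configured, which is why the bucket has to be public-read for CloudFront to reach it.

```python
"""Lint a synthesized CloudFormation template for the CloudFront behaviour
settings discussed in the answer (constructed example, not the page's code)."""

import copy
from typing import Dict, Iterator, List, Tuple

# Constructed sample, trimmed from the synth output in the question: origin1 is
# the S3 bucket, origin2 the ALB; only the /test behaviour points at the ALB.
# Domain names are placeholders.
DIST_ID = "StaticSiteCloudFrontDistributionCFDistributionA70E78CD"
SAMPLE_TEMPLATE: Dict = {
    "Resources": {
        DIST_ID: {
            "Type": "AWS::CloudFront::Distribution",
            "Properties": {
                "DistributionConfig": {
                    "CacheBehaviors": [
                        {
                            "AllowedMethods": ["GET", "HEAD"],
                            "ForwardedValues": {"Headers": ["*"], "QueryString": True},
                            "PathPattern": "/test",
                            "TargetOriginId": "origin2",
                        }
                    ],
                    "DefaultCacheBehavior": {
                        "AllowedMethods": ["GET", "HEAD"],
                        "ForwardedValues": {"Cookies": {"Forward": "none"}, "QueryString": False},
                        "TargetOriginId": "origin1",
                    },
                    "Origins": [
                        {"Id": "origin1", "DomainName": "bucket.example.invalid", "S3OriginConfig": {}},
                        {"Id": "origin2", "DomainName": "alb.example.invalid",
                         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
                    ],
                }
            },
        }
    }
}

ALL_METHODS = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]


def _behaviors(config: Dict) -> Iterator[Tuple[str, Dict]]:
    """Yield (label, behaviour) for the default behaviour and each path behaviour."""
    yield "default", config.get("DefaultCacheBehavior", {})
    for behavior in config.get("CacheBehaviors", []):
        yield behavior.get("PathPattern", "?"), behavior


def _origin_for(behavior: Dict, config: Dict) -> Dict:
    """Resolve the origin a behaviour targets, by TargetOriginId."""
    origins = {o["Id"]: o for o in config.get("Origins", [])}
    return origins.get(behavior.get("TargetOriginId"), {})


def lint_distribution(config: Dict) -> List[str]:
    """Return findings for one DistributionConfig (empty list means clean)."""
    findings = []
    for label, behavior in _behaviors(config):
        origin = _origin_for(behavior, config)
        forwarded = behavior.get("ForwardedValues", {})
        if "CustomOriginConfig" in origin:
            # Dynamic backend behind the ALB: the answer's requirements.
            if forwarded.get("Cookies", {}).get("Forward") != "all":
                findings.append(f"{label}: cookies are not forwarded to the ALB origin")
            if "*" not in forwarded.get("Headers", []):
                findings.append(f"{label}: headers are not forwarded to the ALB origin")
            if not forwarded.get("QueryString"):
                findings.append(f"{label}: query string is not forwarded to the ALB origin")
            if set(behavior.get("AllowedMethods", [])) != set(ALL_METHODS):
                findings.append(f"{label}: only {behavior.get('AllowedMethods')} allowed; "
                                "POST/PUT/DELETE to the API will be rejected at the edge")
        elif "S3OriginConfig" in origin and not origin["S3OriginConfig"].get("OriginAccessIdentity"):
            # Matches the page's `S3OriginConfig: {}`: without an OAI the bucket must stay world-readable.
            findings.append(f"{label}: S3 origin has no OriginAccessIdentity, so the bucket must be public")
    return findings


def lint_template(template: Dict) -> List[str]:
    """Run lint_distribution over every CloudFront distribution in a template."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::CloudFront::Distribution":
            config = resource.get("Properties", {}).get("DistributionConfig", {})
            findings.extend(f"{name}: {f}" for f in lint_distribution(config))
    return findings


def harden_alb_behaviors(template: Dict) -> Dict:
    """Return a copy where every behaviour targeting a custom origin gets the answer's settings."""
    fixed = copy.deepcopy(template)
    for resource in fixed["Resources"].values():
        if resource.get("Type") != "AWS::CloudFront::Distribution":
            continue
        config = resource["Properties"]["DistributionConfig"]
        for _label, behavior in _behaviors(config):
            if "CustomOriginConfig" in _origin_for(behavior, config):
                behavior["AllowedMethods"] = list(ALL_METHODS)
                behavior["ForwardedValues"] = {"Cookies": {"Forward": "all"},
                                               "Headers": ["*"], "QueryString": True}
    return fixed


if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE):
        print("BEFORE:", finding)
    for finding in lint_template(harden_alb_behaviors(SAMPLE_TEMPLATE)):
        print("AFTER: ", finding)
```

Run it against the JSON under `cdk.out/` after `cdk synth` and the `/test` behaviour from the question produces two findings (cookies not forwarded, only GET/HEAD allowed); after `harden_alb_behaviors` only the S3 origin finding remains, which is a separate design decision from the answer's point. Forwarding every header and cookie to the ALB also means CloudFront caches almost nothing for that path, which is the intended trade-off for an API behaviour.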