
Is there a way of using HTTPS with Amazon's CloudFront CDN and CNAMEs?

@Reiling115

Posted in: #AmazonCloudfront #Cdn #Https

We use Amazon's CloudFront CDN with custom CNAMEs hanging under the main domain (static1.example.com). Although we can break this uniform appearance and use the original whatever123wigglyw00.cloudfront.net URLs to utilise HTTPS, is there another way?

Do Amazon or any other similar provider offer HTTPS CDN hosting?

Is TLS and its selective encryption available for use somewhere (SNI: Server Name Indication)?

Footnote: assuming that the answer is no, but just in the hope someone knows.

EDIT: Now using Google App Engine developers.google.com/appengine/docs/ssl for CDN hosting with SSL support.


2 Comments


 

@Odierno851

PLEASE NOTE THE EDITS & UPDATES BELOW

As of me writing this (May 23 2012), SSL is supported via the CloudFront distribution URL only. Meaning, you cannot CNAME the SSL URL. Concretely, you can reference an item via SSL as:
[distribution].cloudfront.net/picture.jpg

but not:
cdn.mydomain.com/picture.jpg

where cdn.mydomain.com is a CNAME to [distribution].cloudfront.net. At present you will get SSL errors.

This means you are unable to use your domain name or SSL cert. This can cause problems with crossdomain policies in the browser as well as add undue complexity to the maintenance of a site.

I have been assured by AWS staff that HTTPS support for distribution CNAMEs is on their feature list but that it needs community support for prioritization. To help in this effort please fill out the CloudFront survey (see below) and note this feature request. AWS staff use data gathered from the survey for planning and prioritizing the CloudFront roadmap.

Be sure to note that HTTPS CNAME support is needed when you take the CloudFront Survey: aws.qualtrics.com/SE/?SID=SV_9yvAN5PK8abJIFK

EDIT: Noticed a post from June 11, 2012 that AWS had updated the survey link:

New Survey Link: aws.qualtrics.com/SE/?SID=SV_e4eM1cRblPaccFS

I think it is worth the time to provide them feedback about making CNAME + SSL a supported feature.

EDIT: Announced on June 11, 2013, custom SSL Certs with dedicated IPs are now supported with CloudFront on AWS:

See the feature announcement on the AWS Blog: aws.typepad.com/aws/2013/06/custom-ssl-domain-names-root-domain-hosting-for-amazon-cloudfront.html

One item of consideration before counting on going this route, you need to see significant value from deviating from the [distribution].cloudfront.net route as the pricing is 0 USD per month for hosting custom SSL certs.

EDIT: Announced on March 5, 2014, custom SSL Certs using Server Name Indication (SNI) are now supported with CloudFront on AWS -- NO ADDITIONAL CHARGE:

AWS now supports custom SSL Certs via SNI. This is HUGE as it opens the possibility of leveraging AWS' existing infrastructure (IP addresses). As such, AWS does not charge extra for this service! To learn more, read about it on the AWS blog post: aws.typepad.com/aws/2014/03/server-name-indication-sni-and-http-redirection-for-amazon-cloudfront.html

One item that should be noted though, Server Name Indication (SNI) does have some drawbacks that should be considered before relying on it completely. In particular it is not supported by some older browsers. If you want to understand this better, see: stackoverflow.com/questions/5154596/is-ssl-sni-actually-used-and-supported-in-browsers

EDIT: AWS announced on January 21, 2016, they will provide custom SSL Certs for FREE!

To read about the full announcement on the AWS site: aws.amazon.com/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/

Amazon has announced a new service called AWS Certificate Manager, offering free SSL/TLS certificates for AWS resources.

These certificates are usually purchased from third-party certificate providers like Symantec, Comodo and RapidSSL and can cost anywhere from to hundreds of dollars, depending on the level of identity verification performed.

The process of obtaining a new certificate has always been a bit messy, requiring the generation of a Certificate Signing Request on the server being protected, sending that request to a certificate provider, and then installing the certificate once it is received. Since Amazon is managing the whole process, all of that goes away and certificates can be quickly issued and provisioned on AWS resources automatically.

There are a few limitations to the certificates. Amazon only provides domain validated certificates, a simple verification where domain validation takes place via email. If you want an Extended Validation certificate, you may stick with their current certificate providers. In addition, the certificates cannot be used for code signing or email encryption.

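Added example, not part of the original answer: a simplified Python model of the certificate-name check behind the three stages described above (shared certificate only, custom certificate on a dedicated IP, custom certificate selected by SNI). The distribution name dexample.cloudfront.net, the SAN lists and all function names are constructed for illustration; the matching rule follows RFC 6125 wildcard semantics.

```python
# Added example (not from the original thread). All names and SAN lists are constructed.
CNAMES = {"cdn.mydomain.com": "dexample.cloudfront.net"}  # DNS alias, as in the answer
SHARED_CERT = ["cloudfront.net", "*.cloudfront.net"]      # default cert on a shared edge IP
CUSTOM_CERT = ["cdn.mydomain.com"]                        # the site owner's own certificate


def name_matches(pattern, host):
    """RFC 6125-style match: '*' is only valid as the whole left-most label, covering one label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and bool(h[0]) and p[1:] == h[1:]
    return p == h


def cert_covers(sans, host):
    return any(name_matches(s, host) for s in sans)


def edge_for(url_host):
    """DNS only decides where the TCP connection goes; it plays no part in validation."""
    return CNAMES.get(url_host, url_host)


def pick_cert(sni, sni_certs, default_cert):
    """The edge selects a certificate by the ClientHello SNI name; no SNI means the default."""
    if sni is not None:
        for sans in sni_certs:
            if cert_covers(sans, sni):
                return sans
    return default_cert


def https_ok(url_host, sni_certs=(), default_cert=SHARED_CERT, client_sends_sni=True):
    """True if the presented certificate is valid for the name in the URL (not the CNAME target)."""
    sni = url_host if client_sends_sni else None
    return cert_covers(pick_cert(sni, sni_certs, default_cert), url_host)


if __name__ == "__main__":
    print("shared cert, distribution URL:", https_ok("dexample.cloudfront.net"))
    print("shared cert, CNAME           :", https_ok("cdn.mydomain.com"))
    print("dedicated IP, no SNI needed  :",
          https_ok("cdn.mydomain.com", default_cert=CUSTOM_CERT, client_sends_sni=False))
    print("SNI cert, SNI-capable client :", https_ok("cdn.mydomain.com", sni_certs=[CUSTOM_CERT]))
    print("SNI cert, client without SNI :",
          https_ok("cdn.mydomain.com", sni_certs=[CUSTOM_CERT], client_sends_sni=False))
```

The last case is the older-browser drawback mentioned in the answer: a client that sends no SNI receives the shared certificate and fails validation for the custom name.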


 

@Shelley277

CloudFront with CNAMEs and HTTPS is not supported, see the first note in the CloudFront CNAME documentation.

I don't think any of the low cost CDNs have support for CNAMEs and HTTPS together, to do that they would have to have some way for you to upload your unencrypted certificate to their CDN network.
