CloudFront 3 Flashcards
SSL
How does CF handle HTTP and HTTPS?
Options: “HTTP and HTTPS”, “Redirect HTTP to HTTPS”, “HTTPS only”
SSL
How can CF handle only HTTP?
Can’t
SSL
How do you enable SSL for CF?
important
On by default
SSL
Where does your distro get its default SSL cert?
important
Kinda doesn’t: uses cert for *.cloudfront.net
SSL
Where are custom certs for CF distros managed?
important
ACM in us-east-1 only
SSL
Does CF “break SSL”?
Yes, separate SSL connections for viewer -> CF and CF -> Origin
SSL
2 limitations for viewer -> CF certs?
important
Can’t be self-signed, have to be public certificates
SSL
2 limitations for CF -> Origin certs?
important
Can’t be self-signed, have to be public certificates
SSL
How do you use a pretty DNS name for your distro?
You own the Route53 zone, own the ACM cert, register with distro
SSL
Where do CF distros get custom ACM certs from?
us-east-1 only
SNI
What is SNI?
Server responds with the right server cert based on the incoming Host header.
SNI
Why is SNI so cool?
Use a single server/port to support multiple web servers. Saves IP + Port combinations.
SNI
What is the major requirement for SNI?
Has to use TLS, not SSL.
SNI
Why use SNI by default for CF?
CFN product can handle multiple distributions across customers on a single IP.
SNI
What if you don’t want TLS and SNI?
Can pay extra for dedicated IP addr that only supports a single server SSL certificate.