I wanted to deliver the images on my website through a secure CDN (on AWS, that is CloudFront) to improve the performance of my website.
Synopsis: It’s covered in 4 steps.
- Get a free Class 1 SSL certificate from StartSSL
- Upload the certificate to AWS for use with CloudFront
- Configure a secure CloudFront distribution to deliver images stored in an AWS S3 bucket
- Set up Route 53 to point the cdn subdomain at CloudFront
But I have enabled HTTP Strict Transport Security (HSTS) for my website and all of its subdomains:
==add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";==
HSTS lets a web server declare that web browsers (or other complying user agents) must only interact with it over secure HTTPS connections, and never over the insecure HTTP protocol. After enabling HSTS with includeSubdomains, my domain and its subdomains are no longer allowed to serve images over http.
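To make that consequence concrete, here is an added example (my own illustration, not part of the original post) that models how a browser applies the header quoted above: it parses the directives, remembers the host, and decides which later requests get rewritten to https. With includeSubdomains set on ashishapy.com, a request for http://cdn.ashishapy.com is silently upgraded, which is why the CDN host has to serve TLS.

```python
import re
from urllib.parse import urlsplit, urlunsplit

HSTS_HEADER = "max-age=31536000; includeSubdomains;"  # value from the nginx directive above
def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if the header is invalid.
    Directive names are case-insensitive (RFC 6797), so 'includeSubdomains' works."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            if not re.fullmatch(r'"?\d+"?', arg.strip()):
                return None  # a malformed max-age invalidates the whole header
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """A browser's memory of known HSTS hosts: host -> includeSubDomains flag."""
    def __init__(self):
        self.hosts = {}

    def observe(self, host, header_value):
        """Record the policy a host sent over HTTPS; max-age=0 forgets the host."""
        parsed = parse_hsts(header_value)
        if parsed is None:
            return  # an invalid header is ignored, not applied
        max_age, include_sub = parsed
        if max_age == 0:
            self.hosts.pop(host.lower(), None)
        else:
            self.hosts[host.lower()] = include_sub

    def is_protected(self, host):
        """True for a known host, or a subdomain of one that set includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            include_sub = self.hosts.get(".".join(labels[i:]))
            if include_sub is not None and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser would actually fetch (http becomes https)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_protected(parts.hostname or ""):
            return url
        return urlunsplit(("https",) + tuple(parts[1:]))
```

Drop includeSubdomains from the header and only ashishapy.com itself is upgraded, so the cdn subdomain would still be fetched over plain http.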
Step 1: Let's get a free SSL certificate first. I got a free certificate for my domain https://ashishapy.com and one subdomain, https://www.ashishapy.com. See my other post, get-ssl-certificate-free, for how to get it. Now I want another subdomain, https://cdn.ashishapy.com, to be served over SSL. The free certificate allows only one subdomain alongside the root domain.
I had two options:
- Option A: go through the costly and exhaustive process of getting a Class 2 certificate, which can cover more than one subdomain.
- Option B: get another free Class 1 certificate for the subdomain cdn.ashishapy.com.
Being an individual blogger, I wanted the cheapest option that did not compromise security. I chose option B and obtained the certificate using the same process explained in get-ssl-certificate-free. I now have three files: the private key (cdn_ssl_private.key), the certificate (cdn_ssl.crt) and the intermediate CA certificate (sub.class1.server.ca.pem).
Step 2: Upload these files to AWS. You are going to need the AWS command line tool; if you haven't installed it yet, follow the AWS CLI installation guide.
First you need to associate your Amazon access key and key ID with the CLI by running
Once the AWS CLI is configured, upload the certificate to AWS with the following command.
aws iam upload-server-certificate --server-certificate-name cdnashishapy --certificate-body file://cdn_ssl.crt --private-key file://cdn_ssl_private.key --certificate-chain file://sub.class1.server.ca.pem --path /cloudfront/
I named the certificate 'cdnashishapy'; use your own name so you can recognise it easily in future. The extra --path /cloudfront/ tells Amazon that we will use this certificate with CloudFront; without it the certificate won't show up in CloudFront.
Test that all is well by running
aws iam get-server-certificate --server-certificate-name cdnashishapy
It should return the uploaded certificate's information.
Step 3: Sign in to your AWS account and go to the CloudFront home page. Click 'Create Distribution'.
In the 'Web' section click the 'Get Started' button.
In the next screen fill in 'Origin Settings' and 'Default Cache Behaviour Settings' as in the screenshots below.
Origin Settings: I chose an S3 bucket as the origin. This should be your source of content.
Default Cache Behaviour Settings:
Distribution Settings: Here comes the critical part of the setup.
- Price Class: choose it based on where most of your users are located.
- Alternate Domain Names (CNAMEs): enter your cdn subdomain name.
- SSL Certificate: select 'Custom SSL Certificate' and choose your certificate name from the drop-down.
- ==Custom SSL Client Support: I chose 'Only Clients that Support Server Name Indication (SNI)'. This option limits the browsers you can serve, so check which browsers support SNI. Mostly it is not supported by IE at all on Windows XP and earlier, or by the default browser on Android 2.2. Still, do your own analysis.== You can choose 'All Clients', but there are extra charges for that.
Click the 'Create Distribution' button to create the secure CloudFront distribution. It will take 15-20 minutes for the status to become 'Enabled'. Copy the 'Domain Name' value; you will need it to set up DNS in the next step.
You are just one step away from setting up your secure CDN.
Step 4: Go to Hosted Zones in AWS Route 53 and create a record set. Paste the CloudFront Domain Name copied in Step 3 into Value. Save the record set and wait a couple of minutes.
Congratulations! You have successfully created a secure CDN.
Please leave your comments here or discuss on Twitter.