이 페이지는 귀하의 언어로 번역되지 않았습니다. 번역 요청

Custom origin with CloudFront

PDFRSS

Unlike Amazon S3, which is a static object storage system, custom origins such as web servers can inspect incoming HTTP requests and decide to discard the request. You can allow only trusted CloudFront distribution to access your origin by adding a custom header with a secret value to the origin request in CloudFront, and setting up header inspection from the origin side. ALB has a rule that can be used for this header inspection purpose, if the origin web server is on AWS.

Figure 2 — Adding a secret header from the CloudFront console

CloudFront publishes its IP address ranges along with other Amazon services, which enables you to allowlist CloudFront IP address ranges in your origin firewall, or add them into security groups. You may need more than one security group to allow all CloudFront IP ranges.

To find the IP address ranges that are associated with CloudFront edge servers, search ip-ranges.json for the following string: "service": "CLOUDFRONT". Or directly, you can view only the CloudFront IP ranges. Alternatively, when your origin is hosted on AWS and protected by an Amazon VPC security group, you can use the CloudFront managed prefix list that contains the IP address ranges of all of CloudFront's globally distributed origin-facing servers. With the prefix list, you don't need to read or maintain a list of IP address ranges yourself. The CloudFront managed prefix list is named com.amazonaws.global.cloudfront.origin-facing.

By using an IP allowed list and header inspection together, your custom origin allows only traffic from chosen CloudFront distributions to access your private content.