chore(kb/jq): add source

2026-02-09 05:44:23 +00:00 · 2025-03-08 21:32:53 +01:00
parent 7f6856568b
commit 844941947b
3 changed files with 265 additions and 24 deletions
--- a/computing/aws/README.md
+++ b/computing/aws/README.md
@@ -5,7 +5,6 @@
   1. [Elastic IP addresses](#elastic-ip-addresses)
 1. [Services](#services)
   1. [Billing and Cost Management](#billing-and-cost-management)
-   1. [CloudFront](#cloudfront)
   1. [CloudWatch](#cloudwatch)
   1. [Config](#config)
   1. [Detective](#detective)
@@ -122,28 +121,6 @@ Costs can be grouped by Tags applied on resources.<br/>
 Tags to use for this kind of grouping need to be activated in the _Cost allocation tags_ section.<br/>
 New tags might take 24 or 48 hours to appear there.

-### CloudFront
-
-Web service speeding up distribution of static and dynamic web content such as `.html`, `.css`, `.js`, and image files.
-
-Caches web content from one's defined _origins_ and delivers it through edge locations.<br/>
-When requesting content served with CloudFront, requests are routed to the edge location with the lowest latency for the
-client.
-
-If the content is already in the edge location with the lowest latency, CloudFront delivers it immediately.<br/>
-If the content is not in that edge location, CloudFront retrieves it from the _origin_ defined for it.
-
-_Origins_ are location where the original version of one's content is stored.<br/>
-They can be S3 buckets, MediaPackage channels, or HTTP servers.<br/>
-Each distribution can have by default up to 25 origins.
-
-1. Set up one or more origins so that they serve their content normally.
-1. Create a CloudFront Distribution.<br/>
-   This usually takes 15 to 30 minutes.
-1. \[optional] Avoid using the provided Distribution's domain name by:
-   1. Configuring alternate domain names so that the Distribution accepts requests for those aliases, **and**
-   1. Creating DNS records of type CNAME pointing to the provided Distribution's domain name.
-
 ### CloudWatch

 Observability service. with functions for logging, monitoring and alerting.
@@ -652,7 +629,6 @@ machine if not.

 <!-- In-article sections -->
 [billing and cost management]: #billing-and-cost-management
-[cloudfront]: #cloudfront
 [cloudwatch]: #cloudwatch
 [config]: #config
 [detective]: #detective
@@ -665,6 +641,7 @@ machine if not.

 <!-- Knowledge base -->
 [cli]: cli.md
+[cloudfront]: cloudfront.md
 [ec2]: ec2.md
 [ecr]: ecr.md
 [ecs]: ecs.md
--- a/computing/aws/cloudfront.md
+++ b/computing/aws/cloudfront.md
@@ -0,0 +1,262 @@
+# CloudFront
+
+Web service speeding up distribution of static and dynamic web content such as `.html`, `.css`, `.js`, and image files.
+
+1. [TL;DR](#tldr)
+1. [Edge functions](#edge-functions)
+1. [Further readings](#further-readings)
+   1. [Sources](#sources)
+
+## TL;DR
+
+<details style="padding-bottom: 1em;">
+  <summary>Glossary</summary>
+
+| Term         | Summary                                                        |
+| ------------ | -------------------------------------------------------------- |
+| Distribution | FIXME                                                          |
+| Origin       | Location where the original version of one's content is stored |
+| Viewer       | End user or otherwise client that make requests                |
+
+</details>
+
+Caches web content from one's defined _origins_ and delivers it through edge locations.<br/>
+When requesting content served with CloudFront, requests are routed to the edge location with the lowest latency for the
+client.
+
+If the content is already in the edge location with the lowest latency, CloudFront delivers it immediately.<br/>
+If the content is not in that edge location, CloudFront retrieves it from the _origin_ defined for it.
+
+Origins can be S3 buckets, MediaPackage channels, or HTTP servers.<br/>
+Each distribution can have by default up to 25 origins.
+
+Every origin that is **not** an AWS service is a _custom origin_.<br/>
+Custom origins **require** configuring their ports' and protocols' settings.
+
+<details>
+  <summary>Create Distributions</summary>
+
+1. Set up one or more origins so that they serve their content normally.
+1. Create a CloudFront Distribution.<br/>
+   This usually takes 15 to 30 minutes.
+
+</details>
+
+<details style="padding: 0 0 1em 0;">
+  <summary>[optional] Avoid using the provided Distribution's domain name</summary>
+
+1. Configure _alternate domain names_ so that the Distribution accepts requests for those aliases.
+1. Provide a SSL/TLS certificate for the alternate domain names.
+1. Create DNS records of type CNAME pointing to the provided Distribution's domain name.
+
+Adding the SSL/TLS certificate verifies the requirement that one owns the domain name or has authorization to use it.
+
+</details>
+
+One **cannot** configure CloudFront to add specific headers to requests that it forwards to origins.<br/>
+Refer [Custom headers that CloudFront can't add to origin requests] for the updated list.
+
+<details style="padding: 0 0 1em 1em;">
+
+- `Cache-Control`
+- `Connection`
+- `Content-Length`
+- `Cookie`
+- `Host`
+- `If-Match`
+- `If-Modified-Since`
+- `If-None-Match`
+- `If-Range`
+- `If-Unmodified-Since`
+- `Max-Forwards`
+- `Pragma`
+- `Proxy-Authenticate`
+- `Proxy-Authorization`
+- `Proxy-Connection`
+- `Range`
+- `Request-Range`
+- `TE`
+- `Trailer`
+- `Transfer-Encoding`
+- `Upgrade`
+- `Via`
+- `Headers that begin with X-Amz-`
+- `Headers that begin with X-Edge-`
+- `X-Real-Ip`
+
+</details>
+
+To make changes to _those_ headers, leverage [edge functions].
+
+When deleting an origin, first edit or delete all cache behaviors that are associated with that origin.
+
+## Edge functions
+
+Refer [Customize at the edge with functions].
+
+Code that one writes and attaches to one or more CloudFront distributions.<br/>
+It customizes how attached CloudFront distributions process HTTP requests and responses.<br/>
+Examples include manipulating requests and responses flowing through CloudFront, performing basic authentication and
+authorization, and generating HTTP responses at the edge.
+
+The functions run close to viewers to minimize latency.<br/>
+One will **not** need to manage servers or other infrastructure for them.
+
+Functions are served as:
+
+- _CloudFront Functions_: lightweight functions in JavaScript executed as a native feature of CloudFront.<br/>
+  They offer sub-millisecond startup times, immediate scale-up to millions of requests per second, execution in a highly
+  secure environment, and code development entirely within CloudFront.<br/>
+  Those functions are supposed to be **simple** and **lightweight**.
+- _Lambda@Edge_: extension of the Lambda service.<br/>
+  It offers computing for **complex** functions and **full** application logic closer to viewers, executed in a highly
+  secure environment.<br/>
+  Those functions can run in Node.js or Python runtime environments, and are replicated to all regions when associated
+  with a distribution.
+
+If running AWS WAF on CloudFront, one can use WAF's inserted headers for both CloudFront Functions and Lambda@Edge.<br/>
+This works for both viewer and origin, both for requests and responses.
+
+Each event type (_viewer request_, _origin request_, _origin response_, and _viewer response_) can be associated to
+**one and only one** edge function.
+
+One **cannot** combine CloudFront Functions and Lambda@Edge in _viewer_ events.
+
+CloudFront does **not** invoke edge functions for _viewer response_ events when the origin returns HTTP status code 400
+or higher.<br/>
+Lambda@Edge functions for _origin response_ events are invoked for **all** origin responses, including when the origin
+returns HTTP status code 400 or higher.
+
+Certain HTTP headers are **not** exposed to edge functions, and functions **cannot** add them.<br/>
+Should a function add such a _disallowed header_, requests will fail CloudFront's validation and CloudFront will return
+HTTP status code 502 (Bad Gateway) to the viewer.
+
+Certain headers are _can_ be read by functions, but functions **cannot** add, modify, nor delete them.<br/>
+Should a function add or edit such a _read-only header_, requests will fail CloudFront's validation and CloudFront will
+return HTTP status code 502 (Bad Gateway) to the viewer.<br/>
+`Host` is one of those headers.
+
+Refer [Restrictions on all edge functions - HTTP headers] for the updated list of disallowed and read-only headers.
+
+<details style="padding-left: 1em;">
+
+  <details style="padding-left: 1em;">
+    <summary>Disallowed headers</summary>
+
+For all function types:
+
+- `Connection`
+- `Expect`
+- `Keep-Alive`
+- `Proxy-Authenticate`
+- `Proxy-Authorization`
+- `Proxy-Connection`
+- `Trailer`
+- `Upgrade`
+- `X-Accel-Buffering`
+- `X-Accel-Charset`
+- `X-Accel-Limit-Rate`
+- `X-Accel-Redirect`
+- `X-Amz-Cf-*`
+- `X-Amzn-Auth`
+- `X-Amzn-Cf-Billing`
+- `X-Amzn-Cf-Id`
+- `X-Amzn-Cf-Xff`
+- `X-Amzn-Errortype`
+- `X-Amzn-Fle-Profile`
+- `X-Amzn-Header-Count`
+- `X-Amzn-Header-Order`
+- `X-Amzn-Lambda-Integration-Tag`
+- `X-Amzn-RequestId`
+- `X-Cache`
+- `X-Edge-*`
+- `X-Forwarded-Proto`
+- `X-Real-IP`
+
+  </details>
+
+  <details style="padding-left: 1em;">
+    <summary>Read-only headers</summary>
+
+    <details style="padding-left: 1em;">
+      <summary>In <i>viewer request</i> events</summary>
+
+For all function types:
+
+- `Content-Length`
+- `Host`
+- `Transfer-Encoding`
+- `Via`
+
+    </details>
+
+    <details style="padding-left: 1em;">
+      <summary>In <i>viewer response</i> events</summary>
+
+For all function types:
+
+- `Warning`
+- `Via`
+
+Lambda@Edge only:
+
+- `Content-Length`
+- `Content-Encoding`
+- `Transfer-Encoding`
+
+    </details>
+
+    <details style="padding-left: 1em;">
+      <summary>In <i>origin request</i> events</summary>
+
+Lambda@Edge only:
+
+- `Accept-Encoding`
+- `Content-Length`
+- `If-Modified-Since`
+- `If-None-Match`
+- `If-Range`
+- `If-Unmodified-Since`
+- `Transfer-Encoding`
+- `Via`
+
+    </details>
+
+    <details style="padding-left: 1em;">
+      <summary>In <i>origin response</i> events</summary>
+
+Lambda@Edge only:
+
+- `Transfer-Encoding`
+- `Via`
+
+    </details>
+
+  </details>
+
+</details>
+
+## Further readings
+
+### Sources
+
+- [Customize at the edge with functions]
+- [Restrictions on all edge functions]
+
+<!--
+  Reference
+  ═╬═Time══
+  -->
+
+<!-- In-article sections -->
+[edge functions]: #edge-functions
+
+<!-- Knowledge base -->
+<!-- Files -->
+<!-- Upstream -->
+[custom headers that cloudfront can't add to origin requests]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/add-origin-custom-headers.html#add-origin-custom-headers-denylist
+[customize at the edge with functions]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/edge-functions.html
+[restrictions on all edge functions - http headers]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/edge-function-restrictions-all.html#function-restrictions-headers
+[restrictions on all edge functions]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/edge-function-restrictions-all.html
+
+<!-- Others -->