oam/knowledge base/cloud computing/aws/cloudfront.md
2025-03-08 21:32:53 +01:00

CloudFront

Web service speeding up distribution of static and dynamic web content such as .html, .css, .js, and image files.

  1. TL;DR
  2. Edge functions
  3. Further readings
    1. Sources

TL;DR

Glossary

| Term         | Summary                                                                                              |
| ------------ | ---------------------------------------------------------------------------------------------------- |
| Distribution | Configuration telling CloudFront which origins to serve content from and how to cache and deliver it |
| Origin       | Location where the original version of one's content is stored                                       |
| Viewer       | End user or other client that makes requests                                                         |

Caches web content from one's defined origins and delivers it through edge locations.
When requesting content served with CloudFront, requests are routed to the edge location with the lowest latency for the client.

If the content is already in the edge location with the lowest latency, CloudFront delivers it immediately.
If the content is not in that edge location, CloudFront retrieves it from the origin defined for it.

Origins can be S3 buckets, MediaPackage channels, or HTTP servers.
By default, each distribution can have up to 25 origins.

Every origin that is not an AWS service is a custom origin.
Custom origins require configuring their port and protocol settings.

Create Distributions
  1. Set up one or more origins so that they serve their content normally.
  2. Create a CloudFront Distribution.
    This usually takes 15 to 30 minutes.
[optional] Avoid using the provided Distribution's domain name
  1. Configure alternate domain names so that the Distribution accepts requests for those aliases.
  2. Provide an SSL/TLS certificate for the alternate domain names.
  3. Create DNS records of type CNAME pointing to the provided Distribution's domain name.

Adding the SSL/TLS certificate satisfies the requirement of proving that one owns the domain name or is authorized to use it.

One cannot configure CloudFront to add certain headers to the requests it forwards to origins.
Refer to Custom headers that CloudFront can't add to origin requests for the updated list.

  • Cache-Control
  • Connection
  • Content-Length
  • Cookie
  • Host
  • If-Match
  • If-Modified-Since
  • If-None-Match
  • If-Range
  • If-Unmodified-Since
  • Max-Forwards
  • Pragma
  • Proxy-Authenticate
  • Proxy-Authorization
  • Proxy-Connection
  • Range
  • Request-Range
  • TE
  • Trailer
  • Transfer-Encoding
  • Upgrade
  • Via
  • Headers that begin with X-Amz-
  • Headers that begin with X-Edge-
  • X-Real-Ip

To make changes to those headers, leverage edge functions.

When deleting an origin, first edit or delete all cache behaviors that are associated with that origin.

Edge functions

Refer to Customize at the edge with functions.

Code that one writes and attaches to one or more CloudFront distributions.
It customizes how attached CloudFront distributions process HTTP requests and responses.
Examples include manipulating requests and responses flowing through CloudFront, performing basic authentication and authorization, and generating HTTP responses at the edge.

The functions run close to viewers to minimize latency.
One does not need to manage servers or other infrastructure for them.

Functions are served as:

  • CloudFront Functions: lightweight functions in JavaScript executed as a native feature of CloudFront.
    They offer sub-millisecond startup times, immediate scale-up to millions of requests per second, execution in a highly secure environment, and code development entirely within CloudFront.
    Those functions are supposed to be simple and lightweight.
  • Lambda@Edge: extension of the Lambda service.
    It offers computing for complex functions and full application logic closer to viewers, executed in a highly secure environment.
    Those functions can run in Node.js or Python runtime environments, and are replicated to all regions when associated with a distribution.

If running AWS WAF on CloudFront, one can use WAF's inserted headers for both CloudFront Functions and Lambda@Edge.
This works for both viewer and origin, both for requests and responses.

Each event type (viewer request, origin request, origin response, and viewer response) can be associated with one and only one edge function.

One cannot combine CloudFront Functions and Lambda@Edge in viewer events.

CloudFront does not invoke edge functions for viewer response events when the origin returns HTTP status code 400 or higher.
Lambda@Edge functions for origin response events are invoked for all origin responses, including when the origin returns HTTP status code 400 or higher.

Certain HTTP headers are not exposed to edge functions, and functions cannot add them.
Should a function add such a disallowed header, requests will fail CloudFront's validation and CloudFront will return HTTP status code 502 (Bad Gateway) to the viewer.

Certain headers can be read by functions, but functions cannot add, modify, or delete them.
Should a function add or edit such a read-only header, requests will fail CloudFront's validation and CloudFront will return HTTP status code 502 (Bad Gateway) to the viewer.
Host is one of those headers.

Refer to Restrictions on all edge functions - HTTP headers for the updated list of disallowed and read-only headers.

Disallowed headers

For all function types:

  • Connection
  • Expect
  • Keep-Alive
  • Proxy-Authenticate
  • Proxy-Authorization
  • Proxy-Connection
  • Trailer
  • Upgrade
  • X-Accel-Buffering
  • X-Accel-Charset
  • X-Accel-Limit-Rate
  • X-Accel-Redirect
  • X-Amz-Cf-*
  • X-Amzn-Auth
  • X-Amzn-Cf-Billing
  • X-Amzn-Cf-Id
  • X-Amzn-Cf-Xff
  • X-Amzn-Errortype
  • X-Amzn-Fle-Profile
  • X-Amzn-Header-Count
  • X-Amzn-Header-Order
  • X-Amzn-Lambda-Integration-Tag
  • X-Amzn-RequestId
  • X-Cache
  • X-Edge-*
  • X-Forwarded-Proto
  • X-Real-IP

Read-only headers

In viewer request events

For all function types:

  • Content-Length
  • Host
  • Transfer-Encoding
  • Via

In viewer response events

For all function types:

  • Warning
  • Via

Lambda@Edge only:

  • Content-Length
  • Content-Encoding
  • Transfer-Encoding

In origin request events

Lambda@Edge only:

  • Accept-Encoding
  • Content-Length
  • If-Modified-Since
  • If-None-Match
  • If-Range
  • If-Unmodified-Since
  • Transfer-Encoding
  • Via

In origin response events

Lambda@Edge only:

  • Transfer-Encoding
  • Via
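As an added example (not code from the page or from AWS), the following CloudFront Functions viewer-response handler adds security headers through a small guard that refuses any header name in the disallowed list or in the viewer-response read-only list above, so the mistake surfaces in a unit test instead of as a 502 to viewers. It assumes the CloudFront Functions JavaScript runtime 2.0 event shape (`event.response.headers` keyed by lowercase name with `{ value }` objects); the header values chosen are illustrative.

```javascript
// Added example: viewer-response handler with a header-name guard.
// Names are compared case-insensitively; entries ending in '-' are prefixes.

// Disallowed for every function type (from the page's list).
var DISALLOWED = [
  'connection', 'expect', 'keep-alive', 'proxy-authenticate',
  'proxy-authorization', 'proxy-connection', 'trailer', 'upgrade',
  'x-accel-buffering', 'x-accel-charset', 'x-accel-limit-rate',
  'x-accel-redirect', 'x-amz-cf-', 'x-amzn-auth', 'x-amzn-cf-billing',
  'x-amzn-cf-id', 'x-amzn-cf-xff', 'x-amzn-errortype', 'x-amzn-fle-profile',
  'x-amzn-header-count', 'x-amzn-header-order',
  'x-amzn-lambda-integration-tag', 'x-amzn-requestid', 'x-cache',
  'x-edge-', 'x-forwarded-proto', 'x-real-ip'
];
// Read-only in viewer response events for all function types.
var READ_ONLY_VIEWER_RESPONSE = ['warning', 'via'];

// True when an edge function may add or change this header in a
// viewer response event.
function isWritableInViewerResponse(name) {
  var n = name.toLowerCase();
  if (READ_ONLY_VIEWER_RESPONSE.indexOf(n) !== -1) return false;
  return !DISALLOWED.some(function (d) {
    return d.slice(-1) === '-' ? n.indexOf(d) === 0 : n === d;
  });
}

// Sets a header on the response object; throws on a header CloudFront
// would reject, so the defect is caught before deployment.
function setHeader(response, name, value) {
  if (!isWritableInViewerResponse(name)) {
    throw new Error('header "' + name + '" cannot be set by an edge function');
  }
  response.headers[name.toLowerCase()] = { value: value };
  return response;
}

// Viewer-response handler: add common browser security headers.
function handler(event) {
  var response = event.response;
  setHeader(response, 'Strict-Transport-Security',
    'max-age=63072000; includeSubDomains; preload');
  setHeader(response, 'X-Content-Type-Options', 'nosniff');
  setHeader(response, 'X-Frame-Options', 'DENY');
  setHeader(response, 'Content-Security-Policy', "default-src 'self'");
  return response;
}
```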

Further readings

Sources