AWS Lambda Notes: Content Delivery (CDN) - 7

Author: lazy_zhu | Published 2020-06-13 16:17

This chapter uses CloudFormation to set up a custom domain name with an AWS SSL certificate. It also puts AWS CloudFront (AWS's CDN service) in front of the API Gateway so the API has multiple points of presence: users connect to the nearest CDN edge, which shortens the round trip between the user and the API.

  1. Configure CloudFront
  2. Configure the custom domain name
  3. Attach the SSL certificate

Project notes

  1. The project layout, Java sources and build.gradle are almost identical to those in AWS Lambda Notes: Automated Deployment - 5; the only difference is that us-east-2 is changed to us-east-1 in build.gradle. This chapter mainly adds a few JSON blocks to cloudformation.template.
  2. A custom domain name is used together with an ACM certificate (AWS Certificate Manager). For this use the only supported region is currently us-east-1 (N. Virginia).

The relationships between the AWS components in cloudformation.template are shown in the diagram below; the complete configuration is at the end of these notes.


[Figure: relationship diagram of the AWS components in cloudformation.template]

1. Configuring CloudFront (CDN)

The CloudFront configuration is routine. The main settings are the HTTP version, the origin, the caching behaviour, whether compression is enabled, the allowed HTTP methods and what gets forwarded to the origin; see the configuration and the comments on each setting below.

"CloudformationDistribution": {
  // CDN distribution: tells CloudFront where to fetch content from and how to track and manage delivery.
  "Type": "AWS::CloudFront::Distribution",
  "Properties": {
    // All distribution settings must sit under DistributionConfig (as in the complete template
    // at the end of these notes); placing them directly under Properties fails template validation.
    "DistributionConfig": {
      "Enabled": "true",  // enable the distribution
      "HttpVersion": "http2", // supported HTTP version
      // Origins: describe where CloudFront fetches files from (an S3 bucket,
      // an HTTP server, or another server).
      "Origins": [
        {
          "DomainName": { // Fn::Sub composes the domain name from other resource variables
            "Fn::Sub": "${RestApi}.execute-api.${AWS::Region}.amazonaws.com"
          },
          "OriginPath": "/production",  // directory at the origin from which content is requested
          "Id": "APIGATEWAY", // unique identifier of the origin (or origin group)
          "CustomOriginConfig": { // custom origin (or an S3 bucket configured as a website endpoint)
            "OriginProtocolPolicy": "https-only"  // protocol policy applied when talking to the origin
          }
        }
      ],
      // default cache behaviour
      "DefaultCacheBehavior": {
        // ID of the origin CloudFront routes requests to when they use the default cache behaviour
        "TargetOriginId": "APIGATEWAY",
        "Compress": true, // automatically compress certain files for this cache behaviour
        "AllowedMethods": [ // allowed HTTP methods
          "DELETE",
          "GET",
          "HEAD",
          "OPTIONS",
          "PATCH",
          "POST",
          "PUT"
        ],
        "ForwardedValues": {  // how query strings, cookies and HTTP headers are handled
          // If QueryString is true and no QueryStringCacheKeys are given, CloudFront forwards
          // all query string parameters to the origin and caches based on all of them.
          // Depending on the number and values of the parameters this can hurt performance,
          // because CloudFront must forward more requests to the origin.
          "QueryString": "true",
          "Cookies": {  // cookie forwarding to the origin
            "Forward": "none" // which cookies are forwarded to the origin for this cache behaviour
          },
          // Headers (if any) forwarded to the origin for this cache behaviour. For each header listed,
          // CloudFront also caches separate versions of the object keyed on the header value in the viewer request.
          "Headers": [
            "Accept",
            "Content-Type",
            "Authorization"
          ]
        },
        "DefaultTTL": 0,  // default TTL
        "MaxTTL": 0,  // maximum time an object stays in the cache
        "MinTTL": 0,  // must be 0 if all headers are forwarded to the origin
        // Protocol viewers may use to access files at the origin for the matching PathPattern.
        // redirect-to-https: if a viewer sends an HTTP request, CloudFront returns HTTP 301
        // (Moved Permanently) with the HTTPS URL, and the viewer resubmits the request to that URL.
        "ViewerProtocolPolicy": "redirect-to-https"
      }
    }
  }
}

With the above in place we can deploy (./gradlew deploy), then open the CloudFront console and read off the distribution's domain name (d3se3kgs51ey11.cloudfront.net). We can use dig to check whether the domain already resolves worldwide. The first result below is a dig from inside China, where the name resolves to Japanese IPs; the second, through a US proxy, resolves to US IPs. So the domain resolves to a nearby edge in each region. Accessing https://d3se3kgs51ey11.cloudfront.net/test?value=hello+world (replace d3se3kgs51ey11.cloudfront.net with your own CloudFront domain name) should now be slightly faster.

[Figure: CloudFront console]
Result of dig on the domain:

dig d3se3kgs51ey11.cloudfront.net
;; ANSWER SECTION:
d3se3kgs51ey5f.cloudfront.net. 36 IN A 13.225.157.24
d3se3kgs51ey5f.cloudfront.net. 36 IN A 13.225.157.84
d3se3kgs51ey5f.cloudfront.net. 36 IN A 13.225.157.145
d3se3kgs51ey5f.cloudfront.net. 36 IN A 13.225.157.197

dig d3se3kgs51ey11.cloudfront.net
;; ANSWER SECTION:
d3se3kgs51ey5f.cloudfront.net. 300 IN A 13.227.53.123
d3se3kgs51ey5f.cloudfront.net. 300 IN A 13.227.53.231
d3se3kgs51ey5f.cloudfront.net. 300 IN A 13.227.53.49
d3se3kgs51ey5f.cloudfront.net. 300 IN A 13.227.53.61

2. Configuring the custom domain name

Once CloudFront is configured, I need to set up the domain's NS records and the SSL certificate validation by hand. These could also be automated through the CloudFormation template, but they are one-off operations, so I am not adding them to the template's complexity. In addition, the domain has no mailbox configured, so validating the SSL certificate request by e-mail would be inconvenient.

1) Configure the domain's NS records

Open the AWS Route 53 console at https://console.aws.amazon.com/route53/home and click "Hosted zones" in the left-hand menu.
Important: note down the hosted zone ID, Z09377931HZWDHZB7ST9N; it is needed in a later step.

[Figure: creating the hosted zone]

Click the domain name to see its NS and SOA records.


[Figure: NS records]

Add these NS records at your own domain's DNS provider.


[Figure: adding the NS records]
Once the change has propagated, verify that the NS records are in effect so the next step goes smoothly:
# dig ns: confirm that the NS records returned are the ones just configured
dig ns serverless.kkkkkk.com
2) Request an SSL certificate and validate it via DNS

Open the AWS Certificate Manager console at https://us-east-2.console.aws.amazon.com/acm/home (make sure the console is switched to us-east-1, since CloudFront only accepts certificates from that region, as noted in the project notes), click "Request a certificate" and follow the prompts:
Step 1: Add domain names
Step 2: Select validation method (choose DNS validation)
Step 3: Add tags (optional)
Step 4: Review and request
Step 5: Validation
After completing these steps, go back to the "Certificates" page, find the domain you requested and click "Create record in Route 53". This automatically creates the validation record; after a short wait the status changes from "Pending validation" to "Issued".

[Figure: certificate list]
Once the certificate is issued, note down its ACM ARN, as shown:
[Figure: certificate ARN]
Next we add the A record for the domain to cloudformation.template.
"DNSRecord": {
  // Optional comment, the name and ID of the hosted zone to change, and the values of the records to create
  "Type": "AWS::Route53::RecordSetGroup",
  "Properties": {
    "Comment": "Z09377931HZWDHZB7ST9N在Route53上创建托管区域",
    // ID of the hosted zone in which to create the record; this is the value highlighted under "Configure the domain's NS records"
    "HostedZoneId": "Z09377931HZWDHZB7ST9N",
    "RecordSets": [ // one record
      {
        "Name": {
          "Ref": "DomainName"
        },
        "Type": "A",  // DNS record type
        // Alias records only: information about the AWS resource to route traffic to,
        // for example a CloudFront distribution or an Amazon S3 bucket.
        "AliasTarget": {  // the CloudFront distribution
          // For a CloudFront distribution, specify Z2FDTNDATAQYW2.
          // This is always the hosted zone ID when creating an alias record that routes traffic to a CloudFront distribution.
          "HostedZoneId": "Z2FDTNDATAQYW2",
          "DNSName": {
            "Fn::GetAtt": [
              "CloudformationDistribution",
              "DomainName"
            ]
          }
        }
      }
    ]
  }
}

Alias records are one of Route 53's more powerful features. Unlike a CNAME record, an alias record can point directly at an AWS resource such as an ELB or a CloudFront distribution. Aliases have no counterpart in standard DNS; alias queries are free, whereas CNAME queries are billed. Another advantage is that an alias saves one resolution step compared with a CNAME when obtaining the final IP address, which lightens the resolver's work. Deploy the project again (./gradlew deploy); after a successful deployment, a dig of the configured domain shows it now resolves to many A records, so the custom domain is set up. However, accessing http://serverless.kkkkkk.com//test?value=hello+world over plain HTTP returns a 403 with the message "The request could not be satisfied." Next we configure the SSL certificate.

dig serverlessbook.kkkkkk.com

; <<>> DiG 9.10.6 <<>> serverlessbook.kkkkkk.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29231
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;serverlessbook.kkkkkk.com. IN A

;; ANSWER SECTION:
serverlessbook.kkkkkk.com. 59 IN A 13.225.157.197
serverlessbook.kkkkkk.com. 59 IN A 13.225.157.84
serverlessbook.kkkkkk.com. 59 IN A 13.225.157.24
serverlessbook.kkkkkk.com. 59 IN A 13.225.157.145

;; Query time: 2468 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Sun Jun 07 15:33:07 CST 2020
;; MSG SIZE rcvd: 107

3. Attaching the SSL certificate

Here we only need to add the following to the Properties of AWS::CloudFront::Distribution (inside DistributionConfig):

"Aliases": [  // alternate domain names (CNAMEs) for the distribution
  {
    "Ref": "DomainName"
  }
],
"ViewerCertificate": {  // SSL/TLS configuration
  // When an ACM certificate ARN is given, MinimumProtocolVersion and SslSupportMethod must also be specified.
  // With Aliases (alternate domain names / CNAMEs), specify which viewers the distribution accepts HTTPS connections from:
  // sni-only (free, supported by most browsers, recommended) or vip (paid, and must be requested separately)
  "SslSupportMethod": "sni-only",
  // ARN from the SSL certificate request
  "AcmCertificateArn": "arn:aws:acm:us-east-1:083845954160:certificate/0cc193a9-9489-47ce-b7b3-8213a4c434d1"
},

Run

./gradlew deploy

After a successful deployment the API is reached at https://serverless.kkkkkk.com/test?value=hello+world
The API now uses a custom domain name with SSL, but it still has no access control; in a later chapter we add authorization to this method.



Deployment error 1

FAILURE: Build failed with an exception.

  • What went wrong:
    Execution failed for task ':awsCfnWaitStackComplete'.
    Status of stack serverlessbook is UPDATE_ROLLBACK_COMPLETE. It seems to be failed.

The "Events" tab of the stack in the CloudFormation console shows the specific error:

Property validation failure: [Encountered unsupported properties in {/DistributionConfig/ViewerCertificate}: [ACMCertificateArn]]
The cause is that ACMCertificateArn is misspelled: the correct property name is AcmCertificateArn. CloudFormation property names are strictly case-sensitive.
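A small pre-deploy lint that catches this error before CloudFormation rolls the stack back, and at the same time checks the security-relevant settings from sections 1 and 2 (https-only origin, viewers redirected to HTTPS, SNI certificate issued in us-east-1, CloudFront alias hosted zone). This is an added example, not code from the original post; the embedded template is a constructed minimal stand-in for cloudformation.template with a placeholder certificate ARN, and the list of accepted ViewerCertificate keys is an assumption that covers only the keys this page discusses.

```python
import json
import re
CF_ALIAS_ZONE = "Z2FDTNDATAQYW2"  # fixed hosted zone id for every CloudFront alias target
# ViewerCertificate keys CloudFormation accepts; a case-only mismatch is the typo from this page.
VIEWER_CERT_KEYS = {"AcmCertificateArn", "SslSupportMethod", "MinimumProtocolVersion",
                    "CloudFrontDefaultCertificate", "IamCertificateId"}

def lint_template(template):
    """Return human-readable findings for the CloudFront and Route 53 resources; [] means clean."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::CloudFront::Distribution":
            findings += lint_distribution(name, props)
        elif res.get("Type") == "AWS::Route53::RecordSetGroup":
            findings += lint_alias_records(name, props)
    return findings

def lint_distribution(name, props):
    cfg = props.get("DistributionConfig")
    if cfg is None:  # settings placed directly under Properties fail template validation
        return [f"{name}: missing DistributionConfig wrapper"]
    out = []
    cert = cfg.get("ViewerCertificate", {})
    for key in cert:
        if key not in VIEWER_CERT_KEYS:  # property names are case-sensitive
            hint = [k for k in VIEWER_CERT_KEYS if k.lower() == key.lower()]
            out.append(f"{name}: unsupported ViewerCertificate key {key}"
                       + (f" (did you mean {hint[0]}?)" if hint else ""))
    arn = cert.get("AcmCertificateArn")
    if isinstance(arn, str):
        m = re.match(r"arn:aws:acm:([a-z0-9-]+):\d{12}:certificate/", arn)
        if not m or m.group(1) != "us-east-1":  # CloudFront only accepts ACM certs from us-east-1
            out.append(f"{name}: ACM certificate must be issued in us-east-1")
        if cert.get("SslSupportMethod") != "sni-only":
            out.append(f"{name}: SslSupportMethod should be sni-only")
    for origin in cfg.get("Origins", []):
        if origin.get("CustomOriginConfig", {}).get("OriginProtocolPolicy") != "https-only":
            out.append(f"{name}: origin {origin.get('Id')} does not use https-only")
    if cfg.get("DefaultCacheBehavior", {}).get("ViewerProtocolPolicy") != "redirect-to-https":
        out.append(f"{name}: viewers are not redirected to HTTPS")
    return out

def lint_alias_records(name, props):
    return [f"{name}: CloudFront alias target must use hosted zone {CF_ALIAS_ZONE}"
            for rs in props.get("RecordSets", [])
            if "AliasTarget" in rs and rs["AliasTarget"].get("HostedZoneId") != CF_ALIAS_ZONE]

def with_replacement(template, old, new):  # copy of a template with one literal substring swapped
    return json.loads(json.dumps(template).replace(old, new))

# Constructed minimal template reproducing the page's failed deploy (wrong key case).
BROKEN_TEMPLATE = {"Resources": {
    "CloudformationDistribution": {"Type": "AWS::CloudFront::Distribution", "Properties": {
        "DistributionConfig": {
            "Aliases": [{"Ref": "DomainName"}],
            "ViewerCertificate": {"SslSupportMethod": "sni-only",
                                  "ACMCertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE-ID"},
            "Origins": [{"Id": "APIGATEWAY", "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}}],
            "DefaultCacheBehavior": {"TargetOriginId": "APIGATEWAY", "ViewerProtocolPolicy": "redirect-to-https"}}}},
    "DNSRecord": {"Type": "AWS::Route53::RecordSetGroup", "Properties": {"RecordSets": [
        {"Type": "A", "AliasTarget": {"HostedZoneId": CF_ALIAS_ZONE, "DNSName": "example.cloudfront.net"}}]}}}}
# The same template after the fix from the page: rename the key to the exact spelling.
FIXED_TEMPLATE = with_replacement(BROKEN_TEMPLATE, "ACMCertificateArn", "AcmCertificateArn")
```

To lint the real file, load it with json.load and pass the dict to lint_template; an empty list means the checks above pass.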



cloudformation.template: complete configuration

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "DeploymentBucket": {
            "Type": "String",
            "Description": "S3 bucket name where built artifacts are deployed"
        },
        "ProjectVersion": {
            "Type": "String",
            "Description": "Project Version"
        },
        "DeploymentTime": {
            "Type": "String",
            "Description": "It is a timestamp value which shows the deployment time. Used to rotate sources."
        },
        "DomainName": {
            "Type": "String",
            "Description": "Domain Name to serve the application"
        }
    },
    "Resources": {
        "DeploymentLambdaRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "lambda.amazonaws.com"
                                ]
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                },
                "Path": "/",
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
                ],
                "Policies": [
                    {
                        "PolicyName": "LambdaExecutionPolicy",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Action": [
                                        "lambda:PublishVersion",
                                        "apigateway:POST"
                                    ],
                                    "Resource": [
                                        "*"
                                    ]
                                }
                            ]
                        }
                    }
                ]
            }
        },
        "DeploymentLambda": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Role": {
                    "Fn::GetAtt": [
                        "DeploymentLambdaRole",
                        "Arn"
                    ]
                },
                "Handler": "serverless.handler",
                "Runtime": "nodejs12.x",
                "Code": {
                    "S3Bucket": {
                        "Fn::Sub": "serverless-arch-${AWS::Region}"
                    },
                    "S3Key": "serverless.zip"
                }
            }
        },
        "ApiGatewayCloudwatchRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "apigateway.amazonaws.com"
                                ]
                            },
                            "Action": "sts:AssumeRole"
                        }
                    ]
                },
                "Path": "/",
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
                ]
            }
        },
        "ApiGatewayAccount": {
            "Type": "AWS::ApiGateway::Account",
            "Properties": {
                "CloudWatchRoleArn": {
                    "Fn::GetAtt": [
                        "ApiGatewayCloudwatchRole",
                        "Arn"
                    ]
                }
            }
        },
        "RestApi": {
            "Type": "AWS::ApiGateway::RestApi",
            "Properties": {
                "Name": {
                    "Ref": "AWS::StackName"
                }
            }
        },
        "LambdaExecutionRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "Path": "/",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "lambda.amazonaws.com"
                                ]
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                },
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
                ]
            }
        },
        "LambdaCustomPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "LambdaCustomPolicy",
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": [
                                "s3:ListBuckets"
                            ],
                            "Resource": "*"
                        }
                    ]
                },
                "Roles": [
                    {
                        "Ref": "LambdaExecutionRole"
                    }
                ]
            }
        },
        "TestLambda": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Handler": "com.serverlessbook.lambda.test.Handler",
                "Runtime": "java8",
                "Timeout": "300",
                "MemorySize": "1024",
                "Description": "Test lambda",
                "Role": {
                    "Fn::GetAtt": [
                        "LambdaExecutionRole",
                        "Arn"
                    ]
                },
                "Code": {
                    "S3Bucket": {
                        "Ref": "DeploymentBucket"
                    },
                    "S3Key": {
                        "Fn::Sub": "artifacts/lambda-test/${ProjectVersion}/${DeploymentTime}.jar"
                    }
                }
            }
        },
        "TestResource": {
            "Type": "AWS::ApiGateway::Resource",
            "Properties": {
                "PathPart": "test",
                "RestApiId": {
                    "Ref": "RestApi"
                },
                "ParentId": {
                    "Fn::GetAtt": [
                        "RestApi",
                        "RootResourceId"
                    ]
                }
            }
        },
        "TestGetMethod": {
            "Type": "AWS::ApiGateway::Method",
            "Properties": {
                "HttpMethod": "GET",
                "RestApiId": {
                    "Ref": "RestApi"
                },
                "ResourceId": {
                    "Ref": "TestResource"
                },
                "AuthorizationType": "NONE",
                "RequestParameters": {
                    "method.request.querystring.value": "True",
                    "method.request.header.Accept": "True"
                },
                "MethodResponses": [
                    {
                        "StatusCode": "200"
                    }
                ],
                "Integration": {
                    "Type": "AWS",
                    "Uri": {
                        "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${TestLambda.Arn}/invocations"
                    },
                    "IntegrationHttpMethod": "POST",
                    "RequestParameters": {
                        "integration.request.querystring.value": "method.request.querystring.value",
                        "integration.request.header.Accept": "method.request.header.Accept"
                    },
                    "RequestTemplates": {
                        "application/json": "{\"value\":\"$input.params('value')\"}"
                    },
                    "PassthroughBehavior": "NEVER",
                    "IntegrationResponses": [
                        {
                            "SelectionPattern": ".*",
                            "StatusCode": "200"
                        }
                    ]
                }
            }
        },
        "TestLambdaPermission": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "Action": "lambda:InvokeFunction",
                "FunctionName": {
                    "Ref": "TestLambda"
                },
                "Principal": "apigateway.amazonaws.com",
                "SourceArn": {
                    "Fn::Sub": "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${RestApi}/*"
                }
            }
        },
        "ApiDeployment": {
            "DependsOn": [
                "TestGetMethod"
            ],
            "Type": "Custom::ApiDeployment",
            "Properties": {
                "ServiceToken": {
                    "Fn::GetAtt": [
                        "DeploymentLambda",
                        "Arn"
                    ]
                },
                "RestApiId": {
                    "Ref": "RestApi"
                },
                "StageName": "production",
                "DeploymentTime": {
                    "Ref": "DeploymentTime"
                }
            }
        },
        "CloudformationDistribution": {
            "Type": "AWS::CloudFront::Distribution",
            "Properties": {
                "DistributionConfig": {
                    "Aliases": [
                        {
                            "Ref": "DomainName"
                        }
                    ],
                    "ViewerCertificate": {
                        "SslSupportMethod": "sni-only",
                        "AcmCertificateArn": "arn:aws:acm:us-east-1:083845954160:certificate/0cc193a9-9489-47ce-b7b3-8213a4c434d1"
                    },
                    "Enabled": "true",
                    "HttpVersion": "http2",
                    "Origins": [
                        {
                            "DomainName": {
                                "Fn::Sub": "${RestApi}.execute-api.${AWS::Region}.amazonaws.com"
                            },
                            "OriginPath": "/production",
                            "Id": "APIGATEWAY",
                            "CustomOriginConfig": {
                                "OriginProtocolPolicy": "https-only"
                            }
                        }
                    ],
                    "DefaultCacheBehavior": {
                        "TargetOriginId": "APIGATEWAY",
                        "Compress": true,
                        "AllowedMethods": [
                            "DELETE",
                            "GET",
                            "HEAD",
                            "OPTIONS",
                            "PATCH",
                            "POST",
                            "PUT"
                        ],
                        "ForwardedValues": {
                            "QueryString": "true",
                            "Cookies": {
                                "Forward": "none"
                            },
                            "Headers": [
                                "Accept",
                                "Content-Type",
                                "Authorization"
                            ]
                        },
                        "DefaultTTL": 0,
                        "MaxTTL": 0,
                        "MinTTL": 0,
                        "ViewerProtocolPolicy": "redirect-to-https"
                    }
                }
            }
        },
        "DNSRecord": {
            "Type": "AWS::Route53::RecordSetGroup",
            "Properties": {
                "Comment": "Z09377931HZWDHZB7ST9N在Route53上创建托管区域",
                "HostedZoneId": "Z09377931HZWDHZB7ST9N",
                "RecordSets": [
                    {
                        "Name": {
                            "Ref": "DomainName"
                        },
                        "Type": "A",
                        "AliasTarget": {
                            "HostedZoneId": "Z2FDTNDATAQYW2",
                            "DNSName": {
                                "Fn::GetAtt": [
                                    "CloudformationDistribution",
                                    "DomainName"
                                ]
                            }
                        }
                    }
                ]
            }
        } 
    }
}

Original article: https://www.haomeiwen.com/subject/fzxztktx.html