CloudFront as a reverse proxy

David Gurevich
Feb 18, 2019


Sometimes I need a tool to implement a quick fix for a problem. I recently had an opportunity to use CloudFront as such a tool. AWS describes CloudFront as a “content delivery network”, a CDN. That is the first sentence in the AWS overview, and so it is. It is a very powerful infrastructure that facilitates delivery of content from both static and dynamic sources.

I was trying to solve a very limited problem. My on-site server environment was limited to a single public IP address. I wanted to run multiple servers with multiple sub-domains on non-standard ports in order to get around the limits of a single publicly routable IP address. Initially, I started to set up a reverse proxy using the NGINX web server. I was also going to add the ModSecurity application firewall. Sounds reasonable, but maybe I was making too much work for myself.

As it turns out, CloudFront solves this problem nicely.

Here is how.

In the CloudFront tab of the Management Console, select the Create Distribution button. In step 1, select the web delivery method.

In step 2, create the configuration for the distribution as follows.

1. Set the origin domain name. This is the domain name of the origin server which has a publicly routable IP address but is only accessible on the non-standard port. If you already have an A record for your main server, it will do nicely. If not, go ahead and create one. It does not matter if you already have a web site associated with it because the distribution will point to a different port.

2. Origin ID will be generated automatically by CloudFront, but you can change it if you like.

3. Set the non-standard HTTP port of your origin server. This is optional if you redirect all traffic to HTTPS instead (as configured below in step 5). That’s what I do.

4. Set the non-standard HTTPS port of your origin server. Not required if you run HTTP only (but who does?).

5. Redirect HTTP to HTTPS to make sure all traffic goes to the secure port.

6. Set allowed HTTP methods. Methods can be restricted, but I allow all.

7. Configure caching based on request headers. You can configure caching of content by CloudFront to improve performance. I want to forward all requests to my application server, so I select All. This seems confusing, but when All is selected CloudFront forwards every request header to the origin and does not cache the responses.

8. Set cookie forwarding. Similarly, I want to forward all cookies because my application needs them.

9. Query strings are likewise forwarded in all cases.

10. CloudFront automatically generates its own domain name for the distribution, but I want to use a friendly name. So I add a CNAME record for the friendly name to my DNS hosting configuration, pointing at the CloudFront domain name, and enter the friendly name here.

11. Finally, there is the SSL certificate for the server. Since all traffic is via HTTPS, a server certificate is required. One can be requested by using the AWS Certificate Manager (ACM). I happen to have a certificate which I imported into ACM so that it is available for use.

Click the Create Distribution button.

Once the distribution state shows Enabled, you can access your server via the URL configured in step 10.
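The same eleven steps expressed as the API payload, as an added example that is not part of the original post. It builds the DistributionConfig dict that boto3's cloudfront.create_distribution() takes; the origin name, alias and ACM ARN are constructed placeholders, and the optional X-Origin-Secret custom header is a hypothetical name for the usual way of letting the origin reject traffic that bypasses CloudFront and hits the public port directly.

```python
import uuid

# Constructed sample values; the ACM ARN is a placeholder (CloudFront needs the cert in us-east-1).
ORIGIN = "origin.example.com"
ALIAS = "app.example.com"
CERT_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER"
ALL_METHODS = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]


def build_distribution_config(origin, alias, cert_arn, http_port=8080, https_port=8443,
                              origin_secret=None):
    """Return the DistributionConfig for boto3 cloudfront.create_distribution().

    origin_secret (hypothetical header X-Origin-Secret) is sent to the origin on every
    request so the origin server can drop requests that did not come through CloudFront;
    the origin itself has to be configured to check it."""
    origin_id = f"custom-{origin}"
    custom_headers = {"Quantity": 0, "Items": []}
    if origin_secret:
        custom_headers = {"Quantity": 1, "Items": [
            {"HeaderName": "X-Origin-Secret", "HeaderValue": origin_secret}]}
    return {
        "CallerReference": str(uuid.uuid4()),  # must be unique per create call
        "Comment": f"reverse proxy for {alias}",
        "Enabled": True,
        "Aliases": {"Quantity": 1, "Items": [alias]},  # step 10: friendly CNAME
        "Origins": {"Quantity": 1, "Items": [{
            "Id": origin_id,  # step 2
            "DomainName": origin,  # step 1
            "OriginPath": "",
            "CustomHeaders": custom_headers,
            "CustomOriginConfig": {
                "HTTPPort": http_port,  # step 3
                "HTTPSPort": https_port,  # step 4
                "OriginProtocolPolicy": "https-only",
                "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]}}}]},
        "DefaultCacheBehavior": {
            "TargetOriginId": origin_id,
            "ViewerProtocolPolicy": "redirect-to-https",  # step 5
            "AllowedMethods": {"Quantity": len(ALL_METHODS), "Items": ALL_METHODS,  # step 6
                               "CachedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]}},
            "ForwardedValues": {
                "Headers": {"Quantity": 1, "Items": ["*"]},  # step 7: '*' = all, so no caching
                "Cookies": {"Forward": "all"},  # step 8
                "QueryString": True},  # step 9
            "TrustedSigners": {"Enabled": False, "Quantity": 0},
            "MinTTL": 0},
        "ViewerCertificate": {"ACMCertificateArn": cert_arn,  # step 11
                              "SSLSupportMethod": "sni-only",
                              "MinimumProtocolVersion": "TLSv1.2_2018"}}
```

Pass the result as `DistributionConfig=` to `boto3.client("cloudfront").create_distribution()`; the console form and this payload produce the same distribution.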

This is a minimal configuration used to quickly bring up a web site using an existing server. Obviously, there is a lot more that can be done with CloudFront. For example, now that the distribution is running, it would be quite easy to add the AWS Web Application Firewall (WAF).

David Gurevich

I’m a software developer in various roles involved with web apps, cloud services, networking, as well as embedded systems and wireless protocols.