Using CloudFront to protect your web application

Cybersecurity is a hot topic now. If you search on Google for how to protect your website, you will find many buzzwords: IDS, IPS, WAF, DDoS, proxy, you name it. You may think protecting your website is difficult and expensive, and that it is not worth investing in security if your website is not critical.

Cyberattacks are more common than you think

A human hacker may not bother sneaking into your website and changing the headline of your homepage. But in most cases, your website would be hacked by a bot that is constantly guessing your login password. They can even inject code that redirects your customers to malicious websites. The frequency of these hacks and the impact on your business are much higher than you think.

Using Amazon CloudFront to protect your website

Amazon CloudFront is a CDN service which allows us to deliver web content through the AWS network. By doing so, we can lower the traffic to the server, as CloudFront will cache the content. We can also hide the web server and prevent it from being attacked directly.

We don’t have to place the server in AWS to use CloudFront. In this article, I am going to walk you through how to set up CloudFront as a reverse proxy to your existing website.

Using CloudFront to serve your website, integrated with SSL certificate and Application Firewall

In my architecture, I made several changes to force web traffic to go through CloudFront:

  1. Create a new DNS record (Origin sub-domain) pointing to my server IP
  2. Create a CloudFront distribution pointing to the origin sub-domain
  3. Change the existing DNS record (Public sub-domain) to the CloudFront distribution
  4. Block all traffic through the origin sub-domain or the server IP, except those from CloudFront
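
Step 4 can be built from the address list AWS publishes as `ip-ranges.json`. The following added example (not code from the original article) filters a document in that format for the `CLOUDFRONT` service, merges the prefixes, and renders an allowlist with a default deny. The sample prefixes are constructed from documentation-reserved ranges, and the function names and the nginx output format are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS's published ip-ranges.json
# (documentation-reserved prefixes, not real CloudFront ranges).
SAMPLE_IP_RANGES = json.loads("""
{"prefixes": [
   {"ip_prefix": "203.0.113.0/25",   "region": "GLOBAL",    "service": "CLOUDFRONT"},
   {"ip_prefix": "203.0.113.128/25", "region": "GLOBAL",    "service": "CLOUDFRONT"},
   {"ip_prefix": "203.0.113.0/24",   "region": "GLOBAL",    "service": "AMAZON"},
   {"ip_prefix": "198.51.100.0/24",  "region": "us-east-1", "service": "EC2"}],
 "ipv6_prefixes": [
   {"ipv6_prefix": "2001:db8:100::/40", "region": "GLOBAL", "service": "CLOUDFRONT"}]}
""")


def cloudfront_networks(doc, service="CLOUDFRONT"):
    """Return the merged IPv4 and IPv6 networks tagged with `service`."""
    v4 = [ipaddress.ip_network(p["ip_prefix"])
          for p in doc.get("prefixes", []) if p["service"] == service]
    v6 = [ipaddress.ip_network(p["ipv6_prefix"])
          for p in doc.get("ipv6_prefixes", []) if p["service"] == service]
    # collapse_addresses cannot mix address families, so merge each separately.
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_from_cloudfront(source_ip, networks):
    """True if the connecting address falls inside an allowed network."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # malformed address: fail closed
    return any(addr.version == net.version and addr in net for net in networks)


def nginx_allowlist(networks):
    """Render allow rules followed by a default deny (assumes an nginx origin)."""
    return [f"allow {net};" for net in networks] + ["deny all;"]


if __name__ == "__main__":
    nets = cloudfront_networks(SAMPLE_IP_RANGES)
    print("\n".join(nginx_allowlist(nets)))
    for ip in ("203.0.113.77", "198.51.100.9", "2001:db8:100::1", "not-an-ip"):
        print(ip, is_from_cloudfront(ip, nets))
```

An IP allowlist only shows that a request arrived through CloudFront, not through your own distribution. Having the distribution add a secret custom origin header that the server checks closes that gap.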

By using CloudFront, we can enable many security features:

  1. CloudFront protects the website from DDoS attacks.
  2. AWS Certificate Manager provisions an SSL certificate for HTTPS connections.
  3. AWS WAF blocks traffic from malicious IPs or common OWASP attacks.
  4. S3 can store the access log, allowing us to analyse web traffic or root-cause incidents.

Most of the setup is so common that there are many tutorials we can find elsewhere. My focus will be on how to do the DNS routing.

Traffic routing

DNS record sets

Because CloudFront doesn’t allow an IP address as an origin, we have to create a new DNS record to direct CloudFront traffic towards the IP address of the server. It can be anything we want, even in a different domain name, but it should be different
