AWS CloudFront CDN
Overview
Amazon CloudFront is AWS's globally distributed content delivery network (CDN). It caches content at edge locations worldwide to cut latency and origin load, and because viewer connections terminate at the edge it also shields the origin: AWS Shield Standard absorbs network- and transport-layer DDoS traffic in front of every distribution, and an attached AWS WAF web ACL filters application-layer requests before they reach the origin.
When to Use
- Static website hosting and assets
- API acceleration and dynamic content
- Video and media streaming
- Mobile application content
- Large file downloads
- Real-time data distribution
- DDoS protection for origins
- Origin isolation and security
Implementation Examples
1. CloudFront Distribution with AWS CLI
```bash
# Create a distribution in front of a private S3 bucket.
# CallerReference must be unique per create call. The OAI id, bucket name,
# account id and web ACL ARN are placeholders. CacheBehaviors is an object
# with Quantity/Items, not a bare array.
cat > distribution-config.json <<EOF
{
  "CallerReference": "myapp-$(date +%s)",
  "Enabled": true,
  "Comment": "My application distribution",
  "Origins": {
    "Quantity": 1,
    "Items": [{
      "Id": "myS3Origin",
      "DomainName": "mybucket.s3.us-east-1.amazonaws.com",
      "S3OriginConfig": {
        "OriginAccessIdentity": "origin-access-identity/cloudfront/ABCDEFG1234567"
      }
    }]
  },
  "DefaultCacheBehavior": {
    "TargetOriginId": "myS3Origin",
    "ViewerProtocolPolicy": "redirect-to-https",
    "AllowedMethods": { "Quantity": 3, "Items": ["GET", "HEAD", "OPTIONS"] },
    "ForwardedValues": {
      "QueryString": false,
      "Cookies": { "Forward": "none" },
      "Headers": { "Quantity": 0 }
    },
    "TrustedSigners": { "Enabled": false, "Quantity": 0 },
    "MinTTL": 0,
    "DefaultTTL": 86400,
    "MaxTTL": 31536000,
    "Compress": true
  },
  "CacheBehaviors": {
    "Quantity": 1,
    "Items": [{
      "PathPattern": "/api/*",
      "TargetOriginId": "myS3Origin",
      "ViewerProtocolPolicy": "https-only",
      "AllowedMethods": {
        "Quantity": 7,
        "Items": ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
      },
      "ForwardedValues": {
        "QueryString": true,
        "Cookies": { "Forward": "all" },
        "Headers": { "Quantity": 0 }
      },
      "MinTTL": 0,
      "DefaultTTL": 0,
      "MaxTTL": 31536000
    }]
  },
  "WebACLId": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/test/a1234567"
}
EOF
aws cloudfront create-distribution \
  --distribution-config file://distribution-config.json

# List distributions
aws cloudfront list-distributions

# Get the current config; the ETag in the response must be passed as
# --if-match to update-distribution
aws cloudfront get-distribution-config \
  --id E123EXAMPLE123

# Invalidate everything. Invalidations are billed per path beyond the
# monthly free quota; versioned asset names avoid most of them.
aws cloudfront create-invalidation \
  --distribution-id E123EXAMPLE123 \
  --paths "/*"
```

Both behaviors target the S3 origin, as on the original page. The `/api/*` behavior allows PUT, POST, PATCH and DELETE: through an OAI, CloudFront signs those requests to S3, so they succeed only if the bucket policy grants more than `s3:GetObject`. Keep the bucket policy read-only, and in practice point an API behavior at a custom origin. `ForwardedValues` and `TrustedSigners` are legacy settings; new distributions should use cache and origin request policies (`CachePolicyId`, `OriginRequestPolicyId`) and Origin Access Control instead of an OAI.
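The settings worth checking on every distribution (HTTPS from viewers, a private S3 origin, no write methods reaching S3, a web ACL attached, a modern TLS floor) are easy to read off the JSON that `get-distribution-config` returns. The audit below is an added example, not code from the page or from AWS: it takes the `DistributionConfig` object, and the two configs embedded in it are constructed, `PAGE_CONFIG` mirroring the CLI example above (the Terraform distribution later on the page has the same shape) and `WEAK_CONFIG` showing what a misconfigured one reports.

```python
"""Audit a CloudFront DistributionConfig for weak settings.

Added example (not from the page): feed it the "DistributionConfig" object
returned by `aws cloudfront get-distribution-config --id <id>`; the two
configs embedded below are constructed, PAGE_CONFIG mirroring the CLI
example above and WEAK_CONFIG showing the findings on a misconfigured one.
"""
import json
import sys

WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE"}
STRONG_TLS = {"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"}


def audit_distribution(cfg):
    """Return (severity, message) findings for one DistributionConfig dict."""
    findings = []
    origins = {o["Id"]: o for o in cfg.get("Origins", {}).get("Items", [])}

    for oid, o in origins.items():
        if "S3OriginConfig" in o:
            # Without an OAI (or OAC) the bucket itself must be public to serve.
            if not o["S3OriginConfig"].get("OriginAccessIdentity") and not o.get("OriginAccessControlId"):
                findings.append(("high", f"origin {oid}: S3 origin reachable without OAI/OAC"))
        elif "CustomOriginConfig" in o:
            if o["CustomOriginConfig"].get("OriginProtocolPolicy") != "https-only":
                findings.append(("medium", f"origin {oid}: CloudFront-to-origin traffic not https-only"))

    behaviors = [("default", cfg.get("DefaultCacheBehavior", {}))]
    behaviors += [(b.get("PathPattern", "?"), b)
                  for b in cfg.get("CacheBehaviors", {}).get("Items", [])]
    for name, b in behaviors:
        if b.get("ViewerProtocolPolicy") == "allow-all":
            findings.append(("high", f"behavior {name}: plaintext HTTP accepted from viewers"))
        writes = sorted(set(b.get("AllowedMethods", {}).get("Items", [])) & WRITE_METHODS)
        if writes and "S3OriginConfig" in origins.get(b.get("TargetOriginId"), {}):
            # CloudFront signs these with the OAI; only the bucket policy blocks them.
            findings.append(("medium", f"behavior {name}: {writes} forwarded to an S3 origin"))

    if not cfg.get("WebACLId"):
        findings.append(("medium", "no WAF web ACL attached"))

    vc = cfg.get("ViewerCertificate", {})
    if vc.get("CloudFrontDefaultCertificate", True) or vc.get("MinimumProtocolVersion") not in STRONG_TLS:
        findings.append(("low", "viewer TLS: default certificate or MinimumProtocolVersion below "
                                "TLSv1.2; use an ACM certificate with TLSv1.2_2021"))
    return findings


# Constructed: the distribution from the CLI example above.
PAGE_CONFIG = {
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "myS3Origin",
        "DomainName": "mybucket.s3.us-east-1.amazonaws.com",
        "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/ABCDEFG1234567"},
    }]},
    "DefaultCacheBehavior": {
        "TargetOriginId": "myS3Origin", "ViewerProtocolPolicy": "redirect-to-https",
        "AllowedMethods": {"Quantity": 3, "Items": ["GET", "HEAD", "OPTIONS"]},
    },
    "CacheBehaviors": {"Quantity": 1, "Items": [{
        "PathPattern": "/api/*", "TargetOriginId": "myS3Origin", "ViewerProtocolPolicy": "https-only",
        "AllowedMethods": {"Quantity": 7, "Items": ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]},
    }]},
    "WebACLId": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/test/a1234567",
}

# Constructed: public bucket, plaintext viewers, no WAF.
WEAK_CONFIG = {
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "public", "DomainName": "mybucket.s3.us-east-1.amazonaws.com",
        "S3OriginConfig": {"OriginAccessIdentity": ""},
    }]},
    "DefaultCacheBehavior": {
        "TargetOriginId": "public", "ViewerProtocolPolicy": "allow-all",
        "AllowedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]},
    },
    "WebACLId": "",
}

if __name__ == "__main__":
    cfg = PAGE_CONFIG
    if len(sys.argv) > 1:                      # path to saved get-distribution-config output
        with open(sys.argv[1]) as fh:
            cfg = json.load(fh)["DistributionConfig"]
    for sev, msg in audit_distribution(cfg):
        print(f"[{sev}] {msg}")
```

Run it as `aws cloudfront get-distribution-config --id E123EXAMPLE123 > dist.json && python audit.py dist.json`. On the page's own config it reports the write methods on `/api/*` and the default certificate; a missing OAI or `allow-all` is reported as high.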
2. Terraform CloudFront Configuration

```hcl
# cloudfront.tf

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# CloudFront-scoped WAF web ACLs and CloudFront's CloudWatch metrics live in us-east-1.
provider "aws" {
  region = "us-east-1"
}

data "aws_caller_identity" "current" {}

# Origin Access Identity (legacy; Origin Access Control is the current
# recommendation, the bucket-policy pattern is the same)
resource "aws_cloudfront_origin_access_identity" "s3" {
  comment = "OAI for S3 bucket"
}

# S3 bucket for the CloudFront origin: versioned and never public
resource "aws_s3_bucket" "static" {
  bucket = "myapp-static-${data.aws_caller_identity.current.account_id}"
}

resource "aws_s3_bucket_versioning" "static" {
  bucket = aws_s3_bucket.static.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_public_access_block" "static" {
  bucket                  = aws_s3_bucket.static.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Bucket policy: only the OAI may read, and read only. Do not add PutObject
# or DeleteObject here, or the write methods allowed on /api/* become live.
resource "aws_s3_bucket_policy" "static" {
  bucket = aws_s3_bucket.static.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid    = "AllowCloudFrontAccess"
      Effect = "Allow"
      Principal = {
        AWS = aws_cloudfront_origin_access_identity.s3.iam_arn
      }
      Action   = "s3:GetObject"
      Resource = "${aws_s3_bucket.static.arn}/*"
    }]
  })
}

# WAF Web ACL
resource "aws_wafv2_web_acl" "cloudfront" {
  scope = "CLOUDFRONT"
  name  = "cloudfront-waf"

  default_action {
    allow {}
  }

  rule {
    name     = "RateLimitRule"
    priority = 1
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "RateLimitRule"
      sampled_requests_enabled   = true
    }
  }

  # Managed rule groups take override_action, not action: the group's own
  # rule actions apply and "none" leaves them unchanged.
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 2
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "cloudfront-waf"
    sampled_requests_enabled   = true
  }
}

# CloudFront cache policy for static assets: nothing from the viewer in the cache key
resource "aws_cloudfront_cache_policy" "static" {
  name        = "static-cache-policy"
  comment     = "Cache policy for static assets"
  default_ttl = 86400
  max_ttl     = 31536000
  min_ttl     = 0
  parameters_in_cache_key_and_forwarded_to_origin {
    query_strings_config {
      query_string_behavior = "none"
    }
    headers_config {
      header_behavior = "none"
    }
    cookies_config {
      cookie_behavior = "none"
    }
    enable_accept_encoding_gzip   = true
    enable_accept_encoding_brotli = true
  }
}

# Origin request policy for /api/*: forward everything to the origin
resource "aws_cloudfront_origin_request_policy" "api" {
  name    = "api-origin-request-policy"
  comment = "Forward headers for API requests"
  headers_config {
    header_behavior = "allViewer"
  }
  query_strings_config {
    query_string_behavior = "all"
  }
  cookies_config {
    cookie_behavior = "all"
  }
}

# An origin request policy must be paired with a cache policy. The API
# behavior should not cache at all, so it uses the AWS-managed
# CachingDisabled policy (looked up by name).
data "aws_cloudfront_cache_policy" "caching_disabled" {
  name = "Managed-CachingDisabled"
}

# CloudFront distribution
resource "aws_cloudfront_distribution" "s3" {
  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"
  comment             = "CDN for static assets"

  origin {
    domain_name = aws_s3_bucket.static.bucket_regional_domain_name
    origin_id   = "S3Origin"
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.s3.cloudfront_access_identity_path
    }
  }

  # cache_policy_id replaces the legacy forwarded_values/TTL settings
  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "S3Origin"
    cache_policy_id        = aws_cloudfront_cache_policy.static.id
    viewer_protocol_policy = "redirect-to-https"
    compress               = true
  }

  # As on the original page this behavior targets the S3 origin; an API
  # behavior normally targets a custom origin. The write methods reach S3
  # signed by the OAI, and only the read-only bucket policy stops them.
  cache_behavior {
    path_pattern             = "/api/*"
    allowed_methods          = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods           = ["GET", "HEAD"]
    target_origin_id         = "S3Origin"
    cache_policy_id          = data.aws_cloudfront_cache_policy.caching_disabled.id
    origin_request_policy_id = aws_cloudfront_origin_request_policy.api.id
    viewer_protocol_policy   = "https-only"
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  # The default *.cloudfront.net certificate cannot enforce a minimum TLS
  # version. A custom domain needs an ACM certificate in us-east-1, aliases,
  # and minimum_protocol_version = "TLSv1.2_2021".
  viewer_certificate {
    cloudfront_default_certificate = true
  }

  # WAFv2 web ACLs are referenced by ARN
  web_acl_id = aws_wafv2_web_acl.cloudfront.arn

  tags = {
    Name = "cdn-distribution"
  }
}

# Invalidation. The hashicorp/aws 5.x provider has no invalidation resource,
# so this runs the CLI once per apply that replaces the trigger. Prefer
# versioned object names so invalidations stay rare.
resource "terraform_data" "invalidation" {
  triggers_replace = [aws_cloudfront_distribution.s3.id]

  provisioner "local-exec" {
    command = "aws cloudfront create-invalidation --distribution-id ${aws_cloudfront_distribution.s3.id} --paths '/*'"
  }
}

# CloudWatch alarm. CloudFront metrics are global: they are published in
# us-east-1 with the Region dimension set to "Global", and the alarm stays
# in INSUFFICIENT_DATA without it. 4xxErrorRate includes WAF blocks; use
# 5xxErrorRate for origin health.
resource "aws_cloudwatch_metric_alarm" "cloudfront_errors" {
  alarm_name          = "cloudfront-high-error-rate"
  comparison_operator = "GreaterThanThreshold"
  evaluation_periods  = 2
  metric_name         = "4xxErrorRate"
  namespace           = "AWS/CloudFront"
  period              = 300
  statistic           = "Average"
  threshold           = 5
  alarm_description   = "Alert when the 4xx error rate exceeds 5%"
  dimensions = {
    DistributionId = aws_cloudfront_distribution.s3.id
    Region         = "Global"
  }
}

output "cloudfront_domain" {
  value       = aws_cloudfront_distribution.s3.domain_name
  description = "CloudFront domain name"
}

output "cloudfront_id" {
  value       = aws_cloudfront_distribution.s3.id
  description = "CloudFront distribution ID"
}
```
3. Custom Headers and Security Configuration

```bash
# Create a response headers policy. Each header block takes Override
# (replace a header the origin already sends); "Enabled" is not a field.
# Attach the policy to a behavior with ResponseHeadersPolicyId (CLI) or
# response_headers_policy_id (Terraform), otherwise it does nothing.
aws cloudfront create-response-headers-policy \
  --response-headers-policy-config '{
    "Name": "SecurityHeadersPolicy",
    "SecurityHeadersConfig": {
      "StrictTransportSecurity": {
        "Override": true,
        "AccessControlMaxAgeSec": 63072000,
        "IncludeSubdomains": true,
        "Preload": true
      },
      "ContentTypeOptions": { "Override": true },
      "XSSProtection": { "Override": true, "Protection": true, "ModeBlock": true },
      "ReferrerPolicy": { "Override": true, "ReferrerPolicy": "strict-origin-when-cross-origin" },
      "FrameOptions": { "Override": true, "FrameOption": "DENY" }
    }
  }'
```

`X-XSS-Protection` is ignored by current browsers; the control that actually limits script injection is `Content-Security-Policy`, which the same policy can set through `SecurityHeadersConfig.ContentSecurityPolicy`. Only enable `Preload` once every subdomain serves HTTPS, since a preloaded HSTS entry cannot be withdrawn quickly.
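A policy that is syntactically accepted can still be weaker than intended, so it is worth validating the JSON before creating it. The checker below is an added example, not code from the page or from AWS: it enforces the `Override` field the API requires, the HSTS preload prerequisites published by hstspreload.org (max-age of at least one year plus includeSubDomains), and the presence of a `Content-Security-Policy`. `PAGE_POLICY` is the policy from the CLI command above; `BROKEN_POLICY` is constructed to show the failure modes.

```python
"""Validate a response-headers-policy config before calling
create-response-headers-policy.

Added example, not from the page. It checks the SecurityHeadersConfig shape
the CLI example uses: every header block needs Override, HSTS preload has
documented prerequisites (max-age >= one year and includeSubDomains), and
X-XSS-Protection is no substitute for a Content-Security-Policy.
"""

PRELOAD_MIN_AGE = 31536000  # hstspreload.org minimum


def check_security_headers(policy):
    """Return a list of problems; an empty list means the policy is sound."""
    sec = policy.get("SecurityHeadersConfig", {})
    problems = []

    hsts = sec.get("StrictTransportSecurity")
    if not hsts:
        problems.append("no Strict-Transport-Security")
    elif hsts.get("Preload"):
        if hsts.get("AccessControlMaxAgeSec", 0) < PRELOAD_MIN_AGE:
            problems.append("preload requires max-age >= 31536000")
        if not hsts.get("IncludeSubdomains"):
            problems.append("preload requires includeSubDomains")

    if not sec.get("ContentTypeOptions"):
        problems.append("no X-Content-Type-Options: nosniff")
    if sec.get("FrameOptions", {}).get("FrameOption") not in ("DENY", "SAMEORIGIN"):
        problems.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if not sec.get("ContentSecurityPolicy", {}).get("ContentSecurityPolicy"):
        problems.append("no Content-Security-Policy (X-XSS-Protection is not a substitute)")

    # The API requires Override on every header block; "Enabled" is not a field.
    for name, block in sec.items():
        if isinstance(block, dict) and "Override" not in block:
            problems.append(f"{name}: missing Override")
    return problems


# The policy from the CLI example above.
PAGE_POLICY = {
    "Name": "SecurityHeadersPolicy",
    "SecurityHeadersConfig": {
        "StrictTransportSecurity": {"Override": True, "AccessControlMaxAgeSec": 63072000,
                                    "IncludeSubdomains": True, "Preload": True},
        "ContentTypeOptions": {"Override": True},
        "XSSProtection": {"Override": True, "Protection": True, "ModeBlock": True},
        "ReferrerPolicy": {"Override": True, "ReferrerPolicy": "strict-origin-when-cross-origin"},
        "FrameOptions": {"Override": True, "FrameOption": "DENY"},
    },
}

# Constructed: "Enabled" instead of Override, preload on a 5-minute max-age,
# and a frame option the API does not accept.
BROKEN_POLICY = {
    "Name": "Broken",
    "SecurityHeadersConfig": {
        "StrictTransportSecurity": {"Enabled": True, "AccessControlMaxAgeSec": 300, "Preload": True},
        "ContentTypeOptions": {"Enabled": True},
        "FrameOptions": {"Enabled": True, "FrameOption": "ALLOW-FROM"},
    },
}

if __name__ == "__main__":
    for name, policy in (("page", PAGE_POLICY), ("broken", BROKEN_POLICY)):
        print(name, check_security_headers(policy))
```

On the page's policy the only finding is the missing `Content-Security-Policy`; the broken one also trips the preload checks and the `Override` requirement on every block.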
Best Practices
✅ DO
- Keep the S3 origin private and grant read access only to the distribution (Origin Access Control, or the legacy Origin Access Identity used above)
- Require HTTPS from viewers (redirect-to-https or https-only) and https-only from CloudFront to custom origins
- Compress content at CloudFront
- Set cache TTLs per behavior, and keep viewer credentials out of shared cache keys unless the response really varies by user
- Use cache invalidation cautiously; versioned asset names make most invalidations unnecessary
- Attach a WAF web ACL
- Monitor CloudWatch metrics and alarm on them
- Use multiple origins in an origin group for failover
❌ DON'T
- Make S3 buckets public
- Cache sensitive or per-user data on a shared behavior
- Serve production traffic over plain HTTP
- Ignore the origin's Cache-Control headers when choosing TTLs
- Create excessive invalidations
- Skip WAF protection
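"Don't cache sensitive data" is decided by the interaction between a behavior's Minimum/Default/Maximum TTL, the origin's `Cache-Control` header, and which request parts are in the cache key. The code below is an added example, not code from the page or from AWS. `effective_ttl()` applies the documented precedence (a `no-cache`/`no-store`/`private` response is honoured only when Minimum TTL is 0, `s-maxage` beats `max-age`, values are clamped to the Minimum/Maximum TTL, and Default TTL applies when the origin says nothing; `Expires` is ignored here as a simplifying assumption). `shared_cache_risk()` then asks whether a credentialed request whose response is cacheable has its credential in the cache key; the two behaviors are constructed to match the CLI example's static and `/api/*` behaviors.

```python
"""Predict what CloudFront caches for a behavior and whether a per-user
response could be served to other viewers.

Added example, not from the page. effective_ttl() follows the documented
precedence between Minimum/Default/Maximum TTL and the origin's
Cache-Control header (Expires is ignored, an assumption); shared_cache_risk()
checks whether the credential behind a cacheable response is in the cache key.
"""

NO_STORE = {"no-cache", "no-store", "private"}


def parse_cache_control(value):
    """'max-age=600, Private' -> {'max-age': '600', 'private': None}."""
    out = {}
    for part in (value or "").split(","):
        part = part.strip().lower()
        if part:
            key, sep, val = part.partition("=")
            out[key.strip()] = val.strip().strip('"') if sep else None
    return out


def effective_ttl(cache_control, min_ttl, default_ttl, max_ttl):
    """Seconds CloudFront keeps the object; 0 means it is not cached."""
    d = parse_cache_control(cache_control)
    if d.keys() & NO_STORE:
        # Honoured only when Minimum TTL is 0; otherwise CloudFront still
        # caches for Minimum TTL.
        return min_ttl
    age = d.get("s-maxage") or d.get("max-age")
    if not age or not age.isdigit():
        return default_ttl            # no usable freshness from the origin
    return max(min_ttl, min(int(age), max_ttl))


def shared_cache_risk(behavior, request_headers, cache_control):
    """True when this request's credential is absent from the cache key while
    the response is cacheable: the first caller's response is then served to
    every later request that matches the key."""
    ttl = effective_ttl(cache_control, behavior["min_ttl"],
                        behavior["default_ttl"], behavior["max_ttl"])
    if ttl == 0:
        return False
    if "Authorization" in request_headers and "Authorization" not in behavior["header_keys"]:
        return True
    if "Cookie" in request_headers and behavior["cookies"] == "none":
        return True
    return False


# Constructed to match the two behaviors in the CLI example: with legacy
# ForwardedValues the forwarded cookies are in the key, Authorization is not.
API_BEHAVIOR = {"min_ttl": 0, "default_ttl": 0, "max_ttl": 31536000,
                "header_keys": [], "cookies": "all"}
STATIC_BEHAVIOR = {"min_ttl": 0, "default_ttl": 86400, "max_ttl": 31536000,
                   "header_keys": [], "cookies": "none"}

if __name__ == "__main__":
    print(effective_ttl("max-age=600, private", 0, 0, 31536000))                        # 0
    print(shared_cache_risk(API_BEHAVIOR, {"Authorization": "Bearer t"}, "max-age=300"))  # True
```

The interesting cases: the `/api/*` behavior has Default TTL 0, so a response without `Cache-Control` is not cached, but one the origin marks `max-age=300` is cached for 300 s and, since `Authorization` is not in the key, served to the next bearer of a different token. Adding `private` fixes that only because Minimum TTL is 0; with Minimum TTL 60 the same response is still cached for a minute.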
Monitoring
- CloudWatch metrics (Requests, BytesDownloaded, 4xxErrorRate, 5xxErrorRate)
- CloudWatch alarms on error rate and origin latency
- WAF metrics: BlockedRequests per rule, plus the sampled requests for triage
- Cache hit/miss ratio (the CacheHitRate additional metric, or x-edge-result-type in the standard access logs)
- Origin latency (the OriginLatency additional metric; additional metrics are enabled per distribution)
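The metrics above are aggregates; the standard access logs are where you see which clients are collecting 403s and which paths miss the cache. The summariser below is an added example, not code from the page or from AWS. It assumes standard logging is enabled on the distribution (the Terraform above does not set `logging_config`), keys columns off the `#Fields:` header line so it works on real log files, and runs here on a constructed sample trimmed to the first 14 columns.

```python
"""Summarise CloudFront standard (access) logs: cache hit ratio, error rates
and the clients collecting 403s.

Added example, not from the page. The parser keys columns off the #Fields
header, so it works on real log files; SAMPLE_LOG is constructed and trimmed
to the first 14 columns of the standard format.
"""
from collections import Counter


def _line(ip, method, path, status, result):
    """Build one constructed tab-separated log line."""
    return "\t".join(["2024-05-01", "10:00:01", "IAD89-C1", "1024", ip, method,
                      "d111111abcdef8.cloudfront.net", path, status, "-",
                      "Mozilla/5.0", "-", "-", result])


SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
    "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type",
    _line("203.0.113.10", "GET", "/index.html", "200", "Hit"),
    _line("203.0.113.10", "GET", "/app.js", "200", "Miss"),
    _line("198.51.100.7", "GET", "/app.js", "200", "Hit"),
    _line("198.51.100.7", "GET", "/api/users", "200", "Miss"),
    _line("192.0.2.5", "GET", "/admin", "403", "Error"),
    _line("192.0.2.5", "GET", "/wp-login.php", "403", "Error"),
    _line("192.0.2.5", "POST", "/api/login", "403", "Error"),
    _line("203.0.113.10", "GET", "/missing.png", "404", "Error"),
    _line("198.51.100.7", "GET", "/api/orders", "502", "Error"),
    _line("203.0.113.10", "GET", "/index.html", "200", "RefreshHit"),
])


def parse_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split("\t")))


def summarize(text, top_n=3):
    """Cache hit ratio, 4xx/5xx rates and the IPs with the most 403 responses."""
    total = hits = c4 = c5 = 0
    forbidden = Counter()
    for r in parse_log(text):
        total += 1
        status = int(r["sc-status"])
        if r["x-edge-result-type"] in ("Hit", "RefreshHit"):
            hits += 1
        if 400 <= status < 500:
            c4 += 1
            if status == 403:            # WAF blocks return 403 by default
                forbidden[r["c-ip"]] += 1
        elif status >= 500:
            c5 += 1
    return {
        "requests": total,
        "cache_hit_ratio": hits / total if total else 0.0,
        "rate_4xx": c4 / total if total else 0.0,
        "rate_5xx": c5 / total if total else 0.0,
        "top_403": forbidden.most_common(top_n),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Real log files are gzip-compressed objects in the logging bucket; feed each one through `gzip.open(path, "rt").read()` and the same `summarize()` applies. A client that dominates `top_403` while the 4xx rate climbs is the usual signature of the rate-limit or managed rules doing their job, or of a scanner that deserves an IP set rule.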