Static hosting on S3 can only be done by CNAME from subdomain? - hosting

I read this:
"I can't use this until I can serve my root domain without redirection to "www". Can Amazon designate an IP address (or set of IP addresses) for S3 that I can point my root A record to?"
Is it still true that I need to have a domain host just as a proxy to S3 and set up a CNAME to point a subdomain to the S3 bucket? And there is no better way?

There are no better ways, only more costly ways.
You can set up an EC2 image with a proxy, and allow the proxy to access S3 on your behalf, while accessing the remainder of your web site somewhere else. Since scalability is a concern of yours, you'll also want to use the automatic scaling tools for EC2 as access to your proxy grows.
Or, just re-architect your application to use the CNAME-based approach for all content located in S3.

Related

Amazon cloudfront - s3 or ec2?

I have an application hosted on EC2 instance.
Now I want to fetch all the static content used in application from Cloudfront.
I read from a source that CloudFront uses S3/EC2 or private servers to get the static files.
I can't come to a conclusion on what exactly to use. Can I use the same EC2 instance for this purpose? Is there any better option for this implementation?
Amazon CloudFront sits "in front" of your application on Amazon EC2 and/or your content in Amazon S3. It caches content in 50+ locations when people access your application.
For example, let's say you had a web app running on an EC2 instance serving HTML pages, and also some pictures in S3.
You would create a CloudFront distribution and configure two origins: one for your web server and one for your S3 bucket. Behaviours can be configured to tell CloudFront when to use each origin -- for example, serve *.htm URLs from EC2 and *.jpg URLs from S3.
Your users would then access your application via the supplied CloudFront URL. Content will be cached (if appropriate) at one of the 50+ CloudFront locations around the world that is closest to each of your users, resulting in faster response times for your user.
You can also use your own domain name with CloudFront so that it has a more-friendly URL than the one supplied on the CloudFront distribution (which looks like d3i7tv8nzqzfbt.cloudfront.net).
Simply put, Amazon S3 is used for cloud storage, whereas Amazon EC2 (elastic cloud) is used to serve web pages (hosting), the same as godaddy.com.

Have static site on Amazon S3 and Cloudfront, how to add sub-domain hosted elsewhere?

I have a site with a root domain (mysite.com) as a Jekyll static page, hosted on Amazon S3 and CloudFront. I'd like to add a sub-domain such as purchase.mysite.com which would be located on another provider such as Heroku. The intention here is to have a landing page backed with Amazon's CDN and the services somewhere else, as at that point I don't think the speed is as important. Has anyone else gone this route? How and what was involved with its implementation? Is there a better way to accomplish the same goal?
This setup is pretty common I'd imagine.
You need to create a subdomain on your DNS using a CNAME record type pointing at the .herokuapp.com address that Heroku will give your application and then add the custom domain to your Heroku application.

How do I publicly host a file on my Amazon EC2 instance?

Though similar to Amazon EC2 How Do I Host a PDF File on my Instance? this is not a simple case of case sensitivity.
I currently have the file I'd like to be publicly available in /var/www/html which is the DocumentRoot (though note we've also got amazon EBS set up) but nonetheless going to ourinstance/file.pdf gives 404 not found.
I'd like to avoid having to use S3.
You need to set up a web server (Apache/nginx) and configure it to serve the file (from a domain). In order to do that, you need to set up a virtual host (or its equivalent in nginx).
Once done, you start the server and, assuming DNS settings are correctly set up, your file should be served.
I think this question is better suited to be asked on serverfault rather than stackoverflow.

AWS: Cloudfront and EC2 on single domain

Is it possible to host mysite.com/ from ec2 and mysite.com/logo.gif from cloudfront?
No, you won't be able to make the part of the URL after the domain name influence the DNS lookup for mysite.com. However, if you're willing to settle for something like "images.mysite.com/logo.gif", you can easily resolve images.mysite.com to your CloudFront distribution using a CNAME.
You could also configure the web server on your EC2 instance to redirect or proxy to CloudFront - but then your server is still getting hit every time that resource is loaded, which eliminates most of the benefit to using a CDN in the first place.
In a way, you can. You would need to use a reverse proxy on your web server at mysite.com.
http://en.wikipedia.org/wiki/Reverse_proxy
To agree with David (above), you can set up a DNS CNAME for your CloudFront distribution, but the best you could do would be a subdomain of your site. It's a better way to do things anyway, if you follow Yahoo! or Google website performance guidelines.
developer.yahoo.com/performance/rules.html
code.google.com/speed/page-speed/docs/rules_intro.html

How can I defend against DoS attacks using Amazon EC2 Load Balancer?

We usually blacklist IP addresses with iptables. But in Amazon EC2, if a connection goes through the Elastic Load Balancer, the remote address will be replaced by the load balancer's address, rendering iptables useless. In the case of HTTP, apparently the only way to find out the real remote address is to look at the HTTP header HTTP_X_FORWARDED_FOR. To me, blocking IPs at the web application level is not an effective way.
What is the best practice to defend against DoS attack in this scenario?
In this article, someone suggested that we can replace Elastic Load Balancer with HAProxy. However, there are certain disadvantages in doing this, and I'm trying to see if there are any better alternatives.
I think you have described all the current options. You may want to chime in on some of the AWS forum threads to vote for a solution - the Amazon engineers and management are open to suggestions for ELB improvements.
If you deploy your ELB and instances using VPC instead of EC2-classic, you can use Security Groups and Network ACLs to restrict access to the ELB.
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/USVPC_ApplySG.html
It's common to run an application server behind a reverse proxy. Your reverse proxy is a layer you can use to add DoS protection before traffic gets to your application server. For Nginx, you can look at the rate limiting module as something that could help.
You could set up an EC2 host and run haproxy there by yourself (that's what Amazon is using anyways!). Then you can apply your iptables-filters on that system.
Here's a tool I made for those looking to use Fail2Ban on aws with apache, ELB, and ACL: https://github.com/anthonymartin/aws-acl-fail2ban
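
An added example, not part of any of the posts above: behind a load balancer that appends the peer address to X-Forwarded-For, per-client rate limiting has to key on the entry the load balancer wrote (the rightmost one), not on whatever the request already carried. The function names, `TRUSTED_HOPS`, the thresholds and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

TRUSTED_HOPS = 1  # assumption: the ELB is the only proxy in front of the server

def client_ip(xff_header, trusted_hops=TRUSTED_HOPS):
    """Return the address recorded by the outermost trusted proxy, or None.

    Each proxy appends the peer address it saw, so only the last
    `trusted_hops` entries come from infrastructure you control;
    anything further left arrived in the client's own request.
    """
    parts = [p.strip() for p in xff_header.split(",") if p.strip()]
    if len(parts) < trusted_hops:
        return None
    try:
        return str(ipaddress.ip_address(parts[-trusted_hops]))
    except ValueError:
        return None  # malformed entry: do not key a limit on it

def offenders(requests, limit, window):
    """requests: time-ordered (unix_seconds, X-Forwarded-For value) pairs.
    Returns client IPs with more than `limit` requests in any `window` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, xff in requests:
        ip = client_ip(xff)
        if ip is None:
            continue
        hits = recent[ip]
        hits.append(ts)
        while hits and hits[0] <= ts - window:  # drop hits that left the window
            hits.popleft()
        if len(hits) > limit:
            flagged.add(ip)
    return flagged

# Constructed sample (documentation address ranges): one source sends six
# requests in six seconds with a different leading entry each time; a second
# client sends two requests.
SAMPLE = sorted(
    [(t, f"198.51.100.{t + 1}, 203.0.113.9") for t in range(6)]
    + [(2, "192.0.2.10"), (7, "192.0.2.10")]
)

if __name__ == "__main__":
    print(offenders(SAMPLE, limit=5, window=10))  # {'203.0.113.9'}
```

The returned set is what would be handed to whatever does the blocking, for example a VPC network ACL deny rule as suggested in the answers. Keying on the leftmost entry instead would count each of the six sample requests as a separate client and flag nothing.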
