Ref: https://learn.cantrill.io/courses/1820301/lectures/41301525

• Summary:
• Contents:

SSL in CF

• Every CF distribution has a default domain name (CNAME)
  • e.g. d111111abcdef8.cloudfront.net
  • CF is supplied with a default SSL cert, with name *.cloudfront.net → covers all CF distributions using default name → SSL & HTTPS supported by default if using this name
• Alternate domain names (CNAMEs) allow custom names for CF distributions
  • e.g. cdn.catagram.io can point to a CF distribution using DNS provider (like R53)
  • ‼️ MUST apply an SSL cert (with matching domain name) to the CF distribution!
    • Allows optional use of SSL & HTTPS
    • Even if SSL/HTTPS not desired, this cert is still needed to verify domain ownership
  • Generate/import matching cert using ACM
    • ❗ Region = us-east-1 (since CF is a global service)
• Options to handle HTTP and HTTPS (set at CF behavior level):
  • HTTP or HTTPS: no restrictions, both allowed
  • HTTP → HTTPS: redirect HTTP connections to HTTPS (encourages HTTPS)
  • HTTPS only: HTTP connections will fail entirely
• ❗ Two SSL connections → at least two SSL certificates needed:
  1. Viewer protocol: Viewer → CF (edge location)
  2. Origin protocol: CF → origin
  • ‼️ BOTH need valid PUBLIC certificates (as well as intermediate certs in the chain)
    • Self-signed certs do NOT work with CF!! Certs must be publicly trusted!

Server Name Indication (SNI)

• A single web server can host many websites of different names, using a single IP address
  • 💡 e.g. catagram.io and doggogram.io hosted in same server, i.e. with same IP
  • Web browser tells server which website it wants via HTTP host headers → OSI-L7
  • ❗ Encryption (SSL/TLS) starts at TCP layer (L4), much lower than HTTP's L7
    • Host headers can't inform server which site to serve before encryption, server can't know which SSL certificate to serve
    • Historically (before 2003) every SSL-enabled site needed its own IP
• 🔧 Server Name Indication (SNI) → can tell which domain name to serve within TLS handshake (before HTTP gets involved) → server can respond with appropriate cert
  • TLS extension (added in 2003)
  • Allows many SSL certs/HTTPS hosts to use a shared IP

SNI in CF

• SNI mode in CF is free & part of the service
• Old browsers (pre-2003) don't support SNI:
  • CF must provide dedicated IPs at edge locations to support old browsers
  • ❗ Extra charges for dedicated IPs → $600/month per distribution!

SSL and SNI architecture in CF

Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/1700-GLOBAL_CONTENT_DELIVERY_AND_OPTIMIZATION/00_LEARNINGAIDS/CloudFrontArchitectureSSL-1.png

• Publicly trusted certificates required for both viewers and origins
  • Issued by major CAs (Commodo, DigiCert, Symantec, ACM…)
  • ❗ No self-signed certificates allowed!