How to restrict access just to cloudfront from a custom origin server?
You could restrict access to the published Amazon CloudFront Public IP Ranges; however, be aware of the respective disclaimer by Amazon:
The CloudFront IP addresses change frequently and we cannot guarantee advance notice of changes. On a best-effort basis, we will provide the list of current addresses. Customers should not use these addresses for mission critical applications and must never hard code them in DNS names. [emphasis mine]
Consequently you should monitor this forum/post to take notice of respective changes as early as possible (if this constraint is acceptable for your use case in the first place of course).
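As an added example (not part of the answer above, nor AWS's own code): one way to turn the published ranges into an Apache 2.4 allow list that can be regenerated whenever the ranges change, instead of hard-coding addresses. The sample feed is constructed in the layout of AWS's ip-ranges.json, and the directory path and function names are assumptions.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's published ip-ranges.json;
# the prefixes are documentation ranges, not real CloudFront addresses.
SAMPLE = json.loads("""
{
  "syncToken": "1700000000",
  "prefixes": [
    {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
    {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
    {"ip_prefix": "203.0.113.128/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1000::/36", "region": "GLOBAL", "service": "CLOUDFRONT"}
  ]
}
""")


def cloudfront_networks(doc):
    """Return the CLOUDFRONT networks, validated, merged and sorted (IPv4 first)."""
    nets = {4: [], 6: []}
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for entry in doc.get(key, []):
            if entry.get("service") == "CLOUDFRONT":
                net = ipaddress.ip_network(entry[field])  # raises on a malformed CIDR
                nets[net.version].append(net)
    return [n for v in (4, 6) for n in ipaddress.collapse_addresses(nets[v])]


def render_apache_acl(doc, directory="/var/www/html"):  # path is an assumption
    """Build an Apache 2.4 <Directory> block that admits only CloudFront ranges."""
    networks = cloudfront_networks(doc)
    if not networks:
        # Refuse to emit a block with no Require lines; access would fall back to inherited rules.
        raise ValueError("no CLOUDFRONT prefixes in feed")
    lines = [f"# generated from syncToken {doc.get('syncToken', 'unknown')}",
             f'<Directory "{directory}">']
    lines += [f"    Require ip {net}" for net in networks]
    lines.append("</Directory>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_apache_acl(SAMPLE))
```

Comparing the feed's syncToken with the one recorded in the generated file shows whether the list needs regenerating and Apache reloading.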
Simon
Updated on September 17, 2022
Comments
-
Simon over 1 year
If I understood well, in order to create a custom origin distribution, I need to make those files public on my custom origin server.
In my case, that will mean putting those files into a public dir of an Apache server. My question is: is it possible to restrict access to that Apache server to just CloudFront?
I know how to do it to allow only one IP, but how to do it with CF?
Thanks in advance!
-
karnage over 12 years
Did you ever find an answer to this? I am in the same situation and I want to know how to do this as well. I am planning on using the CDN as a preventative measure against DDoS and if I can hide the server from the public, all the better.
-
Steffen Opel over 12 years
@karnage - in case you are still interested, I've provided a late answer below.
-
Myster about 11 years
Also consider that if someone visits the cloudfront URI, then there will be no access restriction.
-
Shoan over 9 years
The published link is broken.
-
Karel almost 8 years
You might use this Lambda function that updates the IPs automatically: github.com/awslabs/aws-cloudfront-samples/tree/master/… This uses a pretty elegant way to fix the hardcoding of the IPs since the notification is sent out by Amazon itself, so we can assume it's always accurate.