This tutorial will walk you through setting up Amazon CloudFront on a WordPress website (or any other type of website for that matter – it doesn’t have to be a WordPress site). This is part of a multipart series working towards setting up Amazon’s Web Application Firewall (WAF). See the first post giving a high level architecture to AWF.
Create an S3 Bucket for Logs
For our Web Application Firewall that we are ultimately working towards, we want somewhere we can write logs to. S3 is great choice for this. Notice in the picture below when setting up the S3 bucket, there is a Set Up Logging button. We can ignore this as the bucket is for logs. We don’t need logs for logs.
Create CloudFront Distribution
Now we need to create a CloudFront instance that the Web Application Firewall can sit on top of. When setting up this step, make sure you select a region that makes sense. Notice in the screenshot I’ve supplied Alternate Domain Names (CNAMEs) to link Route 53 and our Instance. Also note at this point in time the Dropdown box AWS WAF Web ACL, will be empty. Select your bucket for logs as the bucket you created in the previous step.
To avoid frustration when building this CloudFront distribution, when you make any changes, CloudFront goes off and rebuilds its index. This makes sense as CloudFront is a series of Edge servers with logical copies stored around the world. Changes made need to be distributed out. So if you make a change – be advised – wait a while before expecting to see anything happen.
Within the distribution we have 2 areas we really care about. Origins and Behaviours. Origins list all of the places we get our content to store in CloudFront. We can pull from many places. Behaviours map a series of rules onto that set of origins. To simplify: Behaviours tell CloudFront to cache this, don’t cache that.
When building your origin name, you can put many different values in here. I pasted my long, Amazon style EC2 instance name in. e.g. ec2-54-203-xxx-xxx.us-west-2.compute.amazonaws.com.
The default behaviour is * – a catch all for everything when a specialized rule is not met. In the image below Forward Headers is set to All, which states that CloudFront will not store any objects. All requests are forwarded to the origin server (The server that your website is being hosted from). My server is WordPress running on EC2.
This condition tells CloudFront to cache all wp-content (there is also another one for wp-includes/*). Notice we’ve also got IPV6 enabled, which is also enabled at a Route 53 level.
Route 53 Setup
Route 53 has a proprietary Alias routing function that is similar to CNAME, but is free. In the screenshot below, I’ve got mapping for IPv4 denoted by Type A and IPv6 denoted by Type AAAA. Notice that I am routing to a CloudFront Alias Target.
When I hit the website from Chrome (with Developer Tools open), a 301 Redirect is triggered from the above routing from www.sebastianpatten.com to sebastianpatten.com. I want all of my content to be coming from 1 domain (sebastianpatten.com) and not from www.sebastianpatten.com.
Optionally follow the next steps on how to how to install the Web Application Firewall for improved security over WordFence.