Skip to content

Commit

Permalink
Merge pull request catalyst#450 from mpalimaka/cloudfront-modernise
Browse files Browse the repository at this point in the history
Use newer CloudFront setup options
  • Loading branch information
golenkovm authored Nov 24, 2021
2 parents 57009a6 + c8f33d2 commit 35951fd
Showing 1 changed file with 53 additions and 34 deletions.
87 changes: 53 additions & 34 deletions CLOUDFRONT.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,11 @@
1. Login to AWS console https://aws.amazon.com/console/
2. Navigate to _Services -> S3_.
3. Click _Create bucket_.
4. Fill out bucket name, region and click _Create bucket_.
5. Navigate to _My Security Credentials_.
6. In the _Access keys_ section click on the _Create New Access Key_ button.
7. Write down your bucket name, region, key and secret.
8. Edit the bucket again.
9. Set _Default encryption_ to _Enabled_ with _Amazon S3 master-key (SSE-S3)_ server-side encryption.
10. Set the following as _Cross-origin resource sharing (CORS)_:
4. Fill out the bucket name and region
5. Ensure _Block all public access_ is ticked
6. Enable _Server-side encryption_ with _Amazon S3 key (SSE-S3)_
7. Click _Create bucket_.
8. Set the following as _Cross-origin resource sharing (CORS)_:
```
[
{
Expand All @@ -26,6 +24,8 @@
"MaxAgeSeconds": 3000
}
]
9. Navigate to _My Security Credentials_.
10. In the _Access keys_ section click on the _Create New Access Key_ button.
```

### Configure Objectfs
Expand All @@ -48,7 +48,7 @@ $CFG->alternative_file_system_class = '\tool_objectfs\s3_file_system';
```
3. Access the _/admin/settings.php?section=tool_objectfs_settings_ page.
4. Confirm, that there is a green notification message _Could establish connection to the external object storage._ under the _Amazon S3 Settings_ section.
5. Run the fllowing scheduled tasks:
5. Run the following scheduled tasks:
```
php admin/cli/scheduled_task.php --execute='\tool_objectfs\task\check_objects_location'
php admin/cli/scheduled_task.php --execute='\tool_objectfs\task\push_objects_to_storage'
Expand All @@ -58,26 +58,9 @@ php admin/cli/scheduled_task.php --execute='\tool_objectfs\task\generate_status_
6. Access the _/admin/tool/objectfs/object_status.php_ page.
7. Confirm, that all files have been moved to the external storage: _Marked as only in filedir_ and _Duplicated in filedir and external storage_ should be 0.

### Create CloudFront distribution
1. Navigate to [https://console.aws.amazon.com/cloudfront/v3/home?region=ap-southeast-2#/welcome].
2. Click on _Create a CloudFront distribution_.
3. Choose your Amazon S3 bucket from _Origin domain_ dropdown menu.
4. _S3 bucket access_: Choose _Yes use OAI (bucket can restrict access to only CloudFront)_ and click _Create new OAI_.
5. _S3 bucket access -> Bucket policy_: Choose _Yes, update the bucket policy_.
6. _Viewer protocol policy_: Choose _Redirect HTTP to HTTPS_.
7. _Allowed HTTP methods_: Choose _GET, HEAD, OPTIONS_ and tick _OPTIONS_ under _Cache HTTP methods_.
8. _Restrict viewer access_: Choose _Yes -> Trusted signer -> Self_.
9. _Cache key and origin requests_: Choose _Legacy cache settings_.
10. _Legacy cache settings -> Headers_: Choose _Include the following headers_ and add _Origin_, _Access-Control-Request-Method_, _Access-Control-Request-Headers_ headers from the dropdown menu.
11. _Legacy cache settings -> Query strings_: Choose _All_.
12. Click _Create distribution_.
13. Navigate to [https://console.aws.amazon.com/cloudfront/v3/home?region=ap-southeast-2#/distributions].
14. Confirm, that _Status_ is _Enabled_ and _Last modified_ is changed from _Deploying_ to the date the distribution was created.
15. Open your distribution.
16. Write down _Distribution domain name_ (with https://).
> Note: If you have already setup Moodle behind a CloudFront distribution, it is also possible to use that same CloudFront distribution to serve files from objectfs. In this scenario, a specific prefix in the URL path directs traffic to the S3 Bucket (moodle.domain/objectfs/ for example). To achieve that, use the key_prefix option to add a prefix on your Bucket, and configure a second Origin on your existing CloudFront distribution that points to your Bucket. Setup a Behavior that uses that new Origin with the same prefix as the one you used as key_prefix in your Bucket. Follow all other instructions.
### Generate CloudFront keys
ObjectFS can use a CloudFront key from either the local filesystem or an admin setting. If using an admin setting, the key may be generated outside of the Moodle environment.

### Generate keys
1. Make a directory _$CFG->dataroot . '/objectfs/'_.
2. Make it readable and writable:
```
Expand All @@ -93,16 +76,52 @@ chmod 777 cloudfront.pem
```
openssl rsa -pubout -in cloudfront.pem -out public_key.pem
```
5. Navigate to [https://console.aws.amazon.com/cloudfront/v3/home#/distributions].
6. In the navigation menu, choose _Public keys_.
7. Click _Create public key_.
8. Enter key name.
9. Enter key value. Use the following command to get the public key:
5. Navigate to https://console.aws.amazon.com/cloudfront/v3/home#/publickey.
6. Click _Create public key_.
7. Enter key name.
8. Enter key value. Use the following command to get the public key:
```
cat public_key.pem
```
10. Click _Create public key_.
11. Write down key ID from the [https://console.aws.amazon.com/cloudfront/v3/home#/publickey] page.
9. Click _Create public key_.
10. Write down key ID from the https://console.aws.amazon.com/cloudfront/v3/home#/publickey page.
11. Navigate to https://console.aws.amazon.com/cloudfront/v3/home#/keygrouplist
12. Create a key group and select the public key created previously
13. Store the public and private key files somewhere secure

### Create CloudFront response headers policy

1. Navigate to https://console.aws.amazon.com/cloudfront/v3/home#/policies/responseHeaders
2. Click on _Create response headers policy_
3. _Name_: CORS-with-preflight-and-SecurityHeadersPolicy-ReadOnly
4. _Configure CORS_: disabled
5. _Strict-Transport-Security_: Enabled, origin override enabled
6. _X-Content-Type-Options_: Enabled, origin override enabled
7. _X-Frame-Options_: Enabled, SAMEORIGIN, origin override enabled
8. _X-XSS-Protection_: Enabled, block, origin override enabled
9. _Referrer-Policy_: Enabled, strict-origin-when-cross-origin, origin override enabled
10. _Content-Security-Policy_: disabled

### Create CloudFront distribution
1. Navigate to https://console.aws.amazon.com/cloudfront/.
2. Click on _Create a CloudFront distribution_.
3. Choose your Amazon S3 bucket from _Origin domain_ dropdown menu.
4. _S3 bucket access_: Choose _Yes use OAI (bucket can restrict access to only CloudFront)_ and click _Create new OAI_.
5. _S3 bucket access -> Bucket policy_: Choose _Yes, update the bucket policy_.
6. _Viewer protocol policy_: Choose _Redirect HTTP to HTTPS_.
7. _Allowed HTTP methods_: Choose _GET, HEAD, OPTIONS_ and tick _OPTIONS_ under _Cache HTTP methods_.
8. _Restrict viewer access_: Choose _Yes -> Trusted key groups (recommended)_.
9. Add key group created earlier
10. _Cache key and origin requests_: Choose _Cache policy and origin request policy (recommended)_.
11. _Cache policy_: Choose CachingOptimized
12. _Origin request policy_: Choose CORS-S3Origin
13. _Response headers policy_: Choose CORS-with-preflight-and-SecurityHeadersPolicy-ReadOnly
14. Click _Create distribution_.
15. Navigate to https://console.aws.amazon.com/cloudfront/v3/home#/distributions.
16. Confirm, that _Status_ is _Enabled_ and _Last modified_ is changed from _Deploying_ to the date the distribution was created.
17. Open your distribution.
18. Write down _Distribution domain name_ (with https://).
> Note: If you have already setup Moodle behind a CloudFront distribution, it is also possible to use that same CloudFront distribution to serve files from objectfs. In this scenario, a specific prefix in the URL path directs traffic to the S3 Bucket (moodle.domain/objectfs/ for example). To achieve that, use the key_prefix option to add a prefix on your Bucket, and configure a second Origin on your existing CloudFront distribution that points to your Bucket. Setup a Behavior that uses that new Origin with the same prefix as the one you used as key_prefix in your Bucket. Follow all other instructions.
### Configure CloudFront signing method in Objectfs:
1. Run the following commands from the CLI to configure Objectfs:
Expand Down

0 comments on commit 35951fd

Please sign in to comment.