Skip to main content

Cloudfront

The cloudfront CDN feature requires your storage mode to be set to s3. You can follow the storage guide to set up your storage solution.

note

The environment variables required for each cdn are listed below, you can set them in a .env file in the root of the project or keep them in a safe place to prepare for deployment.

Generate key pair

On your terminal type the following commands:

Generate key pair
openssl genrsa -out private_key.pem 2048
openssl rsa -in private_key.pem -pubout -out public_key.pem
https://us-east-1.console.aws.amazon.com/cloudfront/v4/home

Create Cloudfront Key Group

  • Go to the Cloudfront Public keys page on your AWS console.
  • Click on the Create public key button.
  • Enter a name for your key and upload the public key generated in the previous step.
  • Go to the Cloudfront Key groups page
  • Click on the Create key group button.
  • Enter a name for your key group and select the public key you created in the previous step.
  • You fill find the key group ID in the key groups table. This ID will be used as environment variable by the server:
.env
CLOUDFRONT_KEY_PAIR_ID=your-key-group-id

Create Cloudfront Origin Access Control Settings (OAC)

  • Go to the Cloudfront Origin Access Identity page
  • Click on the Create control setting button.
  • Enter and name and check Sign requests (recommended), leave Do not override authorization header empty.
  • Set S3 as Origin Type

Create Cloudfront distribution

Origin

  • Select the S3 bucket you created in the storage guide as the origin.
  • Leave Origin Path empty.
  • In Origin access check "Origin access control settings (recommended)"
  • In Origin access control select the OAC you created in the previous step.

Default Cache Behavior Settings

  • Check Yes for Compress objects automatically.
  • Select HTTPS only for Viewer Protocol Policy.
  • Allowed HTTP methods: GET, HEAD
  • Check Yes for Restrict Viewer Access ++ Set trusted key groups as Trusted authorization type and select the key group you created in the previous step.
  • In cache Key and origins requests set cache policy as CachingOptimized

Other settings

You are free to configure the other settings based on what you need for your application. It's recommended to use a alternate domain name for your distribution.

  • The server will use the domain name or alternate domain name as the CLOUDFRONT_DOMAIN environment variable.
.env
CLOUDFRONT_DOMAIN=your-cloudfront-domain
https://us-east-1.console.aws.amazon.com/s3/home

Setup Bucket Policy

  • Go to the S3 Buckets page
  • Click on the bucket you created in the storage guide
  • Go to the Permissions tab
  • Click on the Bucket Policy button
  • Add the following policy to the bucket policy editor:
Bucket Policy
{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::{{YOUR_BUCKET_NAME}}/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::{{AWS_ACCOUNT_ID}}:distribution/{{YOUR_CLOUDFRONT_DISTRIBUTION_ID}}"
                }
            }
        }
    ]
}

Summary of Environment Variables

General Environment Variables

.env
CLOUDFRONT_KEY_PAIR_ID=your-key-group-id
CLOUDFRONT_DOMAIN=your-cloudfront-domain

Keys Storage Environment Variables

You will need to setup the private key in the server environment variables. You can follow the keys storage guide to set up your keys storage solution.

Encode keys
echo -n "your private key" | base64
.env
KEYS_STORAGE_TYPE=environment
PRIVATE_CLOUDFRONT_KEY_B64=base64-encoded-cloudfront-private-key