CloudFront 支援 Wildcard Invalidation

在「Amazon CloudFront Makes it Easier to Invalidate Multiple Objects」這邊看到的消息,Amazon CloudFront 總算是支援 Wildcard Invalidation 了。價錢與 Single Object Invalidation 相同,都是每次 USD$0.005。

依照 Invalidating Objects (Web Distributions Only) 這邊的說明,Wildcard 的部份只能用在結尾:

To invalidate objects, you can specify either the path for individual objects or a path that ends with the * wildcard, which might apply to one object or to many, as shown in the following examples:

  • /images/image1.jpg
  • /images/image*
  • /images/*

不過還是有些限制,包括了 Single Object Invalidation 的同時最多 3000 條的限制:

If you're invalidating objects individually, you can have invalidation requests for up to 3,000 objects per distribution in progress at one time. This can be one invalidation request for up to 3,000 objects, up to 3,000 requests for one object each, or any other combination that doesn't exceed 3,000 objects. For example, you can submit 30 invalidation requests that invalidate 100 objects each. As long as all 30 invalidation requests are still in progress, you can't submit any more invalidation requests. If you exceed the limit, CloudFront returns an error message.

以及 Wildcard Invalidation 的同時 15 條限制:

If you're using the * wildcard, you can have requests for up to 15 invalidation paths in progress at one time.

而且每次 invalidate 可能都要 10~15 分鐘:

It usually takes 10 to 15 minutes for CloudFront to complete your invalidation request, depending on the number of invalidation paths that you included in the request.

所以也不是付錢就可以解決所有事情... :o

設定 CloudFront 的 Wildcard SSL (SNI)

不知道為什麼網路上一堆文章寫的超複雜 XD

目前必須使用 CLI 才能上傳 key 與 SSL certificate,所以乖乖的裝上 aws-cli 吧 :p

而通常在買 Wildcard SSL 時會 *.example.com 的時候會簽成 example.com + *.example.com,這時候用 example.com 當名字掛進去:

aws iam upload-server-certificate --server-certificate-name example.com --certificate-body file://server.crt --private-key file://server.key --certificate-chain file://intermediate.crt --path /cloudfront/

一樣可以確認:

aws iam get-server-certificate --server-certificate-name example.com

會改到的幾個部份用粗體標出來了。

上傳完成後就可以到 Web Console 上的 CloudFront 部份設定了。

主要是參考「Building a CDN over SSL with CloudFront and SNI」這篇文章的說明,再加上一些亂試後去翻文件確認的結果 :o

Wildcard EV Certificate...

Netcraft 這篇「Wildcard EV certificates supported by major browsers」提到幾個重點...

首先是 EV 規範內禁止使用 Wildcard certificate (出自「Guidelines ForThe IssuanceAnd Management Of ExtendedValidationCertificates」):

Wildcard certificates are not allowed for EV Certificates.

然後還是有人發 *.cclearning.accenture.com,而且主流瀏覽器會正常照 EV 模式顯示出來:(這邊拿 Google Chrome 的範例,原文有所有截圖)

只有 Safari 的手機版本當作普通 certificate 處理的:(下面兩張圖,上圖是桌機版,下圖是手機版)

被抓出來鞭後應該會修正... 吧?

Update:感謝 comment 的糾正,Safari 的地方寫錯了...

Amazon CloudFront 支援 Wildcard 了...

Amazon CloudFront 在 CNAME 的地方可以填 *.example.com 表示這個 distribution 要吃所有 domain:「CNAME Wildcard Support for Amazon CloudFront」。

這用在 asset 類的服務很好用,可以設定 *.asset.example.com,然後就可以用 {1,2,3,4}.asset.example.com 打散掉。以往則是要手動設多個 domain,沒辦法隨便調整...