Redirecting a domain with HTTPS using Amazon S3 and CloudFront
Configuring the Amazon S3 static site with SSL
The first step is to configure a site in Amazon S3 that will trigger the redirect. The site will be used as the origin for the CloudFront distribution.
Create a new Amazon S3 bucket with exactly the same name as the origin domain. For example, if the origin is www.example-1469917820.com, then you must give the bucket the same name.
There are several ways to create a new bucket in Amazon S3, and covering them is beyond the scope of this article. In this particular case, I will use the Amazon AWS web console.
You can use the region you prefer. If you don't have a specific preference, leave US Standard.
Configure the bucket to redirect all requests to another host name. Select the bucket from the list, click Properties, and in the Static Website Hosting section configure the redirect.
The value of the Redirect all requests to field should be the domain or host name where you want to redirect the requests. In this example, it's the non-www version of the redirecting domain, but you can use any host name you want, even on a completely separate domain.
Press Save to confirm.
Before we move to the next step, take note of the Endpoint. We'll need this host name in our final step to configure Amazon CloudFront.
Installing the SSL certificate
As already mentioned, in order to redirect via HTTPS you need a valid SSL certificate for the redirecting host name. In this case, since I want to redirect www.weppos.net, I need an SSL certificate for it.
If you already have an existing SSL certificate, you need to upload the server SSL certificate to IAM.
If you don't have one, the simplest way to request a certificate for CloudFront is to use the Amazon Certificate Manager (ACM).
Here are the steps to request a new SSL certificate with Amazon Certificate Manager:
Go to the ACM page and make sure to switch to the US East (N. Virginia) region (us-east-1). In this case, the region is relevant: you won't be able to use the certificate in CloudFront if it was requested in a different region.
Click Request a certificate and in the Domain name section list all the host names you want the certificate to cover. Note that you will have to validate ownership via email for each host name you enter. Keep the list short, and only add the host names you really need at this moment. You can always issue another certificate later.
For static site redirects, I generally add only the source host name, both in www and non-www form. Just note that if you want to redirect example.com, it's sufficient to have only the first host in the certificate.
Click Review and request to continue. Confirm and proceed to the validation.
Read the information, and finalize the request.
At the end of the request process you'll get back to the certificate list. You will find the new certificate, with a pending validation warning. This is expected, as you still need to validate the host names in order to issue the certificate.
Monitor your inbox. You will receive a validation email like the following one for each host name you added into the certificate:
Click on the links and follow the instructions.
Once all the host names are validated, Amazon will issue the certificate. The state will change from pending validation to issued in the ACM console.
We are now ready to configure the HTTPS redirect in CloudFront.
Configuring the Amazon CloudFront HTTPS redirect
We have created a redirect via the bucket, and we have an SSL certificate that covers the redirecting host name. The final step is to configure CloudFront with our HTTPS certificate.
Go to the CloudFront page and create a new distribution:
Select the Web distribution, as we want to use our Amazon AWS bucket as the distribution origin.
Configure the distribution Origin Settings. Get the Amazon S3 endpoint you saved before and use it as Origin Domain Name.
Make sure to use the web site endpoint and NOT the REST endpoint, since the redirect feature is only available in the web site endpoint as explained in the Amazon documentation. Don't use the endpoint auto-suggested by CloudFront.
Disable the SSLv3 protocol (as it's buggy and insecure) and leave the other options to defaults, unless you have specific needs.
Scroll down to the Distribution Settings to configure the SSL certificate.
In the CNAME section add the origin host name, the one that will be redirecting. In our case, it's
Select Custom SSL Certificate and, from the drop down, select the certificate you previously requested or imported in IAM. If the certificate is not there, go back and check that you followed all the instructions contained in this article. See common errors.
Confirm and create the distribution. It will take up to 10-15 minutes for the distribution to be fully deployed.
Each distribution in CloudFront has a unique CloudFront Domain Name.
If the configuration is correct, the response of the cURL request should be similar to the one above. The Location header contains the target of the redirect, which is the domain originally configured in our Amazon S3 bucket redirect.
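One way to script the check described above, as an added example that is not part of the original article: the function reads the headers printed by `curl -sI` and confirms the response is a redirect whose Location host is the expected target. The name `check_redirect`, the sample responses and `example.com` are assumptions made for illustration.

```sh
#!/bin/sh
# Usage against a live distribution (host names are placeholders):
#   curl -sI https://<redirecting host>/ | check_redirect <target host>
# Prints "<status> <scheme> <host>" and returns 0 only when the response is a
# redirect whose Location host equals the expected target host.
check_redirect() {
    expected_host=$1
    # HTTP header lines end in CRLF; drop the CR before parsing.
    headers=$(tr -d '\r')
    # Status line looks like "HTTP/1.1 301 Moved Permanently" or "HTTP/2 301".
    status=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
    # Header names are case-insensitive; HTTP/2 responses send "location:".
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1) == "location:" { print $2; exit }')
    case $status in
        301|302|307|308) ;;
        *) echo "not a redirect: status=${status:-none}"; return 1 ;;
    esac
    case $location in
        *://*) ;;
        *) echo "missing or relative Location: ${location:-none}"; return 1 ;;
    esac
    scheme=${location%%://*}   # reported so an http:// target is visible
    rest=${location#*://}
    host=${rest%%/*}
    host=${host%%:*}           # drop an explicit port, if any
    echo "$status $scheme $host"
    [ "$host" = "$expected_host" ]
}

# Constructed sample responses (not captured from a real distribution).
sample_redirect() {
    printf 'HTTP/2 301\r\nlocation: http://example.com/\r\nserver: AmazonS3\r\n\r\n'
}
sample_not_redirect() {
    printf 'HTTP/1.1 403 Forbidden\r\nContent-Type: application/xml\r\n\r\n'
}

sample_redirect | check_redirect example.com   # prints: 301 http example.com
```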
Pointing the DNS record to CloudFront endpoint
The final step is to configure the DNS record for the redirecting host name. The host name must point to the CloudFront distribution domain name. That way when a user visits the domain, they are redirected to the target URL.
The specific steps depend on the DNS hosting you use. The following instructions assume you are using DNSimple.
There are two possible configurations:
if the host name you want to redirect is a subdomain (e.g. blog.example.com, …) then you need to configure a CNAME that points to the Amazon CloudFront distribution endpoint
if the host name you want to redirect is the root domain (e.g. example.com) then you can't use a CNAME. The only way to properly configure a redirect in this case is to use a DNS provider (such as DNSimple) that supports CNAME-like features for the root domain. At DNSimple we call it the ALIAS record.
Once configured, a simple dig lookup will tell you if the DNS record resolves correctly.
This article explains how to configure the redirect for an entire domain to a different domain. It does not cover single-page redirects, which should be done by setting the redirect on a specific object uploaded to Amazon S3.