限制 ALB 連線需透過 CloudFront 來，透過自訂HTTP Heard 來實現



首先先建立ALB 測試訪問



建立 CloudFront，Origins 為 ALB

CloudFront 測試訪問



為ALB 新增 Listener rules 

轉發到指定的Target

職場

學習

國際

<p class="lexical__paragraph" dir="ltr"><span style="white-space: pre-wrap;">限制 ALB 連線需透過 CloudFront 來，透過自訂HTTP Heard 來實現</span></p><p class="lexical__paragraph" dir="ltr"><br></p><p class="lexical__paragraph" dir="ltr"><span style="white-space: pre-wrap;">首先先建立ALB 測試訪問</span></p><div class="lexical__image center"><div class="lexical__imageWrapper"><img src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2Ff57bd6f6-70a6-4c7f-a3e1-fcc2780d7a3e.png&amp;width=740&amp;sign=y0HUL9ta5xlMxh56xzuWevP7r70i7UPKzu6XfY1ajlU" data-src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2Ff57bd6f6-70a6-4c7f-a3e1-fcc2780d7a3e.png&amp;width=740&amp;sign=y0HUL9ta5xlMxh56xzuWevP7r70i7UPKzu6XfY1ajlU" class="lazy" data-original-src="https://images.vocus.cc/f57bd6f6-70a6-4c7f-a3e1-fcc2780d7a3e.png" data-lowquality="true" data-width="1608" data-height="578" onerror="this.onError=null;this.src=this.dataset.originalSrc;" alt="raw-image"></div><div></div></div><p class="lexical__paragraph" dir="ltr"><br></p><p class="lexical__paragraph" dir="ltr"><span style="white-space: pre-wrap;">建立 CloudFront，Origins 為 ALB</span></p><div class="lexical__image center"><div class="lexical__imageWrapper"><img src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2Fc9c4928b-e47f-4ac7-9851-505ac6ecc420.png&amp;width=740&amp;sign=2En7oPUMFjBGNQ_l0HoNvkInD_kT7GkmNgd6gBE3Mms" data-src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2Fc9c4928b-e47f-4ac7-9851-505ac6ecc420.png&amp;width=740&amp;sign=2En7oPUMFjBGNQ_l0HoNvkInD_kT7GkmNgd6gBE3Mms" class="lazy" data-original-src="https://images.vocus.cc/c9c4928b-e47f-4ac7-9851-505ac6ecc420.png" data-lowquality="true" data-width="2664" data-height="824" onerror="this.onError=null;this.src=this.dataset.originalSrc;" alt="raw-image"></div><div></div></div><p class="lexical__paragraph" dir="ltr"><span style="white-space: pre-wrap;">CloudFront 測試訪問</span></p><div class="lexical__image center"><div class="lexical__imageWrapper"><img src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2F54e43e2b-45e0-4cd6-9199-5ba36af9319a.png&amp;width=740&amp;sign=37HMXjkVXmkN3D53YG56HYqIPv4B8Ue8lW3vl1dsC8c" data-src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2F54e43e2b-45e0-4cd6-9199-5ba36af9319a.png&amp;width=740&amp;sign=37HMXjkVXmkN3D53YG56HYqIPv4B8Ue8lW3vl1dsC8c" class="lazy" data-original-src="https://images.vocus.cc/54e43e2b-45e0-4cd6-9199-5ba36af9319a.png" data-lowquality="true" data-width="1708" data-height="706" onerror="this.onError=null;this.src=this.dataset.originalSrc;" alt="raw-image"></div><div></div></div><p class="lexical__paragraph" dir="ltr"><br></p><p class="lexical__paragraph" dir="ltr"><span style="white-space: pre-wrap;">為ALB 新增 Listener rules&nbsp;</span></p><div class="lexical__image center"><div class="lexical__imageWrapper"><img src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2Fc0120ba6-9238-447f-8b79-1c37593f6d31.png&amp;width=740&amp;sign=Ji9pRTaG-x6ChKWvq47cyXY7wU2yP_BHz8eE9QyUY3Y" data-src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2Fc0120ba6-9238-447f-8b79-1c37593f6d31.png&amp;width=740&amp;sign=Ji9pRTaG-x6ChKWvq47cyXY7wU2yP_BHz8eE9QyUY3Y" class="lazy" data-original-src="https://images.vocus.cc/c0120ba6-9238-447f-8b79-1c37593f6d31.png" data-lowquality="true" data-width="1814" data-height="1318" onerror="this.onError=null;this.src=this.dataset.originalSrc;" alt="raw-image"></div><div></div></div><p class="lexical__paragraph" dir="ltr"><span style="white-space: pre-wrap;">轉發到指定的Target group</span></p><div class="lexical__image center"><div class="lexical__imageWrapper"><img src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2F3b4dbf91-7d8b-4f24-b861-5010b15f44da.png&amp;width=740&amp;sign=gXu4iQxk2Od1STpcDlMAfyrPC0etFCf1sOmoqBsxG2w" data-src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2F3b4dbf91-7d8b-4f24-b861-5010b15f44da.png&amp;width=740&amp;sign=gXu4iQxk2Od1STpcDlMAfyrPC0etFCf1sOmoqBsxG2w" class="lazy" data-original-src="https://images.vocus.cc/3b4dbf91-7d8b-4f24-b861-5010b15f44da.png" data-lowquality="true" data-width="2052" data-height="1438" onerror="this.onError=null;this.src=this.dataset.originalSrc;" alt="raw-image"></div><div></div></div><p class="lexical__paragraph" dir="ltr"><br></p><p class="lexical__paragraph" dir="ltr"><span style="white-space: pre-wrap;">Default rule 修改為 Return fixed response 403</span></p><div class="lexical__image center"><div class="lexical__imageWrapper"><img src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2F51e01684-a33f-4df7-935a-aacbe74de285.png&amp;width=740&amp;sign=48qbNBJLlCtSGb_NLoTiarG7l_h0FC70DtDQatb1JTY" data-src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2F51e01684-a33f-4df7-935a-aacbe74de285.png&amp;width=740&amp;sign=48qbNBJLlCtSGb_NLoTiarG7l_h0FC70DtDQatb1JTY" class="lazy" data-original-src="https://images.vocus.cc/51e01684-a33f-4df7-935a-aacbe74de285.png" data-lowquality="true" data-width="2332" data-height="822" onerror="this.onError=null;this.src=this.dataset.originalSrc;" alt="raw-image"></div><div></div></div><p class="lexical__paragraph" dir="ltr"><br></p><p class="lexical__paragraph" dir="ltr"><span style="white-space: pre-wrap;">實測直接訪問會阻擋</span></p><div class="lexical__image center"><div class="lexical__imageWrapper"><img src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2Fff80419e-da7b-407c-8e1c-a0385c361e21.png&amp;width=740&amp;sign=ReNZ12t7VSmqvib7Mnx2avsvPkkrvurwuhnkV2Lbp4Q" data-src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2Fff80419e-da7b-407c-8e1c-a0385c361e21.png&amp;width=740&amp;sign=ReNZ12t7VSmqvib7Mnx2avsvPkkrvurwuhnkV2Lbp4Q" class="lazy" data-original-src="https://images.vocus.cc/ff80419e-da7b-407c-8e1c-a0385c361e21.png" data-lowquality="true" data-width="1836" data-height="394" onerror="this.onError=null;this.src=this.dataset.originalSrc;" alt="raw-image"></div><div></div></div><p class="lexical__paragraph" dir="ltr"><span style="white-space: pre-wrap;">自帶Head 就可以訪問</span></p><div class="lexical__image center"><div class="lexical__imageWrapper"><img src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2F2d7452f4-32f1-46a2-9138-5ca8a62c0ed7.png&amp;width=740&amp;sign=xWScF_lwFySOeUwDiPyctl7MlI65qE2zVk33N5k022g" data-src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2F2d7452f4-32f1-46a2-9138-5ca8a62c0ed7.png&amp;width=740&amp;sign=xWScF_lwFySOeUwDiPyctl7MlI65qE2zVk33N5k022g" class="lazy" data-original-src="https://images.vocus.cc/2d7452f4-32f1-46a2-9138-5ca8a62c0ed7.png" data-lowquality="true" data-width="2298" data-height="540" onerror="this.onError=null;this.src=this.dataset.originalSrc;" alt="raw-image"></div><div></div></div><p class="lexical__paragraph" dir="ltr"><br></p><p class="lexical__paragraph" dir="ltr"><span style="white-space: pre-wrap;">現在需修改CloudFront origin 增加 custom header </span></p><div class="lexical__image center"><div class="lexical__imageWrapper"><img src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2F7fafa734-0a26-4741-a214-2da0a13bfbf4.png&amp;width=740&amp;sign=6LIMbU7iQ6hnv8uNJVr57urP-oVStr7liJqZWqd-tPo" data-src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2F7fafa734-0a26-4741-a214-2da0a13bfbf4.png&amp;width=740&amp;sign=6LIMbU7iQ6hnv8uNJVr57urP-oVStr7liJqZWqd-tPo" class="lazy" data-original-src="https://images.vocus.cc/7fafa734-0a26-4741-a214-2da0a13bfbf4.png" data-lowquality="true" data-width="1566" data-height="762" onerror="this.onError=null;this.src=this.dataset.originalSrc;" alt="raw-image"></div><div></div></div><p class="lexical__paragraph" dir="ltr"><span style="white-space: pre-wrap;">那現在可以正常訪問CloudFront</span></p><div class="lexical__image center"><div class="lexical__imageWrapper"><img src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2F49a05d49-b3fe-4b95-a8e2-3fa88a682d7b.png&amp;width=740&amp;sign=FrcoZE_x6V_gWHUcmmsZGi-SVu74VARKaS58slFYNNo" data-src="https://d2a6d2ofes041u.cloudfront.net/resize?compression=6&amp;norotation=true&amp;url=https%3A%2F%2Fimages.vocus.cc%2F49a05d49-b3fe-4b95-a8e2-3fa88a682d7b.png&amp;width=740&amp;sign=FrcoZE_x6V_gWHUcmmsZGi-SVu74VARKaS58slFYNNo" class="lazy" data-original-src="https://images.vocus.cc/49a05d49-b3fe-4b95-a8e2-3fa88a682d7b.png" data-lowquality="true" data-width="1168" data-height="536" onerror="this.onError=null;this.src=this.dataset.originalSrc;" alt="raw-image"></div><div></div></div><p class="lexical__paragraph" dir="ltr"><br></p><p class="lexical__paragraph" dir="ltr"><span style="white-space: pre-wrap;">這樣的設置可以保護 ALB 只能透過密鑰驗證才能訪問。</span></p>

限制 ALB 連線需透過 CloudFront 來，透過自訂HTTP Heard 來實現

Default rule 修改為 Return fixed response 403

現在需修改CloudFront origin 增加 custom header 

這樣的設置可以保護 ALB 只能透過密鑰驗證才能訪問。

AWS CloudFront 與 ALB 連接需要密鑰驗證（實驗）