使用SNI通过HTTPS提供服务时出现CloudFront错误

Question

亚马逊最近在CloudFront上推出了一项新功能,该功能使用SNI(服务器名称指示)免费支持自定义SSL证书.

我使用StartSSL的免费Class 1证书设置了我的发行版,当我注意到该站点在部署后的短时间内发生故障时,一切正常.运行SSL Checker会返回我的证书正常工作:

但是当我尝试通过HTTPS访问网站时,我会点击此错误页面(它将适用于第一个请求,然后在后续尝试连接时关闭).

使用ssl访问时,这是一个详细的输出(在索引上成功):

$ curl -I -v -ssl https://wikichen.is
* Adding handle: conn: 0x7f9f82804000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f9f82804000) send_pipe: 1, recv_pipe: 0
* About to connect() to wikichen.is port 443 (#0)
*   Trying 54.230.141.222...
* Connected to wikichen.is (54.230.141.222) port 443 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_RC4_128_MD5
* Server certificate: www.wikichen.is (6w984WNu7vM5OrdU)
* Server certificate: StartCom Class 1 Primary Intermediate Server CA
* Server certificate: StartCom Certification Authority
> HEAD / HTTP/1.1
> User-Agent: curl/7.30.0
> Host: wikichen.is
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 1153
Content-Length: 1153
< Connection: keep-alive
Connection: keep-alive
< Date: Sun, 09 Mar 2014 16:09:54 GMT
Date: Sun, 09 Mar 2014 16:09:54 GMT
< Cache-Control: max-age=120
Cache-Control: max-age=120
< Content-Encoding: gzip
Content-Encoding: gzip
< Last-Modified: Wed, 05 Mar 2014 20:40:48 GMT
Last-Modified: Wed, 05 Mar 2014 20:40:48 GMT
< ETag: "34685bc45353d1030d3a515ddba78f3e"
ETag: "34685bc45353d1030d3a515ddba78f3e"
* Server AmazonS3 is not blacklisted
< Server: AmazonS3
Server: AmazonS3
< Age: 4244
Age: 4244
< X-Cache: Hit from cloudfront
X-Cache: Hit from cloudfront
< Via: 1.1 4f672256eaca5524999342dc8678cdd2.cloudfront.net (CloudFront)
Via: 1.1 4f672256eaca5524999342dc8678cdd2.cloudfront.net (CloudFront)
< X-Amz-Cf-Id: h4TEULH44TCi7m2lL42A8lO-5-Gmx8iY2M2C1AOmRlK543zFN6jCtQ==
X-Amz-Cf-Id: h4TEULH44TCi7m2lL42A8lO-5-Gmx8iY2M2C1AOmRlK543zFN6jCtQ==

<
* Connection #0 to host wikichen.is left intact

然后在其他页面上失败:

$ curl -i -v https://wikichen.is/writing/index.html
* Adding handle: conn: 0x7fa153804000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fa153804000) send_pipe: 1, recv_pipe: 0
* About to connect() to wikichen.is port 443 (#0)
*   Trying 54.230.140.160...
* Connected to wikichen.is (54.230.140.160) port 443 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_RC4_128_MD5
* Server certificate: www.wikichen.is (6w984WNu7vM5OrdU)
* Server certificate: StartCom Class 1 Primary Intermediate Server CA
* Server certificate: StartCom Certification Authority
> GET /writing/index.html HTTP/1.1
> User-Agent: curl/7.30.0
> Host: wikichen.is
> Accept: */*
>
< HTTP/1.1 502 Bad Gateway
HTTP/1.1 502 Bad Gateway
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 472
Content-Length: 472
< Connection: keep-alive
Connection: keep-alive
* Server CloudFront is not blacklisted
< Server: CloudFront
Server: CloudFront
< Date: Sun, 09 Mar 2014 17:54:41 GMT
Date: Sun, 09 Mar 2014 17:54:41 GMT
< Age: 6
Age: 6
< X-Cache: Error from cloudfront
X-Cache: Error from cloudfront
< Via: 1.1 9096435f28f91f92bacdf76122de09ee.cloudfront.net (CloudFront)
Via: 1.1 9096435f28f91f92bacdf76122de09ee.cloudfront.net (CloudFront)
< X-Amz-Cf-Id: iAUOQbP8O4A0pI9KGvVz0VgBT1TW-j0yVDa7vdSvIAuxnKOyQghtnw==
X-Amz-Cf-Id: iAUOQbP8O4A0pI9KGvVz0VgBT1TW-j0yVDa7vdSvIAuxnKOyQghtnw==

<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
</BODY></HTML>

<BR clear="all">
<HR noshade size="1px">
<ADDRESS>
Generated by cloudfront (CloudFront)
</ADDRESS>
* Connection #0 to host wikichen.is left intact
</BODY></HTML>%

希望能从哪里开始排除故障.

Answer 1

来自AWS CloudFront论坛的Alastair @ AWS名称代表解决了这个问题:

我已确定您的CloudFront分配和S3存储桶充当此分发的来源.

我可以重新创建并解释您收到的间歇性"502 Bad Gateway"响应.

当您尝试使用CloudFront当前未缓存的HTTPS协议访问URL时,CloudFront会返回此响应.出现此错误的原因是CloudFront正在尝试使用HTTPS协议联系您的源,这是失败的.

出现此故障的原因是您已将源配置为S3存储桶,但您使用的是"自定义源"类型并指向此存储桶的S3网站URL.如果您尝试使用HTTPS访问S3网站URL,您会注意到这不起作用.S3网站托管仅支持使用HTTP协议提供内容(http://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteEndpoints.html#WebsiteRestEndpointDiff).

现在,您看到的间歇性页面加载行为是由于CloudFront返回其当前在其缓存中具有的页面.您应该能够重新创建此方案,如下所示:

1. 使用HTTPS在您的网站上点击一个页面.您应该收到'502 Bad Gateway'错误.
2. 使用HTTP命中同一页面.你应该看到这个页面.
3. 使用HTTPS再次点击该页面.您现在应该得到预期的结果,因为CF已从其缓存中提供内容而不是尝试联系您的源.

要解决此问题,请尝试以下操作:

1. 打开CloudFront管理控制台并打开您的发行版.
2. 导航到"起源"选项卡,选择您的原点并单击"编辑"
3. 将"原始协议策略"修改为"仅HTTP".
4. 保存更改并等待大约15分钟以使更改生效.
5. 测试

我的期望是这将迫使CloudFront仅使用HTTP联系您的源.我已经在我的环境中使用S3网站托管存储桶测试了这个,我可以通过HTTP和HTTPS成功加载内容.

这是原始论坛帖子的链接.