CLOUDFRONT.md

File metadata and controls

157 lines (149 loc) · 8.03 KB

Create AWS bucket

  1. Log in to the AWS console: https://aws.amazon.com/console/
  2. Navigate to Services -> S3.
  3. Click Create bucket.
  4. Fill out the bucket name and region.
  5. Ensure Block all public access is ticked.
  6. Enable Server-side encryption with Amazon S3 key (SSE-S3).
  7. Click Create bucket.
  8. Set the following as Cross-origin resource sharing (CORS):

```json
[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "HEAD"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": [],
        "MaxAgeSeconds": 3000
    }
]
```

  9. Navigate to _My Security Credentials_.
  10. In the _Access keys_ section click on the _Create New Access Key_ button.

Configure Objectfs

  1. Run the following commands via the CLI:

```sh
php admin/cli/cfg.php --component=tool_objectfs --name=enabletasks --set=1
php admin/cli/cfg.php --component=tool_objectfs --name=deletelocal --set=1
php admin/cli/cfg.php --component=tool_objectfs --name=consistencydelay --set=0
php admin/cli/cfg.php --component=tool_objectfs --name=sizethreshold --set=0
php admin/cli/cfg.php --component=tool_objectfs --name=minimumage --set=0
php admin/cli/cfg.php --component=tool_objectfs --name=filesystem --set='\tool_objectfs\s3_file_system'
php admin/cli/cfg.php --component=tool_objectfs --name=s3_key --set='your key'
php admin/cli/cfg.php --component=tool_objectfs --name=s3_secret --set='your secret'
php admin/cli/cfg.php --component=tool_objectfs --name=s3_bucket --set='your bucket'
php admin/cli/cfg.php --component=tool_objectfs --name=s3_region --set='your region'
```

  2. Put the following line into your config.php:

```php
$CFG->alternative_file_system_class = '\tool_objectfs\s3_file_system';
```

  3. Access the /admin/settings.php?section=tool_objectfs_settings page.
  4. Confirm that there is a green notification message "Could establish connection to the external object storage." under the Amazon S3 Settings section.
  5. Run the following scheduled tasks:

```sh
php admin/cli/scheduled_task.php --execute='\tool_objectfs\task\check_objects_location'
php admin/cli/scheduled_task.php --execute='\tool_objectfs\task\push_objects_to_storage'
php admin/cli/scheduled_task.php --execute='\tool_objectfs\task\delete_local_objects'
php admin/cli/scheduled_task.php --execute='\tool_objectfs\task\generate_status_report'
```

  6. Access the /admin/tool/objectfs/object_status.php page.
  7. Confirm that all files have been moved to the external storage: Marked as only in filedir and Duplicated in filedir and external storage should both be 0.

Generate CloudFront keys

ObjectFS can use a CloudFront key from either the local filesystem or an admin setting. If using an admin setting, the key may be generated outside of the Moodle environment.

  1. Make a directory $CFG->dataroot . '/objectfs/'.
  2. Make it readable and writable:

```sh
chmod 777 objectfs
```

  3. Generate an RSA key pair with a length of 2048 bits:

```sh
cd objectfs/
openssl genrsa -out cloudfront.pem 2048
chmod 777 cloudfront.pem
```

  4. Extract the public key:

```sh
openssl rsa -pubout -in cloudfront.pem -out public_key.pem
```

  5. Navigate to https://console.aws.amazon.com/cloudfront/v3/home#/publickey.
  6. Click Create public key.
  7. Enter a key name.
  8. Enter the key value. Use the following command to print the public key:

```sh
cat public_key.pem
```

  9. Click Create public key.
  10. Write down the key ID from the https://console.aws.amazon.com/cloudfront/v3/home#/publickey page.
  11. Navigate to https://console.aws.amazon.com/cloudfront/v3/home#/keygrouplist.
  12. Create a key group and select the public key created previously.
  13. Store the public and private key files somewhere secure.

Create CloudFront response headers policy

  1. Navigate to https://console.aws.amazon.com/cloudfront/v3/home#/policies/responseHeaders
  2. Click on Create response headers policy
  3. Name: CORS-with-preflight-and-SecurityHeadersPolicy-ReadOnly
  4. Configure CORS: disabled
  5. Strict-Transport-Security: Enabled, origin override enabled
  6. X-Content-Type-Options: Enabled, origin override enabled
  7. X-Frame-Options: Enabled, SAMEORIGIN, origin override enabled
  8. X-XSS-Protection: Enabled, block, origin override enabled
  9. Referrer-Policy: Enabled, strict-origin-when-cross-origin, origin override enabled
  10. Content-Security-Policy: disabled

Create CloudFront distribution

  1. Navigate to https://console.aws.amazon.com/cloudfront/.
  2. Click on Create a CloudFront distribution.
  3. Choose your Amazon S3 bucket from Origin domain dropdown menu.
  4. S3 bucket access: Choose Yes use OAI (bucket can restrict access to only CloudFront) and click Create new OAI.
  5. S3 bucket access -> Bucket policy: Choose Yes, update the bucket policy.
  6. Viewer protocol policy: Choose Redirect HTTP to HTTPS.
  7. Allowed HTTP methods: Choose GET, HEAD, OPTIONS and tick OPTIONS under Cache HTTP methods.
  8. Restrict viewer access: Choose Yes -> Trusted key groups (recommended).
  9. Add key group created earlier
  10. Cache key and origin requests: Choose Cache policy and origin request policy (recommended).
  11. Cache policy: Choose CachingOptimized
  12. Origin request policy: Choose CORS-S3Origin
  13. Response headers policy: Choose CORS-with-preflight-and-SecurityHeadersPolicy-ReadOnly
  14. Click Create distribution.
  15. Navigate to https://console.aws.amazon.com/cloudfront/v3/home#/distributions.
  16. Confirm that Status is Enabled and that Last modified has changed from Deploying to the date the distribution was created.
  17. Open your distribution.
  18. Write down Distribution domain name (with https://).

Note: If you have already set up Moodle behind a CloudFront distribution, it is also possible to use that same CloudFront distribution to serve files from objectfs. In this scenario, a specific prefix in the URL path directs traffic to the S3 bucket (moodle.domain/objectfs/ for example). To achieve that, use the key_prefix option to add a prefix on your bucket, and configure a second Origin on your existing CloudFront distribution that points to your bucket. Set up a Behavior that uses that new Origin with the same prefix as the one you used as key_prefix in your bucket. Follow all other instructions.

Configure CloudFront signing method in Objectfs

  1. Run the following commands from the CLI to configure Objectfs:

```sh
php admin/cli/cfg.php --component=tool_objectfs --name=enablepresignedurls --set=1
php admin/cli/cfg.php --component=tool_objectfs --name=expirationtime --set=172800
php admin/cli/cfg.php --component=tool_objectfs --name=presignedminfilesize --set=0
php admin/cli/cfg.php --component=tool_objectfs --name=signingwhitelist --set='*'
php admin/cli/cfg.php --component=tool_objectfs --name=signingmethod --set='cf'
php admin/cli/cfg.php --component=tool_objectfs --name=cloudfrontresourcedomain --set='your cloudfront domain'
php admin/cli/cfg.php --component=tool_objectfs --name=cloudfrontkeypairid --set='your key pair id'
php admin/cli/cfg.php --component=tool_objectfs --name=cloudfrontprivatekey --set='cloudfront.pem'
```

  2. Note that the cloudfrontprivatekey setting can be one of the following:
     - a file name with the pem extension (described in this wiki), or
     - a PEM formatted string, e.g.:

```
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAynfONnizsVKXwuoXXWZC948QFsZme3zXUJ7PDrd4fKBpDCPr
...
TPdsThtG51qIzZxYw4jlle2jCArTEta9meJRwpU9X32omvHLdENBnw==
-----END RSA PRIVATE KEY-----
```

  3. Open the browser developer tools Network tab and navigate to the /admin/tool/objectfs/presignedurl_tests.php page.
  4. Confirm that file requests like /pluginfile.php/1/tool_objectfs/settings/0/testvideo.mp4 get redirected to a pre-signed CloudFront URL (HTTP status 303).
  5. Confirm that requests to the pre-signed CloudFront URL return the requested data (HTTP status 200).
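The following is an added example, not code from tool_objectfs: a POSIX shell script that builds a CloudFront canned-policy signed URL with openssl from the same inputs the cf signing method uses (domain, key pair id, private key from the "Generate CloudFront keys" steps, expiration time), then verifies the URL against the extracted public key the way CloudFront's key group does. The domain, object path and key pair id are placeholders, and the demo generates a throwaway key pair rather than using your real one.

```shell
#!/bin/sh
# Added example, not tool_objectfs code: builds and checks a CloudFront
# canned-policy signed URL with openssl, from the same inputs ObjectFS reads
# (cloudfrontresourcedomain, cloudfrontkeypairid, cloudfrontprivatekey,
# expirationtime). Domain, path and key-pair id in the demo are placeholders.
set -eu

# CloudFront's URL-safe base64 alphabet: '+' -> '-', '/' -> '~', '=' -> '_'
cf_encode() { openssl base64 -A | tr -- '+/=' '-~_'; }
cf_decode() { tr -- '-~_' '+/=' | openssl base64 -d -A; }
# Canned policy CloudFront expects: exactly this JSON, no whitespace.
canned_policy() {
  printf '{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%s}}}]}' "$1" "$2"
}

# sign_url DOMAIN PATH KEY_PAIR_ID PRIVATE_KEY_PEM EXPIRES_EPOCH
# Prints the URL ObjectFS 303-redirects the browser to (RSA-SHA1 signature).
sign_url() {
  url="https://$1$2"
  sig=$(canned_policy "$url" "$5" | openssl dgst -sha1 -sign "$4" -binary | cf_encode)
  printf '%s?Expires=%s&Signature=%s&Key-Pair-Id=%s\n' "$url" "$5" "$sig" "$3"
}

# verify_url SIGNED_URL PUBLIC_KEY_PEM
# Returns 0 only if the URL is unexpired and its signature matches the policy
# rebuilt from the URL, i.e. the check CloudFront performs with the key group.
verify_url() {
  base=${1%%"?"*}; query=${1#*"?"}
  expires=$(printf '%s' "$query" | tr '&' '\n' | sed -n 's/^Expires=//p')
  sig=$(printf '%s' "$query" | tr '&' '\n' | sed -n 's/^Signature=//p')
  [ -n "$expires" ] && [ "$expires" -gt "$(date +%s)" ] 2>/dev/null || return 1
  sigfile=$(mktemp)
  printf '%s' "$sig" | cf_decode > "$sigfile"
  if canned_policy "$base" "$expires" |
     openssl dgst -sha1 -verify "$2" -signature "$sigfile" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -f "$sigfile"
  return $rc
}

# Demo with a throwaway key pair, generated the way the steps above do it.
demo=$(mktemp -d)
openssl genrsa -out "$demo/cloudfront.pem" 2048 2>/dev/null
openssl rsa -pubout -in "$demo/cloudfront.pem" -out "$demo/public_key.pem" 2>/dev/null
signed=$(sign_url d111example.cloudfront.net /1/tool_objectfs/settings/0/testvideo.mp4 \
  KEYPAIRID_PLACEHOLDER "$demo/cloudfront.pem" "$(( $(date +%s) + 172800 ))")
echo "$signed"
verify_url "$signed" "$demo/public_key.pem" && echo "signature valid and not expired"
rm -rf "$demo"
```

A URL whose path, Expires or Signature has been altered fails verify_url, which is the same reason CloudFront returns 403 for it.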

A fix for MDL-70323 and mod_hvp

  1. Put the following lines into your config.php to make sure H5P activities are displayed correctly:

```php
$CFG->h5pcrossorigin = 'anonymous';
$CFG->mod_hvp_crossorigin = 'anonymous';
```