This repository has been archived by the owner. It is now read-only.

Optional cf support #389

Merged
merged 4 commits into from May 27, 2014

@dmp42 dmp42 commented May 26, 2014

This implements our earlier Cloudfront discussion.

I wrote this to be as simple as possible - although the impact is important.

Things to understand:

  1. to be active, this uses the following (undocumented) configuration:
    storage_redirect: true
    cloudfront:
        base: 'http://XXXXX.cloudfront.net'
        keyid: 'XXXX'
        keysecret: 'somefile.pem'

The keysecret is a keypair generated by the AMZ admin. The keyid is not the same as the S3 keyid. The base is the public domain name that hosts the cloudfront content (beware: we must use cloudfront names for now).

I don't think there is a point in documenting this feature for the current release.

  2. If only storage_redirect is true and there is no cloudfront key, S3 redirect signing will be used instead.
  3. when active, this redirects all image layers (both private and public) to a cloudfront signed url
  4. the given signed url is valid for 60 seconds
  5. once the delay has expired, that url is 403
  6. we don't keep signed urls - each time we are requested, we generate a new signed url
  7. cloudfront shares the cache between signed urls. Which means the same resource signed twice will be hot the second time
  8. from a security standpoint, we need to think about the best / proper ttl for the signature (60 seconds might be too much)

@shin- @samalba
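
The redirect behaviour described in the comment above, as an added example that is not code from this pull request or from docker-registry. The function names, the sample path and the injected `sign` callable are assumptions; the policy layout, the base64 character substitutions and the `Expires` / `Signature` / `Key-Pair-Id` query parameters follow CloudFront's canned-policy signed URL scheme.

```python
import base64
import json
import time
from urllib.parse import urlencode

def redirect_mode(cfg):
    """Backend selection as described in the comment above."""
    if not cfg.get("storage_redirect"):
        return "none"
    cf = cfg.get("cloudfront") or {}
    if cf.get("base") and cf.get("keyid") and cf.get("keysecret"):
        return "cloudfront"
    return "s3"  # storage_redirect alone: S3 redirect signing

def cf_b64(raw):
    """CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(raw).decode().translate(str.maketrans("+=/", "-_~"))

def canned_policy(url, expires):
    """Canned policy: one resource, one absolute expiry, no whitespace."""
    stmt = {"Resource": url,
            "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}
    return json.dumps({"Statement": [stmt]}, separators=(",", ":"))

def signed_redirect(cfg, path, sign, ttl=60, now=None):
    """Return (url, expires); a new URL is signed on every request.

    `sign` (bytes -> bytes) is an assumed caller-supplied RSA-SHA1 signer
    using the private key behind `keyid`; injected to avoid a crypto dependency.
    """
    cf = cfg["cloudfront"]
    now = int(time.time()) if now is None else now
    expires = now + ttl
    url = cf["base"].rstrip("/") + "/" + path.lstrip("/")
    sig = sign(canned_policy(url, expires).encode())
    query = urlencode({"Expires": expires, "Signature": cf_b64(sig),
                       "Key-Pair-Id": cf["keyid"]})
    return url + "?" + query, expires

def is_expired(expires, now):
    """DateLessThan semantics: valid only while now < expires, then 403."""
    return now >= expires

if __name__ == "__main__":
    # Constructed config using the comment's placeholders; the signer is a stub, not RSA.
    cfg = {"storage_redirect": True, "cloudfront": {
        "base": "http://XXXXX.cloudfront.net", "keyid": "XXXX", "keysecret": "somefile.pem"}}
    url, exp = signed_redirect(cfg, "/example/layer", lambda b: b"stub-signature", now=0)
    print(redirect_mode(cfg), url, is_expired(exp, 59), is_expired(exp, 60))
```

Because the expiry is an absolute epoch time baked into the signed policy, lowering `ttl` shrinks the window in which a leaked URL can be replayed without changing anything else in the flow.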

Mangled Deutz added 4 commits May 26, 2014
Mangled Deutz
Docker-DCO-1.1-Signed-off-by: Mangled Deutz <olivier@webitup.fr> (github: dmp42)
Docker-DCO-1.1-Signed-off-by: Mangled Deutz <olivier@webitup.fr> (github: dmp42)
Mangled Deutz
Docker-DCO-1.1-Signed-off-by: Mangled Deutz <olivier@webitup.fr> (github: dmp42)
Mangled Deutz
Fix test
Docker-DCO-1.1-Signed-off-by: Mangled Deutz <olivier@webitup.fr> (github: dmp42)
@samalba samalba commented May 26, 2014

LGTM

@dmp42 dmp42 added the enhancement label May 26, 2014
@dmp42 dmp42 added this to the 0.7 milestone May 26, 2014
dmp42 added a commit that referenced this pull request May 27, 2014
Optional cf support
@dmp42 dmp42 merged commit be5849c into master May 27, 2014
1 check passed
continuous-integration/travis-ci The Travis CI build passed
@dmp42 dmp42 deleted the 0.7-Cloudfront branch May 27, 2014