## What the project is about

Through this project, I show how to host a static website using AWS.

Along the way, I will also go through how to:
- Import a domain name on AWS;
- Create a hosted zone and manage its DNS records;
- Create S3 Buckets to host website pages;
- Configure Route 53 to link the domain name to the website;
- Create an SSL certificate for the website using AWS Certificate Manager (ACM);
- Create CloudFront distributions to secure the website in HTTPS.

Take a closer look at the infrastructure deployed with this project and the final outcome:

![Infrastructure](images/infrastructure.png)
![Nice job redirect domain](images/nice-job-redirect-domain.png ':size=200')

**Quick mention: Screenshots and example photos will show prices in $ (Dollar) and location as some place in America. Thats because I use VPN to relocate myself to USA for this project.**

Let's move straight to the project, and get a domain name to use.

## Use a domain name

To host a website, I first need a domain name in order to access it easily and safely.
To get a domain name, I have two choices: buy the domain name either from AWS or from a third-party domain registrar.

I will quickly go over the main difference betweens these two choices:

##### Never purchased or handled a domain name
The simplest and most comfortable method is to buy your domain at AWS, it is relatively simple to do and you can skip the step of creating a hosted zone and link your domain to it, which can sometimes be a bit complex.

##### Already purchased or handled domain names with a third-party domain registrar
Do as you wish, if you have a domain registrar that you care about, you are free to buy your domain from it. 
However, you will have to create a hosted zone and link your domain to it and I will not go through it in this project.


### A.	Buy a domain from AWS

For those wishing to purchase their domain name from AWS, follow these steps.

First, go to *Route 53*, then select **Register domain** in order to register a domain name with AWS:

![Route 53 Dashboard](images/route-53-dashboard.png ':size=600')

Then, choose the domain name of your choice and check if it is available via the **Check** button. 

In this example, the chosen domain is *cif-domain-name-for-aws*, and it is available for any URL extension. Choose the domain extension you want by clicking on **Add to cart**, and proceed to the purchase by pressing **Continue**:

![Choose domain name](images/choose-domain-name.png ':size=700')

To take ownership of a domain, it is necessary to provide personal information (name, first name, address ...); this information is crucial to prove that the domain belongs to you, so **make sure not to provide false information**.

For those who want to preserve their anonymity on the internet, don't worry, it is possible to activate Privacy Protection (also called WHOIS privacy) so that your data will not be visible to any user making WHOIS queries on your domain name. Personally, I recommend you to activate it, because I even used VPN to relocate myself to USA side of world.

**Fair warning**: `Some domain extensions do not benefit from this protection of private data (e.g. the .fr extension), so it is important that you select a domain extension that applies this protection (e.g. the .com extension).`

After everything filled, we can move onwards:

![Contact Details](images/contact-details-for-domain.png ':size=550')

Finally, I am asked if I want to activate the automatic renewal of your domain name; in other words, once the domain expires after one year of use, it will be automatically renewed for one year. This allows me to not forget to renew domain name, and to see it bought by someone else: I recommend you to activate the automatic renewal.
However, if you only want to use this domain for one year or once, like I did for this project, do not activate the automatic renewal.

To complete the purchase of my domain, all that remains is to accept the AWS Domain Name Registration Agreement, and to check the email sent by AWS:

![Complete Order](images/complete-order.png ':size=700')

Now I have in my possession a domain name hosted at AWS. Next step is to create a hosted zone.

### B.	Buy a domain from a third-party domain registrar

For those who prefer to buy or use their domain name from a third-party domain registrar, I couldn't give you a detailed explanation of how to do it, since there are an endless number of hosting companies offering this service.

If you don't know which third-party domain registrar to go to, I suggest you do your research on the internet and find the one that suits you best; otherwise, don't complicate things and buy a domain from AWS by following the steps above.

Once we have our domain name, it is time to create a hosted zone.


## Create a hosted zone

To understand the basics and before continuing, I wanna answer the key question: "What is a hosted zone?"

AWS explains it the following way:

*A hosted zone is a container for records, and records contain information about how you want to route traffic for a specific domain, such as example.com, and its subdomains (acme.example.com, zenith.example.com). A hosted zone and the corresponding domain have the same name.*

> https://docs.aws.amazon.com/en_en/Route53/latest/DeveloperGuide/hosted-zones-working-with.html

Now that we know little better what a hosted zone is, let's create one:

##### Domain name with AWS
A hosted zone has been automatically created and there is nothing need to do.

##### Domain name with a third-party domain registrar
Because the AWS has created a hosted zone automatically for their Domain, I will go through how to create hosted zone if third-party domain is used.

First, I created hosted zone, where it is possible to specify domain name, in the example *cif-project.com*; then I specified that I want my hosted zone to be public, otherwise it will be inaccessible from the public internet:

![Create hosted zone](images/create-hosted-zone.png ':size=500')

Hosted zone is now created, and contains DNS records of type NS (Name Server) and SOA (Start of Authority):

![Hosted zone](images/hosted-zone.png ':size=500')

Now I needed to link the domain name purchased from a third-party domain registrar with the hosted zone. To do this, I needed to map the NS records of my hosted zone to the DNS configuration of the domain purchased from the domain registrar. The DNS configuration of the purchased domain can be easily found in the domain registrar’s dashboard.

An example will clarify the situation; here is how to do it with the third-party domain registrar, *Hostinger*:

> The two following pictures have been retrieved from this link: https://support.hostinger.com/en/articles/1696789-how-to-change-nameservers-at-hostinger

First, I went to the dashboard of the domain registrar by connecting to the customer area, then clicked to change the DNS servers of the domain name:

![Change DNS Hostinger](images/change-dns-hostinger.png ':size=500')

The photos above and below are from google (if you wonder about the expiry date being 2022).

![Choose Nameservers Hostinger](images/choose-nameservers-hostinger.png ':size=500')

Then I inserted in these fields the NS records of my hosted zone:

**Fair warning:** `When you copy a NS record, delete the dot at the end !`

![Copy NS records](images/copy-ns-records.png ':size=500')

Lastly, I thought it would be good to verify that all the public DNS in the world have the information that our domain name uses the NS of our AWS hosted zone. Next, we can get down to real business: creating S3 buckets.


## Create and configure S3 Buckets

To actually host a static website, I need to create an S3 Bucket containing the actual .html pages of my website and put the Bucket in public to make it accessible to all.

In this example and project, the domain name will be *cif-project.com*.

The files that will be installed in the S3 Bucket and that will serve as pages for the website, are downloadable on GitHub to this link: [Github link](https://github.com/oulanikkinen/cloud-is-free/tree/main/projects/project-1/resources)


Did you know that when a user accesses a website, he/she does so in two ways:

- The user enters the www name of the website (e.g. *www<nolink>.cif-project.com*) in the search bar;
OR
- The user enters the non-www name of the website (e.g. *cif-project.com*) in the search bar.

So how to make a website accessible via these two names? 

It's simple, by creating two S3 Buckets: a **main** Bucket which will contain the pages of the website, and which will be in public; and a **redirect** Bucket which will redirect the traffic it receives to the main Bucket.

**Fair warning:** `S3 Buckets MUST have the same name as the corresponding website name, so that AWS can route the traffic from the website to the right Bucket!`

Before starting to create two S3 Buckets, I had to choose the main address and there were two choices:

- I could make the www name (*www<nolink>.cif-project.com*) the main address of the website;

OR

- I could make the non-www name (*cif-project.com*) the main address of the website.

This decision would impact on what the final URL displayed to the enduser will be.

For example, Amazon has chosen to have the address of its website in www :

![Amazon www](images/amazon-www.png ':size=250')

While Twitter has decided to have the address of its website in non-www :

![Twitter non-www](images/twitter-non-www.png ':size=250')

So, which one should I choose? Well… for this project it doesn't really matter and I don't waste too much time on this detail. 

For this example, the website will have the non-www name as main address: *cif-project.com*.


### A.	Main S3 Bucket

To begin with, I created the main S3 Bucket which must have the same name as the website you are hosting:

![General configuration Main](images/general-configuration-main.png ':size=700')

(Region is in the USA because I used VPN) Then allow this Bucket to be publicly available on the Internet:

![Public Access Settings Bucket](images/public-access-settings-bucket.png ':size=800')

The main Bucket is now created, next step is to install the files of for website. To do this, I go to Bucket and click on **Upload**:

![Upload Objects](images/upload-objects.png ':size=1200')

I could add my (for example) *index.html* and *error.html* files. I think those are the main files needed:

![How to Upload](images/how-to-upload.png ':size=1300')

The files are now objects in the main S3 Bucket:

![Files and Folders](images/files-and-folders.png ':size=750')

Next step is to move to **Permissions** to modify the Bucket Policy:

![Edit Bucket policy](images/edit-bucket-policy.png ':size=1000')

To be honest I googled the most basic JSON policy and modified it slightly before validating:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket_name/*"
            ]
        }
    ]
}
```

This policy allows me:
- Assign read rights to objects via the Action ''s3:GetObject'' ;

AND

- The Targeted Resources are the objects in the S3 Bucket.

**Fair warning:** `Do not forget to replace the *bucket_name* field with the name of the S3 Bucket, like I did, and keep the /* at the end of the Resource field, otherwise you won't give access to the Bucket objects and spend hours trying to figure out the mistake.`

My Bucket policy now looks like this:

![Bucket policy added](images/bucket-policy-added.png ':size=1350')

All that remains is to apply the new Bucket policy; the pages of the website will now be publicly accessible. It should be displayed *publicly accessible* below the name of the S3 Bucket:

![Publicly Available](images/publicly-available.png ':size=200')

Last step is to activate static web hosting by going to the **Static website hosting section**, at the bottom of the **Properties tab**:

![Static Web Hosting disabled](images/static-web-hosting-disabled.png ':size=1100')

Clicked Edit and choosed to host a static website:

![Edit Static Web hosting main](images/edit-static-web-hosting-main.png ':size=700')

After saving, all needed to do is check that the site is accessible from a public address. I went back to the **Static website hosting section** to get the temporary URL of the S3 Bucket:

![Copy URL main Bucket](images/copy-url-main-bucket.png ':size=1400')

Now let's see what the S3 Bucket displays:

![Nice Job main Bucket](images/nice-job-main-bucket.png ':size=600')

Just what I was looking for! I now have access to your main page of the website (*index.html*), the website is in public access on the internet.

First part for the main S3 Bucket is now accomplished, now it's time for the redirect S3 Bucket.

### B.	Redirect S3 Bucket

First, I created the redirect S3 Bucket that will redirect all the traffic it receives to the main S3 Bucket:

![General Configuration redirect](images/general-configuration-redirect.png ':size=500')

Then, I went to the **Bucket configuration** > **Properties tab** > **Static website hosting section**:

![Static Web Hosting disabled](images/static-web-hosting-disabled.png ':size=500')

Next is to activate the static website hosting, but this time by redirecting the requests. 

I specified the target Bucket (in this example *cif-project.com*), and leaved the **Protocol field** as it is for the moment (*none*):

![Edit Static Web Hosting redirect](images/edit-static-web-hosting-redirect.png ':size=500')

Then I got the URL of the redirected S3 Bucket:

![Copy URL redirect Bucket](images/copy-url-redirect-bucket.png ':size=500')

For this checkpoint, lets see the result:

![Site can't be reached](images/site-cant-be-reached.png ':size=500')

There is good news and bad news:
- The good news is that the redirection is done: I have redirected to my website (in this example *cif-project.com*);

BUT

- The bad news is that the website does not link to anything... `This site can't be reached`.

The developer meme: "Yay, it is not the same error" would describe the my situation with this project.

To remedy this problem, I need to indicate somewhere that my domain name redirects to the main S3 Bucket so that I can actually access my static website.

And for that, I need to use Route 53 again and reconfigure previously created hosted zone.


## Link the domain to S3 Buckets with Route 53

First, go to Route 53 and look for the DNS records of your hosted zone:

![Hosted Zone](images/hosted-zone.png ':size=1000')

Now, let's analyze the situation: if a user tries to access my website through the main and redirect web addresses, he wil have no access and will see: `This site can't be reached`.

And what I want is to:
- Forward the traffic received on the main web address to the main S3 Bucket;

AND

- Forward the traffic received on the redirect web address to the redirect S3 Bucket.

To do so, I will create new DNS records in my already done hosted zone, but not just any DNS records: more precisely A records (A for Address), which allows me to redirect all the traffic received to an IPv4 address. In this particular (fairly simple) case, I won't need to specify any IPv4 address, AWS will provide the IP address of the Bucket for me.

##### The first DNS record
I want to route traffic from your main web address (in this example *cif-project.com*):

![Create record main](images/create-record-main.png ':size=900')

1.	If my main address was www, then I would add *www* to the record name. Vice versa if my main address was non-www, I would leave the record name as it is;

2.	I select the Record type A to route the traffic to the main S3 Bucket;

3.	and activate the Alias to specify the S3 Bucket to which you want to route the traffic;

4.	and choose an Alias to S3 website endpoint in the region where the Bucket is located (here *us-east-1*), and select the Bucket that is automatically displayed in the selection;

5.	Routing policy will be simple routing;

6.	and I dont need to evaluate the target health since the website is hosted on S3.

Once the first record is created, I got following:

![Nice job main](images/nice-job-main.png ':size=600')

Finally! The website is now accessible through this URL, the first record works perfectly.

##### The second DNS record
The second DNS record in this example is *www<nolink>.cif-project.com*.

![Create record redirect](images/create-record-redirect.png ':size=900')

1.	Same logic as above. If redirect address is www, then www should be added to the record name. If redirect address is non-www, leave the record name as it is;

2.	Select again a Record type in A to route the traffic to the redirect S3 Bucket;

3.	Activate the Alias to specify the S3 Bucket to which you want to route the traffic;

4.	Choose an Alias to S3 website endpoint in the region where the Bucket is located (here actually Europe but I used *us-east-1* with VPN), and select the Bucket that is automatically displayed in the selection;

5.	Routing policy will be simple routing;

6.	No need to evaluate the target health since the site is hosted on S3.

Once the second record is created, I had to wait for several minutes before checking if website is accessible via the web redirect address:

![Nice job redirect](images/nice-job-redirect.png ':size=500')

When accessing the redirect web address, I am redirected to the main web address: everything goes as planned...

...well, almost, in fact in order to have actual users who dare to enter my domain, I have to get rid of this warning:

![Not secure](images/not-secure.png ':size=250')

Ouch, the website is not secure... it's understandable, the domain is brand new; and I still haven't generated an SSL certificate, so the website uses HTTP instead of HTTPS.

To remedy these two problems in a simple way:
- First, I will create an SSL certificate for domain by using AWS Certificate Manager (ACM);
- Then, I use CloudFront to make site issue an HTTPS connections, adding the newly created SSL certificate to website, and redirecting all HTTP traffic to HTTPS.

After that, website will be "safe" and more secure for future users :) .

## Create a SSL certificate with AWS Certificate Manager

To create a SSL certificate for the website, go to AWS Certificate Manager and **request a certificate**:

![Request certificate](images/request-certificate.png ':size=250')

The certificate will be used on a public website, so I need to actually **request a public certificate**:

![Request public certificate](images/request-public-certificate.png ':size=900')

When applying for an SSL certificate, I was asked to fill in **Fully Qualified Domain Names** (known as FQDN). In my project case, I have two FQDNs: the www domain name (e.g. *www<nolink>.cif-project.com*) and the non-www domain name (e.g. *cif-project.com*). I filled them both in this same certificate so that the connections by these two addresses are in HTTPS.

Next, I needed to choose a validation method, proving that the domain you are creating a certificate for is really yours: imagine if anyone could create an SSL certificate for your site instead of you… The website would face huge security issues. I advise you to choose the recommended choice, **DNS validation**.

After that, all I had to do is validate the SSL Certificate creation request:

![FQDN & DNS validation](images/fqdn-dns-validation.png ':size=500')

The certificate is created, but not yet validated; let's check its configuration:

![Select certificate](images/select-certificate.png ':size=1300')

In the configuration of the certificate, I needed to add two DNS records of type CNAME in my hosted zone. Lucky, AWS takes care of this: all I had to do is, first, select **Create records in Route 53**:

![Create records in Route 53](images/create-records-route-53.png ':size=1300')

Then select the two FQDNs and finally **Create records**:

![Auto-creation records](images/auto-creation-records.png ':size=900')

All needed to do was to wait a few minutes until **Success status** was showing:

![Records created](images/records-created.png ':size=1300')

It's done, AWS has filled in the CNAME records for me. I can verify it by moving to the hosted zone:

![Hosted zone DNS records](images/hosted-zone-dns-records.png ':size=1100')

Here they are, the two freshly added CNAME records, allowing me to validate the SSL certificate I just created.

Now that the certificate is ready: it's time to apply it to the static website, and for that, I will need the CloudFront, mentioned above.


## Create and configure CloudFront distributions

By using CloudFront, I will be able to deploy the website in HTTPS, and get other benefits as using Microsoft Edge locations to provide faster access to the website for the users.

CloudFront will act as a stepping stone between Route 53 and S3. In other words, the traffic from the website will be routed to a CloudFront distribution that will deliver it to the corresponding S3 Bucket.
I will create a CloudFront distribution for each of S3 Bucket, two in total.

### A.	Main CloudFront distribution

**Tip in advance: Before creating the main CloudFront distribution, go to the main S3 Bucket, and copy the Bucket URL into **Properties tab**, **static website hosting section**:

![Copy URL main](images/copy-url-main.png ':size=1200')

Now, create CloudFront distribution:

![Create distribution](images/create-distribution.png ':size=1100')

I can have a first look at the **Origin section**.
When clicked on the **Origin domain field**, a drop-down panel appears, where links can be selected to the S3 Buckets:

![Origin domain list](images/origin-domain-list.png ':size=600')

**Fair warning:** `Do not select them! Strange as it may seem, those are incorrectly filled in (there is a syntax error); instead, paste the Bucket URL you previously copied.`

I will disable the **Origin Shield** to avoid additional charges (poor student). This is what the **Origin section** configuration should look like:

![Origin section](images/origin-section.png ':size=700')

Let's move to the **Default cache behavior section**.
The only field to modify here is the **Viewer protocol policy**, where I choose to *Redirect HTTP to HTTPS*. All the traffic received in HTTP on port 80 will be redirected to HTTPS on port 443, so all connections made on both ports will be secure.

The **Default cache behavior section** should look like this:

![Default cache behavior](images/default-cache-behavior.png ':size=700')

Now let’s focus on the **Settings section**, and put some attention to **Price Classes**.

> There are three types of Price Class: **Price Class 100** (Edge locations from North America and Europe), **Price Class 200** (Edge locations North America, Europe, Asia, Middle East and Africa), and **Price Class All** (all Edge locations). The choice of the Price Class is therefore interesting since fewer Edge locations will be used in places where they cost less (see: https://aws.amazon.com/cloudfront/pricing/).

**Fair warning:** `The choice of Price Class has no impact on the Free Tier since you are allowed 2,000,000 HTTP and HTTPS requests from anywhere. As long as you don't exceed this value, no cost will be generated. But in best practice, choose the Price Class that suits your needs.`

In this example, since the use case is only for Europe and North America, the choice made is **Price Class 100**:

![Price Class](images/price-class.png ':size=500')

I filled in an **Alternate domain name (CNAME)** by inserting main domain name:

![Alternate domain name main](images/alternate-domain-name-main.png ':size=600')

In the **custom SSL certificate field**, I selected the newly created certificate:

![Custom SSL certificate](images/custom-ssl-certificate.png ':size=700')

The **Legacy clients support** *unselected* should be leaved alone to avoid a nice bill of $600 at the end of the month :D :

![Legacy clients support](images/legacy-clients-support.png ':size=700')

Once all the necessary information are filled, I validated the creation of main CloudFront distribution, and moved on to creating the redirect CloudFront distribution.

### B.	Redirect CloudFront distribution

As I did earlier, before creating redirect CloudFront distribution, I should go to the redirect S3 Bucket, and copy the Bucket URL again into **Properties tab**, **static website hosting section**:

![Copy URL redirect](images/copy-url-redirect.png ':size=700')

Then I created the second CloudFront distribution. The configuration of the redirect CloudFront distribution will be almost the same, except for two details:


- The **Origin domain** will be the URL of the redirect S3 Bucket:

![Origin domain redirect](images/origin-domain-redirect.png ':size=600')

- The **Alternate domain name (CNAME)** will be the redirect domain:

![Alternate domain name redirect](images/alternate-domain-name-redirect.png ':size=600')

Once the configuration of the redirect distribution is complete, its creation can be validated.

I now have two CloudFront distributions. Distributions should be validated and enabled. If not... In the meantime, I hopped over to redirect S3 Bucket, **Properties tab**, **static website hosting section**, not to copy the URL this time but to make one last modification: change the used **protocol** from HTTP to HTTPS:

![Activate HTTPS](images/activate-https.png ':size=800')

Then I went back to CloudFront, where I copied the web addresses of the CloudFront distributions (**Domain name field**) in the navigator search bar, in order to verify that I can access your site through these web addresses:

![Copy distributions domain name](images/copy-distributions-domain-name.png ':size=1400')


Copied the URL of the main CloudFront distribution:

![Nice job main distribution](images/nice-job-main-distribution.png ':size=700')

The website is accessible, and in HTTPS (secure) this time.
What about the redirect CloudFront distribution?:

![Nice job redirect distribution](images/nice-job-redirect-distribution.png ':size=700')

It works too, my lovely website is now accessible in HTTPS.

**Last fair warning:** `If the redirect CloudFront distribution displays the site in HTTP: keep in mind that you recently changed your redirect S3 Bucket to HTTPS. Wait ten good minutes and remember to clear your browser's cache before trying again.`

To finalize, I headed to Route 53 to make changes to the A records, so that the web addresses route traffic to my freshly created Cloudfront distributions:

![Modify A records](images/modify-a-records.png ':size=1300')

The record for the main domain name should look like this:

![A record main](images/a-record-main.png ':size=350')

And the record for the redirect domain name should look like this:

![A record redirect](images/a-record-redirect.png ':size=350')

Time to make the final tests by accessing the website through HTTP URLs, to verify that the redirection to HTTPS is applied.

Let's check out the main domain in HTTP (*http<nolink>://cif-project.com*):

![Nice job main domain](images/nice-job-main-domain.png ':size=600')

And now the redirect domain in HTTP (*http<nolink>://www<nolink>.cif-project.com*):

![Nice job redirect domain](images/nice-job-redirect-domain.png ':size=600')

#### This photo is the final and confirming one that my static website is now being, thank you for reading this far. Now also you know how to set up a static website in HTTPS on AWS!
