Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SsrSite: Enable support for Origin Shield on CloudFront origins #3732

Open
6 tasks
leclairmael opened this issue Mar 29, 2024 · 4 comments
Open
6 tasks

SsrSite: Enable support for Origin Shield on CloudFront origins #3732

leclairmael opened this issue Mar 29, 2024 · 4 comments

Comments

@leclairmael
Copy link

Origin Shield is a CloudFront feature that can be very helpful to improve cache hit ratio, performance and/or reduce load on the origin.

In the context of a SsrSite, this feature only makes sense when deploying in regional mode.

API

regional?: {
  originShield?: ('s3' | 'function' | 'image-optimization-function')[]
}

Origin Shield can be enabled on an origin type basis; depending on each use case it may or may not make sense to enable it for each origin type. This also provides stability if new origin types are added.
The Origin Shield region should be the same as the one the app is deployed to.

Steps

  • Validate initial proposal
  • Implement: make all origins configurable with the regional.originShield prop
  • Test: ensure the CloudFront origins are properly configured upon creation/update
  • Test: ensure Origin Shield is disabled when removing the prop after initial creation
  • Test: ensure the proper region is used when enabling Origin Shield
  • Doc: add examples and API information
@jayair
Copy link
Contributor

jayair commented Mar 29, 2024

How do you do this in CDK on a CloudFront distribution?

@leclairmael
Copy link
Author

@jayair basically something like this:

distribution: {
  additionalBehaviors: {
    '/path': {
      origin: new HttpOrigin(url, {
        originShieldEnabled: true,
        originShieldRegion: 'us-east-1',
      })
    }
  }
}

@jayair
Copy link
Contributor

jayair commented Mar 29, 2024

I wonder if you could configure it with the plan option, for example: https://docs.sst.dev/constructs/NextjsSite#configuring-basic-auth

@leclairmael
Copy link
Author

@jayair I'm pretty sure it's not possible, because origins in SsrSite are created like this:

    function createFunctionOrigin(props: FunctionOriginConfig) {
      // ...
      return new HttpOrigin(Fn.parseDomainName(fnUrl.url), {
        readTimeout:
          typeof timeout === "string"
            ? toCdkDuration(timeout)
            : CdkDuration.seconds(timeout),
      });
    }

    function createImageOptimizationFunctionOrigin(
      props: ImageOptimizationFunctionOriginConfig
    ) {
      // ...
      return new HttpOrigin(Fn.parseDomainName(fnUrl.url));
    }

So there's no way to pass any custom options to HttpOrigin.

And createOrigins() is called after the plan is already transformed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jayair @leclairmael