CLOUDFRONT.md
Create AWS bucket

  1. Log in to the AWS console at https://aws.amazon.com/console/
  2. Navigate to Services -> S3.
  3. Click Create bucket.
  4. Fill out bucket name, region and click Create bucket.
  5. Navigate to My Security Credentials.
  6. In the Access keys section click on the Create New Access Key button.
  7. Write down your bucket name, region, key and secret.
  8. Edit the bucket again.
  9. Set Default encryption to Enabled with Amazon S3 master-key (SSE-S3) server-side encryption.
  10. Set the following as Cross-origin resource sharing (CORS):
[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "HEAD"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": [],
        "MaxAgeSeconds": 3000
    }
]

Configure Objectfs

  1. Run the following commands via CLI:
     php admin/cli/cfg.php --component=tool_objectfs --name=enabletasks --set=1
     php admin/cli/cfg.php --component=tool_objectfs --name=deletelocal --set=1
     php admin/cli/cfg.php --component=tool_objectfs --name=consistencydelay --set=0
     php admin/cli/cfg.php --component=tool_objectfs --name=sizethreshold --set=0
     php admin/cli/cfg.php --component=tool_objectfs --name=minimumage --set=0
     php admin/cli/cfg.php --component=tool_objectfs --name=filesystem --set='\tool_objectfs\s3_file_system'
     php admin/cli/cfg.php --component=tool_objectfs --name=s3_key --set='your key'
     php admin/cli/cfg.php --component=tool_objectfs --name=s3_secret --set='your secret'
     php admin/cli/cfg.php --component=tool_objectfs --name=s3_bucket --set='your bucket'
     php admin/cli/cfg.php --component=tool_objectfs --name=s3_region --set='your region'
  2. Put the following line into your config.php:
     $CFG->alternative_file_system_class = '\tool_objectfs\s3_file_system';
  3. Access the /admin/settings.php?section=tool_objectfs_settings page.
  4. Confirm that there is a green notification message Could establish connection to the external object storage. under the Amazon S3 Settings section.
  5. Run the following scheduled tasks:
     php admin/cli/scheduled_task.php --execute='\tool_objectfs\task\check_objects_location'
     php admin/cli/scheduled_task.php --execute='\tool_objectfs\task\push_objects_to_storage'
     php admin/cli/scheduled_task.php --execute='\tool_objectfs\task\delete_local_objects'
     php admin/cli/scheduled_task.php --execute='\tool_objectfs\task\generate_status_report'
  6. Access the /admin/tool/objectfs/object_status.php page.
  7. Confirm that all files have been moved to the external storage: Marked as only in filedir and Duplicated in filedir and external storage should both be 0.

Create CloudFront distribution

  1. Navigate to https://console.aws.amazon.com/cloudfront/v3/home?region=ap-southeast-2#/welcome.
  2. Click on Create a CloudFront distribution.
  3. Choose your Amazon S3 bucket from Origin domain dropdown menu.
  4. S3 bucket access: Choose Yes use OAI (bucket can restrict access to only CloudFront) and click Create new OAI.
  5. S3 bucket access -> Bucket policy: Choose Yes, update the bucket policy.
  6. Viewer protocol policy: Choose Redirect HTTP to HTTPS.
  7. Allowed HTTP methods: Choose GET, HEAD, OPTIONS and tick OPTIONS under Cache HTTP methods.
  8. Restrict viewer access: Choose Yes -> Trusted signer -> Self.
  9. Cache key and origin requests: Choose Legacy cache settings.
  10. Legacy cache settings -> Headers: Choose Include the following headers and add Origin, Access-Control-Request-Method, Access-Control-Request-Headers headers from the dropdown menu.
  11. Legacy cache settings -> Query strings: Choose All.
  12. Click Create distribution.
  13. Navigate to https://console.aws.amazon.com/cloudfront/v3/home?region=ap-southeast-2#/distributions.
  14. Confirm that Status is Enabled and that Last modified has changed from Deploying to the date the distribution was created.
  15. Open your distribution.
  16. Write down Distribution domain name (with https://).

Note: If you have already set up Moodle behind a CloudFront distribution, it is also possible to use that same CloudFront distribution to serve files from objectfs. In this scenario, a specific prefix in the URL path directs traffic to the S3 bucket (moodle.domain/objectfs/ for example). To achieve that, use the key_prefix option to add a prefix on your bucket, and configure a second Origin on your existing CloudFront distribution that points to your bucket. Set up a Behavior that uses that new Origin with the same prefix as the one you used as key_prefix in your bucket. Follow all other instructions.

Generate keys

  1. Make a directory $CFG->dataroot . '/objectfs/'.
  2. Make it readable and writable:
     chmod 777 objectfs
  3. Generate an RSA key pair with a length of 2048 bits:
     cd objectfs/
     openssl genrsa -out cloudfront.pem 2048
     chmod 777 cloudfront.pem
  4. Extract the public key:
     openssl rsa -pubout -in cloudfront.pem -out public_key.pem
  5. Navigate to https://console.aws.amazon.com/cloudfront/v3/home#/distributions.
  6. In the navigation menu, choose Public keys.
  7. Click Create public key.
  8. Enter a key name.
  9. Enter the key value. Use the following command to print the public key:
     cat public_key.pem
  10. Click Create public key.
  11. Write down the key ID from the https://console.aws.amazon.com/cloudfront/v3/home#/publickey page.

Configure CloudFront signing method in Objectfs

  1. Run the following commands from the CLI to configure Objectfs:
     php admin/cli/cfg.php --component=tool_objectfs --name=enablepresignedurls --set=1
     php admin/cli/cfg.php --component=tool_objectfs --name=expirationtime --set=172800
     php admin/cli/cfg.php --component=tool_objectfs --name=presignedminfilesize --set=0
     php admin/cli/cfg.php --component=tool_objectfs --name=signingwhitelist --set='*'
     php admin/cli/cfg.php --component=tool_objectfs --name=signingmethod --set='cf'
     php admin/cli/cfg.php --component=tool_objectfs --name=cloudfrontresourcedomain --set='your cloudfront domain'
     php admin/cli/cfg.php --component=tool_objectfs --name=cloudfrontkeypairid --set='your key pair id'
     php admin/cli/cfg.php --component=tool_objectfs --name=cloudfrontprivatekey --set='cloudfront.pem'
  2. Note that the cloudfrontprivatekey setting can be one of the following:
     • a file name with the pem extension (as described in this wiki), or
     • a PEM formatted string, e.g.:
       -----BEGIN RSA PRIVATE KEY-----
       MIIEpAIBAAKCAQEAynfONnizsVKXwuoXXWZC948QFsZme3zXUJ7PDrd4fKBpDCPr
       ...
       TPdsThtG51qIzZxYw4jlle2jCArTEta9meJRwpU9X32omvHLdENBnw==
       -----END RSA PRIVATE KEY-----
  3. Open the browser developer tools' Network tab and navigate to the /admin/tool/objectfs/presignedurl_tests.php page.
  4. Confirm that file requests like /pluginfile.php/1/tool_objectfs/settings/0/testvideo.mp4 get redirected to a pre-signed CloudFront URL (HTTP status 303).
  5. Confirm that requests to the pre-signed CloudFront URL return the requested data (HTTP status 200).

A fix for MDL-70323 and mod_hvp

  1. Put the following lines into your config.php to make sure H5P activities are displayed correctly:
$CFG->h5pcrossorigin = 'anonymous';
$CFG->mod_hvp_crossorigin = 'anonymous';