sst / sst

Build modern full-stack applications on AWS

Home Page: https://sst.dev

SsrSite: Enable support for Origin Shield on CloudFront origins

leclairmael opened this issue · comments

commented

Origin Shield is a CloudFront feature that can be very helpful to improve cache hit ratio, performance and/or reduce load on the origin.

In the context of an SsrSite, this feature only makes sense when deploying in regional mode.

API

    regional?: {
      originShield?: ('s3' | 'function' | 'image-optimization-function')[]
    }

Origin Shield can be enabled on an origin type basis; depending on each use case it may or may not make sense to enable it for each origin type. This also provides stability if new origin types are added.
The Origin Shield region should be the same as the one the app is deployed to.

Steps

  • Validate initial proposal
  • Implement: make all origins configurable with the regional.originShield prop
  • Test: ensure the CloudFront origins are properly configured upon creation/update
  • Test: ensure Origin Shield is disabled when removing the prop after initial creation
  • Test: ensure the proper region is used when enabling Origin Shield
  • Doc: add examples and API information

commented

How do you do this in CDK on a CloudFront distribution?

commented

@jayair basically something like this:

    distribution: {
      additionalBehaviors: {
        '/path': {
          origin: new HttpOrigin(url, {
            originShieldEnabled: true,
            originShieldRegion: 'us-east-1',
          })
        }
      }
    }

commented

I wonder if you could configure it with the plan option, for example: https://docs.sst.dev/constructs/NextjsSite#configuring-basic-auth

commented

@jayair I'm pretty sure it's not possible, because origins in SsrSite are created like this:

    function createFunctionOrigin(props: FunctionOriginConfig) {
      // ...
      return new HttpOrigin(Fn.parseDomainName(fnUrl.url), {
        readTimeout:
          typeof timeout === "string"
            ? toCdkDuration(timeout)
            : CdkDuration.seconds(timeout),
      });
    }
    function createImageOptimizationFunctionOrigin(
      props: ImageOptimizationFunctionOriginConfig
    ) {
      // ...
      return new HttpOrigin(Fn.parseDomainName(fnUrl.url));
    }

So there's no way to pass any custom options to HttpOrigin.

And createOrigins() is called after the plan is already transformed.