@stacksjs/ts-cloud 0.2.25 → 0.2.26
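--- a/package/dist/drivers/index.d.ts
+++ b/package/dist/drivers/index.d.ts
@@ -7,3 +7,5 @@ export { buildAwsArtifactFetch, buildLocalArtifactFetch, buildSiteDeployScript,
 export { deployAllComputeSites, deploySiteRelease, reloadRpxGateway } from './shared/compute-deploy';
 export { buildRpxConfig, buildRpxProvisionScript, deriveRouteId, normalizeRoutePath, renderRpxLauncher, DEFAULT_RPX_CERTS_DIR, RPX_DIR, RPX_LAUNCHER_PATH, RPX_SERVICE_NAME, } from './shared/rpx-gateway';
 export type { BuildRpxConfigOptions, BuildRpxProvisionOptions, RpxGatewayConfig, RpxRoute, } from './shared/rpx-gateway';
+export { buildCloudFrontOriginConfig, MANAGED_CACHE_POLICY_DISABLED, MANAGED_CACHE_POLICY_OPTIMIZED, MANAGED_ORIGIN_REQUEST_POLICY_ALL_VIEWER, } from './shared/cloudfront-origin';
+export type { BuildCloudFrontOriginOptions, OriginFrontedBehavior, } from './shared/cloudfront-origin';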
@@ -0,0 +1,61 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* CloudFront-in-front-of-a-custom-origin distribution config.
|
|
3
|
+
*
|
|
4
|
+
* When a self-hosted gateway (rpx on a Hetzner box) is the origin behind
|
|
5
|
+
* CloudFront, the distribution needs a very specific shape — and several
|
|
6
|
+
* non-obvious settings will silently break it if wrong. This builder encodes
|
|
7
|
+
* the working configuration so it can't regress:
|
|
8
|
+
*
|
|
9
|
+
* - **One custom origin**, the dedicated origin host (e.g. `origin.example.com`),
|
|
10
|
+
* HTTPS-only. It must NOT be a public alias (that loops) and can't be a bare IP.
|
|
11
|
+
* - **Host forwarding** via the AWS-managed `AllViewer` origin-request policy, so
|
|
12
|
+
* the box receives `Host: <alias>` and routes by it (not by the origin host).
|
|
13
|
+
* - **No `DefaultRootObject`.** Setting it to `index.html` makes CloudFront fetch
|
|
14
|
+
* `/index.html`, which a gateway with clean-URLs 301-redirects back to `/` — an
|
|
15
|
+
* infinite loop. Leave it empty and let the origin serve `/`.
|
|
16
|
+
* - **No CloudFront Functions / Lambda@Edge.** S3-era URL-rewrite functions fight
|
|
17
|
+
* a gateway that already does its own path-mounting + clean URLs (→ 301 loops).
|
|
18
|
+
* - **Dynamic paths** (e.g. `/api/*`) use the managed `CachingDisabled` policy and
|
|
19
|
+
* allow all HTTP methods; **static paths** use `CachingOptimized`.
|
|
20
|
+
* - **Origin lockdown header** (optional): a secret injected on the origin hop,
|
|
21
|
+
* paired with rpx `createOriginGuard`, so the publicly-resolvable origin can't
|
|
22
|
+
* be used to bypass the CDN.
|
|
23
|
+
*
|
|
24
|
+
* The result is a complete `DistributionConfig` suitable for CloudFront
|
|
25
|
+
* `CreateDistribution` or `UpdateDistribution`.
|
|
26
|
+
*/
|
|
27
|
+
/** AWS-managed cache/origin-request policy IDs (identical across all accounts). */
|
|
28
|
+
export declare const MANAGED_CACHE_POLICY_OPTIMIZED = "658327ea-f89d-4fab-a63d-7e88639e58f6";
|
|
29
|
+
export declare const MANAGED_CACHE_POLICY_DISABLED = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad";
|
|
30
|
+
export declare const MANAGED_ORIGIN_REQUEST_POLICY_ALL_VIEWER = "216adef6-5c7f-47e4-b989-5492eafa07d3";
|
|
31
|
+
export interface OriginFrontedBehavior {
|
|
32
|
+
/** Path pattern this behavior owns, e.g. `/api/*`, `/docs`, `/docs/*`. */
|
|
33
|
+
pathPattern: string;
|
|
34
|
+
/** `dynamic` → no caching + all methods (apps/APIs); `static` → cached (CachingOptimized). */
|
|
35
|
+
kind: 'dynamic' | 'static';
|
|
36
|
+
}
|
|
37
|
+
export interface BuildCloudFrontOriginOptions {
|
|
38
|
+
/** Public aliases (CNAMEs) on the distribution, e.g. `['example.com', 'www.example.com']`. */
|
|
39
|
+
aliases: string[];
|
|
40
|
+
/** Dedicated origin hostname CloudFront connects to. MUST resolve to the box, MUST NOT be an alias. */
|
|
41
|
+
originDomain: string;
|
|
42
|
+
/** ACM certificate ARN (us-east-1) covering {@link aliases}. */
|
|
43
|
+
viewerCertificateArn: string;
|
|
44
|
+
/** Per-path behaviors layered over the default. The default behavior (`/`) is always `static`. */
|
|
45
|
+
behaviors?: OriginFrontedBehavior[];
|
|
46
|
+
/** Secret injected on the origin hop (paired with rpx `createOriginGuard`). Omit to leave the origin open. */
|
|
47
|
+
originSecret?: string;
|
|
48
|
+
/** Header carrying {@link originSecret}. @default 'X-Origin-Verify' */
|
|
49
|
+
originSecretHeader?: string;
|
|
50
|
+
/** Stable id used to deterministically derive `CallerReference`. @default originDomain */
|
|
51
|
+
callerReference?: string;
|
|
52
|
+
/** Distribution comment. */
|
|
53
|
+
comment?: string;
|
|
54
|
+
/** `PriceClass_All` | `PriceClass_200` | `PriceClass_100`. @default 'PriceClass_All' */
|
|
55
|
+
priceClass?: string;
|
|
56
|
+
}
|
|
57
|
+
/**
|
|
58
|
+
* Build a complete CloudFront `DistributionConfig` for a self-hosted origin.
|
|
59
|
+
* See the module docblock for the rationale behind each fixed setting.
|
|
60
|
+
*/
|
|
61
|
+
export declare function buildCloudFrontOriginConfig(options: BuildCloudFrontOriginOptions): Record<string, any>;
|
|
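Review bot: `priceClass?: string` in the new `BuildCloudFrontOriginOptions` declaration accepts any string even though the comment directly above it enumerates the only three valid values; declaring it as `priceClass?: 'PriceClass_All' | 'PriceClass_200' | 'PriceClass_100';` catches a typo at compile time instead of at the CloudFront API call. In the same file `buildCloudFrontOriginConfig` returns `Record<string, any>`, which leaks `any` into the public surface; if `@ts-cloud/aws-types` (a dependency per package.json) exposes a `DistributionConfig` type, return that, otherwise `Record<string, unknown>`. The `originSecret` doc comment would also benefit from stating that the value is placed as a custom origin header inside the distribution config, where it is stored in plaintext and, as far as I know, returned by `GetDistributionConfig`, so it should be rotated like any other shared secret rather than treated as write-only.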
@@ -67,6 +67,15 @@ export interface RpxGatewayConfig {
|
|
|
67
67
|
hosts: false;
|
|
68
68
|
certs: false;
|
|
69
69
|
};
|
|
70
|
+
/**
|
|
71
|
+
* Origin lockdown (from `proxy.cdn` when a `secret` is set): rpx rejects
|
|
72
|
+
* direct hits to the CDN-fronted hosts that lack the shared-secret header.
|
|
73
|
+
*/
|
|
74
|
+
originGuard?: {
|
|
75
|
+
header: string;
|
|
76
|
+
value: string;
|
|
77
|
+
hosts: string[];
|
|
78
|
+
};
|
|
70
79
|
}
|
|
71
80
|
export interface BuildRpxConfigOptions {
|
|
72
81
|
/** Proxy config from `infrastructure.compute.proxy`. */
|
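Review bot: The new `originGuard` doc comment says the guard is present "when a `secret` is set", but `buildRpxConfig` in dist/index.js only populates it when `frontedHosts` is also non-empty, so a reader of the declaration alone gets a weaker precondition than the code enforces; suggest the first doc line read `* Origin lockdown (from proxy.cdn when a secret is set and frontedHosts is non-empty): rpx rejects`. The enclosing `RpxGatewayConfig` interface starts outside the hunk.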
package/dist/index.js
CHANGED
|
@@ -81788,6 +81788,14 @@ function buildRpxConfig(sites, options) {
|
|
|
81788
81788
|
certsDir
|
|
81789
81789
|
};
|
|
81790
81790
|
}
|
|
81791
|
+
const cdn = options.proxy.cdn;
|
|
81792
|
+
if (cdn?.secret && cdn.frontedHosts.length > 0) {
|
|
81793
|
+
config6.originGuard = {
|
|
81794
|
+
header: cdn.secretHeader ?? "X-Origin-Verify",
|
|
81795
|
+
value: cdn.secret,
|
|
81796
|
+
hosts: cdn.frontedHosts
|
|
81797
|
+
};
|
|
81798
|
+
}
|
|
81791
81799
|
return config6;
|
|
81792
81800
|
}
|
|
81793
81801
|
function renderRpxLauncher(config6) {
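Review bot: The added guard `if (cdn?.secret && cdn.frontedHosts.length > 0)` only optionally-chains `cdn` itself, so when `secret` is set but `frontedHosts` is absent the expression throws a TypeError rather than skipping the guard; if `frontedHosts` is optional in the proxy schema (not visible here), write `if (cdn?.secret && (cdn.frontedHosts?.length ?? 0) > 0) {`. Separately, `config6.originGuard.value` now carries the plaintext shared secret, and `config6` is what `renderRpxLauncher` directly below consumes, so whatever that renders to disk should be created with restrictive permissions and kept out of logs. `buildRpxConfig` begins outside the hunk, and `renderRpxLauncher`'s body is also outside it.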
|
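--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@stacksjs/ts-cloud",
 "type": "module",
-"version": "0.2.
+"version": "0.2.26",
 "description": "A lightweight, performant infrastructure-as-code library and CLI for deploying both server-based (EC2) and serverless applications.",
 "author": "Chris Breuer <chris@stacksjs.com>",
 "license": "MIT",
@@ -89,8 +89,8 @@
 "test": "bun test"
 },
 "dependencies": {
-"@ts-cloud/aws-types": "0.2.
-"@ts-cloud/core": "0.2.
+"@ts-cloud/aws-types": "0.2.26",
+"@ts-cloud/core": "0.2.26",
 "@stacksjs/ts-xml": "^0.1.0"
 },
 "devDependencies": {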