AWS CloudFront on Rails

Mikhail Salosin — Tue, 14 Jun 2022 21:57:43 +0000

Content Delivery Network is a useful tool to reduce the latency of delivering images, scripts, and stylesheets to your customer. Since we at Revealbot are using AWS as our cloud provider we decided to give Amazon's own CDN CloudFront a try.

In this post I'll describe how to setup Rails and CloudFront to work with each other.

On the Rails side configuration is pretty straightforward. To enable CDN we need to add one line to our production.rb config file:

config.asset_host = 'cdn.revealbot.com'

Now we need to set up CloudFront. Go to CloudFront page in the AWS console. Click on Create distribution. Fill in the Origin domain, with the site domain select protocol that CloudFront will use to access your sites.

In the Settings tab enter the domain name that will be used as the CDN subdomain and request an SSL certificate to enable HTTPS.

Then click Create Distribution. It will take AWS a couple of minutes to roll up distribution to all regions, in the meantime, we can continue our setup. Click on created distribution and go to the Origins tab. Since we only want to serve our assets through CDN we can add additional "fake" origin invalid.invalid that will help us reject all requests except for assets.

Ok, almost done, now let's set up path rules, go to Behavior and create rules that will define how CDN is processing different paths. This is our current setup:

Notice that the Default (*) path is set to invalid.invalid that we set up earlier, this will prevent CDN from serving anything else besides assets - images, fonts, stylesheets, and js files.

And that's it, redeploy your production app and all assets will be served through CloudFront CDN.

Easy migration to Ansible Vault id

Mikhail Salosin — Tue, 14 Jun 2022 13:49:37 +0000

To keep all our tokens secure we use the Ansible vault to encrypt them. Historically all files with secrets were encrypted with a single password instead of using a vault id and password file. This week we decided to migrate to vault id.

All files encrypted with a password and without vault id specified will have the header $ANSIBLE_VAULT;1.1;AES256. We can use grep to find all files with this header. To do that run

grep "\$ANSIBLE_VAULT;1.1;AES256" group_vars/**/*.yml

Now we have a list of files that looks like that:

group_vars/staging/amazon.yml:$ANSIBLE_VAULT;1.1;AES256
group_vars/staging/db.yml:$ANSIBLE_VAULT;1.1;AES256
group_vars/staging/docker_registry.yml:$ANSIBLE_VAULT;1.1;AES256
....

Grep adds matched string at the end of every file. We can use the cut command to remove this part since we only need file names. cut -d: -f1 will leave only the file name.

And finally, we can use xargs to pass the file list to the ansible-vault rekey command to convert all encrypted files to encrypted files with vault id.

The full command will look like this:

grep "\$ANSIBLE_VAULT;1.1;AES256" group_vars/**/*.yml | cut -d: -f1 | xargs ansible-vault rekey --new-vault-id vaultID@vaultfile

DEV Community: Mikhail Salosin

AWS CloudFront on Rails

Easy migration to Ansible Vault id