https://serverless-stack.com/ logo
#help
Title
# help
n

Nick Laffey

01/26/2022, 5:21 PM
This might be a dumb question but can someone confirm if it’s possible to deploy a static site to a domain only accessible by users on a VPN? Any pointers as to how to achieve this with SST?
t

thdxr

01/26/2022, 5:21 PM
can you elaborate on why you're looking to protect frontend resources?
Typically those aren't sensitive
n

Nick Laffey

01/26/2022, 5:22 PM
It’s a storybook for our component library, we’d just feel a little better if internal documentation wasn’t floating around in the public.
t

thdxr

01/26/2022, 5:22 PM
StaticSite is for a cloudfront backed site so it can't be used for putting behind a VPN
You can probably rig WAF to control access to it for ips in your VPN
n

Nick Laffey

01/26/2022, 5:24 PM
A know a little bit about WAF’s, still a little unsure what you’re suggesting it be deployed with if not StaticSite though.
t

thdxr

01/26/2022, 5:24 PM
But in general I avoid VPNs in my stack and look for zero trust solutions instead
Yeah I'm not sure how to go about this otherwise, all of aws's services (s3, cloudfront) are meant to be accessed directly. I think there's some way to control with WAF but not entirely sure
n

Nick Laffey

01/26/2022, 5:25 PM
Yeah we’re exploring other ideas for hooking in SSO with a static site deployment. We apparently use a 3rd party service for some other API documentation so we might go with that. Just thought I’d see if I was missing something.
t

thdxr

01/26/2022, 5:28 PM
Not saying this is what you should go with but this is a good overview on a product that works better with these types of situations: https://www.cloudflare.com/teams/access/
a

Austin

01/26/2022, 5:40 PM
We use WAF for this purpose to easily restrict some internal SPA (Angular) applications that are hosted with S3/CloudFront to our office and VPN IPs. If you have known/static IPs to whitelist, WAF is pretty easy to use for that.
Should be able to use StaticSite normally and then create WAF as a separate resource and just attach it to the CloudFront CDN
n

Nick Laffey

01/26/2022, 5:52 PM
Great thanks all, I’m not going to be working on this myself most likely but I’m passing the info along
FWIW my co-worker is now investigating using lambda edge functions to redirect to our SSO if a cookie isn’t present and then redirect back to the static site once verified.
4 Views