Initial commit

Author: k1LoW

.gitignore

@@ -0,0 +1 @@
+node_modules

README.md

@@ -0,0 +1,32 @@
+# Serverless boilerplate for Static website hosting with Basic authentication
+
+## Architecture
+
+```
+[CloudFront (with Lambda@Edge)] - Restrict Bucket Access -> [S3 Origin Bucket]
+```
+
+## Usage
+
+### Config
+
+Set Basic authentication config ( `handler.js` )
+
+### Deploy
+
+```
+$ npm install
+$ AWS_PROFILE=XxxxxXXX WEBSITE_S3_BUCKET_NAME=sls-static-basic npm run deploy
+```
+
+### Synchronize src/* and Website
+
+```
+$ AWS_PROFILE=XxxxxXXX WEBSITE_S3_BUCKET_NAME=sls-static-basic npm run sync
+```
+
+### Remove
+
+```
+$ AWS_PROFILE=XxxxxXXX WEBSITE_S3_BUCKET_NAME=sls-static-basic npm run remove
+```

handler.js

@@ -0,0 +1,35 @@
+'use strict';
+
+const BASIC_AUTH_USERS = {
+    'user': 'pass'
+};
+
+module.exports.basicAuth = (event, context, callback) => {
+    const request = event.Records[0].cf.request;
+    const headers = request.headers;
+    const authorization = headers.authorization || headers.Authorization;
+
+    if (authorization) {
+        const encoded = authorization[0].value.split(' ')[1];
+        const userAndPassword = new Buffer(encoded, 'base64').toString();
+        for (let user in BASIC_AUTH_USERS) {
+            const password = BASIC_AUTH_USERS[user];
+            if (`${user}:${password}` === userAndPassword) {
+                callback(null, request);
+                return;
+            }
+        }
+    }
+
+    const response = {
+        status: '401',
+        statusDescription: 'Authorization Required',
+        headers: {
+            'www-authenticate': [{key: 'WWW-Authenticate', value: 'Basic'}],
+            'content-type': [{key: 'Content-Type', value: 'text/plain; charset=utf-8'}]
+        },
+        body: '401 Authorization Required'
+    };
+
+    callback(null, response);
+};

package.json

@@ -0,0 +1,22 @@
+{
+  "name": "serverless-static-hosting-with-basic-auth",
+  "version": "0.1.0",
+  "description": "Serverless boilerplate for Static website hosting with Basic authentication",
+  "main": "index.js",
+  "scripts": {
+    "deploy": "sls deploy -v",
+    "remove": "sls remove",
+    "sync": "sls sync",
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [
+    "serverless"
+  ],
+  "author": "k1LoW <[email protected]> (https://github.com/k1LoW)",
+  "license": "MIT",
+  "devDependencies": {
+    "serverless": "^1.25.0",
+    "serverless-plugin-cloudfront-lambda-edge": "^1.0.0",
+    "serverless-s3-sync": "^1.3.0"
+  }
+}

serverless.yml

@@ -0,0 +1,111 @@
+service: ${self:provider.environment.WEBSITE_S3_BUCKET_NAME}
+
+provider:
+  name: aws
+  runtime: nodejs6.10
+
+  stage: dev
+  region: us-east-1 # Lambda@Edge function must be us-east-1
+
+  environment:
+    WEBSITE_S3_BUCKET_NAME: ${env:WEBSITE_S3_BUCKET_NAME, 'sls-static-basic'}
+
+plugins:
+  - serverless-s3-sync
+  - serverless-plugin-cloudfront-lambda-edge
+
+custom:
+  s3Sync:
+    - bucketName: ${self:provider.environment.WEBSITE_S3_BUCKET_NAME}
+      localDir: src
+
+functions:
+  basicAuth:
+    name: '${self:provider.environment.WEBSITE_S3_BUCKET_NAME}-viewer-request'
+    handler: handler.basicAuth
+    memorySize: 128
+    timeout: 1
+    lambdaAtEdge:
+      distribution: WebsiteDistribution
+      eventType: 'viewer-request'
+
+resources:
+  Resources:
+    WebsiteBucket:
+      Type: AWS::S3::Bucket
+      Properties:
+        BucketName: ${self:provider.environment.WEBSITE_S3_BUCKET_NAME}
+        AccessControl: Private
+        WebsiteConfiguration:
+          IndexDocument: index.html
+          ErrorDocument: error.html
+    WebsiteBucketPolicy:
+      Type: AWS::S3::BucketPolicy
+      Properties:
+        Bucket: { Ref: WebsiteBucket }
+        PolicyDocument:
+          Statement:
+            -
+              Action:
+                - "s3:GetObject"
+              Effect: Allow
+              Resource: { "Fn::Join" : ["", ["arn:aws:s3:::", { Ref : WebsiteBucket }, "/*" ] ]  }
+              Principal:
+                AWS: { "Fn::Join" : [" ", ["arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity", { Ref: WebsiteOriginAccessIdentity } ] ] }
+    WebsiteOriginAccessIdentity:
+      Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
+      Properties:
+        CloudFrontOriginAccessIdentityConfig:
+          Comment: "CloudFrontOriginAccessIdentity for ${self:service}-${self:provider.stage}"
+    WebsiteDistribution:
+      Type: AWS::CloudFront::Distribution
+      Properties:
+        DistributionConfig:
+          DefaultCacheBehavior:
+            AllowedMethods: [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ]
+            CachedMethods:  [ "GET", "HEAD", "OPTIONS" ]
+            TargetOriginId: WebsiteBucketOrigin
+            ViewerProtocolPolicy: redirect-to-https
+            DefaultTTL: 0
+            MaxTTL: 0
+            MinTTL: 0
+            Compress: true
+            ForwardedValues:
+              QueryString: true
+              Cookies:
+                Forward: 'all'
+          CustomErrorResponses:
+            -
+              ErrorCode: '403'
+              ErrorCachingMinTTL: 1
+            -
+              ErrorCode: '404'
+              ErrorCachingMinTTL: 1
+            -
+              ErrorCode: '500'
+              ErrorCachingMinTTL: 1
+            -
+              ErrorCode: '502'
+              ErrorCachingMinTTL: 1
+            -
+              ErrorCode: '503'
+              ErrorCachingMinTTL: 1
+            -
+              ErrorCode: '504'
+              ErrorCachingMinTTL: 1
+          DefaultRootObject: 'index.html'
+          Enabled: true
+          PriceClass: 'PriceClass_100'
+          HttpVersion: 'http2'
+          ViewerCertificate:
+            CloudFrontDefaultCertificate: true
+          Origins:
+            -
+              Id: 'WebsiteBucketOrigin'
+              DomainName: { 'Fn::GetAtt': [ WebsiteBucket, DomainName ] }
+              S3OriginConfig:
+                OriginAccessIdentity: { "Fn::Join" : ["", ["origin-access-identity/cloudfront/", { Ref: WebsiteOriginAccessIdentity } ] ]  }
+  Outputs:
+    WebsiteURL:
+      Value: { "Fn::Join" : ["", ["https://", { "Fn::GetAtt" : [ WebsiteDistribution, DomainName ] } ] ] }
+      Description: "URL for website via CloudFront"

src/error.html

@@ -0,0 +1 @@
+Error

src/index.html

@@ -0,0 +1 @@
+Authenticated Access!!!