TLDR; With the power of virtual hosts and MAMP, you can use any domain name and have it resolve to your local system. In this way, you can set signed cookies for your CloudFront distribution locally and test out its implementation before deploying to higher environments.
The AWS documentation on CloudFront specifies two methods to secure private content:
- Signed URL
- Signed cookies
You have determined that securing each resource individually via signed URL is not necessary. It makes more sense for your use case to use signed cookies and grant access to multiple resources at once.
Testing with signed URL is straightforward. Once you have a signed URL, you can make uses of it from anywhere, be it from your local dev machine or a higher environment.
Not so with CloudFront signed cookies.
Due to the nature of cookies, you can only set them from the same host domain name. For example, you cannot set signed cookies for CloudFront when you are testing out your web application from a dev machine running on “localhost”.
However, there is an approach that would make it possible to test signed cookies implementation with CloudFront locally. Fortunately, this approach is widespread and in use by many dev workflows — in fact, you might already be using it!
Sample Architecture
Let’s review the high level configuration of a sample architecture:
We have two CloudFront web distributions:
The web distribution example.com does not restrict access in any way. It’s origin is a private S3 bucket called webapp, and the distribution’s purpose is to speed up the distribution of static files making up the web application.
The web distribution protected.example.com restricts viewer access. It’s origin is a private S3 bucket called protected, and the distribution’s purpose is to speed up the distribution of static files while at the same time limiting access to authenticated members.
Private content is accessible via protected.example.com should clients present valid signed cookies. To put another way, when an example.com subscriber successfully logs in, the web application sets signed cookies on the browser and grants access to private content according to the access policy of the signed cookies.
Given our sample architecture, how do we get started with testing out signed cookies?
MAMP and virtual hosts
This is where virtual hosts come into play. With the power of virtual hosts and MAMP, you can use any domain name and have it resolve to your local system. In this way, you can set signed cookies for your CloudFront distribution locally and test out its implementation before deploying to higher environments.
To prepare the local environment, you will need to do the following:
- Edit the hosts file to resolve your domain name to localhost
- Configure MAMP with a virtual host serving a dev copy of your webapp
There are countless guides online on how to configure virtual hosts with MAMP. As an example, I found the article Adding a virtual host in MAMP for Mac helpful.
Let’s fast forward.
You have edited your host file and configured MAMP. We now have a shared base domain name between the webapp running on localhost and the CloudFront distribution, as illustrated by the diagram.
With MAMP running, visiting http://example.com/ in a browser will resolve internally to the local machine and serve the dev copy of your webapp.
Now, you can test the implementation of signed cookies locally. The cookies set by your web application will appear to be from *.example.com, and will be visible when requesting against the live CloudFront distribution protected.example.com.
Conclusion
The above approach allowed me to test different usages of signed cookies from my local machine against a live CloudFront web distribution serving private content.
