CDN将内容缓存到全球边缘节点,用户就近访问,降低延迟50%+,减少源站压力80%+。配合DNS解析实现智能流量调度。
用户请求 → DNS解析(CNAME) → 最近边缘节点
│
┌─────────┴─────────┐
▼ ▼
命中缓存 ✅ 未命中 ❌
直接返回 回源获取
(毫秒级) → 缓存到边缘 → 返回| 配置项 | 说明 | 推荐值 |
|---|---|---|
| 缓存TTL | 静态资源缓存时间 | CSS/JS/Img: 1年, HTML: 5分钟 |
| 回源协议 | CDN→源站协议 | HTTPS优先 |
| Gzip/Brotli | 压缩传输 | 开启(>1KB) |
| WAF防护 | Web应用防火墙 | 开启 |
cat > cf-distribution.json << 'EOF'
{
"CallerReference": "my-devops-cdn-2026",
"Comment": "DevOps Static CDN",
"Enabled": true,
"Origins": [{"Id":"S3-origin","DomainName":"my-static-site-2026.s3.ap-southeast-1.amazonaws.com","S3OriginConfig":{}}],
"DefaultCacheBehavior": {
"TargetOriginId": "S3-origin",
"ViewerProtocolPolicy": "redirect-to-https",
"AllowedMethods": ["GET", "HEAD"],
"Compress": true
},
"PriceClass": "PriceClass_200"
}
EOF
aws cloudfront create-distribution --distribution-config file://cf-distribution.json
# 创建缓存失效(强制刷新)
aws cloudfront create-invalidation --distribution-id E1234567890 --paths "/index.html" "/assets/*"
# 查看状态
aws cloudfront get-distribution --id E1234567890 --query 'Distribution.Status'# 创建Hosted Zone
aws route53 create-hosted-zone --name devops.example.com --caller-reference "2026-05-19"
# A记录指向CloudFront
cat > route53-record.json << 'EOF'
{
"Comment": "Point to CloudFront",
"Changes": [{"Action":"CREATE","ResourceRecordSet":{
"Name":"app.devops.example.com","Type":"A",
"AliasTarget":{"HostedZoneId":"Z2FDTNDATAQYW2","DNSName":"d1234567890.cloudfront.net","EvaluateTargetHealth":false}
}}]
}
EOF
aws route53 change-resource-record-sets --hosted-zone-id Z1234567890 --change-batch file://route53-record.json
# 验证DNS解析
dig app.devops.example.com +short
nslookup app.devops.example.com
# SSL证书
aws acm request-certificate --domain-name app.devops.example.com --validation-method DNS --region us-east-1# Let's Encrypt
apt install -y certbot python3-certbot-nginx
certbot --nginx -d app.devops.example.com
certbot renew --dry-run
# 通配符证书(DNS验证)
certbot certonly --manual --preferred-challenges dns -d '*.devops.example.com' --agree-tos -m admin@example.com
# 证书过期监控
cat > /usr/local/bin/cert-check.sh << 'SCRIPT'
#!/bin/bash
DAYS=30
for cert in /etc/letsencrypt/live/*/fullchain.pem; do
expiry=$(openssl x509 -enddate -noout -in "$cert" | cut -d= -f2)
remain=$(( ( $(date -d "$expiry" +%s) - $(date +%s) ) / 86400 ))
[[ $remain -lt $DAYS ]] && echo "⚠️ $cert expires in $remain days!"
done
SCRIPT
chmod +x /usr/local/bin/cert-check.sh
用户 → DNS解析(CNAME) → CDN边缘节点 → 源站(S3/OSS)
│ │
Route53/DNSPod 缓存命中?
智能调度 ├─ 是 → 直接返回(5-20ms)
└─ 否 → 回源获取 → 缓存 → 返回(100-500ms)
SSL: 用户→CDN (证书1) CDN→源站 (证书2)
安全: WAF + DDoS防护 + HTTPSaws cloudfront create-invalidation --distribution-id E1234567890 --paths "/*"
curl -I https://cdn.devops.example.com/index.html | grep -i cache
# 常见:Cache-Control max-age过大/未配置Invalidation/回源Host错误掌握CloudFront/Route53配置、SSL证书管理、CDN缓存策略——全球加速让用户体验飞跃
| 资源类型 | 缓存TTL | Cache-Control | 刷新策略 |
|---|---|---|---|
| HTML | 5分钟 | max-age=300 | CDN Invalidation |
| CSS/JS | 1年 | max-age=31536000, immutable | 文件名加hash |
| 图片 | 30天 | max-age=2592000 | 文件名加hash |
| API响应 | 不缓存 | no-store | N/A |
| 字体 | 1年 | max-age=31536000, immutable | 文件名加hash |
# 安装tccli
pip install tccli && tccli configure
# 添加加速域名
tccli cdn AddCdnDomain \
--Domain cdn.devops.example.com \
--ServiceType web \
--Origin '{"type":"cos","list":["my-bucket-1250000000.cos.ap-guangzhou.myqcloud.com"]}'
# 刷新缓存
tccli cdn PurgeUrlsCache --Urls '["https://cdn.devops.example.com/index.html"]'
# 查看CDN统计
tccli cdn DescribeCdnData \
--StartTime "2026-05-19T00:00:00+08:00" \
--EndTime "2026-05-19T23:59:59+08:00" \
--Domains '["cdn.devops.example.com"]'
# 安装Wrangler CLI
npm install -g wrangler
wrangler login
# 创建Worker
wrangler init my-edge-function
cd my-edge-function
cat > src/index.ts << 'EOF'
export default {
async fetch(request: Request): Promise {
const url = new URL(request.url);
// A/B测试:基于Cookie分流
const abGroup = request.headers.get('Cookie')?.includes('ab=new') ? 'new' : 'old';
// 缓存策略:静态资源1年,HTML 5分钟
if (url.pathname.match(/\.(css|js|png|jpg|woff2)$/)) {
const cache = caches.default;
const cached = await cache.match(request);
if (cached) return cached;
const resp = await fetch(request);
const newResp = new Response(resp.body, resp);
newResp.headers.set('Cache-Control', 'public, max-age=31536000');
await cache.put(request, newResp.clone());
return newResp;
}
return fetch(request);
}
};
EOF
wrangler deploy