This guide will show you how to configure WordPress to origin push uploads directly to S3 and using CloudFront to serve the assets. This setup is ideal if you plan to have a scale-out autoscaling solution.
The Problem
I have seen many guides online on how to setup WordPress for autoscaling but none seem to tackle the issue of properly getting your uploads sent to S3 so that a scale-out solution would work as expected. Also, there seems to be many plugins that are charging for X transactions per month… I would steer clear of these plugins because they are not only monitoring your data usage, but they are most likely using a third-party service that is seeing all your content before it is sent to AWS. This has many compliance and security concerns and is completely unnecessary. The point is to fully understand what you are getting into when using any third-party plugins.
Prerequisites
You will need to have W3 Total Cache installed in WordPress. I have chosen W3 Total Cache because it is very stable and one of the best caching solutions on the market. It doesn’t monitor how many uploads you do per month and they do not use a third-party solution to push to S3, the plugin pushes directly to your S3 bucket. You will also need to setup IAM, S3 and CloudFront. I will briefly cover that but I expect you to have knowledge on how to do this yourself. I also assume you are using Route53 for your DNS and you know how to add a record.
Setting Up S3
Create a bucket, ideally make the bucket name what you expect your CDN URL to be. (e.g. assets.cdn.domain.com). You can configure the bucket how you like, I recommend enabling versioning and logging but this has added costs. Do not grant public assess to the bucket, we will allow CloudFront to access this bucket with a policy.
Setting Up CloudFront
Setup a web delivery method for CloudFront, for the Origin Domain Name select your newly created bucket. Select Yes for Restrict Bucket Access and allow it to create a new identity. Wait for this to be deployed and then add the CloudFront domain name to the CDN URL in Route53 as an alias.
Create a Policy in IAM
Finding the right AWS policy for W3 Total Cache was surprisingly more problematic than I anticipate. I have found numerous articles stating to open all permissions for S3 and that is not something I really want to do. Security is always an afterthought until it is compromised. It’s best to start as secure as you can and work back from there. Also, none of the policies I found seemed to work as expected. So I decided I would just figure out the policy on my own. Below is my policy for W3 Total Cache to allow it to connect to push files directly to S3.
Create a new policy, name it whatever you want (e.g. WebServerAccessToBUCKETNAME), then use this JSON for the policy (make sure to replace BUCKET_NAME with your actual bucket name):
Create a User in IAM
Ideally, I would prefer to use roles here but W3 Total Cache does not support roles at the time of this post. So let’s create a user that the web servers can use for W3 Total Cache. I like to namespace special users so I would recommend a user named: system.webserver-domainname, you can use whatever name you want. Make sure to attache the newly created policy from above to the new user. Otherwise none of this will work.
Configure W3 Total Cache
I am not going to explain how to configure W3 Total Cache for your site. This varires on the setup and needs of the website. I only plan to show you the settings that are necessary to complete this setup.
Under General Settings, go to CDN and check Enable. For the CDN Type, select: Origin Push: Amazon Cloudfront.
Save this setting then click on CDN sub-menu on the sidebar. This will take you to a configuration page just for the CDN.
On this screen, you are just going to add the Access Key ID and Secret Key that are for the new user your created above. Assign the bucket name and select the region it’s located.
Make sure to click the test button to ensure your passed. If you test passed, you can now upload a media asset to test your setup.
You should now have a working solution that will allow you to upload files directly to S3 while allowing CloudFront to server as your CDN. With this setup, you can now implement a scale-out solution for autoscaling.
