Amazon CloudFront

Updated: July 11, 2024

The CloudFrontBinaryManager is a Nuxeo Binary Manager that lets you store Nuxeo's binaries in an Amazon S3 bucket and lets you download them from an Amazon CloudFront CDN using signed URLs.

Before You Start

You should be familiar with:

Distribution Configuration

Serving S3 Content

Follow Using CloudFront with Amazon S3 documentation page to create a web distribution bound to S3.

Mandatory settings:

  • Restrict Bucket Access: true. Must be enabled to serve private content and sign URLs.

  • Query String Forwarding and Caching: whitelist.


To get correct response content-type and content-disposition headers.

  • Restrict Viewer Access: Yes. Requires signed URLs to access objects in the bucket.

Recommended settings in order to ease configuration:

  • Restrict Bucket Access: Yes. Restricts Bucket access to only CloudFront origin.

  • Origin Access Identity: Create a New Identity. Creates a dedicated Identity between the distribution and S3.

  • Grant Read Permissions on Bucket: Yes, Update Bucket Policy. Grants read permission to the selected Identity.

Nuxeo Configuration

In order to configure the package, you will need to provide values for the configuration parameters that define your S3 credentials bucket.

Assuming that you already have a bucket nuxeo_bucket with minimal configuration:


# Required prior to 9.3

You don't need to specify and if you're using IAM instance roles. If you want to go further, please read the Nuxeo S3 Binary Manager page.

Specifying Your Amazon CloudFront Parameters

In nuxeo.conf, add the following lines:

# Use CloudFrontBinaryManager

# CloudFront private key in .pem or .der format

# Fix a query parameter encoding issue - Amazon has to fix it...