403 status routing traffic through CloudFront to non-AWS custom origin server

0

We have a domain with a 3rd party Registrar and a dynamic website served from 3rd party servers. I am trying to route traffic through our Registrar, then through CloudFront and then to our custom origin server. Ultimately, we are looking to replace our 3rd party WAF with AWS WAF, but I'm first trying to get traffic routed through CloudFront before adding the WAF layer.

I have created a CloudFront Distribution with an Alternate Domain Name (let's call it aws.example.com) and custom SSL certificate with the same subdomain (aws.example.com) set up through AWS Certificate Manager. I have a CloudFront Behavior set up with the subdomain/Alternate Domain Name as the Origin, Caching disabled, and HTTP redirected to HTTPS. Then in Route 53, I've created a Hosted Zone with an A Record mapping the subdomain/Alternate Domain Name to the static public IP Address of the non-AWS origin server. Finally, at our Registrar, I have a CNAME for the domain name mapping the subdomain "aws" to the Distribution Domain Name for the CloudFront distribution ( e.g. xyz1234.cloudfront.net ).

What I expected was for calls to aws.example.com to route through our Registrar to CloudFront through Route 53 to the non-AWS origin server, but what we get is CloudFront responding with a 403 status. If I go directly to the Distribution Domain Name for the CloudFront distribution, the result is the same. It appears that the traffic stops at CloudFront and that the alternate domain is not passing through Route 53.

What is the correct way to configure this all to route traffic through CloudFront to non-AWS custom origin server?

8 Answers
0

Can you access the origin without going through CloudFront?

If you can access it, please check if it is configured as per the following document. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html

Verify that the CNAME record is set in CloudFront by using the dig command

EXPERT
answered a year ago
0

I was thinking I should have mentioned that the subdomain on the non-AWS origin server is accessible if DNS is simply routed through our Registrar (via an A record pointed at the IP address of the server).

Also, apologies if it wasn't clear that when configured the way I described we do make it to CloudFront and get the 403 message from CloudFront. The CNAME is configured for the Alternate Domain Name, and dig does return the correct Distribution Domain Name for the CNAME/Alternate Domain Name aws.example.com

The problem appears to be that the traffic stops at CloudFront and that the alternate domain is not passing through Route 53.

answered a year ago
0

Is HTTPS used between CloudFront and the origin?
Please send me a screenshot of your CloudFront configuration screen if possible.

EXPERT
answered a year ago
0

I believe so: TLS 1.2

[screenshot: CloudFront config]

answered a year ago
0

Thank you very much.
Could you please show me additional origin detail settings and behavior detail settings?

EXPERT
answered a year ago
0

Thanks, @Riku. Here are additional configuration details:

Origin Settings:

[screenshot: Origin Settings]

Behaviors Settings:

[screenshot: Behaviors Settings A] [screenshot: Behaviors Settings B]

answered a year ago
0

The origin domain and CloudFront Alternate Domain Name look the same, but are they set differently?
If they are the same, please change them to different ones.

EXPERT
answered a year ago
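The check the expert is asking for, as an added example that is not part of the thread: walk the public DNS view of the setup described in the question the way a resolver would, and flag an origin domain that is the same as the alternate domain name or that resolves to a cloudfront.net name (the registrar's CNAME then sends CloudFront's own origin requests back to CloudFront). The record maps, the `origin.example.com` hostname and the IP addresses are constructed for the example; `xyz1234.cloudfront.net` is the placeholder used in the question.

```python
# Added example (not from the re:Post thread): model the public DNS view of a
# CloudFront distribution and its origin, and flag an origin that loops back.
CLOUDFRONT_SUFFIX = ".cloudfront.net."


def resolve(name, records, max_hops=8):
    """Follow CNAME records from `name`; return (final_name, ip_or_None)."""
    name = name if name.endswith(".") else name + "."
    for _ in range(max_hops):
        rec = records.get(name)
        if rec is None:           # no record: name does not resolve publicly
            return name, None
        rtype, value = rec
        if rtype == "A":
            return name, value
        name = value if value.endswith(".") else value + "."
    raise ValueError("CNAME chain too long (possible loop)")


def origin_is_cloudfront(origin_domain, records):
    """True when the origin hostname ends up at a *.cloudfront.net name."""
    final, _ = resolve(origin_domain, records)
    return final.lower().endswith(CLOUDFRONT_SUFFIX)


def check_distribution(alt_domain, origin_domain, records):
    """Return the problems found for an alternate-domain / origin pairing."""
    problems = []
    if alt_domain.rstrip(".").lower() == origin_domain.rstrip(".").lower():
        problems.append("origin domain equals alternate domain name")
    if origin_is_cloudfront(origin_domain, records):
        problems.append("origin resolves to a cloudfront.net name (loops back to CloudFront)")
    return problems


# Constructed public-DNS view of the setup in the question: the registrar's zone
# answers for example.com, so the A record in the Route 53 hosted zone is never
# seen by public resolvers and is deliberately absent here.
AS_DESCRIBED = {
    "aws.example.com.": ("CNAME", "xyz1234.cloudfront.net."),
    "xyz1234.cloudfront.net.": ("A", "203.0.113.10"),  # placeholder CloudFront IP
}

# Constructed corrected view: a distinct origin hostname pointing at the server.
CORRECTED = dict(AS_DESCRIBED)
CORRECTED["origin.example.com."] = ("A", "198.51.100.20")  # placeholder origin IP

if __name__ == "__main__":
    print(check_distribution("aws.example.com", "aws.example.com", AS_DESCRIBED))
    print(check_distribution("aws.example.com", "origin.example.com", CORRECTED))
```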
0

Did you solve the problem here?

EXPERT
answered a year ago
