CloudFront redirects (301) to custom origin (ELB) instead of caching

0

A customer has configured CloudFront in front of an ELB and he tells me that when he tries to reach the website with the CloudFront URL, CloudFront sends a redirect (301) to the URL of the ELB (the URL changes from the CloudFront URL to the ELB URL in the browser) instead of serving the request directly.

Their custom origin redirects all http traffic to https. I suspect that when a user tries to access the website via the http address, CloudFront sends the request to the custom origin (ELB), the origin sends this redirect (301) to https to CloudFront, and CloudFront caches this redirect. In subsequent requests, CloudFront will send this cached redirect to the client, hence the client is just redirected to the custom origin and sees the URL change in his browser. This is explained in this page. Can you confirm this understanding is correct?

What can be done to solve this? I saw that changing the "Origin Protocol Policy" to "Match Viewer" could maybe solve that? Could you confirm this?

1 Answer
0
Accepted Answer

The customer's origin will be receiving the hostname of the origin configured in CloudFront (which points to the ELB) unless they have configured CloudFront to forward the Host header.

So assume that the public hostname for the website (and the CNAME set up on CloudFront) is www.mysite.com and the ELB's hostname is my-loadbalancer.us-west-2.elb.amazonaws.com. While the client sends:

GET /page HTTP/1.1
Host: www.mysite.com

if the Host header is not forwarded to the origin, the origin will receive:

GET /page HTTP/1.1
Host: my-loadbalancer.us-west-2.elb.amazonaws.com

and if it is not received over HTTPS, the origin probably issues a redirect response by simply concatenating https://, the Host header and the path to give the response:

HTTP/1.1 301 Moved Permanently
Location: https://my-loadbalancer.us-west-2.elb.amazonaws.com/page

CloudFront will return that to the client, and thus the client will go directly to the ELB.

As others have pointed out, you can configure CloudFront to redirect HTTP requests to HTTPS, and enforce all requests to the origin to be HTTPS. This will solve the issue since the origin redirection will never be executed.

If the redirection on the origin does additional logic that is needed, you could configure CloudFront to forward the Host header to the origin so it would then redirect to the public hostname, or you could modify the origin to store the public hostname as a configuration and to redirect to the public hostname rather than using the Host header.

AWS
Expert
Answered 3 years ago
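
The cases described in the answer above, modelled as an added example (not code from the original answer or from AWS). The function names are hypothetical, the hostnames are the answer's sample values, and `leaks_origin` is an assumed check for spotting a redirect that sends viewers straight to the origin hostname.

```python
from urllib.parse import urlsplit

PUBLIC_HOST = "www.mysite.com"  # CNAME on the distribution (sample value)
ORIGIN_HOST = "my-loadbalancer.us-west-2.elb.amazonaws.com"  # sample value
REDIRECTS = (301, 302, 303, 307, 308)


def edge_to_origin_host(viewer_host, forward_host):
    """Host header the origin sees: the viewer's only if it is forwarded."""
    return viewer_host if forward_host else ORIGIN_HOST


def origin_redirect(host_header, path, scheme, canonical_host=None):
    """Origin's HTTP->HTTPS rule. Returns (status, headers).

    Without canonical_host the Location is built from the Host header,
    which is the behaviour the answer suspects.
    """
    if scheme == "https":
        return 200, {}  # request already secure, redirect never runs
    target = canonical_host or host_header
    return 301, {"Location": f"https://{target}{path}"}


def leaks_origin(status, headers, origin_host=ORIGIN_HOST):
    """True when a redirect points the viewer at the origin hostname."""
    if status not in REDIRECTS:
        return False
    location_host = urlsplit(headers.get("Location", "")).hostname or ""
    return location_host.lower() == origin_host.lower()


def simulate(forward_host, origin_scheme, canonical_host=None):
    """One viewer request for /page passing through the edge to the origin."""
    host = edge_to_origin_host(PUBLIC_HOST, forward_host)
    return origin_redirect(host, "/page", origin_scheme, canonical_host)


if __name__ == "__main__":
    cases = {
        "Host not forwarded, HTTP to origin": simulate(False, "http"),
        "Host forwarded, HTTP to origin": simulate(True, "http"),
        "Origin uses configured hostname": simulate(False, "http", PUBLIC_HOST),
        "HTTPS only to origin": simulate(False, "https"),
    }
    for name, (status, headers) in cases.items():
        flag = "LEAKS ORIGIN" if leaks_origin(status, headers) else "ok"
        print(f"{name}: {status} {headers.get('Location', '-')} [{flag}]")
```
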
