Does CloudFront Count WSS Traffic as HTTP (instead of HTTPS) in Usage Reports?

0

Hi,

My entire CloudFront setup is configured to use HTTPS only — both from viewer to CloudFront and from CloudFront to the origin. However, I’m seeing significant HTTP traffic in the usage section of Reports and Analytics.

After a deeper dive, I suspect that the CloudFront usage stats mistakenly count WSS (WebSocket Secure) traffic as HTTP, for the following reasons:

  • Everything is set to HTTPS only, yet I still see significant HTTP traffic in the stats.
  • The HTTP traffic pattern perfectly matches the WebSocket traffic pattern observed on my origin server.
  • CloudFront usage reports only split traffic into HTTP and HTTPS categories, but WebSocket is not strictly HTTP or HTTPS (WS shall be HTTP and WSS shall be HTTPS, or use better terms).

It seems to me that both WS and WSS traffic are being counted as HTTP in CloudFront stats. This is confusing because it makes it look like my setup is not secure when in fact it is.

Can anyone verify if this is the case?

Thanks!

asked 20 days ago, 43 views
1 Answer
-1

Based on the information available, your suspicion about CloudFront counting WebSocket Secure (WSS) traffic as HTTPS in usage reports is incorrect. CloudFront actually counts HTTPS WebSocket requests, including WSS traffic, under the HTTPS category in usage reports.

Specifically, CloudFront includes HTTPS WebSocket requests (GET requests with the 'Upgrade: websocket' header) in the count of HTTPS requests that are forwarded to your origin or edge function. This is categorized under the 'Requests-HTTPS-Proxy' usage type in CloudFront's billing and usage reports.

Given that your entire CloudFront setup is configured to use HTTPS only, the HTTP traffic you're seeing in the usage reports is likely not related to WSS traffic. There could be other reasons for this discrepancy:

  1. It's possible that some clients are still attempting HTTP connections, which are then being redirected to HTTPS. These initial HTTP requests would still be counted in the usage reports.

  2. There might be some configuration issues allowing HTTP traffic through, despite your intention to use HTTPS only.

  3. The traffic pattern matching between HTTP traffic in CloudFront stats and WebSocket traffic on your origin server could be coincidental.

To resolve this issue and understand the source of the HTTP traffic, you should:

  1. Double-check your CloudFront distribution settings to ensure that the Viewer Protocol Policy is set to 'Redirect HTTP to HTTPS' or 'HTTPS Only' for all cache behaviors.

  2. Verify that your origin server is not accepting HTTP connections.

  3. Use CloudFront access logs or real-time logs to analyze the specific requests causing the HTTP traffic in your usage reports.

  4. Consider reaching out to AWS Support for a more detailed analysis of your specific setup and traffic patterns.

Remember, CloudFront is designed to accurately report HTTPS and WSS traffic under the HTTPS category, so the issue you're experiencing is likely not due to misclassification of WSS traffic as HTTP.
Sources
Interpret your AWS bill and usage reports for CloudFront - Amazon CloudFront
Viewer HTTPS configuration - Secure Content Delivery with Amazon CloudFront

answered 20 days ago
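
The log analysis suggested in step 3 of the answer can be done by tallying the `cs-protocol` field of CloudFront standard access logs, which records the viewer protocol as `http`, `https`, `ws` or `wss`. The script below is an added example, not part of the question or the answer; the sample log lines are constructed and use an abbreviated field list, and the function names are illustrative.

```python
import collections

# Constructed sample in CloudFront standard-log layout. The field list is
# abbreviated; real logs carry more columns, which the header-driven parser
# handles because it reads column names from the #Fields line.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-protocol ssl-protocol",
    "2024-01-01\t10:00:00\t198.51.100.7\tGET\t/index.html\t200\thttps\tTLSv1.3",
    "2024-01-01\t10:00:01\t198.51.100.7\tGET\t/socket\t101\twss\tTLSv1.3",
    "2024-01-01\t10:00:02\t203.0.113.9\tGET\t/\t301\thttp\t-",
    "2024-01-01\t10:00:03\t203.0.113.9\tGET\t/socket\t101\twss\tTLSv1.3",
    "2024-01-01\t10:00:04\t192.0.2.44\tGET\t/socket\t403\tws\t-",
])

# Viewer protocols that did not use TLS between the client and CloudFront.
PLAINTEXT = {"http", "ws"}


def parse(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def summarize(text):
    """Count requests per viewer protocol and collect the plaintext ones."""
    by_protocol = collections.Counter()
    plaintext = []
    for rec in parse(text):
        proto = rec.get("cs-protocol", "unknown")
        by_protocol[proto] += 1
        if proto in PLAINTEXT:
            plaintext.append((proto, rec.get("sc-status"), rec.get("cs-method"),
                              rec.get("cs-uri-stem"), rec.get("c-ip")))
    return by_protocol, plaintext


if __name__ == "__main__":
    counts, plain = summarize(SAMPLE_LOG)
    print(dict(counts))
    for row in plain:
        print(*row, sep="\t")
```

Comparing the per-protocol totals from the logs with the HTTP and HTTPS totals in the usage report for the same period shows whether the reported HTTP volume lines up with `http`/`ws` requests or with `wss` requests.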
