Domain routed to s3 bucket delivers contents from heroku?

0

We uploaded some HTML content to an amazon s3 bucket and we want to publish it via the url reports.repeato.app. This domain is hosted at a different webhosting company. We are using AWS CloudFront to deliver the website via https. We downloaded the wildcard SSL certificate for *.repeato.app, imported it into AWS Certificate Manager and used it to configure the CloudFront distribution.

We also linked the reports.repeato.app domain to the cloudfront endpoint via CNAME.

The strange thing is: Opening reports.repeato.app in a browser (or via wget), results in contents being shown that should only be shown on clients.repeato.app. clients.repeato.app is hosted on heroku and we don't have any idea why it's being shown on the reports.repeato.app domain. This is very confusing. Any help is very welcome!

  • So the error we get now is: "reports.repeato.app uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH" Any idea why?

  • What is producing that error? You'll find debugging this sort of thing is easier using a command-line tool like curl and looking at the debug (verbose) output rather than relying on what a browser throws up (as they are trying to be user-friendly).

Stephan
asked a year ago · 274 views
2 Answers
2

What's missing here is the name of the origin (the back-end server - which is S3) that you have configured in your CloudFront distribution - or how you've configured that.

The best way to link your CloudFront distribution to S3 is to use OAC: https://aws.amazon.com/blogs/networking-and-content-delivery/amazon-cloudfront-introduces-origin-access-control-oac/

Also: You've listed some values in the table in your question which should probably be kept private - things like domain keys. I'd remove them from the question and also strongly recommend refreshing them. I'm not 100% sure what the security risk is but better to be safe than sorry - those values are used to confirm your domain identity to providers (AWS, Stripe, etc.). It may not be a big deal but it's the type of thing that is better safe than sorry.

Update: Looking at the CloudFront screenshot you've configured the bucket for website access - you don't need to do that; it can be disabled and you can use OAC to restrict access to the bucket only to CloudFront. That also means that you don't have to make content in the bucket public. Unless you have a good reason, I would do that (disable website hosting on the bucket; make it private; use OAC).

Finally, to address the actual question: I know this sounds like a silly question but are you 100% sure that dpzoovgmxjpdc.cloudfront.net. is the distribution that points to your S3 bucket?

AWS EXPERT
answered a year ago
  • Thanks Brettski, I updated the post...

  • Yes, I am 100% sure that it points to the bucket. You can also see that in the screenshot. I also tried disabling website access in the bucket. It didn't change anything. Still the wrong content is showing. Did you see that the content that is shown is not even hosted on S3? It's hosted on heroku (which itself is using S3, so I am kind of thinking that this could be one of the main ingredients for the mess).

  • Maybe this traceroute information could be interesting too? It seems strange to me...

    traceroute reports.repeato.app
    traceroute: Warning: reports.repeato.app has multiple addresses; using 13.32.110.52
    traceroute to dpzoovgmxjpdc.cloudfront.net (13.32.110.52), 64 hops max, 52 byte packets
     1  fritz.box (192.168.178.1)  2.876 ms  2.282 ms  2.242 ms
     2  77.118.224.1.wireless.dyn.drei.com (77.118.224.1)  9.547 ms  9.370 ms  12.708 ms
     3  192.168.242.95 (192.168.242.95)  10.458 ms  10.722 ms  11.614 ms
     4  99.83.112.86 (99.83.112.86)  10.099 ms  10.424 ms  15.931 ms

    traceroute clients.repeato.app
    traceroute: Warning: clients.repeato.app has multiple addresses; using 108.128.72.146
    traceroute to secure-lychee-o9fwczm8jn18lb78hqitwc21.herokudns.com (108.128.72.146), 64 hops max, 52 byte packets
     1  fritz.box (192.168.178.1)  2.725 ms  2.197 ms  2.100 ms
     2  77.118.224.1.wireless.dyn.drei.com (77.118.224.1)  9.634 ms  9.178 ms  9.000 ms
     3  192.168.242.95 (192.168.242.95)  13.955 ms  12.147 ms  9.958 ms
     4  99.83.112.86 (99.83.112.86)  9.018 ms  10.273 ms  11.897 ms

  • When I visit reports.repeato.app or clients.repeato.app I see a sign-in page. reports.repeato.app points to a CloudFront distribution (dpzoovgmxjpdc.cloudfront.net) while reporst.repeato.app resolved to Heroku. Note that reports.repeato.app says "Repeato Client Center" in the browser tab while clients.repeato.app has Login so they are definitely different. It looks like your S3 bucket is serving up some Javascript that renders a login page. Try accessing it with curl or wget - that way you get the raw response and not something that your browser is interpreting.

  • @Brettski-AWS: That's a very interesting observation indeed. Tried wget, and the source is indeed different. However, can't really make sense of it. But in any case, the bucket hosts a completely different project than what you see when you navigate to reports.repeato.app. This is what is served from the bucket: https://s3.eu-central-1.amazonaws.com/reports.repeato.app/index.html

    Why the heck is https://reports.repeato.app showing content from a completely different project hosted on heroku? Could it be that heroku kind of "catches" all subdomain requests and routes them to the only project I am hosting there?

0

Finally, we managed to get it done. The 2 issues were:

  1. We had Mongo DB web services activated and it caught all requests to that subdomain and routed it to an old version of the backend. We just had forgotten to turn off that instance and remove the DNS setting.
  2. The "Alternate domain name (CNAME) - optional" field was not set to "reports.repeato.app". We didn't think it was necessary, since it says "optional".

Thanks @Brettski-AWS for your help!

Stephan
answered a year ago
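The command-line check suggested in the comments, and the alias problem from the accepted answer, can be turned into a small diagnostic. This is an added example, not code from the thread: it resolves the hostname, shows which certificate the edge presents for the SNI name (a CloudFront distribution with no matching alternate domain name is what produces the ERR_SSL_VERSION_OR_CIPHER_MISMATCH symptom seen above), and classifies the answering layer from response headers. The hostname default and the header values ("Via: ... (CloudFront)", "X-Cache", Heroku's "Via: 1.1 vegur" / "Server: Cowboy") are assumptions of this example; the test headers below are constructed.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original thread). It classifies which
# layer actually answered an HTTPS request by inspecting response headers:
# CloudFront adds "Via: ... cloudfront.net (CloudFront)" and "X-Cache";
# Heroku's router adds "Via: 1.1 vegur" and usually "Server: Cowboy".
# Anything else is reported as "other".
#
# Usage: serving_layer < headers.txt   (headers as written by `curl -sI`)
serving_layer() {
    # strip CRLF, lower-case header names/values, then match known markers
    tr -d '\r' | tr 'A-Z' 'a-z' | awk '
        /^via:/    && /cloudfront/ { cf = 1 }
        /^x-cache:/                { cf = 1 }
        /^via:/    && /vegur/      { heroku = 1 }
        /^server:/ && /cowboy/     { heroku = 1 }
        END {
            if (cf)          print "cloudfront"
            else if (heroku) print "heroku"
            else             print "other"
        }'
}

# Live check (network required). Shows the DNS answer, the certificate the
# edge presents for this SNI name (wrong/absent alias => wrong or no cert),
# and which layer produced the response. Hostname from the thread is the
# default; pass another as $1.
check_host() {
    host="${1:-reports.repeato.app}"
    echo "== DNS answer for $host"
    dig +short "$host"
    echo "== certificate presented for SNI $host"
    openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName
    echo "== answering layer"
    curl -sI "https://$host/" | serving_layer
}
```

Run `check_host` (or `check_host clients.repeato.app`) from a shell with dig, openssl and curl installed; if the certificate step prints nothing, the edge refused the handshake for that SNI name, which is the alias misconfiguration described in the answer.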
