CloudFront redirects (301) to custom origin (ELB) instead of caching


A customer has configured CloudFront in front of an ELB and he tells me that when he tries to reach the website with the CloudFront URL, CloudFront sends a redirect (301) to the URL of the ELB (the URL changes from the CloudFront URL to the ELB URL in the browser) instead of serving the request directly.

Their custom origin redirects all http traffic to https. I suspect that when a user tries to access the website via the http address, CloudFront sends the request to the custom origin (ELB), the origin sends this redirect (301) to https to CloudFront, and CloudFront caches this redirect. In subsequent requests, CloudFront will send this cached redirect to the client, hence the client is just redirected to the custom origin and sees the URL change in his browser. This is explained in this page. Can you confirm this understanding is correct?

What can be done to solve this? I saw that changing the "Origin Protocol Policy" to "Match Viewer" could maybe solve that? Could you confirm this?

1 Answer
Accepted Answer

The customer's origin will be receiving the hostname of the origin configured in CloudFront (which points to the ELB) unless they have configured CloudFront to forward the Host header.

So assume that the public hostname for the website (and the CNAME set up on CloudFront) is www.mysite.com and the ELB's hostname is my-loadbalancer.us-west-2.elb.amazonaws.com. While the client sends:

GET /page HTTP/1.1
Host: www.mysite.com

if the Host header is not forwarded to the origin, the origin will receive:

GET /page HTTP/1.1
Host: my-loadbalancer.us-west-2.elb.amazonaws.com

and if it is not received over HTTPS, the origin probably issues a redirect response by simply concatenating https://, the Host header and the path to give the response:

HTTP/1.1 301 Moved Permanently
Location: https://my-loadbalancer.us-west-2.elb.amazonaws.com/page

CloudFront will return that to the client, and thus the client will go directly to the ELB.

As others have pointed out, you can configure CloudFront to redirect HTTP requests to HTTPS, and enforce all requests to the origin to be HTTPS. This will solve the issue since the origin redirection will never be executed.

If the redirection on the origin does additional logic that is needed, you could configure CloudFront to forward the Host header to the origin so it would then redirect to the public hostname, or you could modify the origin to store the public hostname as a configuration value and redirect to the public hostname rather than using the Host header.

answered 2 years ago
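As an added example (not from the answer above and not AWS code), here is a small Python model of the redirect flow the answer describes: the naive origin that builds the Location from the Host header beside a hardened version that uses a configured public hostname, run through the CloudFront settings the answer and the question mention. The hostnames are the ones from the answer; the policy names, the `simulate` function and the `PUBLIC_HOSTNAME` setting are assumptions of this example.

```python
from typing import Callable, Optional

# Hostnames taken from the answer; PUBLIC_HOSTNAME as an origin-side
# configuration value is an assumption of this example.
PUBLIC_HOSTNAME = "www.mysite.com"
ELB_HOSTNAME = "my-loadbalancer.us-west-2.elb.amazonaws.com"

Headers = dict
RedirectFn = Callable[[Headers, str], Optional[str]]


def naive_redirect(headers: Headers, path: str) -> Optional[str]:
    """Origin behaviour from the answer: concatenate https://, Host and path.
    Returns the 301 Location, or None when the request already arrived as HTTPS."""
    if headers.get("X-Forwarded-Proto") == "https":
        return None
    return f"https://{headers['Host']}{path}"


def hardened_redirect(headers: Headers, path: str) -> Optional[str]:
    """Same protocol check, but the target is the configured public hostname,
    so whatever Host carries (possibly the ELB name) never reaches the viewer."""
    if headers.get("X-Forwarded-Proto") == "https":
        return None
    return f"https://{PUBLIC_HOSTNAME}{path}"


def simulate(viewer_proto: str, viewer_policy: str, origin_policy: str,
             forward_host: bool, redirect: RedirectFn,
             path: str = "/page") -> Optional[str]:
    """Model one viewer request through CloudFront, the ELB and the origin.
    viewer_policy: "allow-all" or "redirect-to-https" (constructed names).
    origin_policy: "http-only", "https-only" or "match-viewer" (constructed names).
    Returns the Location the viewer is sent to, or None if the page is served."""
    if viewer_policy == "redirect-to-https" and viewer_proto == "http":
        # CloudFront answers the redirect itself using the viewer's hostname;
        # the origin is never contacted for this request.
        return f"https://{PUBLIC_HOSTNAME}{path}"
    if origin_policy == "match-viewer":
        origin_proto = viewer_proto
    else:
        origin_proto = origin_policy.split("-")[0]  # "http" or "https"
    headers = {
        "Host": PUBLIC_HOSTNAME if forward_host else ELB_HOSTNAME,
        # The ELB reports the scheme CloudFront used towards it, not the viewer's.
        "X-Forwarded-Proto": origin_proto,
    }
    return redirect(headers, path)
```

The simulation shows that "Match Viewer" alone still bounces plain-HTTP viewers to the ELB hostname, while forcing HTTPS to the origin, forwarding Host, or using a configured hostname each stop the leak.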
