The customer's origin will be receiving the hostname of the origin configured in CloudFront (which points to the ELB) unless they have configured CloudFront to forward the Host header.
So assume that the public hostname for the website (and the CNAME set up on CloudFront) is www.mysite.com and the ELB's hostname is my-loadbalancer.us-west-2.elb.amazonaws.com. While the client sends:
GET /page HTTP/1.1
Host: www.mysite.com
if the Host header is not forwarded to the origin, the origin will receive:
GET /page HTTP/1.1
Host: my-loadbalancer.us-west-2.elb.amazonaws.com
and if it is not received over HTTPS, the origin probably issues a redirect response by simply concatenating https://, the Host header and the path to give the response:
HTTP/1.1 301 Moved Permanently
Location: https://my-loadbalancer.us-west-2.elb.amazonaws.com/page
CloudFront will return that to the client, and thus the client will go directly to the ELB.
As others have pointed out, you can configure CloudFront to redirect HTTP requests to HTTPS, and enforce all requests to the origin to be HTTPS. This will solve the issue since the origin redirection will never be executed.
If the redirection on the origin does additional logic that is needed, you could configure CloudFront to forward the Host header to the origin so it would then redirect to the public hostname, or you could modify the origin to store the public hostname as a configuration and to redirect to the public hostname rather than using the Host header.
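
Added example, not part of the original answer and not AWS code: a minimal WSGI origin showing the redirect built from the received Host header next to the variant that redirects to a configured public hostname. The function names, the `PUBLIC_HOST` setting and the use of `X-Forwarded-Proto` to detect the scheme are assumptions made for illustration; the requests are constructed.

```python
# Added example (not from the original answer): origin-side HTTP->HTTPS redirect.
PUBLIC_HOST = "www.mysite.com"  # assumption: public hostname stored as origin config
ELB_HOST = "my-loadbalancer.us-west-2.elb.amazonaws.com"  # Host seen when not forwarded


def make_app(public_host=None):
    """Build a WSGI app that redirects plain-HTTP requests to HTTPS.

    public_host=None reproduces the behaviour described above: Location is
    built from whatever Host header the origin received.
    """
    def app(environ, start_response):
        # Assumption: the load balancer reports the scheme in X-Forwarded-Proto;
        # otherwise fall back to the scheme of the direct connection.
        scheme = environ.get("HTTP_X_FORWARDED_PROTO",
                             environ.get("wsgi.url_scheme", "http"))
        if scheme.lower() != "https":
            host = public_host or environ.get("HTTP_HOST", "")
            target = "https://" + host + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently", [("Location", target)])
            return [b""]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]
    return app


def location_for(app, host, path="/page", scheme="http"):
    """Drive the app with a constructed request; return the Location header or None."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": "",
               "HTTP_HOST": host, "wsgi.url_scheme": scheme}
    app(environ, start_response)
    return captured["headers"].get("Location")


if __name__ == "__main__":
    print(location_for(make_app(), ELB_HOST))             # Host not forwarded: ELB name
    print(location_for(make_app(PUBLIC_HOST), ELB_HOST))  # configured public hostname
    print(location_for(make_app(), PUBLIC_HOST))          # Host header forwarded
```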