Serving My EC2 Hosted Website Via CloudFront


Hello All,

First question in this forum. Hope it finds all well and prospering.

The Set Up:

I have an EC2 instance running Nginx and hosting my site. Got an Elastic IP, opened all the right ports. So far, all working well.

I have created a CloudFront distribution. It uses the domain name of my site as the source. I add a subdomain,, as an alternate domain at the Distribution Interface. I have created Sectigo SSL certs on my server and created them for my distribution, using the CloudFront interface. SSL is enabled for,, and I set as a CloudFront Alias record in my Route 53 DNS. It points to the URL of the CloudFront distribution. I wait until the changes are deployed before testing. My subdomain, works. The URL for my distribution, works. The distribution is obtaining content from my EC2 instance using as the source. It seems that all is well.

Conflict Ensues:

I want it so that when end users enter into their browser, they get content via my CloudFront distribution vs getting it from my server. To make that happen I have tried all kinds of combos. The way I understand things, the following should have worked.

Heroic Action:

I change the source of my distribution from to Then I change two DNS records. First, goes from pointing to the CloudFront URL to the IP of my EC2 web server. Second, goes from being aimed at the IP to pointing at the CloudFront URL. Using Distribution interface, I remove cdn.mydomain from alternate domains and add Essentially I have flipped the roles played by and I wait for things to propagate and redeploy.

The All Is Lost Moment:

At this point, nothing works. I get an error. Too many redirects. None of the URLs that worked above, work now.

Déjà All Over Again:

I reverse things. All is well. cdn.mydomain and the Distribution URLs seem to serve content via my CloudFront Distribution. And works as expected because it points at the IP of my server.

A Man Has Got To Know His Limitations:

My obviously flawed understanding is that I need to have a subdomain as the source of the Distribution and that said subdomain,, should point at the IP of my web server. I figure Nginx needs to know about that subdomain and have added it to my .conf file. I assume that the DNS for should then point at the Distribution URL. I toss in a trusted source set of certificates for all three involved domains on my server and tell Nginx what it needs to know about them. I attach a certificate generated by AWS, for all three of my domains via the distribution alternate URL tab of the Distribution interface. But I only allow one alternate URL, which, per my understanding, should be

Confession Is Good For The Solution:

I am stuck in a loop. I can't get out of it. What am I missing? Thanks for any help!

John Ullom

asked a year ago, 53 views
2 Answers
Accepted Answer
  1. Create a certificate in ACM, basically wildcarded for *
  2. In the distribution, set the "Alternate domain name" to both,
  3. Use cert from ACM
  4. Create two Behaviors, one for your static content and one for your dynamic content. You will have different caching policies for each.
  5. In Route 53, point both and to Alias of CloudFront distribution
answered a year ago
reviewed 8 months ago
  • Hello,

    Thank you for responding. I did as you instructed. Still getting too many redirects error. I am a bit fuzzy as to creating the behaviors but I am reading up on that. For now, I am sticking with the default behavior until I get what I am doing in that regard. I am hoping that whatever it is I am doing wrong is not related to that.

    I have created the DNS entries as specified. They point at the distribution URL. I assume that I leave pointing directly at my server and use it as the source for the distribution. resolves as expected. I have cleared cookies, used incognito browsers, and used the old reliable Ctrl+F5 sequence to clear caches. Still too many redirects. Also checked my domain alias URL. Too many redirects.

    I am missing something and it is probably obvious.

  • Yes, so what I recommended is to serve the entire site from CloudFront, both static and dynamic content. The '' would be abandoned. The behavior for the static content, like .jpg,.css, would have normal caching policy like 'CachingOptimized'. The behavior for the dynamic content, like *.php, would have the 'CachingDisabled' policy, where CloudFront always requests from the origin.

  • Thank you sir!! Your response was the correct response. The problem I was having was on my server. It was a mess. Rebuilt the whole shebang using FreeBSD. Ran into a cipher issue. Mine were too limited. Fixed that too.

    Thanks again.
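The accepted answer's layout (a dedicated origin hostname on the Elastic IP, the site's own names aliased to the distribution, two cache behaviors, an ACM certificate) can be sanity-checked before anything is deployed. The script below is an added example written for this thread; it is not code from the original poster or from AWS. The hostnames, the Elastic IP 203.0.113.10 and the distribution hostname are constructed, and the `Record` class is a simplified stand-in for Route 53 (A records and alias records only). It models the two layouts from the thread, the "Heroic Action" one where the origin name and the alternate domain name are the same hostname, and the recommended one, and flags the two classic causes of "too many redirects": CloudFront fetching from a name that resolves back to CloudFront, and an `http-only` origin protocol against an Nginx that answers every plain-HTTP request with a 301 to https.

```python
"""Sanity-check a CloudFront-in-front-of-EC2 layout before deploying it.

Added example for this thread, not code from the original poster or AWS.
Hostnames, the Elastic IP and the distribution hostname are constructed;
Record is a simplified model of Route 53 (A and alias records only).
"""
from __future__ import annotations

from dataclasses import dataclass

# Route 53 uses this fixed hosted zone ID for every CloudFront alias target.
CLOUDFRONT_ALIAS_ZONE_ID = "Z2FDTNDATAQYW2"
# AWS managed cache policy IDs for the two policies the accepted answer names.
CACHING_OPTIMIZED = "658327ea-f89d-4fab-a63d-7e88639e58f6"
CACHING_DISABLED = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad"


@dataclass
class Record:
    name: str
    rtype: str      # "A" (IPv4 address) or "ALIAS" (Route 53 alias to a DNS name)
    target: str


@dataclass
class Distribution:
    domain_name: str        # e.g. d111111abcdef8.cloudfront.net
    origin_domain: str      # hostname CloudFront fetches from
    aliases: list[str]      # alternate domain names on the distribution
    origin_protocol: str = "https-only"   # or "http-only" / "match-viewer"


def resolve(name: str, records: list[Record]) -> str | None:
    """Follow alias records to an A record's IP or to a name outside the zone.
    Returns None if the alias chain loops back on itself."""
    seen: set[str] = set()
    while name not in seen:
        seen.add(name)
        rec = next((r for r in records if r.name == name), None)
        if rec is None:
            return name             # outside this zone, e.g. *.cloudfront.net
        if rec.rtype == "A":
            return rec.target
        name = rec.target
    return None


def check_layout(dist: Distribution, records: list[Record],
                 origin_redirects_http: bool) -> list[str]:
    """Findings for the two classic redirect-loop causes; [] means sane.
    origin_redirects_http: the origin's port-80 server block 301s to https."""
    findings: list[str] = []
    if (dist.origin_domain in dist.aliases
            or resolve(dist.origin_domain, records) in (None, dist.domain_name)):
        findings.append(f"origin {dist.origin_domain} points back at the "
                        "distribution; CloudFront would be fetching from itself")
    for alias in dist.aliases:
        if resolve(alias, records) != dist.domain_name:
            findings.append(f"{alias} does not alias to {dist.domain_name}")
    if origin_redirects_http and dist.origin_protocol == "http-only":
        findings.append("CloudFront fetches over plain HTTP and the origin "
                        "answers 301 to https; the viewer follows it back into "
                        "CloudFront forever")
    return findings


def route53_alias_change(name: str, dist: Distribution) -> dict:
    """UPSERT change for an apex or subdomain alias record to the distribution."""
    return {"Action": "UPSERT", "ResourceRecordSet": {
        "Name": name, "Type": "A",
        "AliasTarget": {"HostedZoneId": CLOUDFRONT_ALIAS_ZONE_ID,
                        "DNSName": dist.domain_name,
                        "EvaluateTargetHealth": False}}}


def build_distribution_config(dist: Distribution, cert_arn: str) -> dict:
    """Subset of the DistributionConfig fields for this layout: static content
    cached, *.php passed through uncached, ACM certificate for viewers."""
    behavior = {"TargetOriginId": "ec2-nginx",
                "ViewerProtocolPolicy": "redirect-to-https"}
    return {
        "Aliases": {"Quantity": len(dist.aliases), "Items": list(dist.aliases)},
        "Origins": {"Quantity": 1, "Items": [{
            "Id": "ec2-nginx", "DomainName": dist.origin_domain,
            "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                   "OriginProtocolPolicy": dist.origin_protocol}}]},
        "DefaultCacheBehavior": {**behavior, "CachePolicyId": CACHING_OPTIMIZED},
        "CacheBehaviors": {"Quantity": 1, "Items": [
            {**behavior, "PathPattern": "*.php", "CachePolicyId": CACHING_DISABLED}]},
        "ViewerCertificate": {"ACMCertificateArn": cert_arn,
                              "SSLSupportMethod": "sni-only",
                              "MinimumProtocolVersion": "TLSv1.2_2021"},
    }


def flipped_layout() -> tuple[Distribution, list[Record]]:
    """The thread's 'Heroic Action': origin and alternate domain are one name."""
    dist = Distribution("d111111abcdef8.cloudfront.net", "www.example.com",
                        ["www.example.com"])
    return dist, [Record("cdn.example.com", "A", "203.0.113.10"),
                  Record("www.example.com", "ALIAS", dist.domain_name)]


def recommended_layout() -> tuple[Distribution, list[Record]]:
    """The accepted answer: origin name on the EIP, site names on CloudFront."""
    dist = Distribution("d111111abcdef8.cloudfront.net", "origin.example.com",
                        ["example.com", "www.example.com"])
    return dist, [Record("origin.example.com", "A", "203.0.113.10"),
                  Record("example.com", "ALIAS", dist.domain_name),
                  Record("www.example.com", "ALIAS", dist.domain_name)]
```

Two things the check cannot see but that bite in practice: by default CloudFront sends the origin domain name (here `origin.example.com`) as the `Host` header to a custom origin, so that name must be in the Nginx `server_name` and, with `https-only`, on a certificate the origin presents; and because the Elastic IP stays reachable, the instance's security group should admit port 443 only from CloudFront's origin-facing managed prefix list so the cache cannot simply be bypassed.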


You probably have this under control but are you taking DNS TTLs into account before testing?

answered a year ago
  • Yes sir, I have. Thanks for asking because in my case, I know just barely enough to be dangerous. I am using route 53 and typically wait 5 minutes or more after I make changes to my DNS entries.
