Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

CloudFront will not work with authorization

0

I'm trying to set up a CloudFront distribution in front of a web server running on an EC2 instance. The purpose for doing this is so that I can attach a Certificate from the Certificate Manager to the distribution instead of having to install a certificate on the web server.

The web server hosts API endpoints for a mobile app, not web pages for a browser, although I do not think this matters.

It works, but only when I make requests which do not require authorization. For example I can call the login endpoint or the status check endpoint, which do not require authorization. But I cannot call any endpoint that requires authorization. The response I get back is always 403 Forbidden along with a small web page generated by CloudFront.

The server is looking for the "Authorization" header. I created and applied my own cache policy and made sure that it includes the Authorization header as well as several others, plus all of the query parameters and cookies, but this doesn't fix the problem. I also tried the predefined "Caching Disabled" policy. For Origin request policy I used "AllViewer" which says it is recommended for EC2.

Topics
Networking & Content Delivery
Tags
Amazon CloudFront
Language
English
asked a year ago991 views
5 Answers
1
Accepted Answer

I think I found the problem. I've been testing this with Postman. Someone copied a POST request in Postman and changed it to a GET request, but did not delete the post body. The presence of a post body in a GET request caused CloudFront to reject the request. Clearing the post body fixed it.

answered a year ago
0

Instead of cloudfront, have you considered using an ALB with a certifcate attached instead?

EXPERT
answered a year ago
  • Frank
    a year ago

    No. I don't know what an ALB is.

  • Frank
    a year ago

    Do you mean a load balancer?

  • Gary Mclean EXPERT
    a year ago

    ALB is Application Load balancer..

  • Frank
    a year ago

    Thanks, I think that is worth a try. I didn't realize you could use certificates with load balancers.

  • Generally Adam MODERATOR
    a year ago

    I don't believe you can with network load balancers, but application load balancers operate at layer 7/HTTP and support both certs for HTTPS as well as WAF firewall rules.

0

What do you see in the web server logs on your EC2 instance? Are you seeing requests with the Authorization header coming from CloudFront?

AWS
EXPERT
answered a year ago
  • Frank
    a year ago

    I'm seeing the header but the header name is being changed to all lowercase letters. So instead of "Authorization" I'm getting "authorization". This is why my application isn't reading the header. Why is this happening?

  • Frank
    a year ago

    This is probably not the problem. Ok, when I send the request through CloudFront I get all of the same headers that I get when I send it directly to the server, plus three additional ones called "x-forwarded-for", "via", and "x-amz-cf-id". I don't have any reason to believe that any of these extra headers is a problem. It doesn't make any sense. The authorization header is identical in both requests.

  • Frank
    a year ago

    The CloudFront error log reports "InvalidRequest text/html". This is curious because the request content type is supposed to be application/json. Is CloudFront blocking or modifying the Content-Type header?

0

Hello,

to fix the issue with CloudFront and the Authorization header:

Ensure your cache policy includes the Authorization header. Use a policy that forwards all headers, cookies, and query parameters. Apply the custom cache and origin request policies to your CloudFront distribution.

EXPERT
answered a year ago
EXPERT
reviewed a year ago
-1

CloudFront itself does not handle authorization directly like a traditional web server. Instead, it's typically used as a content delivery network (CDN) to distribute static and dynamic content globally with low latency. However, it can work with authorization mechanisms when used in conjunction with other AWS services or custom setups. Here are some common approaches to handle authorization with CloudFront:

  1. Using AWS Lambda@Edge:

    • Lambda@Edge allows you to run AWS Lambda functions at CloudFront edge locations, which can inspect and modify requests and responses in real-time. You can implement custom authorization logic using Lambda@Edge to check authorization headers, tokens, or cookies before allowing access to content served by CloudFront.

  2. Origin Access Identity (OAI):

    • You can restrict access to your CloudFront distribution so that it only fetches content from an Amazon S3 bucket or an HTTP server that you specify. By using an OAI, you ensure that requests made through CloudFront are authenticated based on permissions configured on the origin (like an S3 bucket).

  3. Signed URLs or Signed Cookies:

    • CloudFront supports serving content using signed URLs or signed cookies. This approach generates URLs or cookies with limited expiration times and permissions, which can be used to grant temporary access to content based on the presence of a valid signature.

  4. Use of Custom Headers:

    • You can configure CloudFront to forward custom headers to your origin. For example, if your origin server performs authentication based on specific headers (like an authentication token), you can configure CloudFront to pass these headers along with the request.

  5. Authorization at the Origin:

    • Implementing authorization directly at your origin (e.g., web server or application server) and ensuring that CloudFront only serves authorized content based on the responses from the origin server.

Example Scenario Using Lambda@Edge:

Let's say you have an application where users must be authenticated to access certain content. Here's how you might use Lambda@Edge with CloudFront for authorization:

  • Configure your CloudFront distribution to use Lambda@Edge for viewer request events.
  • Write a Lambda function that checks incoming requests for an authorization token or cookie.
  • If the authorization token or cookie is valid (i.e., matches a session or is signed correctly), allow the request to proceed.
  • If the authorization token or cookie is missing or invalid, return a 401 Unauthorized response or redirect to a login page.

Lambda@Edge functions are deployed globally across AWS's network of edge locations, ensuring that authorization checks are performed close to the user, which helps reduce latency.

Considerations:

  • Cost: Using Lambda@Edge incurs costs for both the Lambda invocations and data transfer. Ensure to review AWS pricing for Lambda@Edge and CloudFront data transfer.

  • Performance: Lambda@Edge can add a small additional latency to requests due to the time taken to execute the function at the edge location. However, this latency is generally minimal due to the proximity of the edge locations to the end users.

By leveraging these methods, you can effectively handle authorization and access control while using CloudFront to distribute your content globally with low latency. Each approach has its nuances and suitability depending on your specific use case and security requirements.

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content