504 error when Cloudfront send https-only request to ALB with specific security group

0

I got our CloudFront with ALB as origin, and configured origin as HTTPS ONLY which means CloudFront uses only HTTPS to access the origin. And for this ALB, we tried following inbound rules under its security group:

  • Allow all TCP request from 0.0.0.0/0 for 443
  • Allow all TCP request from 10...0/16 for 80 (character * is replacement for actual private ip)

It seems like cloudfront will send 443 requests to ALB, and pass the security group. However, it doesn't, cloudfront return 504 for my HTTPS request. And weird things are:

  1. if we split the ALB into two ALB (one for 443, one for 80), it works as we expected;
  2. if we change the source of the security group rule for 80 port to 0.0.0.0/0, it works, but we want to limit the access for 80 port(only accessible by private ip address).

Anyone has any thoughts on it?

2 Answers
0
  1. Do you have valid and non-self-signed certificate associated with ALB?
  2. Do you have valid ALB listener associated with target for port 443?
answered 2 years ago
  • Thanks for reply!

    1. Yes, we have SSL certificates from ACM both in CloudFront and ALB side.
    2. Yes, it has. As I said above, it works in two weird situations.
0

Hi there,

The 504 error you are experiencing with CloudFront sending HTTPS-only requests to your ALB (Application Load Balancer) can be caused by a few potential issues such as:

  1. The origin returned an HTTP 504 status code to CloudFront.
  2. The origin didn’t respond before the request expired.
  3. Origin being unreachable and TCP timing out.

To resolve problems with accessing your domain name over HTTPS, check the following:

  1. Your SSL certificate's domain name must be added as an alternate domain name (CNAME) in your CloudFront distribution's settings. For more information, see Using custom URLs for files by adding alternate domain names (CNAMEs).
  2. The domain name of the SSL certificate must be consistent with the domain name associated with the CloudFront distribution. For example, if you issue an SSL certificate for *.example.com, then the CloudFront distribution will support domain names such as abc.example.com or 123.example.com. However, an SSL certificate for *.example.com won't support domain names such as abc.123.example.com. To use abc.123.example.com as a domain name, you need an SSL certificate for either *.123.example.com or abc.123.example.com.
  3. Verify that the status of your CloudFront distribution is Deployed. If the status is still InProgress, then you might not be able to access the domain name because data is still propagating across edge locations.
  4. SSL/TLS certificate: Verify that the SSL/TLS certificate installed on the ALB is valid and matches the domain name used by CloudFront. CloudFront requires a valid certificate to establish a secure connection with the ALB.
  5. Check if there are any network issues or routing problems between CloudFront and the ALB. Ensure that the ALB's DNS name is correctly configured as the origin in CloudFront.
  6. ALB configuration: Verify that the ALB is correctly configured to handle HTTPS requests on port 443. Check the listener configuration and make sure it is set up to handle HTTPS traffic.
  7. Verify that the origin server firewall allows connections from CloudFront, confirm that the firewall allows traffic for port 443.

For more information on troubleshooting SSL errors, see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/http-502-bad-gateway.html#ssl-negotitation-failure

Related information https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/http-504-gateway-timeout.html https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html

AWS
Lebo_M
answered 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions