I have a CloudFront distribution with two origins. The first is an S3 static-website bucket and the second is an ALB. I also configured an extra behavior (apart from the default) to forward all API requests to the ALB.
CNAME - service.example.com
**Behavior:**
- Path Pattern - api/*
- Cache Policy - CachingDisabled
- Origin Request Policy - AllViewer
- Origin
The objective is to fetch https://service.example.com/api/v1/something when I try to access https://service.example.com/api/something.
This doesn't work. If I access service.example.com/api/anything, the URL does not even get rewritten to service.example.com/api/v1/anything.
Is there a CloudFront behavior I'm not aware of that's making me misconfigure this?
Edit to add:
I enabled ALB access logging and this is how all requests look:
```
https 2022-04-21T08:35:38.496934Z app/example-service/48c3493fa5414f88 65.49.20.66:45416 10.0.2.91:8000 0.001 0.002 0.000 404 404 39 178 "GET https://44.198.88.248:443/ HTTP/1.1" "-" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:ACCOUNTID:targetgroup/example-service/1d723b6babea76f0 "Root=1-6261175a-69c4fa13012685" "-" "arn:aws:acm:us-east-1:ACCOUNTID:certificate/1d74321b-[snip]-539" 0 2022-04-21T08:35:38.493000Z "forward" "-" "-" "10.0.2.91:8000" "404" "-" "-"
```
Referring to the syntax of this log line, it seems like "GET https://44.198.88.248:443/ HTTP/1.1" is the requested path. There is no path here even though I requested /api/v1/something/else.
I specify the API origin as an HTTPS server. If I use the ALB from the drop-down list, CloudFront tries to connect to the ALB FQDN over HTTPS and fails because the TLS cert is only valid for the CNAME (service.example.com) and not `*.elb.aws.amazon.com`. So, I have a domain name, say, `api-alb.example.com`, pointing to the ALB (ALIAS A record on Route53) and the origin is set to `api-alb.example.com` over HTTPS. This ensures that the certificate configured at the ALB is valid for the FQDN to which CloudFront is trying to connect.
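One way to get the `/api/...` to `/api/v1/...` mapping the question describes, as an added example that is not part of the question: a CloudFront Function attached to the viewer-request event of the `api/*` behavior, which rewrites the path before CloudFront forwards the request to the ALB origin. It assumes only the `event.request.uri` field of the CloudFront Functions event (path without query string); the function names `rewriteUri` and `handler` and the choice to leave already-versioned paths untouched are mine.

```javascript
// Added example (not from the question): a CloudFront Function for the
// viewer-request event of the api/* behavior. It inserts the "/v1" segment
// after "/api" so that /api/something reaches the ALB as /api/v1/something.
'use strict';

var API_PREFIX = '/api/';
var VERSIONED_PREFIX = '/api/v1/';

// Return the rewritten path, or the input unchanged when no rewrite applies.
function rewriteUri(uri) {
    if (typeof uri !== 'string') {
        return uri;
    }
    // Collapse repeated slashes first so "/api//x" is treated as "/api/x"
    // and cannot slip past the prefix check below.
    var normalized = uri.replace(/\/{2,}/g, '/');

    // Assumption: a path that already carries /api/v1 is left as-is rather
    // than becoming /api/v1/v1/...; adjust if your API expects otherwise.
    if (normalized === '/api/v1' || normalized.indexOf(VERSIONED_PREFIX) === 0) {
        return normalized;
    }
    // Paths outside /api/ should never reach this behavior (path pattern
    // api/*), but return them untouched instead of mangling them.
    if (normalized.indexOf(API_PREFIX) !== 0) {
        return normalized;
    }
    return VERSIONED_PREFIX + normalized.slice(API_PREFIX.length);
}

// CloudFront Functions entry point: mutate request.uri and return the request
// so CloudFront continues processing with the rewritten path.
function handler(event) {
    var request = event.request;
    request.uri = rewriteUri(request.uri);
    return request;
}
```

The ALB access log will then show the rewritten path in its request field, which is the quickest way to confirm the function ran for a given request.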