Cloudfront not respecting Origin Path
I have a cloudfront distribution with two origins. The first is an S3 static-website bucket and the second is an ALB. I also configured an extra behavior (apart from the default) to forward all api requests to the ALB.
CNAME - service.example.com
- Path Pattern -
- Cache Policy -
- Origin Request Policy -
- Origin Path -
The objective is to fetch https://service.example.com/api/v1/something when I try to access
This doesn't work. If I access service.example.com/api/anything the URL does not even get rewritten to
Is there a CloudFront behavior I'm not aware of that's making me misconfigure this?
Edit to add:
I enabled ALB access logging and this is how all requests look:
https 2022-04-21T08:35:38.496934Z app/example-service/48c3493fa5414f88 188.8.131.52:45416 10.0.2.91:8000 0.001 0.002 0.000 404 404 39 178 "GET https://184.108.40.206:443/ HTTP/1.1" "-" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:ACCOUNTID:targetgroup/example-service/1d723b6babea76f0 "Root=1-6261175a-69c4fa13012685" "-" "arn:aws:acm:us-east-1:ACCOUNTID:certificate/1d74321b-[snip]-539" 0 2022-04-21T08:35:38.493000Z "forward" "-" "-" "10.0.2.91:8000" "404" "-" "-"
Referring to the syntax of this log line, it seems like "GET https://220.127.116.11:443/ HTTP/1.1" is the requested path. There is no path here even though I requested
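To read an entry like the one quoted above field by field, this added example (not part of the original post) parses an ALB access log line and reports the host and path from the request field, the TLS SNI name (the domain_name field) and the user agent. The sample lines, the `/api/` prefix and the helper names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Field order of an ALB access log entry, per the AWS ALB documentation.
ALB_FIELDS = (
    "type time elb client target request_processing_time target_processing_time "
    "response_processing_time elb_status_code target_status_code received_bytes "
    "sent_bytes request user_agent ssl_cipher ssl_protocol target_group_arn "
    "trace_id domain_name chosen_cert_arn matched_rule_priority "
    "request_creation_time actions_executed redirect_url error_reason "
    "target_port_list target_status_code_list classification classification_reason"
).split()
# A field is either a double-quoted string (may contain spaces) or a bare token.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def parse_alb_entry(line):
    values = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in TOKEN.finditer(line)]
    if len(values) < 19:
        raise ValueError("too few fields for an ALB access log entry")
    return dict(zip(ALB_FIELDS, values))  # fields beyond the known list are ignored

def summarize_request(line, expected_prefix="/api/"):
    """Report what the load balancer saw. expected_prefix is an assumption:
    the page does not show the behavior's real path pattern."""
    entry = parse_alb_entry(line)
    url = entry["request"].partition(" ")[2].rpartition(" ")[0]  # drop method, protocol
    parts = urlsplit(url)
    return {
        "host": parts.hostname,
        "path": parts.path,
        "sni": entry["domain_name"],
        "user_agent": entry["user_agent"],
        "status": (entry["elb_status_code"], entry["target_status_code"]),
        "has_expected_path": parts.path.startswith(expected_prefix),
    }

def sample_line(url, sni, agent, status):
    """Build a constructed log line in the same layout as the quoted entry."""
    return (f'https 2022-04-21T08:35:38.496934Z app/example-service/EXAMPLE '
            f'192.0.2.10:45416 10.0.2.91:8000 0.001 0.002 0.000 {status} {status} '
            f'39 178 "GET {url} HTTP/1.1" "{agent}" ECDHE-RSA-AES128-GCM-SHA256 '
            f'TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:ACCOUNTID:targetgroup/'
            f'example-service/EXAMPLE "Root=1-EXAMPLE" "{sni}" "-" 0 '
            f'2022-04-21T08:35:38.493000Z "forward" "-" "-" "10.0.2.91:8000" '
            f'"{status}" "-" "-"')

BARE_IP_LINE = sample_line("https://192.0.2.20:443/", "-", "-", 404)
API_LINE = sample_line("https://service.example.com:443/api/v1/something", "service.example.com", "Example Agent/1.0", 200)
```

Comparing the host, SNI name and user agent across entries shows which logged requests carry the path and hostname a given client was expected to send.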
Are you specifying your api origin as an ALB or as an HTTP/S server? If the former (which I think is correct) then wouldn't the constructed origin URL be based on the default ALB domain not your CNAME?
I specify the API origin as an HTTPS server. If I use the ALB from the drop-down list, Cloudfront tries to connect to the ALB FQDN over HTTPS and fails because the TLS cert is only valid for the CNAME (service.example.com) and not
So, I have a domain name, say, api-alb.example.com pointing to the ALB (ALIAS-A rec on Route53) and the origin is set to api-alb.example.com over HTTPS. This ensures that the certificate configured at the ALB is valid for the FQDN to which Cloudfront is trying to connect.
I have the exact same behaviour but wasn't able to get it to work. Did you have any luck?