
CloudFront not respecting Origin Path

0

I have a CloudFront distribution with two origins. The first is an S3 static-website bucket and the second is an ALB. I also configured an extra behavior (apart from the default) to forward all API requests to the ALB.

CNAME - service.example.com

Behavior:

  • Path Pattern - api/*
  • Cache Policy - CachingDisabled
  • Origin Request Policy - AllViewer

Origin

  • Origin Path - /api/v1

The objective is to fetch https://service.example.com/api/v1/something when I try to access https://service.example.com/api/something.

This doesn't work. If I access service.example.com/api/anything, the URL does not even get rewritten to service.example.com/api/v1/anything.

Is there a CloudFront behavior I'm not aware of that's making me misconfigure this?

Edit to add:

I enabled ALB access logging and this is how all requests look:

https 2022-04-21T08:35:38.496934Z app/example-service/48c3493fa5414f88 65.49.20.66:45416 10.0.2.91:8000 0.001 0.002 0.000 404 404 39 178 "GET https://44.198.88.248:443/ HTTP/1.1" "-" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:ACCOUNTID:targetgroup/example-service/1d723b6babea76f0 "Root=1-6261175a-69c4fa13012685" "-" "arn:aws:acm:us-east-1:ACCOUNTID:certificate/1d74321b-[snip]-539" 0 2022-04-21T08:35:38.493000Z "forward" "-" "-" "10.0.2.91:8000" "404" "-" "-"

Referring to the syntax of this log line, it seems like "GET https://44.198.88.248:443/ HTTP/1.1" is the requested path. There is no path here even though I requested /api/v1/something/else.
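The following is an added example, not code from the question or from AWS. It models two things a practitioner would check here: first, the path CloudFront actually forwards when an Origin Path is set on an origin behind a path-pattern behavior (CloudFront prepends the Origin Path to the whole viewer path and does not strip the pattern's prefix), and second, what the posted ALB access-log line says reached the load balancer. The host names service.example.com and api-alb.example.com are the ones used in this thread; the second log line, its client IP 130.176.1.10 and its trace and certificate IDs are constructed placeholders for illustration.

```python
"""Added example, not code from the re:Post thread.

1. origin_request_path(): what path CloudFront sends to the origin once an
   Origin Path is set on an origin used by a path-pattern behavior.
2. parse_alb_request() / classify_request(): what an ALB access-log line
   says reached the load balancer, and whether that request can have come
   through the distribution at all.
"""
import ipaddress
import shlex
from urllib.parse import urlsplit

# Names from the thread; api-alb.example.com is the origin FQDN the asker
# describes in the follow-up comment below the first answer.
VIEWER_HOST = "service.example.com"
ORIGIN_HOST = "api-alb.example.com"
ORIGIN_PATH = "/api/v1"


def origin_request_path(viewer_path: str, origin_path: str = "") -> str:
    """Return the path CloudFront forwards to the origin.

    CloudFront prepends the origin's Origin Path to the *entire* viewer path.
    A cache behavior's path pattern (api/*) only selects the behavior; the
    matched prefix is not removed. So Origin Path /api/v1 turns a viewer
    request for /api/something into /api/v1/api/something, never
    /api/v1/something.
    """
    origin_path = origin_path.rstrip("/")
    if not viewer_path.startswith("/"):
        viewer_path = "/" + viewer_path
    return origin_path + viewer_path


def parse_alb_request(line: str) -> dict:
    """Pull the fields that matter out of one ALB access-log entry.

    0-based field order in the ALB access-log format: type, time, elb,
    client:port, target:port, request_processing_time,
    target_processing_time, response_processing_time, elb_status_code,
    target_status_code, received_bytes, sent_bytes, "request", ...
    The quoted request field is 'METHOD scheme://host:port/path HTTP/x.y'.
    """
    fields = shlex.split(line)  # keeps each double-quoted field as one token
    method, url, _version = fields[12].split(" ")
    parts = urlsplit(url)
    return {
        "client_ip": fields[3].rsplit(":", 1)[0],
        "elb_status": fields[8],
        "method": method,
        "request_host": parts.hostname or "",
        "request_path": parts.path or "/",
    }


def classify_request(entry: dict, expected_hosts, origin_path: str) -> str:
    """Label a logged request by whether it is consistent with having come
    from CloudFront with the Origin Path applied.

    CloudFront origins are configured by DNS name, so the Host it sends to
    the ALB is a DNS name (the origin domain, or the viewer's Host when the
    origin request policy forwards it) and never an IP literal. A request
    whose Host is the load balancer's IP therefore reached the ALB directly
    and says nothing about the distribution's path handling.
    """
    host = entry["request_host"]
    try:
        ipaddress.ip_address(host)
        return "direct-to-alb-by-ip"
    except ValueError:
        pass
    if host not in expected_hosts:
        return "unexpected-host"
    prefix = origin_path.rstrip("/") + "/"
    if not entry["request_path"].startswith(prefix):
        return "origin-path-missing"
    return "via-cloudfront"


def audit(lines, expected_hosts=(VIEWER_HOST, ORIGIN_HOST), origin_path=ORIGIN_PATH):
    """Classify every log line; returns [(client_ip, request_path, label), ...]."""
    out = []
    for line in lines:
        e = parse_alb_request(line)
        out.append((e["client_ip"], e["request_path"],
                    classify_request(e, expected_hosts, origin_path)))
    return out


# First line: the entry posted in the question. Second line: constructed here
# to show what a request forwarded by CloudFront with Origin Path /api/v1 would
# look like (client IP, trace ID and certificate ID are placeholders).
SAMPLE_LOG = [
    'https 2022-04-21T08:35:38.496934Z app/example-service/48c3493fa5414f88 65.49.20.66:45416 10.0.2.91:8000 0.001 0.002 0.000 404 404 39 178 "GET https://44.198.88.248:443/ HTTP/1.1" "-" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:ACCOUNTID:targetgroup/example-service/1d723b6babea76f0 "Root=1-6261175a-69c4fa13012685" "-" "arn:aws:acm:us-east-1:ACCOUNTID:certificate/1d74321b-[snip]-539" 0 2022-04-21T08:35:38.493000Z "forward" "-" "-" "10.0.2.91:8000" "404" "-" "-"',
    'https 2022-04-21T08:36:02.120000Z app/example-service/48c3493fa5414f88 130.176.1.10:52100 10.0.2.91:8000 0.001 0.002 0.000 200 200 39 512 "GET https://api-alb.example.com:443/api/v1/api/something HTTP/1.1" "Amazon CloudFront" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:ACCOUNTID:targetgroup/example-service/1d723b6babea76f0 "Root=1-00000000-000000000000000000000000" "-" "arn:aws:acm:us-east-1:ACCOUNTID:certificate/00000000-0000-0000-0000-000000000000" 0 2022-04-21T08:36:02.118000Z "forward" "-" "-" "10.0.2.91:8000" "200" "-" "-"',
]

if __name__ == "__main__":
    print("viewer /api/something ->", origin_request_path("/api/something", ORIGIN_PATH))
    for client_ip, path, label in audit(SAMPLE_LOG):
        print(f"{client_ip:15} {path:30} {label}")
```

Two things fall out of running it against the posted line: the request URL's host is the load balancer's IP address with an empty path, so that entry is a client connecting to the ALB directly rather than traffic relayed by the distribution; and for traffic that does come through the distribution, the backend must serve /api/v1/api/... (or the Origin Path must be left empty and the version prefix handled elsewhere, e.g. with a CloudFront Function rewriting the URI), because the behavior's api/* pattern is not stripped before the Origin Path is prepended.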

2 Answers
0

Are you specifying your API origin as an ALB or as an HTTP/S server? If the former (which I think is correct), then wouldn't the constructed origin URL be based on the default ALB domain, not your CNAME?

answered a month ago
  • I specify the API origin as an HTTPS server. If I use the ALB from the drop-down list, CloudFront tries to connect to the ALB FQDN over HTTPS and fails because the TLS cert is only valid for the CNAME (service.example.com) and not *.elb.aws.amazon.com.

    So, I have a domain name, say, api-alb.example.com pointing to the ALB (ALIAS A record on Route 53) and the origin is set to api-alb.example.com over HTTPS. This ensures that the certificate configured at the ALB is valid for the FQDN to which CloudFront is trying to connect.

0

I have the exact same behaviour but wasn't able to get it to work. Did you have any luck?

answered 25 days ago
