By using AWS re:Post, you agree to the Terms of Use
/Cloudfront not respecting Origin Path/

Cloudfront not respecting Origin Path


I have a cloudfront distribution with two origins. The first is an S3 static-website bucket and the second is an ALB. I also configured an extra behavior (apart from the default) to forward all api requests to the ALB.



  • Path Pattern - api/*
  • Cache Policy - CachingDisabled
  • Origin Request Policy - AllViewer


  • Origin Path - /api/v1

The objective is to fetch when I try to access

This doesn't work. If I access the URL does not even get rewritten to

Is there a CloudFront behavior I'm not aware of that's making me misconfigure this?

Edit to add:

I enabled ALB access logging and this is how all requests look:

https 2022-04-21T08:35:38.496934Z app/example-service/48c3493fa5414f88 0.001 0.002 0.000 404 404 39 178 "GET HTTP/1.1" "-" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:ACCOUNTID:targetgroup/example-service/1d723b6babea76f0 "Root=1-6261175a-69c4fa13012685" "-" "arn:aws:acm:us-east-1:ACCOUNTID:certificate/1d74321b-[snip]-539" 0 2022-04-21T08:35:38.493000Z "forward" "-" "-" "" "404" "-" "-"

Referring to the syntax of this log line, it seems like "GET HTTP/1.1" is the requested path. There is no path here even though I requested /api/v1/something/else.

2 Answers

Are you specifying your api origin as an ALB or as an HTTP/S server? If the former (which I think is correct) then wouldn't the constructed origin URL be based on the default ALB domain not your CNAME?

answered a month ago
  • I specify the API origin as an HTTPS server. If I use the ALB from the drop-down list, Cloudfront tries to connect to the ALB FQDN over HTTPS and fails because the TLS cert is only valid for the CNAME ( and not *

    So, I have a domain name, say, pointing to the ALB (ALIAS-A rec on Route53) and the origin is set to over HTTPS. This ensures that the certificate configured at the ALB is valid for the FQDN to which Cloudfront is trying to connect.


I have the exact same behaviour but wasn't able to get it to work. Did you have any luck?

answered 25 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions