Cloudfront not respecting Origin Path

0

I have a cloudfront distribution with two origins. The first is an S3 static-website bucket and the second is an ALB. I also configured an extra behavior (apart from the default) to forward all api requests to the ALB.

CNAME - service.example.com

**Behavior: **

  • Path Pattern - api/*
  • Cache Policy - CachingDisabled
  • Origin Request Policy - AllViewer

Origin

  • Origin Path - /api/v1

The objective is to fetch https://service.example.com/api/v1/something when I try to access https://service.example.com/api/something.

This doesn't work. If I access service.example.com/api/anything the URL does not even get rewritten to service.example.com/api/v1/anything

Is there a CloudFront behavior I'm not aware of that's making me misconfigure this?

Edit to add:

I enabled ALB access logging and this is how all requests look:

https 2022-04-21T08:35:38.496934Z app/example-service/48c3493fa5414f88 65.49.20.66:45416 10.0.2.91:8000 0.001 0.002 0.000 404 404 39 178 "GET https://44.198.88.248:443/ HTTP/1.1" "-" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:ACCOUNTID:targetgroup/example-service/1d723b6babea76f0 "Root=1-6261175a-69c4fa13012685" "-" "arn:aws:acm:us-east-1:ACCOUNTID:certificate/1d74321b-[snip]-539" 0 2022-04-21T08:35:38.493000Z "forward" "-" "-" "10.0.2.91:8000" "404" "-" "-"

Referring to the syntax of this log line, it seems like "GET https://44.198.88.248:443/ HTTP/1.1" is the requested path. There is no path here even though I requested /api/v1/something/else.

asked 2 years ago1848 views
3 Answers
0

Are you specifying your api origin as an ALB or as an HTTP/S server? If the former (which I think is correct) then wouldn't the constructed origin URL be based on the default ALB domain not your CNAME?

EXPERT
answered 2 years ago
  • I specify the API origin as an HTTPS server. If I use the ALB from the drop-down list, Cloudfront tries to connect to the ALB FQDN over HTTPS and fails because the TLS cert is only valid for the CNAME (service.example.com) and not *.elb.aws.amazon.com.

    So, I have a domain name, say, api-alb.example.com pointing to the ALB (ALIAS-A rec on Route53) and the origin is set to api-alb.example.com over HTTPS. This ensures that the certificate configured at the ALB is valid for the FQDN to which Cloudfront is trying to connect.

0

I have the exact same behaviour but wasn't able to get it to work. Did you have any luck?

answered 2 years ago
0

The steps provided in the documentation links below are summarized as follows:

  1. Open the CloudFront distribution settings in the AWS Management Console.
  2. Go to the "Behaviors" tab and click "Create Behavior" to create a new custom behavior.
  3. For "Path Pattern," enter /api/* to match all requests that start with /api/.
  4. For "Cache Policy," select "CachingDisabled".
  5. For "Origin Request Policy," select "AllViewer" to forward the request to the origin (ALB).
  6. Configure the origin settings for the ALB:
    1. Origin Domain Name: the domain name or endpoint of your ALB.
    2. Origin Path: /api/v1.

Save the behavior and wait for the CloudFront distribution to update. Ensure you did this correctly. It might take some time for CloudFront to update.

If this is what you did and you still are facing origin path problems, follow the more detailed AWS instructions for your CloudFront multi-origin setup: https://catalog.us-east-1.prod.workshops.aws/workshops/4557215e-2a5c-4522-a69b-8d058aba088c/en-US/basic-configuration/create-multiple-origins

Values you want to put in when configuring with CloudFront: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html

Hope these resources help!

answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions