403 status routing traffic through CloudFront to non-AWS custom origin server

0

We have a domain with a 3rd party Registrar and a dynamic website served from 3rd party servers. I am trying to route traffic through our Registrar, then through CloudFront and then to our custom origin server. Ultimately, we are looking to replace our 3rd party WAF with AWS WAF, but I'm first trying to get traffic routed through CloudFront before adding the WAF layer.

I have created a CloudFront Distribution with an Alternate Domain Name (let's call it aws.example.com) and custom SSL certificate with the same subdomain (aws.example.com) set up through AWS Certificate Manager. I have a CloudFront Behavior set up with the subdomain/Alternate Domain Name as the Origin, Caching disabled, and HTTP redirected to HTTPS. Then in Route 53, I've created a Hosted Zone with an A Record mapping the subdomain/Alternate Domain Name to the static public IP Address of the non-AWS origin server. Finally, at our Registrar, I have a CNAME for the domain name mapping the subdomain "aws" to the Distribution Domain Name for the CloudFront distribution (e.g. xyz1234.cloudfront.net).

What I expected was for calls to aws.example.com to route through our Registrar to CloudFront through Route 53 to the non-AWS origin server, but what we get is CloudFront responding with a 403 status. If I go directly to the Distribution Domain Name for the CloudFront distribution, the result is the same. It appears that the traffic stops at CloudFront and that the alternate domain is not passing through Route 53.

What is the correct way to configure this all to route traffic through CloudFront to non-AWS custom origin server?

8 Answers
0

Can you access the origin without going through CloudFront?

If you can access it, please check if it is configured as per the following document. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html

Verify that the CNAME record is set in CloudFront by using the dig command

EXPERT
answered a year ago
0

I was thinking I should have mentioned that the subdomain on the non-AWS origin server is accessible if DNS is simply routed through our Registrar (via an A record pointed at the IP address of the server).

Also, apologies if it wasn't clear that when configured the way I described we do make it to CloudFront and get the 403 message from CloudFront. The CNAME is configured for the Alternate Domain Name, and dig does return the correct Distribution Domain Name for the CNAME/Alternate Domain Name aws.example.com

The problem appears to be that the traffic stops at CloudFront and that the alternate domain is not passing through Route 53.

answered a year ago
0

Is HTTPS used between CloudFront and the origin?
Please send me a screenshot of your CloudFront configuration screen if possible.

EXPERT
answered a year ago
0

I believe so: TLS 1.2

(screenshot: CloudFront config)

answered a year ago
0

Thank you very much.
Could you please show me additional origin detail settings and behavior detail settings?

EXPERT
answered a year ago
0

Thanks, @Riku. Here are additional configuration details:

Origin Settings:

(screenshot: Origin Settings)

Behaviors Settings:

(screenshot: Behaviors Settings A)
(screenshot: Behaviors Settings B)

answered a year ago
0

The origin domain and CloudFront Alternate Domain Name look the same, but are they set differently?
If they are the same, please change them to different ones.

EXPERT
answered a year ago
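Editor's added example, not code from the thread or from AWS: it models the lookup CloudFront performs for the "Origin domain" under the configuration described in the question, and shows why an origin that equals the distribution's own alternate domain name loops back to the distribution. It also serves the earlier suggestion to verify the CNAME with dig, by tracing the same CNAME chain dig +short would print. The DNS view is constructed for the example: a Route 53 hosted zone only answers public queries when the registrar's NS records delegate the domain to it, and the question describes the registrar's own DNS holding the CNAME, so the hosted zone's A record is deliberately absent. The distribution name, IP addresses and the origin name origin.example.com are placeholders and assumptions, not values from the thread.

```python
"""Trace what CloudFront will reach when it connects to the configured origin.

Added example for the thread above; the records, addresses and the separate
origin name are constructed placeholders, not values from the question.
"""

from dataclasses import dataclass


def fqdn(name: str) -> str:
    """Normalise a hostname to lower-case with a trailing dot."""
    return name.strip().lower().rstrip(".") + "."


# Constructed public DNS view matching the layout in the question: the
# registrar's zone (the one the domain is delegated to) holds the CNAME
# "aws" -> distribution. The undelegated Route 53 hosted zone is never
# consulted by public resolvers, so its A record does not appear here.
PUBLIC_DNS = {
    "aws.example.com.": ("CNAME", "xyz1234.cloudfront.net."),
    "xyz1234.cloudfront.net.": ("A", "198.51.100.7"),   # placeholder edge IP
    "origin.example.com.": ("A", "203.0.113.10"),        # assumed fix: a separate origin name
}


def resolve(name: str, records: dict, max_hops: int = 8):
    """Follow CNAMEs from `name`; return (names visited, final IP or None)."""
    chain = []
    cur = fqdn(name)
    while len(chain) < max_hops:
        chain.append(cur)
        rr = records.get(cur)
        if rr is None:
            return chain, None
        rtype, target = rr
        if rtype == "A":
            return chain, target
        cur = fqdn(target)
    raise RuntimeError("CNAME chain too long: " + " -> ".join(chain))


@dataclass(frozen=True)
class Distribution:
    domain_name: str            # the *.cloudfront.net name AWS assigned
    alternate_domains: tuple    # "Alternate domain names (CNAMEs)"
    origin_domain: str          # "Origin domain" in the origin settings


def diagnose(dist: Distribution, records: dict):
    """Classify the origin as 'loop', 'unresolvable' or 'ok', with a detail string."""
    origin = fqdn(dist.origin_domain)
    if origin in {fqdn(a) for a in dist.alternate_domains}:
        return "loop", "origin domain is one of the distribution's own alternate domain names"
    chain, ip = resolve(origin, records)
    if fqdn(dist.domain_name) in chain:
        return "loop", "origin resolves to this distribution: " + " -> ".join(chain)
    if ip is None:
        return "unresolvable", "no A record reached: " + " -> ".join(chain)
    return "ok", f"origin {origin} -> {ip}"


# The configuration from the question: origin == alternate domain name.
AS_DESCRIBED = Distribution(
    domain_name="xyz1234.cloudfront.net",
    alternate_domains=("aws.example.com",),
    origin_domain="aws.example.com",
)

# Origin pointed at a separate name that resolves straight to the server
# (origin.example.com is an assumed name, not from the thread).
FIXED = Distribution(
    domain_name="xyz1234.cloudfront.net",
    alternate_domains=("aws.example.com",),
    origin_domain="origin.example.com",
)

if __name__ == "__main__":
    for label, dist in (("as described", AS_DESCRIBED), ("fixed", FIXED)):
        status, detail = diagnose(dist, PUBLIC_DNS)
        print(f"{label}: {status} ({detail})")
```

The live equivalent of the trace is `dig +short aws.example.com` (which should print the distribution domain name) followed by `dig +short` on the origin domain: if that second answer also ends in cloudfront.net, CloudFront is being told to connect to itself. Once the origin has its own name and traffic does flow through CloudFront, the WAF replacement only holds if the origin server stops accepting requests that arrive directly at its public IP (for example by allowlisting CloudFront's published origin-facing IP ranges or requiring a secret custom origin header); otherwise anyone who knows the IP bypasses AWS WAF entirely.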
0

Did you solve the problem here?

EXPERT
answered a year ago
