Cloudfront - 504 The request could not be satisfied

2

I have a CloudFront distribution that returns 504. The origin (S3) returns okay. I have multiple distributions that work. If I create a new one with an origin equal to a distribution that works, I still get the 504 error.

I think it has to do with CF not being able to reach the S3, but as the Bucket website endpoint works fine, I am at a loss.

  • I am also experiencing a similar issue which I haven't been able to solve yet. I have an S3 bucket configured as a static website redirect. The S3 bucket is publicly accessible. I can access the S3 website endpoint directly from anywhere. However, I need CloudFront for HTTPS and a certificate. CloudFront always returns 504 with this S3 bucket as origin.

  • @GregB, you describe the problem exactly.

asked a year ago, 670 views
3 Answers
2
Accepted Answer

Update! As only the root page was showing correctly, I had to keep searching for an answer.

Here is how I found my problem:

I got the config from both cloudfronts (one working and one not) so I could compare them.

#!/bin/bash
# Dump the config of one distribution to cf/<id>-get-distribution-config.json
# so that a working and a failing distribution can be diffed side by side.
set -euo pipefail

distribution_id=${1:-}

if [ -z "$distribution_id" ]; then
    echo "Please provide distribution id as first parameter"
    exit 1
fi

# output directory must exist before redirecting into it
mkdir -p cf

commands=( "get-distribution-config" )

for command in "${commands[@]}"
do
    aws cloudfront "$command" --id "$distribution_id" > "cf/$distribution_id-$command.json"
done

When comparing them I noticed that one value was off: Origins.Items[].CustomOriginConfig.OriginProtocolPolicy. It was set to https-only on the non-functional CloudFront. I updated the value to http-only and it now works as expected. I again use the web hosting endpoint.

I'll add the script for updating the config.

#!/bin/bash
# Set OriginProtocolPolicy to http-only on every origin of the distribution.
# update-distribution requires the ETag returned by the last get-distribution-config
# as --if-match, otherwise the update is rejected.
set -euo pipefail

distribution_id=${1:?"Please provide distribution id as first parameter"}

config_and_etag=$(aws cloudfront get-distribution-config --id "$distribution_id")

current_config=$(echo "$config_and_etag" | jq '.DistributionConfig')

# rewrite the protocol policy of each origin's CustomOriginConfig
new_config=$(echo "$current_config" | jq '.Origins.Items[].CustomOriginConfig.OriginProtocolPolicy = "http-only"')

etag=$(echo "$config_and_etag" | jq -r '.ETag')

aws cloudfront update-distribution --id "$distribution_id" --distribution-config "$new_config" --if-match "$etag"

Hope this will help others, as this cost me a few gray hairs.

answered a year ago
  • That's awesome! So it seems that configuring this from the AWS console will not work by itself. Looks like creating the dist from the AWS CLI has this option and so does Terraform. The console is the only place that doesn't have it.

    I had actually updated my AWS account to business tier for one day so I could get official aws support, and the support engineers have been completely stumped!! They reproduced on their end and needed to take it back internally to figure out what to do. Maybe there will be a way to do this via the console soon.
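An offline version of the comparison and fix from the accepted answer, added here as an example (this is not code from the original post): it diffs two DistributionConfig documents on their origin fields, flags a website-endpoint origin whose OriginProtocolPolicy is anything other than http-only, and produces a corrected config that changes website-endpoint origins only. The two configs are constructed inline; the bucket name, origin Ids and the api.example.com origin are assumptions.

```python
"""Diff CloudFront origin settings and explain a 504 from an S3 website endpoint.

Added example, not the original poster's script. Assumption encoded here: an S3
*website* endpoint (bucket.s3-website-<region>.amazonaws.com or
bucket.s3-website.<region>.amazonaws.com) answers only plain HTTP, so a custom
origin pointing at it must use OriginProtocolPolicy "http-only"; with
"https-only" (or "match-viewer" behind an HTTPS viewer) the origin connection
fails and CloudFront returns 504.
"""
import copy
import json
import re

# S3 website-endpoint hostnames; the region separator is "-" or "." depending on region.
WEBSITE_ENDPOINT_RE = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com(\.cn)?$")

# Origin fields worth comparing between a working and a failing distribution.
COMPARED_FIELDS = (
    "DomainName",
    "OriginPath",
    "OriginAccessControlId",
    "CustomOriginConfig.OriginProtocolPolicy",
    "CustomOriginConfig.HTTPPort",
    "CustomOriginConfig.HTTPSPort",
    "S3OriginConfig.OriginAccessIdentity",
)


def is_website_endpoint(domain_name):
    return bool(WEBSITE_ENDPOINT_RE.search(domain_name.lower()))


def _get(origin, dotted):
    """Look up a dotted path in an origin dict; missing keys yield None."""
    node = origin
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def diff_origins(config_a, config_b):
    """Per-origin differences keyed by origin Id, restricted to COMPARED_FIELDS."""
    origins_a = {o["Id"]: o for o in config_a["Origins"]["Items"]}
    origins_b = {o["Id"]: o for o in config_b["Origins"]["Items"]}
    diff = {}
    for origin_id in sorted(set(origins_a) | set(origins_b)):
        a, b = origins_a.get(origin_id, {}), origins_b.get(origin_id, {})
        changed = {f: (_get(a, f), _get(b, f))
                   for f in COMPARED_FIELDS if _get(a, f) != _get(b, f)}
        if changed:
            diff[origin_id] = changed
    return diff


def origin_findings(config):
    """Return human-readable reasons why a website-endpoint origin is unreachable."""
    findings = []
    for origin in config["Origins"]["Items"]:
        if not is_website_endpoint(origin["DomainName"]):
            continue
        policy = _get(origin, "CustomOriginConfig.OriginProtocolPolicy")
        if policy is None:
            findings.append(f"{origin['Id']}: website endpoint needs a CustomOriginConfig "
                            "(S3OriginConfig/OAC only apply to the REST endpoint)")
        elif policy != "http-only":
            findings.append(f"{origin['Id']}: OriginProtocolPolicy is {policy!r}, but the "
                            "website endpoint answers only plain HTTP, so HTTPS origin "
                            "requests fail and CloudFront returns 504")
    return findings


def fix_website_origins(config):
    """Copy of config with http-only set on website-endpoint origins only."""
    fixed = copy.deepcopy(config)
    for origin in fixed["Origins"]["Items"]:
        if is_website_endpoint(origin["DomainName"]) and "CustomOriginConfig" in origin:
            origin["CustomOriginConfig"]["OriginProtocolPolicy"] = "http-only"
    return fixed


# Constructed sample configs (only the Origins member of a DistributionConfig).
WORKING = {"Origins": {"Quantity": 2, "Items": [
    {"Id": "s3-site", "DomainName": "example-site.s3-website-eu-west-1.amazonaws.com",
     "OriginPath": "",
     "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                            "OriginProtocolPolicy": "http-only"}},
    {"Id": "api", "DomainName": "api.example.com", "OriginPath": "",
     "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                            "OriginProtocolPolicy": "https-only"}},
]}}
BROKEN = copy.deepcopy(WORKING)
BROKEN["Origins"]["Items"][0]["CustomOriginConfig"]["OriginProtocolPolicy"] = "https-only"

if __name__ == "__main__":
    print(json.dumps(diff_origins(WORKING, BROKEN), indent=2))
    print("\n".join(origin_findings(BROKEN)))
    print(json.dumps(fix_website_origins(BROKEN)["Origins"]["Items"][0], indent=2))
```

Feed it the `.DistributionConfig` member of `aws cloudfront get-distribution-config` output for the working and the failing distribution. Two caveats: http-only means the CloudFront-to-origin hop is unencrypted, which is why the REST endpoint with origin access control (the layout in the other answer) is preferable when website-hosting features such as redirects are not needed; and the jq one-liner in the answer sets http-only on every origin, which would also downgrade a non-S3 origin that has to stay on HTTPS, whereas `fix_website_origins` touches website-endpoint origins only.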

0

The usual approach for CloudFront with S3 as an origin doesn't use the bucket's static website hosting, it uses the bucket's REST interface. So assuming you have set it up this way the fact that your bucket's website endpoint works doesn't mean anything. Ideally you should disable that endpoint (it's an insecure http-only site), make sure the bucket isn't Public, and use an Origin Access Identity allowing CloudFront permissions to access the bucket.

EXPERT
answered a year ago
0

Update: This only got me to the root page. All other routes had the same problem.

  • I deactivated the static website hosting on the S3 bucket.
  • Changed the origin to target the S3 bucket (not the website endpoint).
  • Picked Origin access control settings (recommended).
  • Added a control setting and used that.
  • Copied and added the bucket policy.
answered a year ago
