Questions tagged with Amazon CloudFront
I have a registered domain **xxx.com**.
I would like to make an **aaa.xxx.com** and **bbb.xxx.com** subdomains, and point them to different locations (in my case, CloudFront distributions). I found conflicting documentation even on the AWS Docs about this use case, and there's a lot of confusion out there on the net in different tutorials.
For the time being, I have the following configuration in Route 53 for the public hosted zone **xxx.com**:
```
xxx.com NS ...
xxx.com SOA ...
<rnd>.xxx.com CNAME ... (needed for the ssl cert)
aaa.xxx.com A Routes to CloudFront1
bbb.xxx.com A Routes to CloudFront2
```
If I copy and paste the CloudFront2 location here to the browser, I get to the proper static website I'd like to use. If I go to the address **bbb.xxx.com**, then I see the contents of **aaa.xxx.com**. I have waited 72h+ for the DNS caches to clean up, but still no change, unfortunately. I suspect I might be doing something completely flawed here :-)
So, my question is: what should such a normal config look like, where there is a root domain + 2 subdomains pointing to different locations? Any articles or links would be more than welcome!
I'd like to analyze the number of requests, for example, that contain the HTTP headers that I've included in my CloudFront cache key. How can I do this? For example, when I created my caching policy, I enabled the CloudFront-Is-Mobile/SmartTV/Desktop-Viewer headers because I'd like to see how many requests originate from these different device types. I thought the HTTP header information would be available in CloudFront standard logs, but no such luck. Where to look?
Hello, I'm making a simple API request to my Lambda endpoint from another server that's hosted on railway.app, and every time I make a request to my Lambda I get the following error.
```
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Bad request.
We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: _-bskwhg7aCgBL3YAH7_MazAyGiMiE1dfA5i7xa1wg_uRvNzMFVTiQ==
</PRE>
```
This is just a snippet of the request error from an axios request from my server to my Lambda.
I haven't used CloudFront before, nor have I configured anything to use CloudFront. I used the Serverless package for TypeScript to create an S3 bucket for my API, and I don't know how to resolve this issue, because the same request I'm making from my railway server can be completed by using a GET request with Postman.
Any help would be greatly appreciated.
I am trying to set a WAF ACL on top of my CloudFront distribution.
The initial idea behind the implementation is Video On Demand streaming. So basically I have a web application, which is hosted on my HTTP web server. The web application wants to access specific video resources stored in my previously configured S3 bucket. There is an OAI created on top of it, so my CloudFront distribution shares the files stored in the previously mentioned S3 bucket.
I want to prevent access to the files that can be accessed through a CloudFront distribution URL, and limit the access so that only my web server, which hosts my web application, can read those files. All other potential attackers and users who do not access files via my web application should be rejected.
I already created an AWS WAF ACL with the allow action access policy on my set of IPs (within the set of IPs, only the IP of my web server which hosts my web application is listed), associated it within a rule, and associated my WAF ACL with the previously mentioned CloudFront distribution.
I am looking for a way to enable video download through the CloudFront distribution only via my web application. I've looked into a signed URL implementation, but I have a problem because I need to specify my video URL link in my web application through a simple web form at course level, which does not let me dynamically set a signed URL once I have generated it.
Hi
I run WordPress and have put an origin server in Japan.
And 75% of my website visitors come from South Korea.
Based on the location of the CloudFront, I think the cached files should be served from the Korea edge (Seoul).
But in reality, most of the requests are served from the Singapore edge.

Is there any reason why they are being served from the Singapore server instead of Korea, and how can I fix this?
Also, I can't find the Korea Edge in Bills. Is it not available?
Thank you.
I am using AWS CloudFormation to deploy a stack containing a CloudFront distribution using a CloudFront function. The template contains the following entries:
```yaml
CloudFrontFunction:
  Type: "AWS::CloudFront::Function"
  Properties:
    Name: "my-function"
    AutoPublish: true
    FunctionConfig:
      Comment: "My function"
      Runtime: "cloudfront-js-1.0"
    FunctionCode: |
      function handler(event) { /* omitted for brevity */ }
CloudFrontDistribution:
  Type: "AWS::CloudFront::Distribution"
  Properties:
    ...
    DefaultCacheBehavior:
      FunctionAssociations:
        - EventType: "viewer-request"
          FunctionARN:
            "Fn::GetAtt": "CloudFrontFunction.FunctionARN"
```
Each time I deploy the stack using this template, CloudFormation updates the CloudFront function even if the function has not changed (I suspect this is caused by AutoPublish: true, but I need this setting to be enabled).
This results in CloudFormation also updating the distribution, which takes several minutes, and often simply fails (my guess is that the CloudFront API is not very reliable during peak traffic hours), resulting in our CD pipeline also failing.
Is there a way to avoid this behavior (e.g. do not publish the function if it has not changed)? I might put the function in another template/stack and keep this stack outside of our CD pipeline, but it's tedious to have to handle the function updates manually.
My domain (`example.com`) is registered with name.com. The domain's NS records are pointed to AWS Route 53 name servers. My WordPress is hosted at siteground and has an IP address (`1.1.1.1` example), and a subdomain (`aws.example.com`) is created at siteground.
In my AWS CloudFront distribution, Origin domain is pointed to `aws.example.com` since it will not accept the IP address.
In Route 53, the `aws.example.com` A record points to the IP (`1.1.1.1` from siteground). And the A & AAAA records of `example.com` & `www.example.com` point to the AWS CloudFront distribution name (`d1111abcd8.cloudfront.net` example).
The above configuration returns a 502 error for both the domain name and the CloudFront distribution name. (Error: CloudFront wasn't able to connect to the origin).
How can I make this configuration work while I use `example.com` as public domain with CloudFront?
CloudFront configuration:
Supported HTTP versions: HTTP/2, HTTP/1.1, HTTP/1.0
Alternate domain names: www.example.com, example.com
Custom SSL certificate: Yes, issued by AWS ACM
Origin domain: aws.example.com
Protocol: HTTP only
No additional CF configuration
I have been trying to set up a website of static web pages with SSL termination provided by CloudFront.
I set up the origin s3 bucket in the new ap-southeast-4 (Melbourne).
After all the setup when I try to access the web pages via the CloudFront distribution I get the error message:
```
<Error>
<Code>InvalidToken</Code>
<Message>The provided token is malformed or otherwise invalid.</Message>
<Token-0>****</Token-0>
<RequestId>****</RequestId>
<HostId>****</HostId>
</Error>
```
Going back to the first principles I seem to have isolated the problem to the region ap-southeast-4.
Currently, in production, we have existing CloudFront distributions that host files out of ap-southeast-2 (Sydney). This is odd so I created the 2 test CloudFront distributions with the simplest stack possible. One distribution points to a test s3 bucket in ap-southeast-4 (Melb) and the other to a test bucket in ap-southeast-2 (Syd).
The distribution pointing to ap-southeast-4 always returns the InvalidToken error while the distribution pointing to ap-southeast-2 works fine.
Any help in fixing this problem would be appreciated.
For the last few days I have been facing this issue. I think it's a network issue.
CloudFront is giving a very slow response and my assets load very slowly, so I ran a traceroute and the following is the result of it.
I have replaced the subdomain with dummy text because I don't want to expose my CloudFront subdomain in public.
```
C:\Users\jigs>tracert MYCLOUDFRONTSUBDOMAIN.cloudfront.net
Tracing route to MYCLOUDFRONTSUBDOMAIN.cloudfront.net [108.159.80.52]
over a maximum of 30 hops:
1 2 ms 1 ms 1 ms 192.168.0.1
2 2 ms 2 ms 2 ms 116.74.88.1
3 3 ms 2 ms 2 ms 100.74.116.1.hathway.com [116.74.100.1]
4 15 ms 14 ms 16 ms 136.232.18.13.static.jio.com [136.232.18.13]
5 28 ms 25 ms 31 ms 172.16.92.145
6 26 ms 33 ms 31 ms 172.16.92.145
7 32 ms 25 ms 31 ms 99.82.178.202
8 29 ms 28 ms 24 ms 52.95.65.213
9 21 ms 21 ms 21 ms 52.95.67.57
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 30 ms 32 ms 21 ms server-108-159-80-52.bom78.r.cloudfront.net [108.159.80.52]
Trace complete.
```
Can anyone tell me what the issue is, and how I can fix it?
Getting DNS_PROBE_FINISHED_NXDOMAIN with AWS Amplify and Route 53 with an externally registered domain.
I'm hosting my app on Amplify. I have gotten the CloudFront address and added it to Route 53 in a newly created hosted zone. I then added the new nameservers in my domain provider's portal.
When I visit the site I get the error: "DNS_PROBE_FINISHED_NXDOMAIN". I've tried clearing cookies, caches, resetting the router, everything, but it doesn't work.
I tested the records on Route 53 and it found no errors.
Any help would be much appreciated.
I am using a custom domain that I own and attached that to LightSail distribution.
As part of the process, I also created a certificate, validated it in my DNS registrar (Namecheap) and then attached it.
But when I make a call to my website:
```
curl -v https://whatify.io
```
I see that it is returning a self-signed certificate.
Below is the relevant output:
```
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.se/docs/sslcerts.html
```
I can see on the LightSail distribution tab in the AWS console that the certificate is valid and in use. Why is this happening?
Hello! I'm trying to configure CloudFront to send an If-None-Match to my origin when a resource expires, so that I can respond with a 304 if nothing has changed. For some reason, I'm unable to get CloudFront to do so.
My origin responds with these headers:
```
HTTP/2 200
content-type: application/json; charset=utf-8
content-length: 181691
access-control-allow-origin: *
cache-control: max-age=5
date: Fri, 17 Feb 2023 21:16:49 GMT
x-content-type-options: nosniff
x-frame-options: DENY
etag: W/"15-mbAPvGdFm9PuCZHJFTtrwm@3"
vary: Accept-Encoding
```
So, sending `cache-control` of 5 seconds and a weak e-tag.
My CloudFront cache policy has a min TTL of 1, forwards headers Origin and a few x- ones, and forwards all query strings. No cookies. Compression is turned on.
My origin request policy is "AllViewer".
For some reason, CloudFront never sends an `If-None-Match` header to my origin when a resource expires. If I manually specify an `If-None-Match` header in my request in a `curl` command to CloudFront, my origin does see it and responds correctly. So there must be something wrong with my configurations.
Any ideas? I've been poring over the documentation but have not found anything that worked.
Thanks!