CloudFront fails for an HTTP 1.0 request without the Host
header (optional for HTTP 1.0):
POST / HTTP/1.0
Content-Type: application/ocsp-request
Content-Length: 75
HTTP/1.1 400 Bad Request
Server: CloudFront
Date: Wed, 16 Mar 2022 21:22:41 GMT
Content-Type: text/html
Content-Length: 915
Connection: close
X-Cache: Error from cloudfront
Via: 1.1 edd67566d372ed79fbaa7f9cc3d7815e.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: ICN51-C1
X-Amz-Cf-Id: KOUV_x5KqMc2f1CsGn1oXTrgaLFSSJn76dycoN97BqIdmgRYjySN3g==
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>400 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Bad request.
We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: KOUV_x5KqMc2f1CsGn1oXTrgaLFSSJn76dycoN97BqIdmgRYjySN3g==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>
Now, I'm aware that a CDN edge server using shared public IPs (the default when using CloudFront) wouldn't be capable of identifying the correct distribution if it isn't provided with the Host
header, so I enabled dedicated IP address for my distribution (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-https-dedicated-ip-or-sni.html#cnames-https-dedicated-ip) hoping that it could help, but CloudFront still fails.
Now, considering that (at least technically) using dedicated IP addresses would make CloudFront capable of identifying the correct distribution and send the requests to the expected origin even when the Host
header is missing, is this something supported at all?.
PS: I don’t even see the previous request through Standard logging, so I guess it is lost even before reaching my distribution.
Same question asked in https://stackoverflow.com/questions/71505681/does-amazon-cloudfront-support-http-1-0-requests-without-the-host-header with a bounty.
Some OpenSSL versions (e.g. the current one for Amazon Linux 2) send OCSP HTTP POST requests using
openssl ocsp
with HTTP 1.0 and without theHost
header by default. Now, I know that for multi-tenant CDN edge servers it wouldn't work, but for dedicated IP CDN edge servers it is technically possible and other CDN providers like Akamai or Edgecast support it.