Is it possible, with a CloudFront function, to detect or extract from the request object whether the protocol is HTTP or HTTPS?
I'd like to do it without modifying the CloudFront Behaviour which automatically redirects from HTTP to HTTPS and my doing it manually.
Not sure how I missed this part... but it's in the documentation:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-cloudfront-headers.html#cloudfront-headers-viewer-location
I have an EC2 server and it's using CloudFront because it needs to use HTTPS with a certificate signed by AWS. And then there is some API inside this EC2 server that I need to use the POST method with form-data, but the server somehow can't get the form-data. Is there some cache policy that I have to set? Or is CloudFront purposely forcing me to do everything with the API Gateway thing?
Your setup that uses CloudFront to terminate TLS and forward HTTP requests to EC2 is fine.
You can try turning on forwarding all query strings and see if it works for you.
I use an Application Load Balancer in AWS as an API Gateway: for forwarding requests to different applications running in AWS. I have configured it with support for both HTTP and HTTPS. An HTTPS listener contains all logical rules for request forwarding. And an HTTP listener is configured with a single rule: to redirect all traffic to the HTTPS listener ({host}:443/#{path}?#{query}) and to return 301.
HTTPS works perfectly. And HTTP works fine for GET requests. But I found that POST requests to HTTP are converted to GET requests when being redirected to HTTPS, which obviously ends up with 404.
I found online that the problem is in 301 status (https://rtfm.co.ua/en/http-redirects-post-and-get-requests-and-lost-data/#The_root_cause_3xx_redirects_and_HTTP_RFC). But unfortunately there is no option in AWS ALB rules to redirect requests and to return 307 instead of 301.
So does anyone know how I can fix this issue?
Thank you!
We have a similar setup. What we do is let the HTTP request pass through to the application server. There the application detects the HTTP protocol and does a software-based 301 redirect as a POST to HTTPS. This moves the specialized protocol handling from the ALB to the application itself. Works great. Any application server would be easy to set up in this way.
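An application-side redirect of the kind described in this answer, as an added example that is not code from the thread. It goes beyond the answer by returning 308 for methods other than GET and HEAD so the client repeats the same method and body; it assumes the load balancer sets `X-Forwarded-Proto`, and the function name, host name and sample requests are hypothetical.

```javascript
// Added example: requests are plain objects shaped like Node's
// http.IncomingMessage ({ method, url, headers } with lower-cased header names).
const REDIRECT_AS_IS = new Set(['GET', 'HEAD']);

// Returns null when the viewer already used HTTPS, otherwise the response to send.
// Assumption: every request reaches the app through the load balancer, which
// sets X-Forwarded-Proto to the scheme the client used.
function httpsRedirect(req, allowedHosts) {
  const proto = String(req.headers['x-forwarded-proto'] || '').trim().toLowerCase();
  if (proto === 'https') return null;

  // Build Location only from a known host name, never from an arbitrary Host header.
  const host = String(req.headers.host || '').split(':')[0].toLowerCase();
  if (!allowedHosts.includes(host)) {
    return { status: 400, headers: {}, body: 'unknown host' };
  }

  // Keep path and query; refuse targets such as "//other.example/" or absolute URLs.
  const target = req.url.startsWith('/') && !req.url.startsWith('//') ? req.url : '/';

  // Clients may turn a POST into a GET on 301; 308 requires the same method and body.
  const status = REDIRECT_AS_IS.has(req.method.toUpperCase()) ? 301 : 308;
  return { status, headers: { Location: `https://${host}${target}` }, body: '' };
}

// Constructed sample requests (hypothetical host and paths).
const SAMPLES = [
  { method: 'GET', url: '/health', headers: { host: 'api.example.com', 'x-forwarded-proto': 'http' } },
  { method: 'POST', url: '/orders?id=7', headers: { host: 'api.example.com:80', 'x-forwarded-proto': 'http' } },
  { method: 'POST', url: '/orders?id=7', headers: { host: 'api.example.com', 'x-forwarded-proto': 'https' } },
];
for (const req of SAMPLES) {
  console.log(req.method, req.url, JSON.stringify(httpsRedirect(req, ['api.example.com'])));
}
```

By the time the 308 is sent, the POST body has already crossed the network in plaintext, so the redirect keeps clients working but does not protect that first request.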
I also faced the same issue when the http to https redirection is enabled. Just disable automatic https redirection and directly hit the https route.
Could not find any alternate solution other than this.
Context: I have a 3rd party application running in an EC2 instance via HTTP, and a CloudFront distribution placed in front for caching and to serve the app via HTTPS.
Website URL: https://elvis.********.com
Problem: I don't have much control over the 3rd party application - but it makes an API call to my app via HTTP. Since the website is hosted over HTTPS, this causes an error: blocked:mixed-content.
(The 3rd party app makes a server call to itself, but via http - See Request URL and Origin)
In this case, shouldn't CloudFront route this API call from HTTP to HTTPS? It is a call to the same URL & server after all.
Wondering if adding a Lambda@Edge function would help (viewer-request | viewer-response | origin-request | origin-response?). But I'm quite skeptical as it looks like the browser blocks the request immediately.
Any insights would be appreciated.
Thanks!
CloudFront does not do the protocol switching or delegation. This error is coming from the browser and it clearly says it does not allow mixed content. To fix this, you need to host your endpoint on HTTPS. If you are using AWS for your endpoint hosting, then it is easy to set up a load balancer with an HTTPS certificate. Or you can set up another CloudFront endpoint for your application origin.
Is there any AWS product that allows proxying HTTP to HTTPS without having to spin up an EC2 instance and set up nginx or whatever?
Tried API Gateway but it seems to only allow HTTPS.
Tried putting CloudFront in front of API Gateway but all it does is redirect the request.
Not sure if there is any way to do what I need? For legacy reasons (which cannot change so don't bother suggesting that) I need a way to expose an HTTP endpoint and internally proxy it to my host through HTTPS.
I was hoping there's a service I could use to avoid having to manage and maintain another instance.
Cheers!
You can't proxy HTTP to HTTPS, that won't work. You must redirect. You mention without having to set up nginx or whatever. Nginx would simply redirect your HTTP request to HTTPS. Same as CloudFront would do. You can use CloudFront to redirect HTTP to HTTPS without using API Gateway.
Reading your question again, your application only listens on 443? If that is the case, use CloudFront or stick a Docker container (nginx) on the EC2 host where your application runs.
I'm using AWS API Gateway with a custom domain. When I try to access https://www.mydomain.com it works perfectly, but when I try http://www.mydomain.com it can't connect.
Is there a way to redirect HTTP -> HTTPS with the custom domain in API Gateway? If not, is there a way to get the http:// links to work just like the https:// links?
API Gateway doesn't directly support http without TLS, presumably as a security feature, as well as for some practical considerations.
There is not a particularly good way to do this for APIs in general, because redirection of a POST request from HTTP to HTTPS is actually a little bit pointless -- the data has already been sent insecurely by the time the redirect is generated, unless the client has asked the server to inspect the request headers before the body is sent, with Expect: 100-continue.
You can create a CloudFront distribution, and configure it to redirect GET and HEAD requests from HTTP to HTTPS... but if you send a POST request to such a distribution, CloudFront doesn't redirect -- it just throws an error, since (as noted) such a redirection would be more harmful than helpful.
However... if GET is your application, then it's pretty straightforward: first, deploy your API with a Regional (not Edge-Optimized) API endpoint with a system-assigned hostname, not a custom domain.
Then, create a CloudFront distribution that uses this regional API endpoint as its origin server, and configure the CloudFront distribution's behavior to redirect HTTP to HTTPS. Associate your custom domain name with the CloudFront distribution, rather than with API Gateway directly.