Connect cloudfront with Elastic Beanstalk Application - amazon-web-services

I am trying to connect CloudFront with EBS.
What's the setup?
EBS is hosting a Node.js application.
CloudFront origin set to the Elastic Load Balancer and accepts HTTPS only [CloudFront config]
All alternative domains are added correctly.
ACM certificate is added to CloudFront [region US East - N. Virginia]
EC2 instance / EBS is in the region Asia Pacific. ACM certificates installed in the load balancer are from Asia Pacific too.
I am also redirecting HTTP traffic with the help of load balancer listeners.
Security group allows traffic to port 443.
No AWS WAF set.
Origin settings:
It's been a day now.
I am trying continuously.
I am able to set DNS A & AAAA records to the CloudFront distribution using Route 53, getting the dropdown value as well.
I am able to park domains directly to EBS & they work over HTTPS properly.
Getting 502 ERROR: The request could not be satisfied.
Already tried https://aws.amazon.com/premiumsupport/knowledge-center/resolve-cloudfront-bad-request-error/
I doubt my ELB has an ACM certificate from Asia Pacific but the ACM certificate used in CloudFront is from US East, is that causing the issue? I can't change the EBS region now.

It seems that you did not set up HTTPS on your EB, but you are using an HTTPS-only origin. That's why it does not work. You have to have the origin in HTTP, or actually properly set up HTTPS on your EB.

Thanks to #Marcin for finding out my stupid mistake!
It was because of the ELB not accepting the HTTPS-only config from CloudFront.
But I had set listeners to redirect all HTTP traffic to HTTPS, and HTTPS traffic points to my instance.
After finding out the reason mentioned by #Marcin, how I solved the problem:
Changed CloudFront origin request to HTTP only.
Set a custom header:
Then added a new listener rule to the ELB which forwards to my instance if the header matches; it would help EBS differentiate requests from CloudFront and other origins.
Still I was getting the same response; found out the response was from cache. Just had to invalidate the CloudFront cache. And it's done! 😎
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Invalidation.html
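The custom-header listener rule from the answer above, as an added boto3 example (not code from the post). It assumes an Application Load Balancer, placeholder listener and target-group ARNs, an assumed header name X-Origin-Verify, and adds one thing beyond the post: a default action that refuses requests arriving without the header.

```python
"""Restrict an ALB listener to requests carrying CloudFront's custom origin header.
Added example using boto3, not code from the post. Assumes an Application Load
Balancer; the ARNs, header name and rule priority are placeholders."""
import secrets

HEADER_NAME = "X-Origin-Verify"  # assumed name; set the same header on the CloudFront origin


def generate_origin_secret() -> str:
    """Random value CloudFront sends in the header; the ALB rule matches on it."""
    return secrets.token_urlsafe(32)  # 43 URL-safe chars, no ALB wildcard chars (* ?)


def build_forward_rule(listener_arn, target_group_arn, secret, priority=10):
    """Kwargs for elbv2.create_rule: forward to the app only when the header matches."""
    if len(secret) < 16 or any(c in secret for c in "*?"):
        raise ValueError("origin secret too short or contains ALB wildcard characters")
    return {
        "ListenerArn": listener_arn,
        "Priority": priority,
        "Conditions": [{"Field": "http-header",
                        "HttpHeaderConfig": {"HttpHeaderName": HEADER_NAME, "Values": [secret]}}],
        "Actions": [{"Type": "forward", "TargetGroupArn": target_group_arn}],
    }


def build_default_deny(listener_arn):
    """Kwargs for elbv2.modify_listener: requests without the header get a 403."""
    return {
        "ListenerArn": listener_arn,
        "DefaultActions": [{"Type": "fixed-response",
                            "FixedResponseConfig": {"StatusCode": "403", "ContentType": "text/plain",
                                                    "MessageBody": "direct access not allowed"}}],
    }


if __name__ == "__main__":
    import boto3  # imported here so the builders above run without AWS credentials
    listener = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/PLACEHOLDER"
    target = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/PLACEHOLDER"
    secret = generate_origin_secret()
    elbv2 = boto3.client("elbv2", region_name="ap-southeast-1")  # assumed region
    elbv2.create_rule(**build_forward_rule(listener, target, secret))
    elbv2.modify_listener(**build_default_deny(listener))
    print(f"now add custom origin header {HEADER_NAME} = {secret} to the CloudFront origin")
```

The same header value must be configured as a custom origin header on the CloudFront distribution, and a cache invalidation is still needed afterwards, as the answer notes.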

Related

AWS EC2 instance doesn't respond using HTTPS

I have an AWS EC2 instance that sends the response using HTTP. The URL link is as below:
http://ec2-18-233-225-132.compute-1.amazonaws.com:3030/api/status
This works fine with the S3 bucket after the deployment, but CloudFront blocks requests that do not come over HTTPS. How do I make sure that HTTPS also works with this URL:
https://ec2-18-233-225-132.compute-1.amazonaws.com:3030/api/status
Thanks.
The ec2-18-233-225-132.compute-1.amazonaws.com domain belongs to AWS, not you. This means that you can't have a valid SSL certificate for it. You must have your own domain if you want to enforce HTTPS between CF and EC2.
Once you get your domain, you can use https://letsencrypt.org/ to get a valid free SSL cert for it. Alternatively, you can front your instance with a load balancer and get a free SSL cert for your domain using AWS ACM. Then you associate the SSL cert with the LB.
For CloudFront HTTPS handling:
Create a certificate in ACM. Update the CloudFront distribution to use that certificate and set SSL/TLS.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-procedures.html#cnames-and-https-updating-cloudfront
For EC2 HTTPS handling: you need to open the HTTPS port (443). To do that, go to https://console.aws.amazon.com/ec2/ and click on the Security Groups link on the left, then create a new security group with HTTPS also available. Then, just update the security group of the instance.
After these steps, if it's still not working it is an application problem.
You have to configure the Security Group of that instance...
At the left side, down below the EC2 dashboard, you can see Network and Security, then click on Security Group. Click on it... Then edit inbound rules... Add HTTPS, port 443.

HTTPS, AWS ELB, CloudFront & S3

Background: My division of bigcorp.com was sold off and now we are lilcorp.com. We have a fleet of appliances deployed that will be looking for software updates on https://updates.bigcorp.com/, but since we no longer control bigcorp.com, we need to update our appliances to check https://updates.lilcorp.com. bigcorp has given us a cert for updates.bigcorp.com and has a DNS CNAME in place that forwards traffic for updates.bigcorp.com to server.lilcorp.com.
I'm trying to config things like this:
                HTTPS                 HTTPS
Appliance -----------> ELB -----------> CloudFront ----------> S3
           Cert for              Cert for
           updates.              updates.
           bigcorp.              lilcorp.
           com                   com
I've got the following DNS records in place:
updates.bigcorp.com CNAME to server.lilcorp.com
server.lilcorp.com CNAME to ELB
updates.lilcorp.com CNAME to CloudFront.net address
CloudFront is configured to use an S3 bucket as its origin.
Status: Things work if I hit CloudFront directly, but that doesn't help since the appliances are hitting the updates.bigcorp.com address.
Questions:
Can an ELB forward to a CloudFront deployment? I'm not seeing how to make it a "target".
Do I need to put a web server in the middle of this to handle the redirect/forward?
Thanks in advance.
Can an ELB forward to a CloudFront deployment? I'm not seeing how to make it a "target".
No, it cannot. The target (for ALB) can only be a private IP address, a Lambda function, or an instance ID.
Do I need to put a web server in the middle of this to handle the redirect/forward?
Yes, you would need some kind of proxy. With ALB, you could use a Lambda function. So the ALB would invoke a Lambda function, and the function would query the external CloudFront distro and return the results.

Cloudfront throws 504 while connecting to ELB/Elastic Beanstalk

So I have a Next.js application hosted on Elastic Beanstalk (with it exposed on port 3000 in the Dockerfile). Now, I have my domain registered with GoDaddy. I initially had the DNS set up in GoDaddy to point to Elastic Beanstalk. But then I wanted to use CloudFront for CDN/caching.
So, I started configuring CloudFront (using this article). I created the custom SSL certificate and got it verified through DNS as well. I set the origin in CloudFront to point to the ELB.
Now, once the CloudFront distribution was deployed, I tried using the CloudFront URL xxxxx.cloudfront.net but I got a "504 ERROR - The request could not be satisfied" error.
If I go to the ELB URL I am able to access my application. So, I am not sure what the issue is here. If CloudFront is pointed to the ELB and the ELB works, then why would the CloudFront URL not work?
Any advice/recommendations?
If you receive a 504 error you are getting a timeout whilst connecting to the origin.
You should check the following:
Does the security group for the ELB allow inbound traffic from anyone (on port 80/443)? If it does not, CloudFront is blocked.
Have you misconfigured your "Origin Protocol Policy"? By selecting "Match Viewer" it will expect that HTTPS requests that hit CloudFront attempt to connect to the origin via HTTPS.
Does your application have a start time that exceeds the value of the Origin Response Timeout? By default this is 30 seconds.
Ensure the origin is the correct domain name.
There are additional steps to debug a 504 in CloudFront within the HTTP 504 Status Code (Gateway Timeout) page on AWS.

Using CloudFront with a single EC2 instance without a load balancer

I recently migrated my WordPress to an EC2 instance. I attached an Elastic IP address to it and created an A record in my Route 53. But all my requests were HTTP, so I wanted to use CloudFront to redirect all my HTTP to HTTPS.
I created a CloudFront distribution and now all my HTTP requests are redirected to HTTPS. And since my SSL certificate is active, my site is secure.
But now my site (blog.insisivecloud.io) doesn't load and I get a 502 error which says "CloudFront wasn't able to connect to the origin." I have given the public DNS of the EC2 instance as my origin.
When I go to the public DNS of the EC2 where the blog is hosted it works fine. (ec2-54-167-212-65.compute-1.amazonaws.com)
Where am I going wrong here?
As the official documentation says:
For HTTPS viewer requests that CloudFront forwards to this origin, one of the domain names in the SSL certificate on your origin server must match the domain name that you specify for Origin Domain Name. Otherwise, CloudFront responds to the viewer requests with an HTTP status code 502 (Bad Gateway) instead of returning the requested object. For more information, see Requirements for Using SSL/TLS Certificates with CloudFront.

How to configure CloudFront with an EC2 instance and Elastic IP

I have a blog (codeoverflow.in) hosted on an AWS EC2 instance. I am using CloudFront and an ACM certificate to provide SSL for my blog. But when I access codeoverflow.in or www.codeoverflow.in, CloudFront redirects me to the HTTPS version successfully but gives the following error:
The request could not be satisfied. CloudFront wasn't able to connect to the origin. Generated by cloudfront (CloudFront) Request ID: TE89T-COJiVFgBGUpBG_2gWd6Iim3c-svHsborUct49O9Owjb3nl6g==
I have type A and type AAAA alias records for both codeoverflow.in and www.codeoverflow.in in Route 53, all pointing to the CloudFront distribution. A custom SSL certificate is also configured for both domains. As of now I have dissociated the Elastic IP from EC2, but I want to use it as well together with CloudFront and EC2. Please help me to configure all three together.
It looks like you're trying to connect to your origin via HTTPS, but it doesn't sound like you have SSL enabled on your instance.
The easiest thing to do is use a hostname for your origin, i.e. www-origin.codeoverflow.in. Create a load balancer that listens on both 80 & 443, deploy an appropriate cert to that (you may have to create a new one, or create a wildcard) and put your instance behind that listening on port 80. Finally, create an ALIAS record in Route 53 from www-origin to your load balancer.
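The threads on this page all come down to a handful of origin-side mismatches: an HTTPS-only or match-viewer origin policy against a backend with no TLS listener, a certificate whose names do not cover the origin domain (the 502 rule quoted from the documentation, and this last thread), an AWS-owned hostname that no public certificate can be issued for, a security group that does not admit CloudFront, and an application that starts slower than the origin response timeout. The following added example (not code from any post) runs those checks offline against constructed descriptions of the origin and backend; the dict layouts are our own simplification, not the real CloudFront or ELB API shapes.

```python
"""Offline triage of the CloudFront-to-origin failure modes discussed above.
Added example, not code from any post; the dict layouts are a constructed
simplification, not the CloudFront or ELB API shapes."""


def cert_matches(cert_names, host):
    """True if host is covered by a cert CN/SAN; a wildcard covers one label."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower()
        if name.startswith("*."):
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


def triage_origin(origin, backend):
    """Return [(code, explanation)] findings for one CloudFront origin."""
    findings = []
    host, pol = origin["domain"], origin["protocol_policy"]
    # match-viewer uses HTTPS to the origin for every HTTPS viewer request,
    # so it needs a working TLS listener just like https-only does.
    needs_tls = pol in ("https-only", "match-viewer")
    ports_needed = {80, 443} if pol == "match-viewer" else {443} if needs_tls else {80}
    if needs_tls:
        if 443 not in backend["listener_ports"]:
            findings.append(("NO_TLS_LISTENER", "502: origin has no HTTPS listener"))
        elif not cert_matches(backend["cert_names"], host):
            findings.append(("CERT_NAME_MISMATCH", f"502: no cert name matches {host}"))
        if host.endswith(".amazonaws.com"):
            findings.append(("AWS_OWNED_HOSTNAME", "502: no public cert for an AWS-owned name"))
    blocked = ports_needed - backend["sg_inbound_ports"]
    if blocked:
        findings.append(("SG_BLOCKS_CLOUDFRONT", f"504: SG blocks inbound {sorted(blocked)}"))
    if backend["startup_seconds"] > origin.get("response_timeout", 30):
        findings.append(("ORIGIN_TIMEOUT", "504: start-up exceeds origin response timeout"))
    return findings


# Constructed scenario from the first thread: ELB holding a cert for the app's
# own domain, CloudFront pointed at the ELB's amazonaws.com name, https-only.
ELB_BACKEND = {"listener_ports": {80, 443}, "cert_names": ["app.example.com"],
               "sg_inbound_ports": {80, 443}, "startup_seconds": 5}
AS_POSTED = {"domain": "my-env.ap-southeast-1.elb.amazonaws.com",
             "protocol_policy": "https-only", "response_timeout": 30}
AFTER_FIX = dict(AS_POSTED, protocol_policy="http-only")  # the accepted fix

if __name__ == "__main__":
    for label, origin in (("as posted", AS_POSTED), ("after fix", AFTER_FIX)):
        print(label, triage_origin(origin, ELB_BACKEND) or "no findings")
```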