CloudFront fails to communicate with ELB 502 bad gateway - amazon-web-services

I have an Application Load Balancer with an HTTPS certificate and a few listener rules. In front of it, I deployed a CloudFront distribution that communicates with the load balancer and serves the content on the web. When the origin protocol in CloudFront is HTTP, the communication between the origin and CloudFront works, but when the origin protocol is configured to HTTPS in CloudFront, I get a 502 Bad Gateway error.

To use HTTPS for the connection from CloudFront to the ALB, while still using the ALB's DNS name as the origin, set a custom cache policy in the CloudFront behavior settings.
In the custom cache policy's settings, specify that the Host header is included in the cache key. Refer to the following image:
[Image: Cache key settings]
This way, the ALB will know to use the correct SSL certificate by referring to the hostname defined in the Host header, not the one in the ALB's DNS name. (This assumes that the SSL certificate on the ALB's listener is valid and matches the domain name being used to access CloudFront.)
Quoted from:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/http-502-bad-gateway.html
One of the domain names in the certificate must match one or both of the following values:
1. The value that you specified for Origin Domain Name for the applicable origin in your distribution.
2. The value of the Host header if you configured CloudFront to forward the Host header to your origin.

The DNS name of the ALB is: openn-dev-alb4-1497166043.us-east-1.elb.amazonaws.com
You can't use that domain with HTTPS. Your SSL cert must be set up for your own domain, not the domain provided by AWS. The reason is that you can only have a valid public SSL certificate for a domain that you (or your company) fully control, not for the AWS default ALB domain.
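The rule quoted from the CloudFront documentation above (the origin certificate must carry either the Origin Domain Name or the forwarded Host header value) can be checked before changing the distribution. The following is an added example, not code from the question or answers: it implements the two-name rule with RFC 6125-style wildcard matching, and includes an optional live probe that retrieves the names on the certificate an origin actually serves for a given SNI while still verifying the chain against the system trust store. The ALB DNS name and certificate names in it are constructed sample values, not the poster's.

```python
"""
Added example (not from the original post): check whether an origin
certificate satisfies CloudFront's origin-TLS rule quoted above.

The rule, from the CloudFront 502 troubleshooting page: one of the names
in the origin certificate must match the Origin Domain Name, or the Host
header value if CloudFront is configured to forward the Host header.
All hostnames and certificate names below are constructed sample values.
"""
import socket
import ssl
from typing import Iterable, List, Optional


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a single leading '*' label that
    covers exactly one label of the hostname (no partial-label wildcards)."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if cert_name == hostname:
        return True
    if not cert_name.startswith("*."):
        return False
    # '*.example.com' matches 'www.example.com' but not 'example.com'
    # or 'a.b.example.com'.
    suffix = cert_name[1:]            # '.example.com'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def names_cloudfront_accepts(origin_domain: str, forward_host: bool,
                             viewer_host: Optional[str]) -> List[str]:
    """The hostnames CloudFront is prepared to accept on the origin cert."""
    names = [origin_domain]
    if forward_host and viewer_host:
        names.append(viewer_host)
    return names


def origin_tls_ok(cert_sans: Iterable[str], origin_domain: str,
                  forward_host: bool = False,
                  viewer_host: Optional[str] = None) -> bool:
    """True if any SAN matches any name CloudFront accepts; otherwise
    CloudFront answers the viewer with 502 Bad Gateway."""
    accepted = names_cloudfront_accepts(origin_domain, forward_host, viewer_host)
    return any(hostname_matches(san, name)
               for san in cert_sans for name in accepted)


def fetch_origin_sans(host: str, sni: str, port: int = 443,
                      timeout: float = 5.0) -> List[str]:
    """Live probe (needs network): open a TLS connection to `host`,
    present `sni` as the server name, verify the chain against the
    system trust store, and return the DNS names in the served cert.
    Hostname checking is disabled here only so the names can be
    reported and judged with origin_tls_ok() afterwards."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # the two-name rule is applied by the caller
    ctx.verify_mode = ssl.CERT_REQUIRED  # the chain must still be trusted
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


if __name__ == "__main__":
    # Constructed sample: an ALB reached by its AWS-assigned DNS name,
    # carrying an ACM certificate for the site's own domain.
    alb_dns = "my-alb-1234567890.us-east-1.elb.amazonaws.com"  # sample
    sans = ["example.com", "*.example.com"]                    # sample
    print("HTTPS origin, Host not forwarded:",
          origin_tls_ok(sans, alb_dns))                        # False -> 502
    print("HTTPS origin, Host forwarded   :",
          origin_tls_ok(sans, alb_dns, True, "www.example.com"))  # True
```

To check a real origin, pass the names returned by `fetch_origin_sans(origin_domain, origin_domain)` into `origin_tls_ok()` together with the Origin Domain Name and, if the Host header is forwarded, the domain viewers use; a `False` result is the configuration that produces the 502 described in the question.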

Related

Application Load balancer DNS is working but CloudFront failed to connect Application Load Balancer

My app structure is that the default traffic goes to S3 and traffic to /api goes to the Application Load Balancer for my Node.js API backend. My application has been set up and it works when I test it like: myapplicationloadbalancerDNS:5000.
I have created a CloudFront distribution with Alternate domain names set to my domain name, added one origin (S3), and created a Default (*) behavior for this S3 origin. It works when I test with my domain mydomainname.com.
I'm trying to create another distribution for /api pointing to my ALB. In this setting, my origin domain is the ALB and the protocol is HTTPS only. In its Behaviors settings, I created Path pattern: /api, origin and origin groups is the ALB, viewer is Redirect HTTP to HTTPS, Cache key and origin requests is Legacy cache settings with Include the following headers and Host under Add Header.
Then, when I test my domain on the API link, mydomainname.com/api, I get a 503 error. Even with the link mydomainname.com/api:5000, I get an AccessDenied error.
"In this setting, my origin domain is the ALB and the protocol is HTTPS only"
You have to properly set up HTTPS on the ALB. First, HTTPS works on port 443, not 5000. Then you also need a valid public SSL certificate and your own domain that you associate with the ALB.

Cloudfront with ec2 origin

I set up AWS CloudFront with an EC2 origin but have some problems.
Here are my settings:
1. Alternate Domain Names (CNAMEs): xyz.com.
2. SSL Certificate: created by ACM.
3. Custom SSL Client Support: Clients that Support Server Name Indication (SNI).
4. Origin Domain Name is EC2 Public DNS.
5. Origin Protocol Policy: HTTP only.
6. Minimum Origin SSL Protocol: SSLv3.
7. Viewer Protocol Policy: Redirect HTTP to HTTPS.
8. Allowed HTTP Methods: GET, HEAD.
Problems:
1. When I call the CloudFront domain name, which is a3xxxxxx.cloudfront.net, it redirects to the EC2 public DNS, not the CNAME.
2. I still see in my browser "your connection to this site is not secure".
3. I set Route 53 to the CloudFront DNS but I got the error "too many redirects" in the browser.
I found the problem.
In the behavior part, I have to select "Use legacy cache settings" and, under "Cache Based on Selected Request Headers", select All, because I don't want caching, I just need SSL.
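The "too many redirects" symptom in this thread is consistent with an origin that issues its own HTTP-to-HTTPS redirect while the Origin Protocol Policy is HTTP only: every request from CloudFront arrives over plain HTTP, so the origin redirects again. Forwarding headers, as the accepted fix does, delivers CloudFront-Forwarded-Proto to the origin, and an origin that consults it can tell what the viewer used. The following added example (not code from the post, and the assumption that the poster's origin redirects this way is mine) models both kinds of origin against a constructed request and replays the redirect chain.

```python
"""
Added example (not from the original post): why an origin reached over
plain HTTP from CloudFront can answer every request with a redirect to
HTTPS, and how honouring CloudFront-Forwarded-Proto stops the loop.

CloudFront sets CloudFront-Forwarded-Proto on origin requests only when
the distribution forwards that header (forwarding all headers, as the
fix above does, includes it). The request objects here are constructed
samples.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class Request:
    scheme: str                   # scheme of the CloudFront -> origin leg
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def header(req: Request, name: str) -> str:
    """Case-insensitive header lookup, empty string if absent."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def viewer_was_https(req: Request) -> bool:
    """True if the viewer reached CloudFront over HTTPS: judged by the
    forwarded protocol header when present, by the socket otherwise."""
    proto = header(req, "CloudFront-Forwarded-Proto").lower()
    if proto:
        return proto == "https"
    return req.scheme == "https"


def naive_handler(req: Request) -> Tuple[int, str]:
    """Origin that trusts only the socket scheme. Behind an HTTP-only
    origin protocol policy every request arrives as 'http', so it
    redirects on every request."""
    if req.scheme != "https":
        return 301, f"https://{req.host}{req.path}"
    return 200, "hello"


def proxy_aware_handler(req: Request) -> Tuple[int, str]:
    """Origin that asks what the viewer used before redirecting."""
    if not viewer_was_https(req):
        return 301, f"https://{req.host}{req.path}"
    return 200, "hello"


def follow(handler: Callable[[Request], Tuple[int, str]],
           req: Request, limit: int = 5) -> int:
    """Replay the redirect chain as a browser would and count the hops.
    Reaching `limit` is the browser's 'too many redirects' condition."""
    hops = 0
    while hops < limit:
        status, _ = handler(req)
        if status != 301:
            return hops
        # The browser follows the Location to CloudFront over HTTPS, but
        # CloudFront still speaks plain HTTP to the origin (HTTP only
        # policy), so the origin sees an identical request again.
        hops += 1
    return hops


# Constructed sample: the viewer used HTTPS, the distribution forwards the
# header, and the origin protocol policy is HTTP only.
SAMPLE = Request("http", "xyz.com", "/", {"CloudFront-Forwarded-Proto": "https"})

if __name__ == "__main__":
    print("socket-scheme origin hops:", follow(naive_handler, SAMPLE))       # 5
    print("proxy-aware origin hops  :", follow(proxy_aware_handler, SAMPLE))  # 0
```

A request whose forwarded protocol is `http` still gets the 301 from `proxy_aware_handler`, so the viewer-side redirect to HTTPS is preserved; only the spurious redirect on an already-HTTPS viewer connection disappears.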

Setup of Amazon Cloudfront with EC2 instance as origin and custom domain name

Can you guys help me out in identifying what I am doing wrong in setting up CloudFront for my EC2 instance (web server) for a custom domain of mine?
I am using my domain name (www.example.com) as the origin domain name.
I have also supplied a certificate to CloudFront (*.example.com) using ACM.
The problem I am facing is that when I point my custom domain name to the CloudFront distribution's domain name in Route 53 using an alias record,
my website responds with a 502 error. I'll really appreciate any help. I have explored all the content provided by AWS in this respect but nothing seems to work so far.
Most 502s from CloudFront are caused by the SSL communication between CloudFront and the origin.
CloudFront makes sure that your origin:
1. Has a trusted certificate
2. Ciphers match
3. CloudFront uses the SNI field in the Client Hello, which is set to the Origin domain name. In most cases, if you have a cert on EC2 with a www.example.com CN, you can forward the Host header and it should solve your problem.
If you don't have HTTPS running on the origin, you can select HTTP only in the Origin protocol policy, as it is by default set to Match Viewer.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/http-502-bad-gateway.html

Using CloudFront with a single EC2 instance without a load balancer

I recently migrated my WordPress to an EC2 instance. I attached an Elastic IP address to it and created an A record in my Route 53. But all my requests were HTTP so I wanted to use CloudFront to redirect all my HTTP to https.
I created a CloudFront distribution and now all my HTTP requests are redirected to https. And since my SSL certificate is active, my site is secure.
But now my site (blog.insisivecloud.io) doesn't load and I get a 502 Error which says "CloudFront wasn't able to connect to the origin." I have given the public DNS of the EC2 instance as my origin.
When I go to the public DNS of the EC2 where the blog is hosted it works fine. (ec2-54-167-212-65.compute-1.amazonaws.com)
Where am I going wrong here?
As official documentation says:
For HTTPS viewer requests that CloudFront forwards to this origin, one of the domain names in the SSL certificate on your origin server must match the domain name that you specify for Origin Domain Name. Otherwise, CloudFront responds to the viewer requests with an HTTP status code 502 (Bad Gateway) instead of returning the requested object. For more information, see Requirements for Using SSL/TLS Certificates with CloudFront.

Cloudfront, ELB and SSL

If I use CloudFront to sit in front of a web server, which itself is behind an ELB, would the following apply?
I use Route 53 to create a domain name record for the CF domain and apply an SSL certificate to that domain to secure the distribution.
If CF cannot serve the content from the cache, then the SSL connection is forwarded to the ELB (which fronts the web server as an origin server).
Therefore I also need to use the same domain name (FQDN) on the ELB (via a Route 53 CNAME) and apply the same cert there too?
When CF forwards the request through the ELB, the SSL is terminated.
Is that right? Will one FQDN cert suffice, or is it better to use a wildcard? Is it better to use the origin server domain name instead?
As I can now use the new AWS Certificate Manager tool (ACM) to add these certs, does anyone know if CF still requires the extra cost for use of a custom SSL cert when using ACM (which makes CF an expensive AWS service)?
"If CF cannot serve the content from the cache, then the SSL connection is forwarded to the ELB (which fronts the web server as an origin server)"
The SSL connection is not "forwarded". A new SSL connection is established between CloudFront and the ELB.
The SSL connection between the user and CloudFront is a completely different connection from the one between CloudFront and the ELB. Therefore, there are no requirements on matching the domain names used on the ELB and on CloudFront.
"Therefore I also need to use the same domain name (FQDN) on the ELB (via a Route 53 CNAME) and apply the same cert there too?"
The only restriction is that the SSL certificate on the ELB must match the domain name used on the ELB. It can be a different SSL cert and domain name than those used on CloudFront.
If you want to use the "Custom SSL" feature and support "All Clients", not just those that support SNI, then yes, you must still pay the extra charges, even if you are using ACM.
Example 1
You can create Route 53 records for www.domain.com and origin.domain.com and an SSL cert for *.domain.com. From these, you would assign www.domain.com to the CloudFront distribution, origin.domain.com to your ELB, and use the wildcard cert on both.
Example 2
You can create Route 53 records for www.domain.com and origin.domain.com and separate SSL certs for www.domain.com and origin.domain.com. From these, you would assign www.domain.com to the CloudFront distribution using the www.domain.com cert, and origin.domain.com to your ELB using the origin.domain.com cert.
Example 3
You can create Route 53 records for www.domain1.com and origin.domain2.com and separate SSL certs for www.domain2.com and origin.domain2.com. From these, you would assign www.domain2.com to the CloudFront distribution using the www.domain2.com cert, and origin.domain2.com to your ELB using the origin.domain2.com cert.