CloudFront with EC2 origin - amazon-web-services

I set up AWS CloudFront with an EC2 origin but have some problems.
Here are my settings:
1. Alternate Domain Names (CNAMEs): xyz.com.
2. SSL Certificate: created by ACM.
3. Custom SSL Client Support: Clients that Support Server Name Indication (SNI).
4. Origin Domain Name: EC2 Public DNS.
5. Origin Protocol Policy: HTTP only.
6. Minimum Origin SSL Protocol: SSLv3.
7. Viewer Protocol Policy: Redirect HTTP to HTTPS.
8. Allowed HTTP Methods: GET, HEAD.
Problems:
1. When I call the CloudFront domain name, which is a3xxxxxx.cloudfront.net, it redirects to the EC2 public DNS, not the CNAME.
2. I still see "your connection to this site is not secure" in my browser.
3. I pointed Route53 at the CloudFront DNS name, but I get the error "too many redirects" in the browser.

I found the problem.
In the behaviour settings I have to select "Use legacy cache settings" and, under "Cache Based on Selected Request Headers", select All, because I don't want caching, I just need SSL.

Related

AWS - Error 502 between CloudFront and EC2 SSL certificate - Mobile App

I have an EC2 instance on which I've installed an SSL certificate via Let's Encrypt.
The instance hosts FastAPI and Gunicorn, which serve as the server for a mobile app.
There's an Elastic IP attached to the EC2 instance.
All inbound and outbound EC2 ports are open.
I have imported into Certificate Manager (east-2 Virginia) the SSL certificate generated by Let's Encrypt.
I have created a hosted zone in Route53, adding a domain (www.example.com) and creating the CAA record (0 issue "letsencrypt.org"), and changed the nameservers in GoDaddy to the ones in the Route53 NS record.
I have created a CloudFront distribution with the Public IPv4 DNS of the EC2 instance as origin, redirecting HTTP to HTTPS, setting the Custom SSL certificate to the one uploaded in Certificate Manager (Let's Encrypt) and adding www.example.com under Alternate domain name (CNAME).
I have added the CloudFront distribution domain name to the A record in Route53.
Given these premises, there is no landing HTML page (like hello world!) on the EC2 instance to be reached when the CloudFront distribution domain name or the domain name is pinged.
However, if I ping it, I get the 502 error (502 ERROR The request could not be satisfied.
CloudFront wasn't able to connect to the origin. We can't connect to the server for this app or website at this time).
The domain was validated in SSL Labs without errors except a "Chain issues: Incorrect order, Extra certs" in the "Additional Certificates" section (not in "Server Key and Certificate #1"), and X-Cache says: Error from CloudFront.
How can I fix the 502 error?
EDIT
I've posted the solution in the comments.
The solution was to keep everything as stated above but:
remove the SSL certificate from the instance;
generate a new SSL certificate in Amazon Certificate Manager (this also implies creating the CNAME validation records for the new certificate in Route 53 and selecting the new certificate in the CloudFront distribution).
At the end the issue was a conflict between the two ssl certificates. Only one had to be kept.

CloudFront fails to communicate with ELB 502 bad gateway

I have an Application Load Balancer with an HTTPS certificate and a few listener rules. In front of it I deployed a CloudFront distribution that communicates with the load balancer and serves the content on the web. When the origin protocol in CloudFront is HTTP, the communication between the origin and CloudFront works, but when the origin protocol is configured as HTTPS in CloudFront, I get a 502 Bad Gateway error.
To use HTTPS for the connection from CloudFront to the ALB while still using the ALB's DNS name as the origin, set a custom cache policy in the CloudFront behavior settings.
In the custom cache policy's settings, specify that the Host header is included in the cache key. Refer to the following image:
Cache key settings
This way, the ALB knows to use the correct SSL certificate by referring to the hostname in the Host header, not the one in the ALB's DNS name (assuming that the SSL certificate on the ALB's listener is valid and matches the domain name used to access CloudFront).
Quoted from:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/http-502-bad-gateway.html
One of the domain names in the certificate must match one or both of the following values:
The value that you specified for Origin Domain Name for the applicable origin in your distribution.
The value of the Host header if you configured CloudFront to forward the Host header to your origin.
The DNS name of the ALB is: openn-dev-alb4-1497166043.us-east-1.elb.amazonaws.com
You can't use that domain with HTTPS. Your SSL cert must be set up for your own domain, not the domain provided by AWS. The reason is that you can only obtain a valid public SSL certificate for a domain that you (or your company) fully control, not for the default ALB domain.

Application Load balancer DNS is working but CloudFront failed to connect Application Load Balancer

My app structure is: default traffic goes to S3 and traffic to /api goes to the Application Load Balancer for my Node.js API backend. My application has been set up and it works when I test it like: myapplicationloadbalancerDNS:5000.
I have created a CloudFront distribution with my domain name as an alternate domain name and added one origin, S3, with a Default (*) behavior pointing to this S3 origin. It works when I test it with my domain mydomainname.com.
I'm trying to create another distribution for /api pointing to my ALB. In this setup, my origin domain is the ALB and the protocol is HTTPS only. In its Behaviors settings, I created the path pattern /api, set the origin to the ALB, set the viewer protocol policy to Redirect HTTP to HTTPS, and under Cache key and origin requests chose Legacy cache settings with "Include the following headers" and added the Host header.
Then, when I test my domain on the API link, mydomainname.com/api, I get a 503 error. Even for the link mydomainname.com/api:5000, I get an AccessDenied error.
On this setting, my origin domain is the ALB and protocal is HTTPS only
You have to set up HTTPS properly on the ALB. First, HTTPS works on port 443, not 5000. Then you also need a valid public SSL certificate and your own domain that you associate with the ALB.

Setup of Amazon Cloudfront with EC2 instance as origin and custom domain name

Can you help me identify what I am doing wrong in setting up CloudFront for my EC2 instance (web server) with a custom domain of mine?
I am using my domain name (www.example.com) as the origin domain name.
I have also supplied a certificate (*.example.com) to CloudFront using ACM.
The problem I am facing is that when I point my custom domain name to the CloudFront domain name in Route53 using an alias record,
my website responds with a 502 error. I'll really appreciate any help. I have explored all the content provided by AWS on this, but nothing seems to work so far.
Most 502s from CloudFront are caused by the SSL communication between CloudFront and the origin.
CloudFront makes sure that your origin:
1. has a trusted certificate;
2. has matching ciphers;
3. CloudFront uses the SNI field in the Client Hello, which is set to the Origin Domain Name. In most cases, if you have a cert on EC2 with CN www.example.com, you can forward the Host header and it should solve your problem.
If you don't have HTTPS running on the origin, you can select HTTP only in Origin Protocol Policy, as by default it is set to Match Viewer.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/http-502-bad-gateway.html

Using CloudFront with a single EC2 instance without a load balancer

I recently migrated my WordPress site to an EC2 instance. I attached an Elastic IP address to it and created an A record in Route 53. But all my requests were HTTP, so I wanted to use CloudFront to redirect all HTTP to HTTPS.
I created a CloudFront distribution and now all my HTTP requests are redirected to HTTPS. And since my SSL certificate is active, my site is secure.
But now my site (blog.insisivecloud.io) doesn't load and I get a 502 error which says "CloudFront wasn't able to connect to the origin." I have given the public DNS of the EC2 instance as my origin.
When I go to the public DNS of the EC2 instance where the blog is hosted, it works fine. (ec2-54-167-212-65.compute-1.amazonaws.com)
Where am I going wrong here?
As official documentation says:
For HTTPS viewer requests that CloudFront forwards to this origin, one of the domain names in the SSL certificate on your origin server must match the domain name that you specify for Origin Domain Name. Otherwise, CloudFront responds to the viewer requests with an HTTP status code 502 (Bad Gateway) instead of returning the requested object. For more information, see Requirements for Using SSL/TLS Certificates with CloudFront.
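The answers above all come back to the same documented rule, quoted twice on this page: CloudFront sends the Origin Domain Name as the TLS SNI and returns 502 unless a name on the origin certificate matches either the Origin Domain Name or, when the behavior forwards the Host header, the viewer's Host. The following is an added example, not code from any of the posts or from AWS, that models that rule in Python (including the one-label wildcard matching that browsers and CloudFront apply) and audits the CustomOriginConfig settings from the first question. The dict keys follow the CloudFront DistributionConfig JSON; the ALB DNS name, certificate names and config values are constructed for the example. One caveat it makes explicit: "HTTP only" as the origin protocol, and the fix of removing the certificate from the instance, both mean the viewer's TLS ends at CloudFront and the CloudFront-to-origin hop crosses the internet in plaintext, so "I just need SSL" is only true for the viewer half of the path.

```python
"""CloudFront custom-origin TLS checks, modelled in Python.

Added example, not code from the page or from AWS. It encodes the rule
quoted from the CloudFront 502 documentation: CloudFront sends the Origin
Domain Name as SNI and returns 502 unless a name on the origin's
certificate matches the Origin Domain Name or, when the Host header is
forwarded, the viewer's Host. It also audits the CustomOriginConfig
settings (OriginProtocolPolicy, OriginSslProtocols) that decide whether
the CloudFront -> origin hop is encrypted at all. Dict keys follow the
CloudFront DistributionConfig JSON; all sample values are constructed.
"""
from __future__ import annotations

# Protocol versions CloudFront still lets you enable for the origin hop
# but that no current guidance considers acceptable.
WEAK_ORIGIN_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def hostname_matches(cert_name: str, host: str) -> bool:
    """Match one certificate DNS name (CN or SAN) against a hostname.

    A wildcard is honoured only as the whole left-most label and only for
    exactly one label: *.example.com matches www.example.com but neither
    example.com nor a.b.example.com. Comparison is case-insensitive and
    ignores a trailing dot.
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def origin_tls_would_succeed(cert_names: list[str], origin_domain_name: str,
                             viewer_host: str | None = None,
                             forward_host_header: bool = False) -> bool:
    """True if CloudFront would accept the origin certificate (no 502).

    The names CloudFront accepts are the Origin Domain Name (also what it
    sends as SNI) and, only when the behavior forwards the Host header,
    the viewer's Host value.
    """
    acceptable = [origin_domain_name]
    if forward_host_header and viewer_host:
        acceptable.append(viewer_host)
    return any(hostname_matches(name, target)
               for name in cert_names for target in acceptable)


def audit_custom_origin(custom_origin_config: dict) -> list[str]:
    """Return human-readable findings for a CustomOriginConfig block."""
    findings: list[str] = []
    policy = custom_origin_config.get("OriginProtocolPolicy")
    protocols = set(custom_origin_config.get("OriginSslProtocols", {}).get("Items", []))
    if policy == "http-only":
        findings.append(
            "OriginProtocolPolicy=http-only: viewer TLS terminates at CloudFront and "
            "the CloudFront -> origin hop crosses the internet in plaintext")
    elif policy == "match-viewer":
        findings.append(
            "OriginProtocolPolicy=match-viewer: plain-HTTP viewer requests (if the "
            "viewer policy allows them) also reach the origin in plaintext; prefer https-only")
    weak = sorted(protocols & WEAK_ORIGIN_PROTOCOLS)
    if weak and policy != "http-only":
        findings.append(
            f"weak OriginSslProtocols enabled ({', '.join(weak)}); allow TLSv1.2 only")
    return findings


# Constructed sample: the first question's origin settings (HTTP only,
# minimum origin protocol SSLv3) beside a hardened equivalent.
QUESTION_ONE_ORIGIN = {
    "HTTPPort": 80, "HTTPSPort": 443,
    "OriginProtocolPolicy": "http-only",
    "OriginSslProtocols": {"Quantity": 1, "Items": ["SSLv3"]},
}
HARDENED_ORIGIN = {
    "HTTPPort": 80, "HTTPSPort": 443,
    "OriginProtocolPolicy": "https-only",
    "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]},
}

# Constructed hostnames: an ALB default DNS name and a certificate issued
# for the customer's own domain only (no public CA issues for *.elb.amazonaws.com).
ALB_DNS = "my-alb-123456789.us-east-1.elb.amazonaws.com"
CUSTOMER_CERT_NAMES = ["www.example.com", "example.com"]

if __name__ == "__main__":
    # Origin = ALB DNS name, cert only for example.com: 502 unless Host is forwarded.
    print(origin_tls_would_succeed(CUSTOMER_CERT_NAMES, ALB_DNS))
    print(origin_tls_would_succeed(CUSTOMER_CERT_NAMES, ALB_DNS,
                                   viewer_host="www.example.com",
                                   forward_host_header=True))
    for finding in audit_custom_origin(QUESTION_ONE_ORIGIN):
        print("-", finding)
```

For the live equivalent of `origin_tls_would_succeed`, connect to the origin the way CloudFront does, with `openssl s_client -connect <origin>:443 -servername <Origin Domain Name>`, and compare the subject and subjectAltName of the certificate actually presented under that SNI against the two acceptable names; a chain that SSL Labs reports as out of order or carrying extra certificates is worth fixing at the same time, since CloudFront is stricter than most browsers about building the chain.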