I recently migrated my WordPress to an EC2 instance. I attached an Elastic IP address to it and created an A record in my Route 53. But all my requests were HTTP so I wanted to use CloudFront to redirect all my HTTP to https.
I created a CloudFront distribution and now all my HTTP requests are redirected to https. And since my SSL certificate is active, my site is secure.
But now my site (blog.insisivecloud.io) doesn't load and I get a 502 Error which says "CloudFront wasn't able to connect to the origin." I have given the public DNS of the EC2 instance as my origin.
When I go to the public DNS of the EC2 where the blog is hosted it works fine. (ec2-54-167-212-65.compute-1.amazonaws.com)
Where am I going wrong here?
As official documentation says:
For HTTPS viewer requests that CloudFront forwards to this origin, one of the domain names in the SSL certificate on your origin server must match the domain name that you specify for Origin Domain Name. Otherwise, CloudFront responds to the viewer requests with an HTTP status code 502 (Bad Gateway) instead of returning the requested object. For more information, see Requirements for Using SSL/TLS Certificates with CloudFront.
Related
I have a EC2 Instance in which I've installed an SSL certificate via LetsEncrypt
The Instance hosts a FastApi and Gunicorn which serves as server for a mobile app
There's an elastic IP attached to the EC2 instance
All inbounds and outbounds EC2 ports are opened
I have imported in the Certificate Manager (east-2 Virginia) the SSL certificate generated by LetsEncrypt
I have created an hosted zone in Route53 adding a domain (www.example.com) and creating the CAA (0 issue "letsencrypt.org") + changed the nameservers in godaddy as per the ones in the Route53 NS
I have created a CloudFront distribution having as origin the Public IPv4 DNS of the EC2 instance, redirecting HTTP to HTTPS, setting the Custom SSL certificate equal to the one uploaded in the Certificate Manager (LetsEncrypt) and in the Alternate domain name (CNAME) added the www.example.com
I have added in Route53, in the A record, the CloudFront Distribution domain name
Given these premises, in the EC2 instance there is not a landing html page (like hello world!) to be reached if the CloudFront Distribution domain name or the domain name is pinged.
However, If I ping it, I get the 502 error (502 ERROR The request could not be satisfied.
CloudFront wasn't able to connect to the origin. We can't connect to the server for this app or website at this time).
The domain was validated in the SSLlab without throwing errors except a "Chain issues Incorrect order, Extra certs" in the "Additional Certificates section" (not in the "Server Key and Certificate #1") and the X-Cache says: Error from CloudFront.
How can I fix the 502 error?
EDIT
I've posted the solution in the comment
The solution was to keep everything as above stated but:
remove the ssl certificate from the instance
generate a new ssl certificate in Certificate Manager from Amazon (this also implies creating records in Route 53 of the CNAME of the new certificate and selecting the new certificate in the Cloudfront distribution).
At the end the issue was a conflict between the two ssl certificates. Only one had to be kept.
My app structure is like the default traffic goes to S3 and traffic to /api will go to the application load balancer for my Node.js app API backend. My application has been set up and it's working when I test it like: myapplicationloadbalancerDNS:5000.
I have created a CloudFront with Alternate domain names with my domain name and add one origin - S3, and create a Default(*) to this S3 origin. It's working when I test with my domain mydomainname.com
I'm trying to create another distruibution to /api pointing to my ALB. On this setting, my origin domain is the ALB and protocal is HTTPS only. On its Behaviors setting, I created Path pattern: /api, origin and origin groups is the ALB, viewer is Redirect HTTP to HTTPS, Cache key and origin requests is Legacy cache settings with Include the following headers and Host on Add Header.
Then, when I test my domain on api link, mydomainname.com/api, I got 503 error. Even the link, mydomainname.com/api:5000, I got AccessDenied error.
On this setting, my origin domain is the ALB and protocal is HTTPS only
You have to properly setup https on the ALB. First, HTTPS works on port 443, not 5000. Then you also need a valid public SSL certificate and your own domain that you associate with the ALB.
So I have a NextJS application hosted on Elastic Beanstalk (with it exposed on port 3000 in the docker file). Now, I have my domain registered with Godaddy. I initially had the DNS setup in Godaddy to point to Elastic Beanstalk. But then I wanted to use cloudfront for CDN/Caching.
So, I started configuring Cloudfront (using this article). I created the custom SSL certificate and got it verified through DNS as well. I set the origin in cloudfront to points to ELB.
Now, once the cloudfront distribution was deployed, I tried using the cloudfront URL xxxxx.cloudfront.net but I got a "504 ERROR - The request could not be satisfied" error.
If I go to the ELB URL I am able to access my application. So, I am not sure what's the issue here. If the cloudfront is pointed to ELB and ELB works then why would cloudfront URL won't work.
Any advice/recommendations?
If you receive a 504 error you are getting a timeout whilst connecting to the origin.
You should check the following:
Does the security group for the ELB allow inbound traffic from anyone (on port 80/443)? If it does not CloudFront is blocked.
Have you misconfigured your "Origin Protocol Policy", by selecting "Match Viewer" it will expect that HTTPS requests that hit CloudFront attempt to connect to the origin via HTTPS.
Does your application have a start time that exceeds the value of the Origin Response Timeout? By default this is 30 seconds.
Ensure the origin is the correct domain name.
There are additional steps to debug a 504 in CloudFront within the HTTP 504 Status Code (Gateway Timeout) page on AWS.
I am trying to setup HTTPS across my app which consists in a frontend (S3 bucket distributed with CloudFront), and a backend (node.js app inside Elastic Beanstalk).
For the CloudFront part, I created an SSL certificate in N. Virginia (apparently I don't have a choice here) and I made the binding in the CloudFront distribution. It works and my app is served over HTTPS.
For the Elastic Beanstalk part, I created an SSL certificate in Ireland (where my EBS app is hosted) and I bound this certificate to the EBS load balancer using the port 443. It works and I can reach my server with HTTPS using Postman.
However, when my frontend tries to make an API call to the backend I get this error :
I guess I made a mistake while creating the certificates, but I cannot find it. I gave both certificates the same set of CNAMES, I am not sure if I am supposed to do that.
EDIT :
I get the exact same error after updating the frontend so that it points the DName of the load balancer (also mapped to subdomain with Route 53).
CloudFront is attempting to load an HTTPS URL from your load balancer. I assume you have an SSL certification assigned to the load balancer. The domain name of the SSL certificate on the load balancer needs to match the domain name that CloudFront is requesting.
For example if the load balancer's SSL certificate is something like beanstalk.mydomain.com then CloudFront would need to be making requests for https://beanstalk.mydomain.com. The error CloudFront is giving you says that the domain name of the SSL certificate served by the load balancer does not match the domain name djumbo-back-debug.eu-west-1.elasticbeanstalk.co.
You need to setup something like the following:
DNS Name www.mydomain.com points to CloudFront Distribution
Configured to serve www.mydomain.com
Configured with an SSL certificate for the domain www.mydomain.com
Configure to pull from the origin beanstalk.mydomain.com
DNS Name beanstalk.mydomain.com points to Elastic Beanstalk application
With a Load Balancer, with an SSL certificate for beanstalk.mydomain.com
I have a blog(codeoverflow.in) hosted on aws-ec2 instance. I am using cloudfront and acm certificate to provide ssl for my blog. But when I access codeoverflow.in or www.codeoverflow.in, cloudfront redirect me to https version successfully but gives the following error:
The request could not be satisfied. CloudFront wasn't able to connect
to the origin. Generated by cloudfront (CloudFront) Request ID:
TE89T-COJiVFgBGUpBG_2gWd6Iim3c-svHsborUct49O9Owjb3nl6g==
I have type A and type AAAA alias records for both codeoverflow.in and www.codeoverflow.in in route 53, all pointing to cloudfront distribution.custom ssl certificate is also configured for both domains.as of now I have dissociated elastic ip from ec2, but I want to use it as well together with cloudfront and ec2. Please help me to configure all three together.
It looks like you're trying to connect to your origin via HTTPS, but it doesn't sound like you have SSL enabled on your instance.
The easiest thing to do is use a hostname for your origin - i.e. www-origin.codeoverflow.in. Create a load balancer that listens on both 80 & 443, deploy an appropriate cert to that (you may have to create a new one, or create a wildcard) and put your instance behind that listening on port 80. Finally, create an ALIAS record in Rour53 from www-origin to your load balancer.