I'm using OAuth2 with my PHP EC2 server.
From my frontend client hosted in S3, I'm making requests to my Elastic Beanstalk EC2 server (both frontend and backend are served through CloudFront with an SSL cert).
These requests are sent with the required access token header as the Authorization: header ...
It seems CloudFront strips these headers, as I'm getting this error:
error_description: "The request is missing a required parameter,
includes an invalid parameter value, includes a parameter more than
once, or is otherwise malformed. Check the "access token" parameter."
I'm trying to "whitelist" this header through CloudFront as instructed by this documentation but find it very confusing. Where in CloudFront can I actually add the Authorization header to accept?
Part of the docs say:
You can configure each cache behavior in a web distribution to do one
of the following:
Forward all headers to your origin
But I've already done this when I set it up:
You need to specifically whitelist the headers you want; otherwise choosing None (Improves Caching) strips the headers that are needed:
I am writing a serverless website using Amazon Web Services S3, Lambda, and the HTTP API Gateway, not the REST API Gateway. I am trying to set a cookie with one of my lambda functions and it works when I hit the lambda function directly using the lambda function URL, but when I hit the URL using the HTTP API Gateway, the Set-Cookie header is stripped off. The body and all other custom headers are present, but the Set-Cookie header is just gone.
I've tried with and without the domain=***.com in the header and that doesn't make a difference.
I've tried messing with CORS and enabling Access-Control-Allow-Credentials. I've set Access-Control-Allow-Origin to the correct domain name. I've tried both set-cookie and * for Access-Control-Allow-Headers and Access-Control-Expose-Headers. Although I don't think CORS really matters because I'm using Postman and my understanding is it doesn't require CORS.
Does the HTTP API Gateway just not support setting cookies? It would be great if that was documented somewhere.
I forgot that I was using CloudFront. By default CloudFront does not forward cookies to or from the origin, so I had to set the CloudFront caching policy to allow that. More information here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Cookies.html
I have a Next.js application running in an AWS EC2 instance. The application includes static pages and APIs for login. Now, I am trying to set up an AWS CloudFront distribution. However, I am facing a challenge because CloudFront removes the Set-Cookie header from the login API response and it's breaking the login functionality.
Below is the reference of the cache behavior setup in which I have disabled caching for the /api/* path.
Precedence | Path pattern | Cache policy name
0          | /api/*       | Managed-CachingDisabled
1          | Default (*)  | Managed-CachingOptimized
After referring to the AWS docs https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Cookies.html, I have noticed that it's possible to forward cookies from the viewer to the origin.
But it's still not clear to me:
How to forward the Set-Cookie header from the origin response to the viewer.
Why CloudFront removes the Set-Cookie header for the path /api/*, for which caching has been disabled.
Appreciate any help on this. Thanks.
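Added example, not from any of the posts above: a small Python audit of one CloudFront cache behavior, covering both the Authorization whitelist in the first question and the cookie forwarding behind the Set-Cookie questions. The policy dicts are constructed stand-ins shaped like the CloudFront API's GetCachePolicy / GetOriginRequestPolicy output, not the real definitions of the AWS managed policies.

```python
# Stand-in for a "caching disabled" cache policy: no headers or cookies in the
# cache key, so the cache policy itself forwards neither to the origin.
CACHING_DISABLED = {
    "ParametersInCacheKeyAndForwardedToOrigin": {
        "HeadersConfig": {"HeaderBehavior": "none"},
        "CookiesConfig": {"CookieBehavior": "none"},
    }
}

# Constructed cache policy that whitelists Authorization and forwards all cookies.
API_POLICY = {
    "ParametersInCacheKeyAndForwardedToOrigin": {
        "HeadersConfig": {
            "HeaderBehavior": "whitelist",
            "Headers": {"Quantity": 1, "Items": ["Authorization"]},
        },
        "CookiesConfig": {"CookieBehavior": "all"},
    }
}

# Constructed origin request policy that forwards every viewer cookie.
ALL_VIEWER_COOKIES = {"CookiesConfig": {"CookieBehavior": "all"}}


def whitelisted_headers(params):
    """Headers (lower-cased) that a cache policy adds to the cache key and forwards."""
    cfg = params.get("HeadersConfig", {})
    if cfg.get("HeaderBehavior") != "whitelist":
        return set()
    return {h.lower() for h in cfg.get("Headers", {}).get("Items", [])}


def audit_behavior(cache_policy, origin_request_policy=None, needs_auth=True):
    """Return the findings for one cache behavior that fronts an API origin."""
    findings = []
    params = cache_policy["ParametersInCacheKeyAndForwardedToOrigin"]
    orp = origin_request_policy or {}
    if needs_auth and "authorization" not in whitelisted_headers(params):
        # The first answer above: the header has to be whitelisted explicitly.
        findings.append("Authorization header is not whitelisted in the cache policy")
    cookie_modes = {
        params["CookiesConfig"]["CookieBehavior"],
        orp.get("CookiesConfig", {}).get("CookieBehavior", "none"),
    }
    if cookie_modes == {"none"}:
        # With no cookie forwarding CloudFront drops Cookie on the request and
        # Set-Cookie on the response, which is the symptom in the Next.js question.
        findings.append("no cookies forwarded: Cookie and Set-Cookie headers are removed")
    return findings
```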
I have an AWS Lambda set up using Node.js to basically receive a request with query parameters, trigger another HTTPS request and then send the response back.
Configuration for this otherwise is essentially default.
I have then added a trigger to this lambda in the form of an API Gateway HTTP API (not REST API).
I have managed to get the API itself to work, however I am getting blocked with the usual CORS issues. (I verified the path with Moesif CORS and origin changer to make sure everything else works, and it does.)
My CORS configuration in API Gateway is basically set to have
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
Access-Control-Expose-Headers: No Expose Headers are allowed
Access-Control-Max-Age: 0 seconds
Access-Control-Allow-Credentials: No
I keep finding different pages explaining how to enable CORS and so on, but they mostly seem to be either for an old version of the configuration or for REST APIs, which look to be quite different.
As it stands, I get this error, so I am never allowed to use my API:
Access to fetch at 'https://path.to.my.api?query1=a' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
I would want to either allow all origins or disable CORS completely for this really.
Disclaimer: I am quite new to the whole aws infrastructure so some terminology related to it might still be not yet understood.
Edit 1:
After some more digging, I have realised that the call that is failing with the CORS error is the first of the two calls happening.
That is to say, this is the call that is ending up on my Google domain (which normally would redirect temporarily to my AWS gateway; this was set up following instructions on AWS to make a "synthetic record" in the domain settings to return a 302 to the execute-api.eu-central-1.amazonaws.com URL), not the call that returns the actual data.
Edit 2:
I have tried adding a route in my API Gateway for OPTIONS on the same path, pointed to my lambda, which returns the appropriate headers when triggered; however this doesn't seem to get called at all in this case. So I imagine API Gateway is trying to handle it on its own but failing somehow.
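Added example, not from the question above: a Lambda proxy handler for an HTTP API route (payload format 2.0) that answers a preflight and echoes an allow-listed Origin instead of `*`, so that credentials can be used; the `cookies` list is how a payload-format-2.0 response carries Set-Cookie, which also relates to the earlier cookie question. The origin list and the session cookie value are constructed; when the HTTP API's own CORS configuration is enabled, API Gateway answers OPTIONS itself and the OPTIONS branch here is only reached when the route is invoked directly.

```python
import json

# Constructed allow-list; an explicit list is what lets a specific origin be echoed.
ALLOWED_ORIGINS = {"http://localhost:3000", "https://app.example.com"}


def cors_headers(origin):
    """Echo one allow-listed origin rather than '*' so credentialed requests work."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # cache entries must be keyed by Origin once it is echoed
        "Access-Control-Allow-Methods": "GET,OPTIONS",
        "Access-Control-Allow-Headers": "Authorization,Content-Type",
        "Access-Control-Allow-Credentials": "true",
    }


def handler(event, context=None):
    """Lambda proxy integration handler for an HTTP API route (payload format 2.0)."""
    method = event["requestContext"]["http"]["method"]
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    cors = cors_headers(headers.get("origin", ""))
    if method == "OPTIONS":
        # Preflight: succeed only for an allow-listed origin, otherwise refuse it.
        return {"statusCode": 204 if cors else 403, "headers": cors}
    query = event.get("queryStringParameters") or {}
    return {
        "statusCode": 200,
        "headers": {"Content-Type": "application/json", **cors},
        # Set-Cookie values go in the cookies list for payload format 2.0.
        "cookies": ["session=constructed-value; HttpOnly; Secure; SameSite=Lax"],
        "body": json.dumps({"echo": query.get("query1")}),
    }
```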
I'm using AWS MediaPackage and AWS CloudFront to serve video on demand.
Due to security reasons, I have CDN authorization for my packaging group in MediaPackage and it works, which means all assets are available only from CloudFront. But for more security, I need to restrict access by using signed URLs. When I enable this feature in the CloudFront console, the restriction works fine and my URLs return 403 Forbidden. When I sign a URL, I don't receive 403, but the problem is streaming is not working anymore, which means I have the error below in my browser's console:
Access to XMLHttpRequest at 'https://xxxxxxxxxx.cloudfront.net/out/v1/xxxxxxxxxxxxxxx.m3u8' from origin '127.0.0.1:8000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
CORS policy is irrelevant here. I think the main issue is that the player you are using is not requesting the child manifest with a signed URL, or the signature used in the signed URL is invalid.
Can you check, in debug mode, whether the URL requesting "https://xxxxxxxxxx.cloudfront.net/out/v1/xxxxxxxxxxxxxxx.m3u8" includes Expires, Signature and Key-Pair-Id?
Each manifest and segment has a different base URL. This means the signature used in the signed URL is different. You have to make sure your player uses the correct signature during playback.
Thanks,
Sam
I am trying to get an object from AWS S3 via CloudFront but I'm running into CORS problems.
As far as I understand it, my request to CloudFront includes a header entitled Origin which tells the server where the request is coming from. When CloudFront requests the object, S3 returns the object along with headers based upon S3's CORS configuration. Among these headers is Access-Control-Allow-Origin, which specifies to the browser which origins are allowed to access the object.
My problem is that I need to support dynamic subdomains in my CORS configuration, so I've configured CORS in S3 like so:
<AllowedOrigin>*</AllowedOrigin>
But since I'm using the Access-Control-Allow-Credentials: true header, wildcards are not permitted.
Now, according to this article, which states:
In other words, there are 2 ways for resources to be shared with multiple Origins:
Server returns Access-Control-Allow-Origin: * in HTTP response header
Server dynamically generates Access-Control-Allow-Origin based on the Origin specified in the HTTP request header (this is what S3 does)
S3 should be able to look at my Origin header and return its value as Access-Control-Allow-Origin, thus preventing any errors regarding the wildcard character. But all I get back from S3 is Access-Control-Allow-Origin: *.
What can I do to get S3 to mirror my Origin as the value of Access-Control-Allow-Origin?
The article is a little old so I imagine S3 has updated how they handle these headers since 2013, but is there still a way to do this?
NOTE: This is a rails application using aws-sdk-ruby V2
I found the answer in another question here. S3 has updated how this works and you must now use the following configuration to have S3 mirror your Origin.
<AllowedOrigin>http://*</AllowedOrigin>
<AllowedOrigin>https://*</AllowedOrigin>
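Added example, not from the question or answer above: a Python model of how an S3 CORS rule resolves the Access-Control-Allow-Origin value, contrasting the bare `*` (returned literally, and useless with credentials) with the scheme-prefixed wildcard from the answer, which echoes the request Origin. The CORS XML is constructed inline; the matching follows S3's rule that AllowedOrigin carries at most one `*`.

```python
import xml.etree.ElementTree as ET

# Constructed S3 CORS configuration in the XML shape S3 accepts; the origins are
# the scheme-prefixed wildcard form from the answer above.
CORS_XML = """<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>http://*</AllowedOrigin>
    <AllowedOrigin>https://*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
  </CORSRule>
</CORSConfiguration>"""


def parse_rules(xml_text):
    """Turn a CORSConfiguration document into a list of {origins, methods} rules."""
    root = ET.fromstring(xml_text)
    return [{"origins": [o.text for o in rule.findall("AllowedOrigin")],
             "methods": [m.text for m in rule.findall("AllowedMethod")]}
            for rule in root.findall("CORSRule")]


def origin_matches(pattern, origin):
    """Match an Origin against an AllowedOrigin, which may hold one '*' wildcard."""
    if pattern.count("*") > 1:
        raise ValueError("AllowedOrigin may contain at most one *")
    head, star, tail = pattern.partition("*")
    if not star:
        return origin == pattern
    return (len(origin) >= len(head) + len(tail)
            and origin.startswith(head) and origin.endswith(tail))


def allow_origin_value(rules, origin, method):
    """Header value the first matching rule yields: '*' for a bare wildcard,
    otherwise the request Origin is mirrored back; None when nothing matches."""
    for rule in rules:
        if method not in rule["methods"]:
            continue
        for pattern in rule["origins"]:
            if origin_matches(pattern, origin):
                return "*" if pattern == "*" else origin
    return None


def credentials_usable(value):
    """Browsers reject Access-Control-Allow-Credentials: true when the origin is '*'."""
    return value is not None and value != "*"
```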