I'm hosting my website on AWS through S3 with Cloudfront. I've noticed that Googlebot and also Apex Ping detect 403 errors when accessing my website. When I access it myself I don't see any 4xx or any 5xx errors in the network tab with Chrome Developer Tools enabled. I'm wondering what might be causing it.
My suspicion is that it may be a Cloudfront configuration. Specifically I've enabled Custom SSL Certificate and am using an AWS generated certificate (ACM). With this option I'm forced to use the Only Clients that Support Server Name Indication (SNI) configuration. Is this potentially causing the breakage? My understanding is that Googlebot supports SNI as per this post so I'm a bit perplexed as to what might be causing the 403s.
Your website is currently giving me the following error:
ERROR
The request could not be satisfied.
The Amazon CloudFront distribution is configured to block access from your country.
Generated by cloudfront (CloudFront)
Request ID: 5i6brNX28KLeWWp8CJ6oSLv96aggZCxlSsMtc6gvZ3I8STS3mtmS9g==
Googlebot and Apex Ping are probably seeing the same response.
So the problem may be that you need to open up more countries in your configuration. This is done on the "Geo-Restriction Settings" page. If your website doesn't need to be Geo Restricted, then don't: set "Enable Geo-Restriction" to "No".
Related
I deployed Spring Boot to AWS EC2 and Vue.js to S3 with CloudFront.
Requests to EC2 from my locality are performed normally.
However, requesting EC2 through CloudFront results in a 403 Access Denied on the web, without a server response.
It is requested through the Vue.js proxy, and all settings such as security policies have been completed.
What is the problem?
There could be multiple issues with it. Follow the steps below to debug it:
Ensure that your APIs are working without CloudFront. Try to access the APIs hosted on the EC2 instance directly. (You have to open them up to the public before using them from CloudFront, so ensure that ports are open, etc.)
Check the cache settings. For the API path (behaviour) it should be no-cache.
Make sure the behaviours are set up correctly in the CloudFormation. Behaviour configuration sets the paths/routes of incoming requests and maps them to origins.
Enable logging for CloudFront and analyse that.
CloudFront doesn't translate the error messages exactly, for security reasons. If an object or path doesn't exist, CF will show 403 rather than 404. This is to prevent exploits that identify which HTTP resources exist and which do not.
Update your question with your findings, which will help others to share solutions.
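As an added example (not code from either answer above, and not an AWS tool), the following Python script shows how the log analysis suggested in the debugging steps separates the two causes named on this page: a 403 blocked at the edge by Geo-Restriction Settings, as in the first answer, versus a 403 that the origin itself returned (a private S3 bucket answers 403 for a missing key, which is the 403-instead-of-404 behaviour described above). It parses CloudFront standard access logs by reading the `#Fields` header, so it also runs on real (gunzipped) log files; the embedded log lines are constructed, and only a subset of the real columns is included.

```python
"""Triage CloudFront 403s from standard access logs by edge result type.
Added example; not code from the answers above or from AWS. The log sample is
constructed and keeps only a subset of CloudFront's real columns; the parser
reads whichever columns the #Fields header declares, so it works on real logs
too (gunzip them first)."""
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample. Column names are real CloudFront standard-log field names;
# every value is made up. Real logs carry many more columns than shown here.
SAMPLE_LOG = (
    "#Version: 1.0\n"
    "#Fields: date time x-edge-location sc-status cs(Host) cs-uri-stem cs(User-Agent) "
    "x-edge-result-type x-edge-detailed-result-type\n"
    "2024-01-01\t10:00:00\tSIN2-C1\t403\td111111abcdef8.cloudfront.net\t/\t"
    "Mozilla/5.0%20(compatible;%20Googlebot/2.1)\tError\tClientGeoBlocked\n"
    "2024-01-01\t10:00:01\tIAD89-C1\t200\td111111abcdef8.cloudfront.net\t/\t"
    "Mozilla/5.0%20Chrome/120\tHit\tHit\n"
    "2024-01-01\t10:00:02\tSIN2-C1\t403\td111111abcdef8.cloudfront.net\t/status\t"
    "ApexPing/1.0\tError\tClientGeoBlocked\n"
    "2024-01-01\t10:00:03\tIAD89-C1\t403\td111111abcdef8.cloudfront.net\t/missing.html\t"
    "Mozilla/5.0%20Chrome/120\tError\tError\n"
)

GEO_BLOCKED = "geo-restriction"  # blocked at the edge by Geo-Restriction Settings
ORIGIN_ERROR = "origin-error"    # origin answered 403 (private S3 bucket does so for a missing key)
OTHER = "other"


def parse_cloudfront_log(text):
    """Parse W3C-style CloudFront standard log text into a list of dicts."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # #Version and other directives
            continue
        if fields is None:
            raise ValueError("log record appeared before the #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def classify_403(record):
    """Map one 403 record to a likely cause using the edge result columns."""
    detail = record.get("x-edge-detailed-result-type", "")
    if detail == "ClientGeoBlocked":
        return GEO_BLOCKED
    if record.get("x-edge-result-type") == "Error" and detail == "Error":
        return ORIGIN_ERROR
    return OTHER


def summarize_403s(records):
    """Count 403s by cause, and by (cause, user agent) so bot-only failures stand out."""
    by_cause = Counter()
    by_agent = defaultdict(Counter)
    for rec in records:
        if rec.get("sc-status") != "403":
            continue
        cause = classify_403(rec)
        by_cause[cause] += 1
        # User agents are URL-encoded in CloudFront logs; decode for readability.
        by_agent[cause][unquote(rec.get("cs(User-Agent)", "-"))] += 1
    return by_cause, by_agent


if __name__ == "__main__":
    by_cause, by_agent = summarize_403s(parse_cloudfront_log(SAMPLE_LOG))
    for cause, n in by_cause.items():
        print(f"{cause}: {n}")
        for agent, m in by_agent[cause].most_common():
            print(f"    {m:>3}  {agent}")
```

Grouping by user agent is what makes the symptom in the first question visible: a crawler or uptime monitor that always arrives at an edge in a restricted region fails every time, while the site owner's own browser traffic from an allowed country shows nothing but 200s.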
I recently set up cloudfront on my s3 bucket with a custom domain to redirect http to https.
I am seeing this work perfectly fine in chrome and firefox on my desktop computer. But when I try to load it in safari, any browser on my ios device, or cURL - https requests hang forever, and http requests load but don't redirect as expected.
At the time of writing this, you can see this behavior with the url:
http://storage.flowtoys.com/poi4.png
(correctly redirecting in chrome + firefox, but not safari)
https://storage.flowtoys.com/poi4.png (loading securely in chrome + firefox, but hanging for ever in safari)
I have a configuration that is virtually the same for a different s3 bucket, and it is correctly redirecting to https in safari: http://app.flowtoys.com/index.html
These two URLs have separate but virtually identical SSL certificates (the only difference is the subdomain), both requested through AWS Certificate Manager. They have the same settings on the S3 buckets (public read), the same settings in the certificate, and the same settings in the CloudFront distributions.
I can't figure out why they are behaving differently.
Does anyone have any idea what's going on here?
I believe that one of AWS's load balancers had an incorrect configuration somewhere down the line. It seemed like people in Asia were experiencing this issue, and people in the US were not.
I ended up removing and deleting the SSL certificate in AWS. I then created a new one, and attached it to the same CloudFront distribution exactly as before, and then after some number of hours, everything was working as expected everywhere.
I have a client requirement for whitelabelling, for which I need to forward all requests at hello.example.com to data.value.com.
The url in the browser will show hello.example.com but the page loaded will be of data.value.com.
hello.example.com is hosted on GoDaddy and I have made the corresponding entries in GoDaddy
data.value.com is hosted on AWS with a Cloudfront Distribution.
Now, when I hit hello.example.com I get a 403 error from Cloudfront with the following error Message:
403 ERROR
The request could not be satisfied.
Bad request. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
Generated by cloudfront (CloudFront)
When I do ping or traceroute on hello.example.com, I am able to see that the ping happens on data.value.com.
What configuration changes do I need to make in order to redirect my domain requests?
I was trying to host a simple Cloud Run application on Google Cloud Platform with Cloudflare in front of it. I kept getting 404s on all pages so gave up and switched to using buckets because it's a simple static website.
Cloudflare is pointing to the load balancer static external IP address.
I'm now encountering the exact same issue. I have a load balancer pointing to a GCP bucket with static content. With Cloudflare on, it serves up a 404 error for all pages. With Cloudflare off, it works fine.
What could be the cause of this?
I needed Full SSL turned on at Cloudflare's end.
To prevent getting 404s when Cloud Run is behind Cloudflare, you need to either create a "Domain Mapping" on Cloud Run with the domain you use (so that Host headers match), or you need to use Host Header Rewrite feature in Cloudflare Page Rules (might be a pro/enterprise feature) to set the header to Run service's *.run.app url.
In either case, see the note on this page, that is:
For example, if you are using Cloudflare CDN, you should turn off the "Always use https" option in the "Edge Certificates" tab of the SSL/TLS tab.
My Situation
I have a web API hosted in an EC2 instance. I am trying to configure a CloudFront instance "in front" of that EC2 instance.
However, I have not been able to get my cloudfront to forward requests to the EC2 instance. I get hit with an error response like this:
Access to XMLHttpRequest at 'https://api.example.com' from origin 'https://example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No access-control-Allow-Origin header is present on the requested resource
However, if I change my DNS to point https://api.example.com to EC2 instance's IP address, it works.
What I have done so far
Configured it to use the correct SSL certificate (for a different problem earlier)
Configured my CF distribution's behaviors to Whitelist Headers: "Origin"
Configured my CF distribution's behaviors to "All" (which disables caching)
Invalidated the CloudFront cache
What I am trying to do
I came across this AWS doc titled "Configuring CloudFront to Respect CORS Settings".
Link
However, it only says "Custom origins – Forward the Origin header along with any other headers required by your origin."
But... how do I do that? How do I forward the Origin header along with any other headers required? The docs don't specify, or link to other docs explaining how to do it.
I have spent 4 hours or so now and it's extremely frustrating because CloudFront takes ~30 minutes to deploy.
I have managed to fix this issue. It turned out I had overlooked another error returned by CloudFront: 502 Bad Gateway, even though Chrome showed the above-mentioned error "Access to XMLHttpRequest...". This was caused by my improper DNS and SSL certificate configuration, due to my inexperience.
I will try to answer my own question, seeing that after hours of searching there wasn't a straight answer regarding CloudFront, EC2 and HTTPS on Stack Overflow, and there are many unanswered questions.
The goal my group was trying to achieve was enabling HTTPS connectivity for the entire set-up: Users' browsers, Cloudfront distribution and my EC2 instance.
What I did to fix this:
Generated a free SSL certificate (e.g. Let's Encrypt) to use for the EC2 instance, using a sub-domain (i.e. ec2.example.com or wildcard *.example.com). Note: ACM does not allow public SSL certificates to be exported for use in EC2 instances, so use other free online SSL services. Do not use self-signed certs.
Imported this certificate into ACM to be used for CloudFront later too.
Created a new DNS A record to map the sub-domain to the EC2 instance. (e.g. ec2.example.com to ec2-xx-xxx-xx.ap1-location.amazonaws)
Created a new CloudFront distribution and set the origin as the sub-domain, ec2.example.com. Also, under "Cache Based on Selected Request Headers", set it to "Whitelist" and forward the "Origin" header. For the SSL cert in CloudFront, reuse the one generated in step 1.
Created a new DNS A record to map an "api" sub-domain to CloudFront. (e.g. api.example.com to abcdxyz.cloudfront.net)
I am now able to use a sub-domain (api.example.com) to communicate with CloudFront, which in turn communicates with my EC2 instance and performs caching, using HTTPS all along.
Reference links: link1, link2
There is probably a better way to set this up, and if so, please do correct me so I can improve too! Hopefully this answer will help someone else new like me in the future too.
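To make the "forward the Origin header" advice concrete, here is an added Python model (not the question author's code, and not AWS code) of a CORS-enabled API origin sitting behind a caching edge. It compares three edge behaviours: not forwarding Origin at all (the legacy CloudFront default, which yields the "No Access-Control-Allow-Origin header" error quoted in the question), forwarding it without making it part of the cache key (what happens when Origin is listed in an origin request policy but not in the cache policy), and forwarding it as a whitelisted, cache-keyed header as in step 4 of the answer. The allowlist, page origins and edge logic are constructed stand-ins, not the real CloudFront implementation.

```python
"""Model of why CloudFront must forward the Origin header AND include it in the
cache key for a CORS API behind it. Added example; not code from the question or
from AWS. The origin server, its allowlist and the edge cache are constructed
stand-ins for the EC2 API and the CloudFront edge."""

# Constructed allowlist for the stand-in API origin (the EC2 app in the question).
ALLOWED_ORIGINS = {"https://example.com", "https://admin.example.com"}


def origin_server(path, request_headers):
    """Stand-in for the EC2 API: reflects Access-Control-Allow-Origin only for
    allowlisted page origins and sends no ACAO header otherwise."""
    origin = request_headers.get("Origin")
    headers = {"Content-Type": "application/json", "Vary": "Origin"}
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
    return 200, headers, '{"items": []}'


class EdgeCache:
    """Simplified CDN edge. Modes:
      'strip'           - Origin not forwarded and not in the cache key (legacy default)
      'forward_no_key'  - Origin forwarded (origin request policy) but not in the cache policy
      'forward_and_key' - Origin forwarded and part of the cache key (whitelisted header)"""

    def __init__(self, mode):
        if mode not in ("strip", "forward_no_key", "forward_and_key"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.store = {}
        self.origin_requests = 0

    def fetch(self, path, request_headers):
        origin = request_headers.get("Origin")
        key = (path, origin) if self.mode == "forward_and_key" else (path,)
        if key in self.store:
            status, headers, body = self.store[key]
            return status, dict(headers, **{"X-Cache": "Hit from cloudfront"}), body
        forwarded = dict(request_headers)
        if self.mode == "strip":
            forwarded.pop("Origin", None)  # origin never learns who is asking
        self.origin_requests += 1
        status, headers, body = origin_server(path, forwarded)
        self.store[key] = (status, headers, body)
        return status, dict(headers, **{"X-Cache": "Miss from cloudfront"}), body


def browser_allows(page_origin, response_headers):
    """Simplified browser check for a CORS GET: ACAO must equal the page origin or '*'."""
    return response_headers.get("Access-Control-Allow-Origin") in (page_origin, "*")


def run_scenario(mode, page_origins=("https://example.com",
                                     "https://admin.example.com",
                                     "https://not-allowed.example")):
    """Visitors from several page origins call the API through one edge, in order.
    Returns {page_origin: browser_allows} so the three modes can be compared."""
    edge = EdgeCache(mode)
    outcome = {}
    for page_origin in page_origins:
        _, headers, _ = edge.fetch("/api/items", {"Origin": page_origin})
        outcome[page_origin] = browser_allows(page_origin, headers)
    return outcome


if __name__ == "__main__":
    for mode in ("strip", "forward_no_key", "forward_and_key"):
        print(mode, run_scenario(mode))
```

The middle mode is the subtle one: the first visitor's Access-Control-Allow-Origin value is cached and replayed to every later page origin, so only the site that happened to hit the edge first works and the others see a CORS error that comes and goes depending on cache state. When Origin is part of the cache key, each page origin gets its own cached copy, and sites outside the allowlist still receive no ACAO header.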