I am writing CloudFormation to deploy an ELB origin CloudFront distribution. I have it completed aside from one option that I can't find in the AWS documentation. I am redirecting all traffic to https and because of this I need to set the behavior on my distribution to use "All" or "Whitelist" for "Cache Based on Selected Request Headers". Can this be specified in CloudFormation anywhere? If so, how?
The default is None, which is an invalid option and returns the error:
To use SSL with an ELB origin, either forward all headers or whitelist the Host header. If you do not want to forward any headers, change the Origin Protocol Policy to HTTP Only.
CloudFront caches your objects based on the values in all of the specified headers. CloudFront also forwards the headers that it forwards by default, but it caches your objects based only on the headers that you specify.
A complex type that describes how CloudFront processes requests. You must create at least as many cache behaviors (including the default cache behavior) as you have origins if you want CloudFront to serve objects from all of the origins.
By default, the cache key for a CloudFront distribution includes the following information:
- The domain name of the CloudFront distribution (for example, d111111abcdef8.cloudfront.net)
- The URL path of the requested object (for example, /content/stories/example-story.html)
CloudFront always caches responses to GET and HEAD requests. You can also configure CloudFront to cache responses to OPTIONS requests. CloudFront does not cache responses to requests that use the other methods.
In the DefaultCacheBehavior and members of CacheBehaviors, you would need a ForwardedValues that resembles this:

    {
      "Cookies" : Cookies,
      "Headers" : [ String, ... ],
      "QueryString" : Boolean,
      "QueryStringCacheKeys" : [ String, ... ]
    }

Headers is an array of strings of the headers to forward, e.g. Host.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-forwardedvalues.html
The error when you try to use an ELB as an Origin is new (added around January 2018).

Previously, the configuration would have been accepted, but would not actually work with HTTPS because CloudFront requires that the origin present a valid SSL certificate.

"Valid" means all of these things:

Host header sent by CloudFront to the origin. (Unless you whitelist the Host header sent by the browser, these two values are the same -- the Host header of the outgoing request is set to the origin domain name.)

That last condition is impossible to meet with an AWS-issued ELB hostname as origin unless you forward the Host header and have a cert on the ELB that matches the Host header sent by the browser, because you can't get an SSL cert for a .amazonaws.com subdomain, since that isn't your domain. This also means you can't use the assigned dzczcexample.cloudfront.net hostname in your browser to test HTTPS through to an ELB origin that uses the ELB hostname as the origin domain name -- CloudFront will throw a 502 Bad Gateway error and complain that it could not connect to the origin. What it actually means is that it could not authenticate the origin, because the SSL cert's subject doesn't match the request that CloudFront is trying to forward.
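Putting the ForwardedValues from the answer into a complete template, as an added example that is not part of the question or the answer above: the ELB DNS name, the www.example.com alias and the ACM certificate ARN are placeholders you would replace with your own values, and the certificate on the ELB must cover the alias name because Host is forwarded.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFront in front of an ELB origin, forcing HTTPS (added example)
Parameters:
  ElbDnsName:
    Type: String
    Description: Placeholder, e.g. my-elb-123456789.us-east-1.elb.amazonaws.com
  AcmCertificateArn:
    Type: String
    Description: Placeholder ARN of an ACM certificate in us-east-1 for the alias
Resources:
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases:
          - www.example.com   # assumed alias; the ELB certificate must match it
        Origins:
          - Id: elb-origin
            DomainName: !Ref ElbDnsName
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
              OriginSSLProtocols:
                - TLSv1.2
        DefaultCacheBehavior:
          TargetOriginId: elb-origin
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD]
          ForwardedValues:
            QueryString: true
            Cookies:
              Forward: none
            # Whitelisting Host is the "Cache Based on Selected Request Headers"
            # setting the question asks about. Leaving Headers empty (None) is
            # what produces the "either forward all headers or whitelist the
            # Host header" error with an https-only ELB origin.
            Headers:
              - Host
        ViewerCertificate:
          AcmCertificateArn: !Ref AcmCertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2018
```

Because Host is forwarded, the browser's hostname reaches the ELB, so the ELB listener's certificate must be valid for www.example.com rather than for the ELB's own .amazonaws.com name.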