2

We want to forward all requests to domain.com/foo to an S3 bucket fronted by CloudFront. The idea being that our domain is used while the content is loaded from S3/CloudFront. I have Apache set up to reverse proxy requests to /foo thusly:

```apache
<Location /foo>
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPassReverseCookiePath / /foo

    ProxyPass http://bar.cloudfront.net/
    ProxyPassReverse http://bar.cloudfront.net/
</Location>
```

However, when I hit domain.com/foo I get a 403 Forbidden from CloudFront.

I tried adding the header `RequestHeader set Host "bar.cloudfront.net"`; the page loads and I see the content in the S3 bucket, but then the domain is obviously the CDN domain.

Update:

I swapped out the CloudFront URL in the Apache config for the S3 bucket's public URL and it worked, while preserving the hostname. So I believe this confirms it's an issue with CloudFront.

I added our domain name as a CNAME on CloudFront. Then set the `RequestHeader set Host` to our domain name with the /foo. This preserves the host name but causes a 400 error from CloudFront.

mmcclannahan
  • Have you considered setting up CloudFront with multiple origins, one path pointing at S3, the other pointing at your origin server? The documentation is a bit light in this area, but try setting up a distribution then adding additional behaviours once it's working. Someone else may be able to give you more details. – Tim Feb 20 '17 at 21:42
  • @Tim The content that CloudFront is providing is only in the S3 bucket. I was under the impression the origins serve up content; won't CloudFront attempt to load files from my host if I set the origin to my EC2 instance? – mmcclannahan Feb 20 '17 at 22:40
  • Multiple origins means CloudFront will load content from different places based on a path match. I've never set it up, and something I read suggested it may in the past have been API only, but maybe there's a UI for it now. Interesting problem though, I do think you should follow up CF. – Tim Feb 20 '17 at 22:44
  • @Tim I set up the host as an origin and it didn't change the results. Still seeing the 403 error. – mmcclannahan Feb 20 '17 at 23:58
  • Have you solved the question? – 030 Feb 21 '17 at 22:20
  • Don’t you lose the CDN benefits of CloudFront if you proxy through Apache? – Magnus Feb 03 '20 at 12:58

1 Answer

2

CloudFront needs to be aware of all Host headers it is going to receive. You can add domain.com as a CNAME entry in CloudFront. This does not cause traffic to come to CloudFront, but it does identify that host header as related to your specific config.

Jason Martin
  • I set our domain as a CNAME, and that allowed the content to load, but without the `RequestHeader set Host` I ended up on the CloudFront domain. I set the `RequestHeader set Host` to our domain, and ended up on our homepage (domain.com). So I set the header to `domain.com/foo` and then I get the CloudFlare error page, though this time it is a `400` instead of a `403`. I cannot set a CNAME as `domain.com/foo` in the CF console. So I guess I'm stuck then? – mmcclannahan Feb 21 '17 at 18:37
  • The CNAME would be just domain.com. Perhaps I am misunderstanding what you mean by 'end up on'. – Jason Martin Feb 22 '17 at 01:19
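
The two Host-header options discussed in this thread, written out as an added example (not configuration posted by either participant). It reuses the question's placeholder names `domain.com` and `bar.cloudfront.net` and assumes mod_proxy, mod_proxy_http and mod_headers are loaded and that the distribution's only origin is the S3 bucket.

```apache
# Added example: placeholder hostnames are the ones used in the question.

# Variant A: CloudFront sees its own domain name in the Host header.
# With ProxyPreserveHost Off (the default) mod_proxy sends the hostname taken
# from the ProxyPass URL, so no "RequestHeader set Host" override is needed.
# If ProxyPreserveHost On is set at server or vhost level, this turns it off
# again for /foo only.
<Location /foo>
    ProxyPreserveHost Off
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass http://bar.cloudfront.net/
    ProxyPassReverse http://bar.cloudfront.net/
    ProxyPassReverseCookiePath / /foo
</Location>

# Variant B: forward the visitor's Host header (domain.com) unchanged.
# Assumption: domain.com is already listed as a CNAME on the distribution,
# as the answer describes, so CloudFront can match the header to it.
# A Host header carries a hostname (and optional port) only; the /foo part
# travels in the request path, never in the header.
# Enable only one variant for the same <Location>.
#<Location /foo>
#    ProxyPreserveHost On
#    RequestHeader set X-Forwarded-Proto "https"
#
#    ProxyPass http://bar.cloudfront.net/
#    ProxyPassReverse http://bar.cloudfront.net/
#    ProxyPassReverseCookiePath / /foo
#</Location>
```

Comparing the Host value that actually reaches CloudFront under each variant (for example by logging `%{Host}i` on a test backend) shows which header the distribution is rejecting.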