
I'm trying to figure out why my CloudFront distribution does not cache / send through Access-Control-Allow-Origin.

When I curl my website:

```
HTTP/1.1 200 OK
Date: Sat, 03 Mar 2018 07:42:01 GMT
Content-Type: application/font-woff2
Content-Length: 77160
Connection: keep-alive
Set-Cookie: __cfduid=dda822a428a2dddb9113bbd425dba93e91520062921; expires=Sun, 03-Mar-19 07:42:01 GMT; path=/; domain=.flexrc.com; HttpOnly
Last-Modified: Fri, 02 Mar 2018 03:01:32 GMT
ETag: "5a98be8c-12d68"
Access-Control-Allow-Origin: *
CF-Cache-Status: HIT
Expires: Sat, 03 Mar 2018 11:42:01 GMT
Cache-Control: public, max-age=14400
Accept-Ranges: bytes
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 3f5a76ca7ddd3b50-YVR
```

But when I curl the CloudFront file:

```
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 66624
Connection: keep-alive
Date: Sat, 03 Mar 2018 03:13:25 GMT
Last-Modified: Sun, 21 Feb 2016 22:02:50 GMT
ETag: "56ca340a-10440"
CF-Cache-Status: HIT
Expires: Sat, 03 Mar 2018 07:13:25 GMT
Cache-Control: public, max-age=14400
Accept-Ranges: bytes
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 3f58ed5738b09668-SJC
X-Cache: RefreshHit from cloudfront
Via: 1.1 f42a8d19b16850af801ce5662fc9fdab.cloudfront.net (CloudFront)
X-Amz-Cf-Id: HBJgB_UBz1pKdUQf-08bsZDXGE3Cv9GD6X9e3aUx_R8ejPdlQxGD8g==
```

In "Edit Behavior", under "Cache Based on Selected Request Headers", I've added a whitelist for Origin and Access-Control-Allow-Origin.

I've also invalidated the object several times, and I waited for the progress to finish on the distribution.

I'm not using S3.

I've also checked "Setting Access-Control-Allow-Origin on Cloudfront", but it didn't help me.

Any advice is appreciated.

Distribution Settings

tijko
user1371169
  • It looks like you have CloudFront pointing to Cloudflare, and you aren't getting the expected header back from Cloudflare, so you need to troubleshoot there. If the header is in the response, CloudFront will return it. – Michael - sqlbot Mar 02 '18 at 23:31
  • I've updated my post, somehow copy pasted wrong output at first, sorry about it. You can see there that I'm actually getting Access-Control-Allow-Origin but not via cloudfront – user1371169 Mar 03 '18 at 22:34
  • You say you have invalidated the object "multiple times" but you definitely had not successfully invalidated it when you captured this response -- otherwise `RefreshHit from cloudfront` would not happen. You need to invalidate exactly what the browser is requesting, or just invalidate `/*`. – Michael - sqlbot Mar 03 '18 at 23:22
  • I keep getting hits because I have a lot of traffic on my website. I've done exactly * to clear it all. Is it possible that I have to set the distribution or some other settings differently in CloudFront? – user1371169 Mar 04 '18 at 04:34
  • Are you sending an Origin header when you test? `curl -v -H 'Origin: http://example.com' http://example.org/my/path`? – Michael - sqlbot Mar 04 '18 at 04:39
  • nope running curl without origin, why would it matter? – user1371169 Mar 04 '18 at 06:35

1 Answer


Try purging your CloudFront cache before retesting - the entire response is cached, including headers. I'm guessing what happened is:

  1. ACAO for CF was turned off
  2. curl made to CF - pulled response without ACAO into cache
  3. setting was changed to enable ACAO
  4. request was made - HIT in CF so the setting change was not reflected.

As a result, if you purge the cache and retry, you will get a new cache object generated with the proper headers.

Brennen Smith
  • Hey Brennen, what is ACAO and how can it be turned off? – user1371169 Mar 03 '18 at 03:11
  • Sorry - ACAO = Access-Control-Allow-Origin. However I just re-read your post, and realized that I missed the bit about you purged the cache multiple times :( – Brennen Smith Mar 03 '18 at 03:15
  • I'm wondering if CloudFront needs me to set up a different origin because I'm using Cloudflare? I've also updated the post to show that my domain returns ACAO – user1371169 Mar 03 '18 at 07:45
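
A simplified model of the answer's four steps, and of why the comments ask about sending an `Origin` header when testing, as an added example that is not part of the original thread and not CloudFront's implementation. The `Origin` and `Edge` classes, the path and the header values are constructed, and the model assumes the whitelisted request headers are part of the cache key.

```python
# Simplified model of a caching CDN edge (added example, not CloudFront's code).
# Assumption: the cache key is the path plus the whitelisted request headers,
# and the whole origin response, headers included, is stored under that key.

class Origin:
    """Hypothetical origin whose CORS header can be switched on later."""
    def __init__(self):
        self.send_acao = False

    def fetch(self, path):
        headers = {"Content-Type": "application/font-woff2"}
        if self.send_acao:
            headers["Access-Control-Allow-Origin"] = "*"
        return headers

class Edge:
    """Hypothetical edge cache in front of Origin."""
    def __init__(self, origin, whitelist=("Origin",)):
        self.origin, self.whitelist, self.cache = origin, whitelist, {}

    def _key(self, path, req_headers):
        # Whitelisted request headers become part of the cache key.
        return (path,) + tuple(req_headers.get(h) for h in self.whitelist)

    def get(self, path, req_headers=None):
        key = self._key(path, req_headers or {})
        if key in self.cache:
            return {**self.cache[key], "X-Cache": "Hit"}  # stored headers replayed
        self.cache[key] = self.origin.fetch(path)
        return {**self.cache[key], "X-Cache": "Miss"}

    def invalidate(self, path):
        # Drop every cached variant of the path, whatever its header values.
        self.cache = {k: v for k, v in self.cache.items() if k[0] != path}

def replay():
    """Replay the answer's four steps, a request with Origin, an invalidation."""
    origin, path = Origin(), "/fonts/example.woff2"  # constructed path
    edge = Edge(origin)
    results = [edge.get(path)]       # steps 1-2: cached without ACAO
    origin.send_acao = True          # step 3: header enabled at the origin
    results.append(edge.get(path))   # step 4: Hit, stale headers
    results.append(edge.get(path, {"Origin": "http://example.com"}))  # new key
    edge.invalidate(path)
    results.append(edge.get(path))   # after invalidation: fresh headers
    return results

if __name__ == "__main__":
    for r in replay():
        print(r)
```

In this model the request carrying an `Origin` header misses the cache and picks up the new header even before any invalidation, because it is stored under a different key than the header-less request.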