5

I'm getting Cloudfront 502 errors in the communication to the ALB origin, which results in:

CloudFront wasn't able to connect to the origin.

The Cloudfront logs show me OriginConnectError.

I've gone back and forth regarding what the issue could be, and I'm not sure how to debug this further.

Any ideas greatly appreciated!

Detailed

  • My application uses a wildcard A-record to handle all subdomains. It routes to Cloudfront
  • Cloudfront has a certificate in us-east-1 with *.example.com as domain name
  • Cloudfront points to ALB in eu-west-1 with a different *.example.com certificate from eu-west-1
  • Creating an alias record that points directly to ALB works, but I want it to point to Cloudfront. So the App is up and running.
DKo
  • Can you show the entire CloudFront log? – jellycsc Jun 13 '22 at 21:48
  • @jellycsc 2022-06-13 16:05:32 AMS1-C1 1201 ... GET .cloudfront.net / 502 - Mozilla/5.0%20(Macintosh;%20Intel%20Mac%20OS%20X%2010_15_7)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome%20Safari/537.36 - - Error some.example.com https 572 0.073 - TLSv1.3 TLS_AES_128_GCM_SHA256 Error HTTP/2.0 - - 62799 0.072 OriginConnectError text/html 951 - - – DKo Jun 13 '22 at 22:11
  • These are the fields: #Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken x-forwarded-for ssl-protocol ssl-cipher x-edge-response-result-type cs-protocol-version fle-status fle-encrypted-fields c-port time-to-first-byte x-edge-detailed-result-type sc-content-type sc-content-len sc-range-start sc-range-end – DKo Jun 13 '22 at 22:12
  • The issue is not related to TLSv1.3. The log simply says "The server couldn’t connect to the origin". – jellycsc Jun 13 '22 at 22:20
  • Yeah, CloudFront couldn't connect to the origin, which results in `TLS_AES_128_GCM_SHA256 Error`; that can most likely be translated to: due to an SSL negotiation error between CloudFront and ALB. Seeing TLSv1.3 is a red flag for me since I know that ALB doesn't support it, so I'm assuming that that is the issue?? – DKo Jun 13 '22 at 22:51
  • No, those two are in separate columns. `ssl-cipher: TLS_AES_128_GCM_SHA256`, `x-edge-response-result-type: Error` – jellycsc Jun 13 '22 at 23:07
  • Ahh yeah! You're right. Back to square 1. Not sure why this is failing... any pointers to where I can start debugging this? – DKo Jun 14 '22 at 09:27
  • I would suggest looking at the ALB logs first – jellycsc Jun 14 '22 at 12:48
  • (5) Have you checked to see if your ALB is receiving the Host header from CloudFront? That could be causing the TLS connection to fail. See https://aws.amazon.com/premiumsupport/knowledge-center/configure-cloudfront-to-forward-headers/ – Cristian Jun 14 '22 at 17:10
  • That was the issue @Cristian ... thanks for this! If you post this as an answer, I'll mark it as the "correct" one :). Thank you all for the help. – DKo Jun 15 '22 at 15:15
  • For the next person - @Cristian was spot on. For the "default" behavior if you choose to set it up through the console - make sure you select ALLViewer for the Origin Request Policy (it defaults to no selection) - which was my problem. – JDBennett Jan 12 '23 at 02:58
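The comment thread turns on reading the CloudFront standard log by column: `ssl-cipher` and `x-edge-response-result-type` are adjacent fields, not one value, and `x-edge-detailed-result-type` is where `OriginConnectError` lives. The script below is an added example (not code from the question or from AWS) that parses log lines by the names in the `#Fields` header quoted above, so each value is looked up by name instead of by eye. The data line is constructed from the excerpt in the comments; the client IP, distribution domain and request id that the comment elided are replaced with placeholders.

```python
"""Parse CloudFront standard log lines by column name.

Added example, not code from the question or from AWS.  The #Fields header
is the one quoted in the comments; the data line is constructed from the
excerpt there, with the elided client IP, distribution domain and request
id replaced by placeholders."""
from typing import Dict, List
from urllib.parse import unquote

SAMPLE_LOG = (
    "#Version: 1.0\n"
    "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) "
    "cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) "
    "x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes "
    "time-taken x-forwarded-for ssl-protocol ssl-cipher "
    "x-edge-response-result-type cs-protocol-version fle-status "
    "fle-encrypted-fields c-port time-to-first-byte x-edge-detailed-result-type "
    "sc-content-type sc-content-len sc-range-start sc-range-end\n"
    # Constructed line: 192.0.2.10, EXAMPLE.cloudfront.net and
    # REQ-ID-PLACEHOLDER stand in for values the comment left out.
    "2022-06-13\t16:05:32\tAMS1-C1\t1201\t192.0.2.10\tGET\tEXAMPLE.cloudfront.net\t/\t502\t-\t"
    "Mozilla/5.0%20(Macintosh;%20Intel%20Mac%20OS%20X%2010_15_7)\t-\t-\tError\tREQ-ID-PLACEHOLDER\t"
    "some.example.com\thttps\t572\t0.073\t-\tTLSv1.3\tTLS_AES_128_GCM_SHA256\tError\tHTTP/2.0\t"
    "-\t-\t62799\t0.072\tOriginConnectError\ttext/html\t951\t-\t-\n"
)


def parse_cloudfront_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # other directives such as #Version
            continue
        if not fields:
            raise ValueError("data line seen before #Fields header")
        # Real log files are tab-separated; a line pasted into a comment often
        # has its tabs collapsed to spaces.  Both work because CloudFront
        # URL-encodes spaces inside field values (the %20 in the user agent).
        values = line.split("\t") if "\t" in line else line.split()
        if len(values) != len(fields):
            raise ValueError(
                f"expected {len(fields)} columns, got {len(values)}: {line[:60]}"
            )
        rows.append({name: unquote(val) for name, val in zip(fields, values)})
    return rows


def origin_failures(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only requests whose detailed result names an origin-side failure."""
    return [r for r in rows if r["x-edge-detailed-result-type"].startswith("Origin")]


def explain(row: Dict[str, str]) -> str:
    """One-line summary that keeps the viewer-side TLS columns apart from the
    result columns, which is the misreading in the comment thread."""
    return (
        f"{row['date']} {row['time']} {row['x-edge-location']} "
        f"viewer->edge {row['ssl-protocol']}/{row['ssl-cipher']} ok, "
        f"status={row['sc-status']} result={row['x-edge-response-result-type']} "
        f"detail={row['x-edge-detailed-result-type']} "
        f"viewer host={row['x-host-header']} (cs(Host)={row['cs(Host)']})"
    )


if __name__ == "__main__":
    for r in origin_failures(parse_cloudfront_log(SAMPLE_LOG)):
        print(explain(r))
```

Feed it a real log object (or a line pasted from one) and the `explain` output shows that the TLSv1.3 and cipher columns describe the viewer-to-edge connection, which succeeded, while the 502 comes from the edge-to-origin step. The `x-host-header` column is the hostname the viewer sent, which is exactly the header the accepted answer says must be forwarded to the ALB.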

2 Answers

4

A very common mistake when using CloudFront with an ALB as origin is forgetting to set the Origin request policy so that CloudFront forwards the "Host" header to the ALB.

  • If you created a custom domain for your ALB with a valid ACM cert and use that domain name as the origin in CloudFront, then the problem won't happen.
  • If you directly select the ALB DNS name from the CloudFront console, the domain name is now the ALB DNS name, which will fail TLS at runtime and result in a 502. To solve this you need to set the Origin request policy to ALL_VIEWER or ALL_VIEWER_AND_CLOUDFRONT. This tells CloudFront to forward the "Host" header that the client typed in the browser to your ALB, which matches the ALB rule (with a valid ACM cert).

Hope it helps

Dominic Nguyen
0

I encountered similar issues with CloudFront and an ALB origin, which only had HTTPS enabled. While accessing the origin through CloudFront, I experienced numerous OriginConnectError and 502 errors.

Upon inspecting the ALB's "Monitoring" page, I discovered a high number of "Client TLS Negotiation Errors."

I attempted adjusting the TLS version without success. Ultimately, I enabled HTTP on the ALB and set the CloudFront protocol to "HTTP only", which resolved the issue.

jerryleooo
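Both answers describe configuration states rather than code: the first answer's cause is a raw ALB DNS name as origin with no Host-forwarding origin request policy, and the second answer's workaround is an `http-only` origin protocol. The script below is an added example (not code from either answer or from AWS) that audits a distribution for both conditions and shows the fix from the accepted answer applied to the configuration. It assumes the dict shape that `aws cloudfront get-distribution-config` returns under `DistributionConfig`; the policy IDs, origin id, domain names and the policy-id-to-name map are constructed placeholders (in a real run the map would come from `aws cloudfront list-origin-request-policies`).

```python
"""Audit a CloudFront distribution config for ALB origins that will not
receive the viewer's Host header, and flag plaintext origin connections.

Added example, not code from either answer or from AWS.  Assumes the dict
shape returned by `aws cloudfront get-distribution-config` under
"DistributionConfig".  All IDs and domain names below are constructed
placeholders; the id->name map is what list-origin-request-policies would give."""
import copy
from typing import Dict, List

# AWS managed origin request policies that forward the viewer Host header
# (the ALL_VIEWER / ALL_VIEWER_AND_CLOUDFRONT choices in the console).
HOST_FORWARDING_POLICIES = {
    "Managed-AllViewer",
    "Managed-AllViewerAndCloudFrontHeaders-2022-06",
}

SAMPLE_CONFIG = {
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "alb-origin",
        "DomainName": "my-alb-PLACEHOLDER.eu-west-1.elb.amazonaws.com",
        "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"},
    }]},
    # Console default: a cache policy but no origin request policy selected.
    "DefaultCacheBehavior": {"TargetOriginId": "alb-origin",
                             "CachePolicyId": "CACHE-POLICY-PLACEHOLDER"},
    "CacheBehaviors": {"Quantity": 1, "Items": [{
        "PathPattern": "/api/*",
        "TargetOriginId": "alb-origin",
        "CachePolicyId": "CACHE-POLICY-PLACEHOLDER",
        "OriginRequestPolicyId": "ORP-ID-PLACEHOLDER",
    }]},
}
SAMPLE_POLICY_NAMES = {"ORP-ID-PLACEHOLDER": "Managed-AllViewer"}


def is_raw_alb_origin(origin: Dict) -> bool:
    """True when the origin is the load balancer's own DNS name rather than a
    custom domain covered by the ALB's ACM certificate."""
    return origin["DomainName"].lower().endswith(".elb.amazonaws.com")


def forwards_viewer_host(behavior: Dict, policy_names: Dict[str, str]) -> bool:
    """Host reaches the origin through an origin request policy or, on legacy
    behaviours, through ForwardedValues.Headers ("Host" or "*")."""
    policy_id = behavior.get("OriginRequestPolicyId")
    if policy_id:
        return policy_names.get(policy_id) in HOST_FORWARDING_POLICIES
    headers = behavior.get("ForwardedValues", {}).get("Headers", {}).get("Items", [])
    return any(h == "*" or h.lower() == "host" for h in headers)


def _behaviors(dist_config: Dict) -> List[Dict]:
    return [dist_config["DefaultCacheBehavior"]] + \
        dist_config.get("CacheBehaviors", {}).get("Items", [])


def audit(dist_config: Dict, policy_names: Dict[str, str]) -> List[str]:
    """Return one finding per behaviour that will 502 on TLS to the ALB or
    that talks to the origin in plaintext."""
    origins = {o["Id"]: o for o in dist_config["Origins"]["Items"]}
    findings = []
    for b in _behaviors(dist_config):
        origin = origins[b["TargetOriginId"]]
        path = b.get("PathPattern", "Default (*)")
        proto = origin.get("CustomOriginConfig", {}).get("OriginProtocolPolicy", "https-only")
        if proto == "http-only":
            findings.append(f"{path} -> {origin['DomainName']}: origin traffic is plaintext HTTP")
            continue
        if is_raw_alb_origin(origin) and not forwards_viewer_host(b, policy_names):
            findings.append(f"{path} -> {origin['DomainName']}: raw ALB DNS name as origin and "
                            "viewer Host not forwarded; TLS to the ALB fails (502 OriginConnectError)")
    return findings


def remediate(dist_config: Dict, policy_names: Dict[str, str], all_viewer_policy_id: str) -> Dict:
    """Copy of the config with a Host-forwarding policy set on every flagged
    behaviour that uses cache policies.  Legacy ForwardedValues behaviours are
    left alone: UpdateDistribution rejects an origin request policy alongside
    ForwardedValues, so those need a CachePolicyId first."""
    fixed = copy.deepcopy(dist_config)
    origins = {o["Id"]: o for o in fixed["Origins"]["Items"]}
    for b in _behaviors(fixed):
        if "ForwardedValues" in b:
            continue
        if is_raw_alb_origin(origins[b["TargetOriginId"]]) and not forwards_viewer_host(b, policy_names):
            b["OriginRequestPolicyId"] = all_viewer_policy_id
    return fixed


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_POLICY_NAMES):
        print(finding)
    print(audit(remediate(SAMPLE_CONFIG, SAMPLE_POLICY_NAMES, "ORP-ID-PLACEHOLDER"), SAMPLE_POLICY_NAMES))
```

Run against the sample, the default behaviour is flagged exactly as the later comment on the question describes (the console leaves the origin request policy unselected) while `/api/*`, which already uses the AllViewer policy, passes; after `remediate` the audit is clean. The `http-only` finding is there so that the second answer's workaround shows up as a deliberate trade-off in review rather than disappearing once the 502s stop.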