CloudFront fails to communicate with ELB 502 bad gateway

I have an Application Load Balancer with an HTTPS cert and a few listener rules. In front of it, I deployed a CloudFront distribution that communicates with the load balancer and serves the content on the web. When the origin protocol in CF is HTTP, the communication between the origin and CloudFront works, but when the origin protocol is configured to HTTPS in CF, I am getting a 502 bad gateway error.



Solution 1:[1]

The DNS name of the ALB is: openn-dev-alb4-1497166043.us-east-1.elb.amazonaws.com

You can't use that domain with HTTPS. Your SSL cert must be set up for your own domain, not the domain provided by AWS. The reason is that you can only have a valid public SSL certificate for a domain that you (or your company) fully control, not for the AWS default ALB domain.

Solution 2:[2]

To use HTTPS for connection from CloudFront to ALB, while still using ALB's DNS name as origin, set a custom Cache policy in the CloudFront's behavior setting.

In the custom Cache policy's settings, specify the Host header to be included in the cache key. Refer to the following image:

[Image: Cache key settings]

This way, ALB will know to use the correct SSL certificate by referring to the hostname defined in the Host header, not the one in ALB's DNS name. (Assuming that the SSL certificate in ALB's listener is valid and matches the domain name being used to access the CloudFront)

Quoted from: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/http-502-bad-gateway.html

One of the domain names in the certificate must match one or both of the following values:

  1. The value that you specified for Origin Domain Name for the applicable origin in your distribution.
  2. The value of the Host header if you configured CloudFront to forward the Host header to your origin.
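To make the AWS rule quoted above concrete, here is an added Python example (not code from either answer or from AWS) that models which hostname the ALB ends up checking against its certificate and whether CloudFront would accept it or return a 502. The certificate names and viewer host are constructed; the ALB DNS name is the one quoted in Solution 1.

```python
"""Model of the CloudFront 502 certificate-match rule for a custom origin.

Added example. Certificate names and the viewer host are constructed;
only the ALB DNS name comes from the question.
"""
from typing import Iterable

# ALB DNS name from the question; a public CA will not issue a cert for it.
ALB_DNS = "openn-dev-alb4-1497166043.us-east-1.elb.amazonaws.com"


def name_matches(cert_name: str, host: str) -> bool:
    """Match one certificate name against a hostname, allowing a single
    leading wildcard label: *.example.com matches www.example.com but
    neither example.com nor a.b.example.com."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    cert_labels, host_labels = cert_name.split("."), host.split(".")
    return len(cert_labels) == len(host_labels) and cert_labels[1:] == host_labels[1:]


def host_seen_by_origin(origin_domain: str, viewer_host: str,
                        host_forwarded: bool) -> str:
    """The origin sees the viewer's Host header only when the cache (or
    origin request) policy forwards it; otherwise it sees the origin
    domain name configured in the distribution."""
    return viewer_host if host_forwarded else origin_domain


def origin_cert_accepted(cert_names: Iterable[str], origin_domain: str,
                         viewer_host: str, host_forwarded: bool) -> bool:
    """Apply the quoted AWS rule: some certificate name must match the
    origin domain name, or the Host header when it is forwarded.
    False means CloudFront would answer the viewer with a 502."""
    candidates = {origin_domain}
    if host_forwarded:
        candidates.add(viewer_host)
    return any(name_matches(n, c) for n in cert_names for c in candidates)


if __name__ == "__main__":
    cert = ["*.example.com"]          # constructed ALB listener certificate
    viewer = "www.example.com"        # constructed CloudFront alias
    for forwarded in (False, True):
        seen = host_seen_by_origin(ALB_DNS, viewer, forwarded)
        ok = origin_cert_accepted(cert, ALB_DNS, viewer, forwarded)
        print(f"Host forwarded={forwarded}: origin sees {seen!r} -> "
              f"{'OK' if ok else '502 Bad Gateway'}")
```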

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Marcin
Solution 2