CloudFront passes request to incorrect origin if AllViewer origin policy is enabled
I created a cloudfront distribution with the below details:
- Origin1 -> S3Bucket
- Origin2 -> APIGateway endpoint with base /Prod appended
- DefaultBehavior -> *, Origin1, CachingEnabled, no Origin Policy
- APIBehavior -> /api/*, Origin2, CachingDisabled
With the above setup, I see the desired behavior, i.e., all requests to any path starting with /api/ are redirected to Origin2 and the rest to Origin1. Also the caching policy works fine.
But now I wish to forward headers/query parameters to the origin without affecting the caching schema. So for Origin2's behavior (/api/*), I added the AllViewer Origin policy (forwards all headers, query requests etc.). But now the /api/* calls are redirected to Prod/api/* and Origin1 is used instead of Origin2.
This seems so counterintuitive to me, could anyone please enlighten if I'm missing something?
Solution 1:[1]
Hope you're doing well.
Regarding your inquiry, it seems like the managed origin request policy AllViewer is the culprit. If you use the AllViewer policy, it forwards the Host header to your origin. Please refer to the flow below:
Let's say your configuration is like:
- DefaultBehavior (*) -> Origin1 (S3Bucket)
- APIBehavior (/api/*) -> Origin2 (APIG/w endpoint with base /Prod appended)
The request flow would be:
- example.com/api/getdata --(Host: example.com)--> CloudFront
- Match the APIBehavior (/api/*) path behavior; CloudFront appends the path and forwards the request.
- CloudFront --(Host: example.com)--> example.com/Prod/api/getdata
- example.com is a custom domain of your CloudFront distribution; it will go back to your CloudFront distribution again.
- example.com/Prod/api/getdata --(Redirect)--> CloudFront
- Match the DefaultBehavior (*); CloudFront uses Origin1 (S3Bucket).
- CloudFront --(Forward request /Prod/api/getdata)--> Origin1 (S3Bucket)
To fix it, I suggest you create a new origin request policy which forwards only the necessary headers and query strings.
Note:
If your origin is a service like S3 or APIG/w, please don't forward the Host header. It will cause some unexpected behaviors.
I hope this information has been helpful. Feel free to let me know if you have any questions.
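The loop described in the answer, worked through as an added Python example (not code from the question or the answer): a small model of the distribution that follows a viewer request through the behaviours, re-entering the distribution whenever the Host header sent to the origin is one of the distribution's own aliases, plus a builder for a replacement origin request policy in the `OriginRequestPolicyConfig` shape that boto3's `create_origin_request_policy` accepts, which refuses to whitelist `Host`. The domain names, origin names and header list are constructed assumptions; the behaviour layout follows the question.

```python
"""Model of the CloudFront Host-header loop from the answer above, plus a
guard for the replacement origin request policy. Added illustration; the
domains, origin names and header list below are assumptions, not values
from the question."""
from dataclasses import dataclass


@dataclass
class Origin:
    name: str
    domain: str            # the domain CloudFront actually connects to
    origin_path: str = ""  # e.g. "/Prod", prepended to every request path


@dataclass
class Behavior:
    pattern: str           # "/api/*" or the default "*"
    origin: Origin
    forwards_host: bool    # True for the managed AllViewer origin request policy


@dataclass
class Distribution:
    aliases: set[str]          # custom domains (CNAMEs), e.g. {"example.com"}
    behaviors: list[Behavior]  # most specific first, default "*" last


def match_behavior(dist: Distribution, path: str) -> Behavior:
    """Pick the first behaviour whose path pattern matches (default "*" last)."""
    for b in dist.behaviors:
        if b.pattern == "*":
            return b
        if b.pattern.endswith("/*") and path.startswith(b.pattern[:-1]):
            return b
    raise LookupError("distribution has no default behaviour")


def route(dist: Distribution, viewer_host: str, path: str, max_hops: int = 4):
    """Follow one viewer request; return (origin name, path sent to origin, hops).

    Encodes the answer's explanation: if the Host header CloudFront sends to
    the origin is an alias of the distribution itself, the request comes back
    into the distribution (with the origin path already prepended) and is
    matched against the behaviours again. max_hops only guards the model.
    """
    hops = 0
    while True:
        hops += 1
        b = match_behavior(dist, path)
        path_at_origin = b.origin.origin_path + path
        host_to_origin = viewer_host if b.forwards_host else b.origin.domain
        if host_to_origin in dist.aliases and hops < max_hops:
            path = path_at_origin  # re-enters CloudFront as /Prod/api/...
            continue
        return b.origin.name, path_at_origin, hops


def check_no_host(headers) -> bool:
    """False if the header whitelist would forward the viewer Host header."""
    return not any(h.lower() == "host" for h in headers)


def origin_request_policy(name: str, headers, query_strings: str = "all",
                          cookies: str = "none") -> dict:
    """Build an OriginRequestPolicyConfig for
    boto3.client("cloudfront").create_origin_request_policy(...).

    Forwards all query strings and only the listed headers, so the Host that
    reaches API Gateway is the origin's own domain, not the viewer's.
    """
    if not check_no_host(headers):
        raise ValueError("do not forward the viewer Host header to S3 or API Gateway")
    if headers:
        headers_cfg = {"HeaderBehavior": "whitelist",
                       "Headers": {"Quantity": len(headers), "Items": list(headers)}}
    else:
        headers_cfg = {"HeaderBehavior": "none"}
    return {
        "Name": name,
        "Comment": "forward selected headers and query strings, never Host",
        "HeadersConfig": headers_cfg,
        "CookiesConfig": {"CookieBehavior": cookies},
        "QueryStringsConfig": {"QueryStringBehavior": query_strings},
    }


def demo():
    """Constructed setup from the question: S3 default, API Gateway under /api/*."""
    s3 = Origin("Origin1", "my-bucket.s3.amazonaws.com")  # assumed domain
    apigw = Origin("Origin2", "abc123.execute-api.us-east-1.amazonaws.com", "/Prod")  # assumed

    def dist(api_forwards_host: bool) -> Distribution:
        return Distribution({"example.com"}, [
            Behavior("/api/*", apigw, forwards_host=api_forwards_host),
            Behavior("*", s3, forwards_host=False),  # default: no origin request policy
        ])

    with_all_viewer = route(dist(True), "example.com", "/api/getdata")
    with_whitelist = route(dist(False), "example.com", "/api/getdata")
    return with_all_viewer, with_whitelist


if __name__ == "__main__":
    loop, fixed = demo()
    print("AllViewer :", loop)   # ('Origin1', '/Prod/api/getdata', 2)
    print("whitelist :", fixed)  # ('Origin2', '/Prod/api/getdata', 1)
    print(origin_request_policy("api-no-host", ["Authorization", "Accept"]))
```

With AllViewer the model lands on Origin1 with `/Prod/api/getdata` after two hops, exactly the symptom in the question; with a whitelist policy the request reaches Origin2 on the first hop. Pass the returned dict as `OriginRequestPolicyConfig=` to boto3 (or recreate it in the console) and attach the policy to the `/api/*` behaviour; AWS also ships a managed policy named AllViewerExceptHostHeader for the case where everything but Host should be forwarded.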
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Stack Overflow |
