
I have an Application Load Balancer with an HTTPS certificate and a few listener rules. In front of it, I deployed a CloudFront distribution that communicates with the load balancer and serves the content on the web. When the origin protocol in CF is HTTP, the communication between the origin and CloudFront works, but when the origin protocol is configured to HTTPS in CF, I get a 502 Bad Gateway error.

  • Does your website work when you access it using HTTP through ALB?
    – Marcin
    Commented Dec 1, 2021 at 11:02
  • Yes, the 502 Bad Gateway happens when I use HTTPS.
    – Shazam
    Commented Dec 1, 2021 at 11:04
  • So how exactly did you setup your SSL cert, https listeners, custom domain? Sadly your question lacks any relevant details.
    – Marcin
    Commented Dec 1, 2021 at 11:04
  • I have an SSL cert provided to me by my company that was generated in ACM. I have attached it to the ALB listener and added rules to forward the request to the Target Group. The DNS name of the ALB is: openn-dev-alb4-1497166043.us-east-1.elb.amazonaws.com. Then I created the CloudFront distribution, pointed it at this DNS name as its origin, and set the protocol to HTTPS. What I want is: web request ==> CloudFront (redirects to ALB origin) ==> ALB ==> Target Group ==> Container
    – Shazam
    Commented Dec 1, 2021 at 11:14

2 Answers


To use HTTPS for connection from CloudFront to ALB, while still using ALB's DNS name as origin, set a custom Cache policy in the CloudFront's behavior setting.

In the custom Cache policy's settings, specify Host header to be included in the cache key. Refer to the following image:

[Image: Cache key settings]

This way, ALB will know to use the correct SSL certificate by referring to the hostname defined in the Host header, not the one in ALB's DNS name. (Assuming that the SSL certificate in ALB's listener is valid and matches the domain name being used to access the CloudFront)

Quoted from: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/http-502-bad-gateway.html

One of the domain names in the certificate must match one or both of the following values:

  1. The value that you specified for Origin Domain Name for the applicable origin in your distribution.
  2. The value of the Host header if you configured CloudFront to forward the Host header to your origin.
  • Great answer! Well pointed out: the cert (when Host is not included in the header) would in fact be for .cloudfront.net or the origin domain name (for example *..elb.amazonaws.com) (most likely), and the way to fix the SSL mismatch would be to enable the Host header. Note that with this, going to the CloudFront URL would also have a 502 error due to the above-mentioned issue.
    Commented Jan 25, 2023 at 7:22

The DNS name of the ALB is: openn-dev-alb4-1497166043.us-east-1.elb.amazonaws.com

You can't use that domain with HTTPS. Your SSL cert must be set up for your own domain, not the domain provided by AWS. The reason is that you can only have a valid public SSL certificate for a domain that you (or your company) fully control, not for the default AWS ALB domain.

  • Thanks for the answer. Then how can I communicate with the ALB from CF? In the origin section I can only give the ALB DNS name; that's what the AWS docs suggested.
    – Shazam
    Commented Dec 1, 2021 at 11:28
  • @Shazam You can provide your own domain. If you don't have one, only HTTP can be used with the default AWS domain.
    – Marcin
    Commented Dec 1, 2021 at 11:43
  • Like creating a Route53 entry for the ALB DNS name with my own domain name and configuring that domain name in the CloudFront origin. Would that solve the problem?
    – Shazam
    Commented Dec 1, 2021 at 12:02
  • @Shazam You have to buy your own domain. Just an entry in R53 is not enough. But if your company generated the SSL cert, it probably has a domain for that already? You have to check with them.
    – Marcin
    Commented Dec 1, 2021 at 21:27
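Pulling the two answers together (the Host-header forwarding from the first answer and the own-domain requirement from the second), here is an added example that is not code from either answer or from AWS. It encodes the matching rule quoted above from the CloudFront 502 documentation (a certificate name must match the origin domain name or the forwarded Host header), replays the thread's scenario with and without the Host header, and builds the two CloudFront configuration fragments the fix needs. The ALB DNS name is the one from the question; the site name www.example.com, the certificate's SAN list, the d111111abcdef8.cloudfront.net hostname, and the boto3 dictionary shapes are assumptions for illustration.

```python
"""Added example (not from the thread): why CloudFront -> ALB over HTTPS gives 502
with the ALB's default DNS name as origin, and what the fix looks like in config."""
from typing import Iterable, Optional

# From the question: the ALB's AWS-provided DNS name used as the CloudFront origin.
ALB_DNS = "openn-dev-alb4-1497166043.us-east-1.elb.amazonaws.com"
# Assumed: the company's custom domain and the SANs of the ACM cert on the ALB listener.
SITE = "www.example.com"
CERT_SANS = ["*.example.com", "example.com"]
# Assumed: the distribution's default hostname (format taken from AWS docs examples).
CF_DEFAULT_HOST = "d111111abcdef8.cloudfront.net"


def hostname_matches_cert(hostname: str, san_names: Iterable[str]) -> bool:
    """Case-insensitive DNS name matching; a leading '*' covers exactly one label
    (so *.example.com matches www.example.com but not a.b.example.com)."""
    host = hostname.lower().rstrip(".").split(".")
    for san in san_names:
        labels = san.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def cloudfront_accepts_origin_cert(cert_sans: Iterable[str], origin_domain: str,
                                   forwarded_host: Optional[str] = None) -> bool:
    """Rule quoted in the thread from the CloudFront 502 docs: a name in the origin's
    certificate must match the Origin Domain Name, or the Host header value when
    CloudFront forwards the Host header. False here means the 502 from the question."""
    candidates = [origin_domain] + ([forwarded_host] if forwarded_host else [])
    return any(hostname_matches_cert(c, cert_sans) for c in candidates)


def cache_policy_forwarding_host(name: str) -> dict:
    """CachePolicyConfig for boto3 cloudfront.create_cache_policy (dict shape assumed
    from the boto3 docs; verify before use). Whitelisting Host adds it to the cache key
    and forwards it to the origin, which is the fix in the accepted answer."""
    return {
        "Name": name,
        "Comment": "Forward viewer Host so CloudFront validates the ALB cert against it",
        "MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000,
        "ParametersInCacheKeyAndForwardedToOrigin": {
            "EnableAcceptEncodingGzip": True,
            "EnableAcceptEncodingBrotli": True,
            "HeadersConfig": {"HeaderBehavior": "whitelist",
                              "Headers": {"Quantity": 1, "Items": ["Host"]}},
            "CookiesConfig": {"CookieBehavior": "none"},
            "QueryStringsConfig": {"QueryStringBehavior": "all"},
        },
    }


def alb_origin_https(alb_dns_name: str, origin_id: str = "alb-origin") -> dict:
    """One entry of DistributionConfig['Origins']['Items'] (shape assumed from boto3
    docs) with the origin protocol set to HTTPS only, as in the question's setup."""
    return {
        "Id": origin_id,
        "DomainName": alb_dns_name,
        "CustomOriginConfig": {
            "HTTPPort": 80, "HTTPSPort": 443,
            "OriginProtocolPolicy": "https-only",
            "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]},
        },
    }


def walk_through() -> dict:
    """Replay the thread: origin = ALB DNS name, cert issued for the company domain."""
    return {
        # No Host header forwarded: only the ALB DNS name is checked -> mismatch -> 502.
        "https_no_host_header": cloudfront_accepts_origin_cert(CERT_SANS, ALB_DNS),
        # Host header forwarded and the viewer used the custom domain -> match -> 200.
        "https_with_host_header": cloudfront_accepts_origin_cert(CERT_SANS, ALB_DNS, SITE),
        # Caveat from the comment: viewer used the *.cloudfront.net URL -> still 502.
        "https_via_cloudfront_url": cloudfront_accepts_origin_cert(
            CERT_SANS, ALB_DNS, CF_DEFAULT_HOST),
    }


if __name__ == "__main__":
    for case, ok in walk_through().items():
        print(f"{case}: {'OK' if ok else '502 Bad Gateway (certificate name mismatch)'}")
```

To see the handshake CloudFront actually performs against the ALB, run `openssl s_client -connect <alb-dns-name>:443 -servername www.example.com` and compare it with `-servername <alb-dns-name>`; the certificate the ALB presents must carry a SAN for the name CloudFront verifies, which is why the custom domain from the second answer and the Host header from the first are both needed.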
