AWS CloudFront
AWS CloudFront is a content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to users with low latency and high transfer speeds. It works by caching content at edge locations globally, reducing the distance between users and the content, improving performance. CloudFront integrates with other AWS services like S3, EC2, and Lambda, providing scalability and security features such as DDoS protection and SSL/TLS encryption.
Why is encryption needed between CloudFront and ALB?
Data encryption is a critical requirement for every organization. SSL/TLS is the protocol, layered over TCP, that secures communication between two endpoints, typically a client and a server. The same applies in the cloud, where traffic between the components of an application must also be encrypted.
For example, you can encrypt the communication between CloudFront and an Application Load Balancer (ALB) by installing an SSL certificate on the ALB. Without proper configuration, however, you may run into a number of issues.
Using Alternative Domains?
In this blog I am going to discuss a scenario in which you use an alternative domain name (CNAME) on your CloudFront distribution. Assume that you use an alternative domain on your CloudFront distribution instead of the default CloudFront domain, and that a certificate issued for that same domain is installed on the ALB.
In the example below:
Alternative domain: abc.mysite.com
What happens if CloudFront does not forward that same DNS name to your ALB, even though you have configured the alternative domain correctly? The TLS handshake with the origin fails and, most likely, you receive an HTTP 502 error. This is because CloudFront is configured to require HTTPS between CloudFront and the origin, and the domain name CloudFront presents to the origin does not match the name on the ALB's certificate.
One cause is the cache behavior configuration of the CloudFront distribution. If the cache settings are incorrect, the Host header carrying your DNS name is not forwarded to the origin.
Make sure you add appropriate cache settings for your requirements. You can use your own cache policies or the AWS managed cache policies.
You can add an origin request policy by following this guide on AWS.
If you are using legacy cache settings: make sure you add the Host header to the forwarded headers.
In any case, legacy cache settings are not recommended.
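The following is an added example, not code from the blog or from AWS: a small offline model of the mismatch described above. It assumes, as the post describes, that the name CloudFront presents to the origin is the viewer's Host header when "Host" is forwarded (via an origin request policy or a legacy whitelist) and the distribution's origin domain otherwise, and that the ALB certificate must cover that name. The class names, the policy summaries and the certificate SANs are constructed for illustration.

```python
"""Model whether CloudFront -> ALB HTTPS passes hostname validation.

Added example; the policy summaries and certificate names are constructed.
Assumption (from the blog's description): the origin sees the viewer's Host
header only when "Host" is forwarded, otherwise it sees the origin domain.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Origin:
    domain_name: str        # "Origin domain" in the distribution, e.g. the ALB DNS name
    cert_sans: List[str]    # subject alternative names on the certificate the ALB presents


@dataclass
class CacheBehavior:
    """Hypothetical summary of a cache behavior: which headers reach the origin."""
    alternative_domain: str                                  # CNAME the viewer used
    origin_request_policy_headers: List[str] = field(default_factory=list)
    legacy_whitelisted_headers: Optional[List[str]] = None   # None = legacy settings not used


def host_sent_to_origin(behavior: CacheBehavior, origin: Origin) -> str:
    """Hostname the ALB sees: the viewer's Host only if 'Host' is forwarded."""
    forwarded = [h.lower() for h in behavior.origin_request_policy_headers]
    if behavior.legacy_whitelisted_headers is not None:
        forwarded += [h.lower() for h in behavior.legacy_whitelisted_headers]
    return behavior.alternative_domain if "host" in forwarded else origin.domain_name


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or a single leading wildcard label."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if san == hostname:
        return True
    if san.startswith("*."):
        s_labels, h_labels = san.split("."), hostname.split(".")
        # wildcard covers exactly one label, so label counts must be equal
        return len(s_labels) == len(h_labels) and s_labels[1:] == h_labels[1:]
    return False


def cert_covers(origin: Origin, hostname: str) -> bool:
    return any(san_matches(s, hostname) for s in origin.cert_sans)


def diagnose(behavior: CacheBehavior, origin: Origin) -> dict:
    """Report the name the ALB sees and whether its certificate covers it."""
    host = host_sent_to_origin(behavior, origin)
    ok = cert_covers(origin, host)
    # 502 is the status the blog says viewers most likely receive on a mismatch
    return {"host_sent": host, "certificate_ok": ok, "likely_viewer_status": 200 if ok else 502}


# Constructed scenario matching the blog: ALB certificate issued for abc.mysite.com only.
ALB_ORIGIN = Origin("my-alb-123456.us-east-1.elb.amazonaws.com", ["abc.mysite.com"])
NO_HOST_FORWARDED = CacheBehavior("abc.mysite.com")
POLICY_FORWARDS_HOST = CacheBehavior("abc.mysite.com", origin_request_policy_headers=["Host"])
LEGACY_FORWARDS_HOST = CacheBehavior("abc.mysite.com", legacy_whitelisted_headers=["Host"])

if __name__ == "__main__":
    for name, behavior in [("no Host forwarded", NO_HOST_FORWARDED),
                           ("origin request policy with Host", POLICY_FORWARDS_HOST),
                           ("legacy whitelist with Host", LEGACY_FORWARDS_HOST)]:
        print(f"{name}: {diagnose(behavior, ALB_ORIGIN)}")
```

Running the script shows the first behavior sending the ALB's own DNS name, which the certificate does not cover, while the two Host-forwarding behaviors send abc.mysite.com and pass. Swapping the SAN for `*.mysite.com` still passes, while `*.site.com` or a bare `mysite.com` does not, which is the check worth making before changing the certificate rather than the policy.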