Tags: amazon-web-services, amazon-cloudfront, aws-application-load-balancer

CloudFront domain replaced by Application Load Balancer DNS name when redirecting from HTTP to HTTPS


I'm using AWS CloudFront and an AWS Application Load Balancer (ALB) for my application. The ALB is configured with two listeners, on ports 80 and 443, both forwarding traffic to a single target group (instance type) over HTTP (default rule). CloudFront is set to use the ALB as its origin with the following settings: Origin Protocol Policy = HTTP, Delivery Method = Web, Viewer Protocol Policy = HTTP & HTTPS, using the default CloudFront SSL certificate.

Since my ALB is listening on ports 80 and 443, my application works well over both HTTP and HTTPS. Now, when I edit the default rule of the port 80 listener to redirect traffic to port 443 (previously set to forward to the target group on port 80, as mentioned above) for HTTPS redirection, my CloudFront domain gets replaced by my ALB domain, and resources (CSS, images etc.) fail to load.

e.g. Before the redirect, the URL for a resource was daxxxxxxxxxxxx.cloudfront.net/media/jdfghusfe/abc.png (with the CloudFront domain)

After the redirect:
URL for a resource: main-albxxxxxx-amazonaws.com/media/jdfghusfe/abc.png

Can anyone help? Thanks in advance.


Solution

  • Okay, we've resolved this. Firstly, we were not bypassing the Host header. So to get it working we set 'Cache Based on Selected Request Headers' to Whitelist and whitelisted the Host header. (To know more, see this answer: AWS Cloudfront + Load Balancer, url changes from main domain to load balancer subdomain.) Now, when the host is set correctly, we were either hitting an infinite redirect loop or a wrong certificate error. To get out of this we changed how the CDN (CloudFront) establishes the connection with our load balancer. Previously it was only by HTTP, to avoid any problems with certificates. But now that's impossible, because we're redirecting from HTTP and it would create an infinite redirection loop. So we configured HTTPS for the CDN <-> ALB connection (updated Origin Protocol Policy to HTTPS). And in order to bypass problems with certificates, we changed the xxxxx.cloudfront.net domain to cdn.mysite.com (using a CNAME in the Route 53 configuration) and added our custom certificate used for *.mysite.com.
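The configuration the answer arrives at, written out as a CloudFormation template so the pieces can be reviewed together (an added example, not code from the question or the answer). The ALB DNS name, certificate ARN and load balancer ARN are placeholders; the ACM certificate for cdn.mysite.com must be issued in us-east-1 for CloudFront to use it.

```yaml
Resources:
  CdnDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases:
          - cdn.mysite.com            # alternate domain name from the answer, CNAME'd in Route 53
        ViewerCertificate:
          AcmCertificateArn: arn:aws:acm:us-east-1:111111111111:certificate/PLACEHOLDER-CERT-ID
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021
        Origins:
          - Id: alb-origin
            DomainName: main-alb-PLACEHOLDER.elb.amazonaws.com   # the ALB's own DNS name
            CustomOriginConfig:
              OriginProtocolPolicy: https-only   # was http-only; http-only now loops through the ALB redirect
              HTTPPort: 80
              HTTPSPort: 443
              OriginSSLProtocols:
                - TLSv1.2
        DefaultCacheBehavior:
          TargetOriginId: alb-origin
          # allow-all is what the question used; redirect-to-https moves the HTTP->HTTPS redirect to the edge
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE]
          ForwardedValues:
            QueryString: true
            Cookies:
              Forward: all
            Headers:
              - Host   # "Cache Based on Selected Request Headers: Whitelist" with Host, so the app sees cdn.mysite.com

  # ALB port 80 listener: the redirect rule from the question instead of a forward to the target group
  AlbHttpListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: arn:aws:elasticloadbalancing:REGION:111111111111:loadbalancer/app/PLACEHOLDER
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: "443"
            StatusCode: HTTP_301
```

With the Host header forwarded, the ALB's redirect target is built from cdn.mysite.com rather than the ALB's DNS name, and the HTTPS origin connection means CloudFront never receives the redirect that previously caused the loop.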