6 votes

I host a site on a single EC2 instance behind CloudFront and need to redirect all non-www traffic to www.

From other Q/A here on SO I was able to configure an A record on Route53 to redirect traffic from example.com to www.example.com. However, this only works for http traffic, not https traffic.

How can I get the https traffic for the naked (non-www) URL to redirect to my canonical URL https://www.example.com?

I know there are similar questions asked already, but I don't see any with my same configuration (most are for sites hosted in an S3 bucket or for redirecting from www to non-www).

Current URL handling situation

https://www.example.com - Canonical URL for the site, handled by CloudFront
http://www.example.com - CloudFront redirects to https://www.example.com
https://example.com - Unreachable!!!
http://example.com - Route53 redirects to https://www.example.com via S3 bucket

Other details

The CloudFront distribution uses an AWS-generated certificate which covers the following domains:

*.example.com
example.com

Alternate Domain Names (CNAMEs) listed in the distribution are:

www.example.com
example.com

Route53 has the following A records:

www.example.com -> CloudFront distribution
example.com -> S3 bucket, configured to redirect to www.example.com

3 Answers

8 votes

Like I described in this answer to a slightly different question, the solution is to create a second CloudFront distribution in front of an empty bucket for the variant of your domain name that you want to redirect.

Configure the bucket to redirect, and when you configure the second CloudFront distribution to point to that redirecting bucket, be sure you type in the web site hosting endpoint for the bucket -- don't select the bucket from the Origin Domain Name drop-down list.

Remove example.com from the Alternate Domain Name setting on the existing distribution, and configure it on the new one.

You can use the same ACM cert on both distributions.

Point example.com to the new CloudFront distribution in DNS.
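To make the procedure in this answer concrete, here is an added example (not code from the answer or from AWS) that builds the two configuration pieces it relies on and checks the pitfall it warns about: the second distribution's origin must be the bucket's website hosting endpoint, not the REST endpoint the Origin Domain Name drop-down offers, and because website endpoints speak plain HTTP only, the origin has to be a custom origin with `http-only`. Assumed names: a bucket called `example.com` in `us-east-1`, a placeholder ACM certificate ARN, and the region table marked as an assumption in the comments. The dictionaries match the shapes accepted by `aws s3api put-bucket-website --website-configuration` and the redirect-relevant part of a CloudFront `DistributionConfig`; the remaining required distribution fields are filled in as usual.

```python
import json
import re

# Older regions use the dash form of the S3 website endpoint, newer ones the
# dot form. Assumption for this example: the set below is correct for the
# regions listed; check the S3 endpoint table for anything else.
DASH_FORM_REGIONS = {
    "us-east-1", "us-west-1", "us-west-2", "eu-west-1",
    "ap-northeast-1", "ap-southeast-1", "ap-southeast-2", "sa-east-1",
}

WEBSITE_ENDPOINT_RE = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3-website[-.](?P<region>[a-z0-9-]+)\.amazonaws\.com$"
)


def website_endpoint(bucket: str, region: str) -> str:
    """Return the S3 *website hosting* endpoint for the bucket.

    This is the value to type into CloudFront's Origin Domain Name field.
    The drop-down offers the REST endpoint (bucket.s3.amazonaws.com), which
    does not evaluate the bucket's redirect rules.
    """
    sep = "-" if region in DASH_FORM_REGIONS else "."
    return f"{bucket}.s3-website{sep}{region}.amazonaws.com"


def is_website_endpoint(domain: str) -> bool:
    """True only for <bucket>.s3-website-<region> / s3-website.<region> hosts."""
    return WEBSITE_ENDPOINT_RE.match(domain) is not None


def redirect_all_to(target_host: str) -> dict:
    """Website configuration for an empty bucket that redirects every request.

    Protocol is pinned to https so http://example.com/x lands on the
    canonical https://www.example.com/x in a single hop.
    """
    return {"RedirectAllRequestsTo": {"HostName": target_host, "Protocol": "https"}}


def cloudfront_origin(domain: str, origin_id: str = "apex-redirect") -> dict:
    """CloudFront origin entry for the redirecting bucket.

    Website endpoints do not serve HTTPS, so this must be a custom origin with
    http-only; an S3OriginConfig or an https-only policy would not work.
    """
    if not is_website_endpoint(domain):
        raise ValueError(
            f"{domain!r} is not an S3 website endpoint; use "
            "<bucket>.s3-website-<region>.amazonaws.com"
        )
    return {
        "Id": origin_id,
        "DomainName": domain,
        "CustomOriginConfig": {
            "HTTPPort": 80,
            "HTTPSPort": 443,
            "OriginProtocolPolicy": "http-only",
        },
    }


def redirect_distribution(apex: str, origin: dict, acm_cert_arn: str) -> dict:
    """The redirect-relevant fields of the second distribution's config:
    the apex alias (moved off the www distribution), the redirecting origin,
    HTTPS enforced toward viewers, and the same ACM certificate.
    """
    return {
        "Aliases": {"Quantity": 1, "Items": [apex]},
        "Origins": {"Quantity": 1, "Items": [origin]},
        "DefaultCacheBehavior": {
            "TargetOriginId": origin["Id"],
            "ViewerProtocolPolicy": "redirect-to-https",
        },
        "ViewerCertificate": {
            "ACMCertificateArn": acm_cert_arn,
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1.2_2021",
        },
        "Enabled": True,
    }


if __name__ == "__main__":
    # Assumed: bucket "example.com" in us-east-1; the certificate ARN is a placeholder.
    endpoint = website_endpoint("example.com", "us-east-1")
    cfg = redirect_distribution(
        "example.com",
        cloudfront_origin(endpoint),
        "arn:aws:acm:us-east-1:123456789012:certificate/placeholder",
    )
    print(json.dumps(redirect_all_to("www.example.com"), indent=2))
    print(json.dumps(cfg, indent=2))
```

Feeding the REST endpoint to `cloudfront_origin` raises instead of silently producing a distribution that returns S3 errors for https://example.com; that is the failure mode behind most "the redirect bucket works over HTTP but not through CloudFront" reports.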

0 votes

The short answer is: There is no good way. (Personally, I don't consider hacky workarounds a solution.)

The long answer is:

There is no good way, but there is a way. I guess.

I've seen S3 and EC2 recommended by AWS staff in their forums. S3 is a non-option as you've noted. EC2 is probably the most "correct" until Route 53 or CloudFront can handle this.

  1. Create an EC2 web server and install SSL suitable for example.com (Let's Encrypt)
  2. Configure it to redirect example.com -> www.example.com
  3. Add an A record that points to the EC2 server
  4. (This won't work because EC2 doesn't support public IPv6) Add an AAAA record that points to the EC2 server

You can probably get away with skipping IPv6 support, but if you need it, ELBs support it -- so have fun with that.
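As an added example for step 2 of this answer (not code from the answer itself), here is a minimal redirector of the kind that would run on that EC2 host, written so that the redirect target is never derived from the request. Assumed names: the apex `example.com` and the canonical origin `https://www.example.com`. It preserves path and query, answers only for the apex host (any other `Host` gets a 404 rather than a redirect, so a forged `Host` header cannot turn the server into an open redirect), and uses 308 for non-GET methods so a POST is not silently downgraded. TLS termination with the Let's Encrypt certificate from step 1 sits in front of it and is outside this example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

# Assumed names for this example.
APEX_HOST = "example.com"
CANONICAL = "https://www.example.com"


def plan_redirect(host_header: Optional[str], request_target: str,
                  method: str = "GET") -> Optional[Tuple[int, str]]:
    """Decide whether a request is redirected and where.

    Returns (status, location) for a request addressed to the apex, None
    otherwise. Location is built from the fixed CANONICAL origin, never from
    the Host header, so this cannot become an open redirect. Path and query
    are kept so deep links keep working.
    """
    if not host_header:
        return None
    host = host_header.split(":", 1)[0].strip().lower()
    if host != APEX_HOST:
        return None
    # Accept origin-form targets only ("/path?query"); refuse absolute-form
    # targets and anything that could split a header.
    if not request_target.startswith("/") or any(c in request_target for c in " \r\n"):
        return None
    # 301 for safe methods; 308 keeps the method and body for everything else.
    status = 301 if method in ("GET", "HEAD") else 308
    return status, CANONICAL + request_target


class ApexRedirectHandler(BaseHTTPRequestHandler):
    server_version = "apex-redirect/1.0"

    def _handle(self) -> None:
        plan = plan_redirect(self.headers.get("Host"), self.path, self.command)
        if plan is None:
            self.send_error(404)
            return
        status, location = plan
        self.send_response(status)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        # Permanent redirect: let clients and any CDN cache it.
        self.send_header("Cache-Control", "public, max-age=86400")
        self.end_headers()

    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _handle

    def log_message(self, fmt, *args):  # keep stdout quiet
        pass


if __name__ == "__main__":
    # Listens on localhost only; put the TLS terminator in front of it.
    HTTPServer(("127.0.0.1", 8080), ApexRedirectHandler).serve_forever()
```

Run it and check with `curl -si -H 'Host: example.com' http://127.0.0.1:8080/docs?x=1`: the response is a 301 with `Location: https://www.example.com/docs?x=1`, while `-H 'Host: evil.example'` gets a 404 instead of a redirect.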

0 votes

You need one more CloudFront distribution, so there are 2 CloudFront distributions in total. Then you don't need any S3 buckets. Just use 2 CloudFront distributions. Finally, you configure Route 53.

The instructions are below:

Step 1: Create the first CloudFront distribution.

Configuration:

Origin Domain Name : "www.example.com"

Viewer Protocol Policy : "Redirect HTTP to HTTPS"

Cache Policy : "Managed-CachingDisabled" (Default is "Managed-CachingOptimized")

Alternate Domain Names(CNAMEs) : "example.com"

Then select "Custom SSL Certificate".

Step 2: Create the second CloudFront distribution.

Configuration:

Origin Domain Name : "33.72.129.67" (input your EC2 instance's public IP like this)

Viewer Protocol Policy : "Redirect HTTP to HTTPS"

Alternate Domain Names(CNAMEs) : "www.example.com"

Then select "Custom SSL Certificate".

Step 3: Assign the first (Step 1's) CloudFront distribution to "example.com" on Route 53.

Step 4: Assign the second (Step 2's) CloudFront distribution to "www.example.com" on Route 53.

That's it!!

As a supplementary note, you cannot connect CloudFront to an EC2 instance in a private subnet. An EC2 instance in a public subnet is fine to connect to CloudFront.