0
votes

I have a CloudFront distribution with a custom domain, say www.x.com, which is listed as an alternate domain name in the distribution.

The origin that I want it to forward to is an ELB, with an HTTPS listener which has the www.x.com cert on it.

The origin domain is the ELB DNS name (xxxx.ap-east-1.elb.amazonaws.com) - I can't put another subdomain there for some other reason.

I was following a suggestion that on the behavior page we can forward the Host header so it will be able to authenticate the cert. However, I keep having the problem that CloudFront says it is unable to contact the origin.

Is there a way to solve this besides using a subdomain to point to that ELB? Is forwarding the Host / Origin header not enough?

1
Whitelisting the Host header is enough for the cert problem, making sure that you're accessing CloudFront using www.x.com, not the cloudfront.net URL - James Dean
Yes, I am connecting through www.x.com. One thing is that this CloudFront distribution is used to serve two different origins. The default one is for static content (S3), which is going to be for all paths. Above that is one for this ELB (certain paths like /api). I put this as higher precedence. Does it cause a problem? - Rey Wijojo
I got an update - the issue is gone if I set the minimum origin SSL protocol to TLSv1. If it is v1.1 or v1.2 it does not work. Any idea why? - Rey Wijojo

1 Answer

0
votes

So I finally figured out the answer.

Whitelisting Host will correctly forward the header to the origin (ELB). However, the ELB created by Beanstalk apparently uses the ELBSample-ELBDefaultNegotiationPolicy policy for HTTPS by default. This way, it will use the TLSv1 protocol, and it won't work when your origin setting is using TLSv1.1 or higher.

To set this correctly, make sure you set the right namespace setting from Elastic Beanstalk:

    {
      namespace = "aws:elb:policies:sslpolicy"
      name      = "SSLReferencePolicy"
      val       = "ELBSecurityPolicy-TLS-1-2-2017-01"
    },
    {
      namespace = "aws:elb:policies:sslpolicy"
      name      = "LoadBalancerPorts"
      val       = "443"
    }

This way you can configure which protocol you want your HTTPS port to use.

Make sure to also set your origin setting in CloudFront to match the reference policy's version.
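The mismatch the answer describes can be confirmed from the AWS CLI before touching any settings: compare the protocols the ELB's SSL negotiation policy enables (`aws elb describe-load-balancer-policies`) with the protocols CloudFront will offer to the origin (`OriginSslProtocols` in `aws cloudfront get-distribution-config`). The script below is an added example, not code from the question or answer; the two JSON documents are constructed samples trimmed to the fields that matter, with the ELB policy shaped as the answer describes it (only TLSv1 enabled).

```python
import json

# Constructed sample of `aws elb describe-load-balancer-policies` output for a
# Beanstalk-created classic ELB whose default negotiation policy, as the answer
# describes, enables only TLSv1 (attribute names follow the real API shape).
ELB_POLICIES = json.loads("""{"PolicyDescriptions": [{
  "PolicyName": "ELBSample-ELBDefaultNegotiationPolicy",
  "PolicyTypeName": "SSLNegotiationPolicyType",
  "PolicyAttributeDescriptions": [
    {"AttributeName": "Protocol-SSLv3",   "AttributeValue": "false"},
    {"AttributeName": "Protocol-TLSv1",   "AttributeValue": "true"},
    {"AttributeName": "Protocol-TLSv1.1", "AttributeValue": "false"},
    {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "false"}]}]}""")

# Constructed, trimmed sample of `aws cloudfront get-distribution-config`:
# the /api origin (the ELB) is configured to speak only TLSv1.1 or TLSv1.2.
CF_CONFIG = json.loads("""{"DistributionConfig": {"Origins": {"Items": [
  {"Id": "elb-api", "DomainName": "xxxx.ap-east-1.elb.amazonaws.com",
   "CustomOriginConfig": {"OriginProtocolPolicy": "https-only",
     "OriginSslProtocols": {"Items": ["TLSv1.1", "TLSv1.2"]}}},
  {"Id": "s3-static", "DomainName": "static.s3.amazonaws.com",
   "S3OriginConfig": {"OriginAccessIdentity": ""}}]}}}""")


def elb_enabled_protocols(policies: dict) -> set:
    """Protocols the ELB's SSL negotiation policy actually offers."""
    enabled = set()
    for policy in policies["PolicyDescriptions"]:
        if policy["PolicyTypeName"] != "SSLNegotiationPolicyType":
            continue
        for attr in policy["PolicyAttributeDescriptions"]:
            name, value = attr["AttributeName"], attr["AttributeValue"]
            if name.startswith("Protocol-") and value == "true":
                enabled.add(name[len("Protocol-"):])
    return enabled


def origin_tls_overlap(dist_config: dict, elb_protocols: set) -> dict:
    """Per custom HTTPS origin, the protocols both sides can agree on.
    An empty set is exactly the 'unable to contact the origin' situation."""
    result = {}
    for origin in dist_config["DistributionConfig"]["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if not custom or custom["OriginProtocolPolicy"] == "http-only":
            continue  # S3 origins and plain-HTTP origins never negotiate TLS here
        wanted = set(custom["OriginSslProtocols"]["Items"])
        result[origin["Id"]] = wanted & elb_protocols
    return result


if __name__ == "__main__":
    offered = elb_enabled_protocols(ELB_POLICIES)
    for origin_id, common in origin_tls_overlap(CF_CONFIG, offered).items():
        print(origin_id, "OK" if common else "MISMATCH (origin unreachable)", sorted(common))
```

Switching the ELB to a reference policy such as ELBSecurityPolicy-TLS-1-2-2017-01 makes the overlap for the ELB origin non-empty; rerun the check after the change to confirm.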