I have a web server behind a load balancer which is behind a CloudFront distribution. The idea for the CloudFront distribution with the load balancer as origin was to restrict requests to the load balancer to only come from a front-end web app. I followed this tutorial https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html ensuring that
- the ELB origin of the CloudFront distribution puts in an origin header with a secret key/value pair and
- the load balancer has a rule to check for the HTTP header with the correct key and value.
Hitting the load balancer directly with its DNS gives the expected 403, as desired. However, with Postman, when I make requests to the CloudFront DNS I get a 403.
CloudFront ELB Origin Configuration:
Load Balancer Rule:
Error Message from Postman:
UPDATE:
I've added an error response action so that it redirects to the 'root' of my API. After doing this, requests with Postman no longer return the 403 error from CloudFront but return the fixed 403 response message configured in the load balancer listener rule. It seems this way the request at least makes it through to the load balancer. Does this mean that the origin header is not being passed by CloudFront? Also, when I make a GET request to one of my endpoints pointing to the CloudFront DNS with curl in the terminal it returns a good response, while the same request fails with Postman. Any other endpoint fails, whether with curl or Postman, with the 403 message of the listener rule.
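To make the two 403s in the question distinguishable, here is an added example (not code from the question or from AWS) that models how an ALB listener evaluates an HTTP-header rule like the one in the tutorial: a rule matching the secret header forwards to the target group, and the default action returns the fixed 403. The header name, secret value and request samples are constructed placeholders. The example assumes the documented ALB semantics for `http-header` conditions: header names compared case-insensitively, values compared case-insensitively with `*` and `?` wildcards; if your rule is configured differently, adjust `header_matches` accordingly.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List

# Constructed placeholders; a real deployment keeps the value only in the
# CloudFront origin custom header and in the ALB listener rule.
SECRET_HEADER_NAME = "X-Origin-Verify"        # hypothetical header name
SECRET_HEADER_VALUE = "example-secret-value"  # constructed, not a real secret


@dataclass
class ListenerRule:
    priority: int
    header_name: str           # assumption: matched case-insensitively
    header_patterns: List[str] # assumption: ALB-style patterns with '*' and '?'
    action: str                # e.g. "forward" or "fixed-response:403"


def header_matches(rule: ListenerRule, headers: Dict[str, str]) -> bool:
    """True if the request carries the rule's header with a matching value."""
    wanted = rule.header_name.lower()
    for name, value in headers.items():
        if name.lower() == wanted:
            # Assumption (per ALB docs): value comparison is case-insensitive
            # and supports '*' and '?' wildcards.
            return any(fnmatch.fnmatchcase(value.lower(), p.lower())
                       for p in rule.header_patterns)
    return False


def evaluate_listener(rules: List[ListenerRule], default_action: str,
                      headers: Dict[str, str]) -> str:
    """Evaluate rules in priority order; fall back to the listener default."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if header_matches(rule, headers):
            return rule.action
    return default_action


# Listener modelled on the tutorial: one rule that forwards only when the
# secret header is present, and a fixed 403 default action for everything else.
RULES = [ListenerRule(priority=1, header_name=SECRET_HEADER_NAME,
                      header_patterns=[SECRET_HEADER_VALUE], action="forward")]
DEFAULT_ACTION = "fixed-response:403"


def classify_request(headers: Dict[str, str]) -> str:
    """Return the action the ALB would take for a request with these headers."""
    return evaluate_listener(RULES, DEFAULT_ACTION, headers)


# Constructed sample requests as the ALB would see them.
VIA_CLOUDFRONT = {"Host": "api.example.invalid", SECRET_HEADER_NAME: SECRET_HEADER_VALUE}
DIRECT_TO_ALB = {"Host": "alb-123.example.invalid"}          # no origin header at all
WRONG_VALUE = {SECRET_HEADER_NAME: "example-secret-value "}  # trailing space in the config
LOWERCASE_NAME = {SECRET_HEADER_NAME.lower(): SECRET_HEADER_VALUE}

if __name__ == "__main__":
    for label, req in [("via CloudFront", VIA_CLOUDFRONT), ("direct to ALB", DIRECT_TO_ALB),
                       ("wrong value", WRONG_VALUE), ("lowercase header name", LOWERCASE_NAME)]:
        print(f"{label:>22}: {classify_request(req)}")
```

Reading the model against the question: a 403 generated by CloudFront never reaches the ALB, whereas the fixed 403 body configured in the listener rule is only produced after the request has arrived at the ALB and failed the header condition, so seeing that body is evidence the header value CloudFront added did not match the rule (a stray space or case difference in either place is enough) or that the header was not added on that origin. Comparing the exact header name and value in the CloudFront origin settings with the rule, character by character, is the check this suggests.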