Reputation: 61
I'm using AWS CloudFront & an AWS Application Load Balancer (ALB) for my application. The ALB is configured with two listeners, for ports 80 & 443, both forwarding traffic to a single target group (instance type) on HTTP (default rule).
CloudFront is set to use the ALB as origin, with the following settings:
Origin Protocol Policy = HTTP,
Delivery Method = Web,
Viewer Protocol Policy = HTTP & HTTPS,
using the default CloudFront SSL certificate.
Since my ALB is listening on ports 80 & 443, my application works well on both HTTP & HTTPS. Now when I edit the default rule for the port 80 listener to redirect traffic to port 443 (previously set to forward to the target group on 80, as mentioned earlier) for HTTPS redirection, my CloudFront domain gets replaced by my ALB domain, and resources (CSS, images etc.) fail to load.
e.g. Before redirection:
URL for a resource (with CloudFront domain) - daxxxxxxxxxxxx.cloudfront.net/media/jdfghusfe/abc.png
After redirection:
URL for a resource - main-albxxxxxx-amazonaws.com/media/jdfghusfe/abc.png
Can anyone help? Thanks in advance.
Upvotes: 2
Views: 8342
Reputation: 116
When you encounter an issue where your CloudFront distribution redirects from HTTP to HTTPS, but the redirect uses the Application Load Balancer (ALB) DNS name instead of the CloudFront domain name, it's likely due to CloudFront not passing certain headers to the origin. Specifically, it is the Host header that is crucial for ensuring that redirects point back to the CloudFront domain instead of the ALB's DNS name.
Here's how you can resolve this issue by configuring the Cache Behavior of your CloudFront distribution to use an Origin Request Policy that includes all viewer headers:
Create an Origin Request Policy:
1. Go to the AWS Management Console and navigate to the CloudFront dashboard.
2. In the left-hand menu, click on "Origin Request Policies" under "Policies."
3. Click on the "Create origin request policy" button.
4. Name your policy (e.g., AllViewerHeadersPolicy).
5. Under "Headers," select "All Viewer Headers."
6. Save the policy.
Update Cache Behavior to Use the Origin Request Policy:
1. Go back to your CloudFront distribution.
2. Select your distribution and click on the "Behaviors" tab.
3. Edit the behavior that corresponds to your HTTP to HTTPS redirection (usually the default behavior).
4. Scroll down to the "Origin Request Policy" section.
5. Select the policy you created (AllViewerHeadersPolicy).
6. Save the changes.
By ensuring that CloudFront forwards all viewer headers, including the Host header, your origin (ALB) will receive the correct Host header from the client request. This will ensure that any redirects performed by your application or ALB correctly point back to the CloudFront domain name, not the ALB DNS name.
Upvotes: 0
Reputation: 61
Okay, we've resolved this. Firstly, we were not bypassing the Host header. So to get it working we set 'Cache Based on Selected Request Headers' to whitelist & whitelisted the Host header. (To know more, see this answer: AWS Cloudfront + Load Balancer, url changes from main domain to load balancer subdomain.)
Now, with the host set correctly, we were either hitting an infinite redirect loop or a wrong certificate error. To get out of this we changed how the CDN (CloudFront) is establishing the connection with our load balancer. Previously it was only by HTTP, to avoid any problems with certificates. But now that's impossible, because we're redirecting from HTTP and it'd create an infinite redirection loop. So we configured HTTPS in the CDN <-> ALB connection (updated Origin Protocol Policy to HTTPS). And in order to bypass problems with certificates, we changed the xxxxx.cloudfront.net domain to cdn.mysite.com (using a CNAME in the Route 53 configuration) and added our custom certificate used for *.mysite.com.
Upvotes: 4
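A small model of the behaviour worked out across the question and the two answers above, added here as an example and not code from either poster. It makes no AWS calls, uses placeholder hostnames taken from the thread, and simplifies certificate validation to "the ALB certificate must cover the Host header CloudFront sends"; it also models CloudFront's own Viewer Protocol Policy redirect, which the thread does not mention but which is what still redirects viewers to HTTPS once the origin connection is HTTPS-only:

```python
"""Model of the CloudFront -> ALB redirect behaviour in this thread (constructed
example, no AWS calls): an ALB "redirect 80 -> 443" rule builds Location from the
Host header it receives; CloudFront's origin settings decide what the ALB sees."""
from dataclasses import dataclass

ALB_DNS = "main-albxxxxxx-amazonaws.com"      # ALB DNS name (placeholder)
CF_DEFAULT = "daxxxxxxxxxxxx.cloudfront.net"   # default distribution domain
CF_CUSTOM = "cdn.mysite.com"                   # alternate domain from the answer
ALB_CERT = "*.mysite.com"                      # certificate on the ALB 443 listener

@dataclass
class CfConfig:
    forward_host: bool             # Host header whitelisted/forwarded to origin
    origin_protocol: str           # Origin Protocol Policy: "http" or "https"
    viewer_redirect: bool = False  # Viewer Protocol Policy "Redirect HTTP to HTTPS"

def cert_covers(cert: str, host: str) -> bool:
    """A wildcard certificate covers exactly one label below its base domain."""
    if cert.startswith("*."):
        base = cert[2:]
        return host.endswith("." + base) and host.count(".") == base.count(".") + 1
    return cert == host

def alb(scheme: str, host: str, path: str):
    """Listener 80 redirects to https://#{host}#{path}; listener 443 serves."""
    return (301, f"https://{host}{path}") if scheme == "http" else (200, path)

def fetch(viewer_url: str, cf: CfConfig, max_hops: int = 5):
    """Follow redirects as a browser would; return (outcome, final host, hops)."""
    hops, url = [], viewer_url
    for _ in range(max_hops):
        scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        path = "/" + path
        if host not in (CF_DEFAULT, CF_CUSTOM):        # viewer hit the ALB directly
            status, body = alb(scheme, host, path)
        elif cf.viewer_redirect and scheme == "http":  # CloudFront answers itself
            status, body = 301, f"https://{host}{path}"
        else:                                          # CloudFront -> origin request
            origin_host = host if cf.forward_host else ALB_DNS
            # Simplification: over HTTPS the ALB cert must cover the Host header sent.
            if cf.origin_protocol == "https" and not cert_covers(ALB_CERT, origin_host):
                return "cert_error", host, hops
            status, body = alb(cf.origin_protocol, origin_host, path)
        hops.append((scheme, host, status))
        if status != 301:
            return "ok", host, hops
        url = body
    return "loop", host, hops
```

Running the four configurations in order reproduces the thread: no Host forwarding lands the viewer on the ALB domain, forwarding Host with an HTTP origin loops, HTTPS to the origin with the default cloudfront.net name fails the certificate check, and the custom domain with a matching certificate serves normally.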