I'm using an Amazon Elastic Compute Cloud (Amazon EC2) instance or a load balancer as the custom origin for my website or application. I can connect to the custom origin directly, but I can't get the same content from Amazon CloudFront, or Amazon CloudFront returns an error. How can I troubleshoot this?

Try the following troubleshooting steps:

Identify the error response

Determine the HTTP response headers returned by Amazon CloudFront by reviewing the network tab in your browser's developer tools, or by using a utility such as curl.

If you're receiving an HTTP 502 status code (Bad Gateway) response, the issue is likely due to the SSL connection between Amazon CloudFront and the origin. For troubleshooting instructions, see HTTP 502 Status Code (Bad Gateway).

If you're receiving an HTTP 504 Status Code (Gateway Timeout) response, the issue is likely due to access configurations in the associated security groups or firewall. For troubleshooting instructions, see HTTP 504 Status Code (Gateway Timeout).

Verify forwarding based on request headers, cookies, or query strings

If your application requires certain request headers, cookies, or query strings, update your CloudFront distribution's cache behaviors to forward the required parameters to the origin. Amazon CloudFront might not forward the required parameters in the default settings.

For more information, see Caching Content Based on Cookies, Caching Content Based on Query String Parameters, and Caching Content Based on Request Headers.

Check allowed HTTP methods

By default, Amazon CloudFront allows only GET and HEAD HTTP methods. If you're running an application on your origin server and you're accessing your application through CloudFront, be sure that the HTTP methods required for calls to your application are also allowed on your distribution. For example, if you're running an application to submit a form, you might need to allow the POST method on your distribution. For instructions on how to change allowed HTTP methods on your distribution, see Allowed HTTP Methods.

Resolve SSL issues between the client and Amazon CloudFront

If you can't access your website or application through CloudFront because of SSL issues, see Why isn't CloudFront serving my domain name over HTTPS?

Resolve constant redirection issues

If you're seeing constant redirection when you try to load your website or application through CloudFront, then the issue might be caused by the combination of the origin configuration on CloudFront and the origin server's redirection policy.

In a typical workflow, a client connects to CloudFront, and then CloudFront connects to the origin server. The origin protocol policy of your CloudFront distribution and the redirection policy of the origin server must be compatible with each other for the workflow to succeed.

For example, if your origin server is set to redirect all HTTP requests to HTTPS, and your distribution's origin protocol policy is set to HTTP, then requests are sent in a loop. In this scenario, if the client requests http://d12345.cloudfront.net/example.image, CloudFront makes a request to the origin server to get the content over HTTP. The request lands at the origin server, which then redirects the request from HTTP to HTTPS. The request is routed back to CloudFront using HTTPS, then CloudFront makes a request to the origin again using HTTP, which restarts the request loop.

To resolve the constant redirection, use one of the following configurations:

  • Change your CloudFront distribution's origin protocol policy to use only HTTPS. This requires your custom origin server to have a valid SSL certificate installed.
  • If you don't have a valid SSL certificate installed on your origin server, you can remove the redirection policy and configure the origin server to accept HTTP requests.
    Warning: HTTP requests are not recommended for sensitive information because the communication is in plaintext.
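
The following Python model of the loop described above and of the two resolutions is an added example, not AWS code. The function names, the client redirect limit of 10, and the redirect pointing back at the same CloudFront host are assumptions; the `match-viewer` case goes beyond the scenarios in the text.

```python
# Added illustration: simplified model of viewer -> CloudFront -> origin.
# Function names and MAX_REDIRECTS are assumptions, not AWS code.
from urllib.parse import urlsplit

MAX_REDIRECTS = 10  # assumed client limit before it reports a redirect loop


def cloudfront_origin_scheme(viewer_scheme, origin_protocol_policy):
    """Scheme CloudFront uses toward the origin for a given policy."""
    if origin_protocol_policy == "http-only":
        return "http"
    if origin_protocol_policy == "https-only":
        return "https"
    if origin_protocol_policy == "match-viewer":
        return viewer_scheme
    raise ValueError(f"unknown origin protocol policy: {origin_protocol_policy}")


def origin_status(origin_scheme, origin_redirects_http_to_https):
    """Origin answers 301 to HTTPS for plain HTTP when its redirect is on."""
    if origin_scheme == "http" and origin_redirects_http_to_https:
        return 301
    return 200


def fetch_through_cloudfront(url, origin_protocol_policy,
                             origin_redirects_http_to_https):
    """Follow redirects as a client would; return (outcome, trace).

    Each trace entry is (viewer_scheme, origin_scheme, status).
    """
    trace = []
    for _ in range(MAX_REDIRECTS):
        parts = urlsplit(url)
        origin_scheme = cloudfront_origin_scheme(parts.scheme,
                                                 origin_protocol_policy)
        status = origin_status(origin_scheme, origin_redirects_http_to_https)
        trace.append((parts.scheme, origin_scheme, status))
        if status == 200:
            return "ok", trace
        # CloudFront passes the 301 to the client, which retries over HTTPS
        # against the same CloudFront host (assumed Location target).
        url = parts._replace(scheme="https").geturl()
    return "redirect-loop", trace


if __name__ == "__main__":
    url = "http://d12345.cloudfront.net/example.image"  # URL from the text
    for policy, redirect in [("http-only", True), ("https-only", True),
                             ("http-only", False), ("match-viewer", True)]:
        outcome, trace = fetch_through_cloudfront(url, policy, redirect)
        print(f"{policy:12} redirect={redirect!s:5} -> {outcome} ({len(trace)} hops)")
```

In the trace for the looping case, every hop after the first shows the viewer on HTTPS while CloudFront still contacts the origin over HTTP, which is the mismatch to look for in the distribution's origin settings.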


Published: 2018-06-28