I can use my application from a custom origin (EC2 instance or load balancer), but it fails on CloudFront. Why?

Last updated: 2022-01-11

I'm using an Amazon Elastic Compute Cloud (Amazon EC2) instance or a load balancer as the custom origin for my website or application. I can connect to the custom origin directly, but I can't get the same content from Amazon CloudFront, or CloudFront returns an error. How can I troubleshoot this?


To troubleshoot, try the following steps:

Identify the error response

Determine the HTTP status code and response headers that CloudFront returns by reviewing the Network tab in your browser's developer tools, or use a utility such as cURL.

If you receive an HTTP 502 (Bad Gateway) response, the issue is likely with the SSL connection between CloudFront and the origin. For troubleshooting instructions, see HTTP 502 Status Code (Bad Gateway).

If you receive an HTTP 504 (Gateway Timeout) response, the issue is likely with the access configuration of the security groups or firewall in front of the origin. For troubleshooting instructions, see HTTP 504 Status Code (Gateway Timeout).
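The following script is an added example, not part of the AWS article: it reads the raw headers captured with cURL and maps the status code to the troubleshooting branch above (502, 504, or an origin redirect). The hostname d12345.cloudfront.net is the article's own placeholder, and the sample headers at the bottom are constructed to show what a redirect loop looks like from the client side.

```shell
#!/bin/sh
# Added example (not from the AWS article): classify a CloudFront response by its
# raw response headers along the 502 / 504 / redirect decision points.
# Capture real headers with, for example:
#   curl -sSI https://d12345.cloudfront.net/example.image

# cf_status HEADERS: status code of the last status line (several appear when
# curl follows redirects with -L).
cf_status() {
  printf '%s\n' "$1" | tr -d '\r' | awk '$1 ~ /^HTTP\//{code=$2} END{print code}'
}

# cf_header HEADERS NAME: value of the named header, case-insensitive on the name.
cf_header() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk -v n="$(printf '%s' "$2" | tr 'A-Z' 'a-z'):" \
      'tolower($1)==n{sub(/^[^:]*:[ \t]*/,""); print; exit}'
}

# cf_triage HEADERS: one-line verdict that points at the relevant check.
# X-Cache distinguishes an error generated by CloudFront ("Error from cloudfront")
# from a response CloudFront passed through from the origin ("Miss from cloudfront").
cf_triage() {
  code=$(cf_status "$1")
  xcache=$(cf_header "$1" x-cache)
  location=$(cf_header "$1" location)
  case $code in
    502) echo "502 ($xcache): check TLS between CloudFront and the origin";;
    504) echo "504 ($xcache): check the origin security group or firewall";;
    301|302|307|308)
      case $location in
        https://*) echo "$code -> $location: origin redirects to HTTPS; check the origin protocol policy";;
        *) echo "$code -> $location: redirect issued by the origin";;
      esac;;
    2??) echo "$code ($xcache): origin reached; compare forwarded headers, cookies and query strings";;
    *) echo "$code ($xcache): unexpected status";;
  esac
}

# Constructed sample: an HTTP-to-HTTPS redirect from the origin, relayed by CloudFront.
SAMPLE='HTTP/1.1 301 Moved Permanently
Location: https://d12345.cloudfront.net/example.image
X-Cache: Miss from cloudfront
Via: 1.1 abcdef.cloudfront.net (CloudFront)'

cf_triage "$SAMPLE"
```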

Verify forwarding based on request headers, cookies, or query strings

If your application requires certain request headers, cookies, or query strings, update your distribution's cache behaviors to forward the required parameters to the origin. CloudFront might not forward the required parameters in the default settings.

For more information, see Caching content based on cookies, Caching content based on query string parameters, and Caching content based on request headers.

Check allowed HTTP methods

By default, CloudFront allows only GET and HEAD HTTP methods. If you're running an application on your origin server and you're accessing your application through CloudFront, review the HTTP methods required for calls to your application. Those HTTP methods must also be allowed on your distribution. For example, if you're running an application to submit a form, you might need to allow the POST method on your distribution. For instructions on how to change allowed HTTP methods on your distribution, see Allowed HTTP methods.

Resolve SSL issues between the client and CloudFront

If you can't access your website or application through CloudFront because of SSL issues, see Why isn't CloudFront serving my domain name over HTTPS?

Resolve constant redirection issues

If you're seeing constant redirection when you try to load your website or application through CloudFront, check the origin configuration on CloudFront. Additionally, check the origin server's redirection policy.

In a typical workflow, a client connects to CloudFront, and then CloudFront connects to the origin server. The origin protocol policy of your distribution and the redirection policy of the origin server must be compatible with each other for the workflow to succeed.

For example, if your origin server redirects all HTTP requests to HTTPS, and your distribution's origin protocol policy is set to HTTP, then requests are sent in a loop. In this scenario, if the client requests http://d12345.cloudfront.net/example.image, CloudFront requests the content from the origin server over HTTP. The origin server answers with a redirect from HTTP to HTTPS. The client follows that redirect back to CloudFront over HTTPS, and CloudFront again requests the content from the origin over HTTP, which restarts the loop.

To resolve the constant redirection, use one of the following configurations:

  • Change your CloudFront distribution's origin protocol policy to use only HTTPS. This requires your custom origin server to have a valid SSL certificate installed.
  • If you don't have a valid SSL certificate installed on your origin server, you can remove the redirection policy. Then, you can configure the origin server to accept HTTP requests.
    Warning: HTTP requests are not recommended for sensitive information, because the communication is in plaintext.
