Write For Us
php
.htaccess
amazon-web-services
amazon-ec2
amazon-cloudfront

AWS Cloudfront + Load Balancer, url changes from main domain to load balancer subdomain

Viewed   132 times

My setup is as follows:

  1. user types example.com on the browser
  2. request goes to AWS CloudFront, which redirects HTTP to HTTPS, and forwards the request to the AWS Elastic LoadBalancer (elb.example.com)
  3. LoadBalancer forwards the request to the EC2 instance running PHP Laravel framework
  4. EC2 responds normally
  5. user views the page correctly at example.com with everything else transparent to him

All this is perfectly what I want, HOWEVER .....

  • If the user navigates to any button on the page, the url on the browser will become elb.example.com (it should stay example.com)
  • If I go to view page source, all the links to any button on the page has the base url of elb.example.com (it should be example.com)

The reason is because EC2 see the request coming from the load balancer so it assumes the base url is elb.example.com and generates all links accordingly.

How do make EC2 see the base url as example.com ?

 Answers

5

This behavior likely results from the fact that by default CloudFront sets the Host: HTTP request header to the origin hostname, in this case elb.example.com. The application then presumably generates links based on that hostname.

If, instead, you configure CloudFront to whitelist that header for forwarding to the origin, the Host header sent by the browser (example.com) will be sent on to the application by CloudFront, so the application should behave more like you'd expect and use that value when generating the links. With this, CloudFront still uses the origin domain name to do the DNS lookup needed in order to establish the TCP connection to the origin (the ELB in this case), but stops injecting that hostname into the HTTP request headers.

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesForwardHeaders

You'll find the host header under cache behavior settings -> cache based on selected request headers -> whitelist.

Thursday, October 27, 2022
 
alden_be
 
alden_be
4

There's more in that error than you see. Your CloudFront signed URL is actually working. <HostId> and <RequestId> are not components in an Access Denied error from CloudFront. This error is coming from S3, after CloudFront accepts your signed request.

In the HTTP response headers, you should see...

Server: Amazon S3
x-amz-request-id: (same value as the XML RequestId)
x-amz-id-2: (same value as the XML HostId)

S3 is not allowing CloudFront to fetch your content.

See Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content and verify your configuration.

Also review the steps in Amazon CloudFront Latency to set your Error Caching Minimim TTL for 403 errors to 0 seconds, otherwise you will continue to see the error for up to 5 minutes (the default) after you fix the issue.

If everything looks correct, you may want to review your S3 bucket logs to ensure that you are requesting the object that you intend to. In CloudFront origin settings, there is a value called Origin Path that should almost always be left blank. Putting a value there will cause CloudFront to ask for a different object than the URL makes it appear you are requesting, so this value is not commonly something that you should set to anything.

Saturday, October 29, 2022
 
cgp
 
cgp
5

Cookies have a domain attribute, which specifies which domains they will be sent to from the client. For example, in PHP's setcookie function the 5th argument accepts a $domain string to set in the cookie. By default it's left blank which means it will use the domain the request came from when the client receives it.

The domain that the cookie is available to. Setting the domain to 'www.example.com' will make the cookie available in the www subdomain and higher subdomains. Cookies available to a lower domain, such as 'example.com' will be available to higher subdomains, such as 'www.example.com'. Older browsers still implementing the deprecated » RFC 2109 may require a leading . to match all subdomains.

So if you set your cookie to your main domain the client UA won't have a problem making it available to your sub domain.

Now, iframes are little trickier, however. For example, Internet Explorer can treat iframes differently due its varying privacy policy rules and block all cookies from an iframe. See this question for more details. However, Nginx really shouldn't play anything more than a passive role in all of this.

Saturday, December 10, 2022
 
semanticart
 
semanticart
4

Dumb mistake.

Needed to add this to my server config file:

<Directory /var/www/html/MYPROTECTEDDIRECTORY>
AllowOverride All     
</Directory>
Tuesday, December 20, 2022
 
mstrthealias
 
mstrthealias
3

I want to setup SSL certificate and HTTPS Listener for ALB at this subdomain that was provided by AWS - how I can do it?

You can't do this. This is not your domain (AWS owns it) and you can't associate any SSL certificate with it. You have to have your own domain that you control. Once you obtain the domain, you can get free SSL certificate from AWS ACM.

Saturday, September 24, 2022
 
swapnil_tandel
 
swapnil_tandel
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :
php
.htaccess
amazon-web-services
amazon-ec2
amazon-cloudfront
 
Share
Related Answers
258
 How to pass session / cookie from main domain to subdomains in Nginx?
204
 How to integrate API Gateway with internal ALB
233
 JavaScript access from parent domain to subdomain?
102
 CakePHP keep session from main domain across to a subdomain
119
 Cannot access airflow web server via AWS load balancer HTTPS because airflow redirects me to HTTP
66
 Passing variables from Main function to another C# class
111
 AWS Load Balancer 502
67
 Install Wildcard Certificate onto AWS EC2 Load Balancer
54
 How to make a HTTP call reaching all instances behind amazon AWS load balancer?
295
 EKS ALB is not to able to auto-discover subnets
Top Answers Related To

php,.htaccess,amazon-web-services,amazon-ec2,amazon-cloudfront

298
 How can I debug AWS Cloudfront signed URL access denied?
84
 How do I set write permissions for a directory in AWS for ec2-user?
255
 CloudFront + S3 Website: “The specified key does not exist” when an implicit index document should be displayed
391
 Multiple Cloudfront Origins with Behavior Path Redirection
620
 Steps to deploy a React app on S3 with CloudFront while managing caching?
98
 Cloudfront TTL not working
135
 Restricting access to CloudFront by IP
48
 Can someone walk me through serving gzipped files from Cloudfront via S3 origin?
73
 Using AWS iOS SDK to fetch files from cloudfront distribuition
314
 Serve SPA multi-tenants through AWS CloudFront from a single S3 bucket
Write For Us · Blog · Privacy · Faqs · Terms of Use · Contact us ·