Viewed   132 times

My setup is as follows:

  1. user types on the browser
  2. request goes to AWS CloudFront, which redirects HTTP to HTTPS, and forwards the request to the AWS Elastic LoadBalancer (
  3. LoadBalancer forwards the request to the EC2 instance running PHP Laravel framework
  4. EC2 responds normally
  5. user views the page correctly at with everything else transparent to him

All this is perfectly what I want, HOWEVER .....

  • If the user navigates to any button on the page, the url on the browser will become (it should stay
  • If I go to view page source, all the links to any button on the page has the base url of (it should be

The reason is because EC2 see the request coming from the load balancer so it assumes the base url is and generates all links accordingly.

How do make EC2 see the base url as ?



This behavior likely results from the fact that by default CloudFront sets the Host: HTTP request header to the origin hostname, in this case The application then presumably generates links based on that hostname.

If, instead, you configure CloudFront to whitelist that header for forwarding to the origin, the Host header sent by the browser ( will be sent on to the application by CloudFront, so the application should behave more like you'd expect and use that value when generating the links. With this, CloudFront still uses the origin domain name to do the DNS lookup needed in order to establish the TCP connection to the origin (the ELB in this case), but stops injecting that hostname into the HTTP request headers.

You'll find the host header under cache behavior settings -> cache based on selected request headers -> whitelist.

Thursday, October 27, 2022

There's more in that error than you see. Your CloudFront signed URL is actually working. <HostId> and <RequestId> are not components in an Access Denied error from CloudFront. This error is coming from S3, after CloudFront accepts your signed request.

In the HTTP response headers, you should see...

Server: Amazon S3
x-amz-request-id: (same value as the XML RequestId)
x-amz-id-2: (same value as the XML HostId)

S3 is not allowing CloudFront to fetch your content.

See Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content and verify your configuration.

Also review the steps in Amazon CloudFront Latency to set your Error Caching Minimim TTL for 403 errors to 0 seconds, otherwise you will continue to see the error for up to 5 minutes (the default) after you fix the issue.

If everything looks correct, you may want to review your S3 bucket logs to ensure that you are requesting the object that you intend to. In CloudFront origin settings, there is a value called Origin Path that should almost always be left blank. Putting a value there will cause CloudFront to ask for a different object than the URL makes it appear you are requesting, so this value is not commonly something that you should set to anything.

Saturday, October 29, 2022

Cookies have a domain attribute, which specifies which domains they will be sent to from the client. For example, in PHP's setcookie function the 5th argument accepts a $domain string to set in the cookie. By default it's left blank which means it will use the domain the request came from when the client receives it.

The domain that the cookie is available to. Setting the domain to '' will make the cookie available in the www subdomain and higher subdomains. Cookies available to a lower domain, such as '' will be available to higher subdomains, such as ''. Older browsers still implementing the deprecated » RFC 2109 may require a leading . to match all subdomains.

So if you set your cookie to your main domain the client UA won't have a problem making it available to your sub domain.

Now, iframes are little trickier, however. For example, Internet Explorer can treat iframes differently due its varying privacy policy rules and block all cookies from an iframe. See this question for more details. However, Nginx really shouldn't play anything more than a passive role in all of this.

Saturday, December 10, 2022

Dumb mistake.

Needed to add this to my server config file:

<Directory /var/www/html/MYPROTECTEDDIRECTORY>
AllowOverride All     
Tuesday, December 20, 2022

I want to setup SSL certificate and HTTPS Listener for ALB at this subdomain that was provided by AWS - how I can do it?

You can't do this. This is not your domain (AWS owns it) and you can't associate any SSL certificate with it. You have to have your own domain that you control. Once you obtain the domain, you can get free SSL certificate from AWS ACM.

Saturday, September 24, 2022
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :