
I hosted an ASP.Net server on EC2 ubuntu instance. I want to connect to this using AWS Cloudfront distribution to incorporate a certificate for secure HTTPS connection to my server.

I am using the domain ecomserver.co.za with an SSL certificate and a CloudFront distribution.

I pointed my ecomserver.co.za to my distribution with A alias records using Route 53.

I have created a certificate with ACM and it is in the issued state. Also, I have tested the certificate with an online tester and it is in order.

I created a CF distribution with the following values:

  • Origin domain: My EC2 Public IPv4 DNS
  • Protocol: Match Viewer with default ports of 80 and 443 (TLSv1.2)
  • Viewer Protocol: Redirect HTTP to HTTPS
  • Allowed HTTP methods: I selected all the methods
  • Alternative domain names: ecomserver.co.za and *.ecomserver.co.za (I have created an A Alias record for both in AWS Route 53)
  • Certificate: I chose the certificate I created
  • Rest of the settings I left on default
    Note: IPv6 is enabled

My ASP.Net server runs on port 7000 for HTTP and 7001 for HTTPS on Ubuntu on the EC2 instance. I don’t know if this is the issue.

My EC2 instance accepts all inbound traffic due to the inbound rules in the security group (screenshot omitted).
I have also added rules for
TCP IPv4 Port 80 0.0.0.0/0
TCP IPv4 Port 443 0.0.0.0/0

The problem is when I call this with postman with https://ecomserver.co.za:7001/api/products/4/get I get connection timed out. (I know this call works when I use the EC2 public domain, e.g. https://13.244.94.168:7001/api/products/4/get)

I know my domain of ecomserver.co.za is pointing to my distribution because when I type it in web browser I get 502 Error with the following error message: CloudFront attempted to establish a connection with the origin, but either the attempt failed or the origin closed the connection. We can’t connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.

What am I missing or doing wrong?

2 Answers


  1. Looks like your CloudFront distribution is presenting ports 80 and 443 as expected, and your TLS cert is working as expected. That means that you won’t be able to connect to your CloudFront distribution (the domain name ecomserver.co.za) over port 7000 or 7001 because those ports are open on your EC2 instance, not on the public leg of the CloudFront distribution.

    The 502 is because the CloudFront origin (the internal leg) will need to be set to port 7000 or 7001, meaning that CloudFront will connect to your EC2 instance on either 7000 or 7001 (depending on whether you want TLS on the back end or not).

  2. Make sure you are forwarding the headers. This was a little bit buried in the documentation, but CloudFront uses it to verify the origin.

    Under the setting header Cache key and origin requests select Legacy cache settings. Then select all in the headers drop down.

    For reference

    The certificate returned from the origin must include one of the
    following domain names:

    • The domain name in the origin’s Origin domain field (the DomainName field in the CloudFront API).
    • The domain name in the Host header, if the cache behavior is configured to forward the Host header to the origin.

    https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html

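As an added example (not code from the question or either answer), the following checker applies the two answers above to a distribution config: it flags a client connecting to the distribution on a port other than 80/443, origin-side ports that the app does not listen on, and an origin certificate that matches neither the Origin domain nor a forwarded Host header. The config shape follows the CloudFront API's DistributionConfig for the fields used; the origin DNS name, ports and certificate names are constructed, not the asker's real values.

```python
# Added example, not code from the question or the answers above. It applies the two
# answers to a CloudFront config: are the origin-side ports the ones the app listens
# on, and does the origin certificate match the Origin domain or a forwarded Host?
# Only the DistributionConfig fields used here are modelled; every value is constructed.
def diagnose(dist_config, origin, viewer_port=443):
    """Return findings explaining a timeout or 502. dist_config is a dict shaped like the
    CloudFront DistributionConfig (subset); origin holds constructed facts: listening_ports,
    cert_names (names in the cert it presents) and viewer_hosts (Host values clients send)."""
    findings = []
    if viewer_port not in (80, 443):  # a distribution only accepts viewer traffic on 80/443
        findings.append(f"client uses port {viewer_port}: CloudFront only listens on 80/443, "
                        "so a request to the distribution on that port times out")
    fwd = dist_config["DefaultCacheBehavior"]["ForwardedValues"]["Headers"]
    forwarded = set(fwd.get("Items", [])) if fwd.get("Quantity", 0) else set()
    host_forwarded = "Host" in forwarded or "*" in forwarded  # "*" forwards all headers
    for item in dist_config["Origins"]["Items"]:
        cfg = item["CustomOriginConfig"]
        policy = cfg["OriginProtocolPolicy"]  # http-only | https-only | match-viewer
        origin_ports = []
        if policy in ("http-only", "match-viewer"):
            origin_ports.append(("HTTP", cfg["HTTPPort"]))
        if policy in ("https-only", "match-viewer"):
            origin_ports.append(("HTTPS", cfg["HTTPSPort"]))
        for scheme, port in origin_ports:
            if port not in origin["listening_ports"]:
                findings.append(f"origin {item['Id']}: CloudFront connects over {scheme} to port "
                                f"{port}, but the app listens on {sorted(origin['listening_ports'])}")
        if policy != "http-only":
            # The origin cert must cover the Origin domain, or the Host header if it is forwarded.
            acceptable = {item["DomainName"]}
            if host_forwarded:
                acceptable |= set(origin.get("viewer_hosts", ()))
            if not acceptable & set(origin["cert_names"]):
                findings.append(f"origin {item['Id']}: certificate names {sorted(origin['cert_names'])} "
                                "match neither the Origin domain nor a forwarded Host header")
    return findings

def sample_config(http_port, https_port, forward_all_headers):
    """Constructed DistributionConfig subset mirroring the question's settings."""
    headers = {"Quantity": 1, "Items": ["*"]} if forward_all_headers else {"Quantity": 0}
    return {"Origins": {"Quantity": 1, "Items": [{
                "Id": "ec2-origin",
                "DomainName": "ec2-EXAMPLE.compute.amazonaws.com",  # placeholder, not the real name
                "CustomOriginConfig": {"HTTPPort": http_port, "HTTPSPort": https_port,
                                       "OriginProtocolPolicy": "match-viewer"}}]},
            "DefaultCacheBehavior": {"ForwardedValues": {"Headers": headers}}}

# Constructed origin facts: the app listens on 7000/7001 and presents a cert for the site name.
ORIGIN = {"listening_ports": {7000, 7001}, "cert_names": {"ecomserver.co.za"},
          "viewer_hosts": {"ecomserver.co.za"}}
```

`diagnose(sample_config(80, 443, False), ORIGIN, viewer_port=7001)` reproduces the question's setup and reports four problems; `diagnose(sample_config(7000, 7001, True), ORIGIN)` is the configuration both answers describe and reports none.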