I'm using an Amazon Elastic Compute Cloud (Amazon EC2) instance or a load balancer as the custom origin for my website or application. I can connect to the custom origin, but I can't get the same content from Amazon CloudFront. Or, CloudFront returns an error.
Resolution
Identify the error response
To view the HTTP response headers that CloudFront returns, check the Network tab of your browser developer tools. Or, use a utility such as curl.
If you receive an HTTP 502 status code (Bad Gateway) response, then see HTTP 502 status code (Bad Gateway).
If you receive an HTTP 504 status code (Gateway Timeout) response, then see HTTP 504 status code (Gateway Timeout).
Verify forwarding based on request headers, cookies, or query strings
If your application requires specific request parameters, then update your distribution's cache behaviors to forward the required headers, cookies, or query strings to the origin. CloudFront might not forward the required parameters by default.
Check allowed HTTP methods
By default, CloudFront allows only the GET and HEAD HTTP methods. Determine the HTTP methods that are required for calls to your application, and then allow them. For example, if you're running an application to submit a form, then allow the POST method on your distribution.
Resolve SSL/TLS issues between the client and CloudFront
If you can't use CloudFront to access your website or application because of SSL/TLS issues, then see Why isn't CloudFront serving my domain name over HTTPS?
Resolve constant redirection issues
If you see constant redirection when you use CloudFront to load your website or application, then check the origin configuration on CloudFront. Also, check the origin server's redirection policy.
In a typical workflow, a client connects to CloudFront, and then CloudFront connects to the origin server. The origin protocol policy of your distribution and the redirection policy of the origin server must be compatible.
For example, suppose that your origin server redirects all HTTP requests to HTTPS, and your distribution's origin protocol policy is set to HTTP. If the client requests http://d12345.cloudfront.net/example.image, then CloudFront makes a request to the origin server to get the content over HTTP. The request arrives at the origin server, and then the server redirects the request from HTTP to HTTPS. The client follows the redirect, so the request is routed back to CloudFront with HTTPS. CloudFront again uses HTTP to make the request to the origin, and the request loop restarts.
To resolve constant redirection, use one of the following configurations:
- Change your CloudFront distribution's origin protocol policy to use only HTTPS. You must have a valid SSL/TLS certificate on your custom origin server.
- If you don't have a valid SSL/TLS certificate on your origin server, then remove the redirection policy and configure the origin server to accept HTTP requests.
Important: It's not a best practice to use HTTP requests for sensitive information because the communication is in plaintext.
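The following sketch models the loop described above and shows why each fix breaks it. It is an added example, not AWS code: the function names are hypothetical, the policy strings use the CloudFront API spellings (http-only, https-only, match-viewer), and the origin is assumed to redirect to the HTTPS form of the same CloudFront URL.

```python
from urllib.parse import urlsplit

def origin_scheme(policy, viewer_scheme):
    """Scheme CloudFront uses to reach the origin under an origin protocol policy."""
    if policy == "http-only":
        return "http"
    if policy == "https-only":
        return "https"
    if policy == "match-viewer":
        return viewer_scheme
    raise ValueError(f"unknown origin protocol policy: {policy}")

def origin_status(scheme, redirect_http_to_https):
    """Modelled origin: answers 301 when reached over HTTP and the redirect policy is on."""
    return 301 if scheme == "http" and redirect_http_to_https else 200

def trace(url, policy, redirect_http_to_https, max_hops=5):
    """Follow a viewer request through CloudFront. Returns (hops, looped)."""
    hops, seen = [], set()
    for _ in range(max_hops):
        to_origin = origin_scheme(policy, urlsplit(url).scheme)
        status = origin_status(to_origin, redirect_http_to_https)
        hops.append((url, to_origin, status))
        if status == 200:
            return hops, False
        # Assumption: the redirect points at the HTTPS form of the same URL.
        url = urlsplit(url)._replace(scheme="https").geturl()
        if (url, to_origin) in seen:
            return hops, True  # same viewer URL, same origin scheme: a loop
        seen.add((url, to_origin))
    return hops, True

if __name__ == "__main__":
    start = "http://d12345.cloudfront.net/example.image"  # URL from the example above
    cases = [
        ("http-only", True),    # the misconfiguration described above
        ("https-only", True),   # fix 1: origin protocol policy uses only HTTPS
        ("http-only", False),   # fix 2: redirection policy removed at the origin
    ]
    for policy, redirects in cases:
        hops, looped = trace(start, policy, redirects)
        print(f"policy={policy} origin_redirects={redirects} looped={looped}")
        for viewer_url, scheme, status in hops:
            print(f"  viewer {viewer_url} -> origin over {scheme} -> {status}")
```
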
Related information
Use Amazon EC2 (or another custom origin)