URL: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html

Restricting access to Application Load Balancers - Amazon CloudFront

RESTRICTING ACCESS TO APPLICATION LOAD BALANCERS


For a web application or other content that’s served by an Application Load
Balancer in Elastic Load Balancing, CloudFront can cache objects and serve them
directly to users (viewers), reducing the load on your Application Load
Balancer. CloudFront can also help to reduce latency and even absorb some
distributed denial of service (DDoS) attacks. However, if users can bypass
CloudFront and access your Application Load Balancer directly, you don’t get
these benefits. You can configure Amazon CloudFront and your Application Load
Balancer so that users can reach the Application Load Balancer only through
CloudFront, which ensures that you get the benefits of using CloudFront.

To prevent users from directly accessing an Application Load Balancer and allow
access only through CloudFront, complete these high-level steps:

 1. Configure CloudFront to add a custom HTTP header to requests that it sends
    to the Application Load Balancer.

 2. Configure the Application Load Balancer to only forward requests that
    contain the custom HTTP header.

 3. (Optional) Require HTTPS to improve the security of this solution.

For more information, see the following topics. After you complete these steps,
users can only access your Application Load Balancer through CloudFront.

Topics

 * Configuring CloudFront to add a custom HTTP header to requests
 * Configuring an Application Load Balancer to only forward requests that
   contain a specific header
 * (Optional) Improve the security of this solution


CONFIGURING CLOUDFRONT TO ADD A CUSTOM HTTP HEADER TO REQUESTS

You can configure CloudFront to add a custom HTTP header to the requests that it
sends to your origin (in this case, an Application Load Balancer).

Important

This use case relies on keeping the custom header name and value secret. If the
header name and value are not secret, other HTTP clients could potentially
include them in requests that they send directly to the Application Load
Balancer. This can cause the Application Load Balancer to behave as though the
requests came from CloudFront when they did not. To prevent this, keep the
custom header name and value secret.

You can configure CloudFront to add a custom HTTP header to origin requests with
the CloudFront console, AWS CloudFormation, or the CloudFront API.

To add a custom HTTP header (CloudFront console)

In the CloudFront console, use the Origin Custom Headers setting in Origin
Settings. Enter the Header Name and its Value, as shown in the following
example.

Note

The header name and value in this example are just for demonstration. In
production, use randomly generated values. Treat the header name and value as a
secure credential, like a user name and password.



You can edit the Origin Custom Headers setting when you create or edit an origin
for an existing CloudFront distribution, and when you create a new distribution.
For more information, see Updating a distribution and Creating a distribution.

To add a custom HTTP header (AWS CloudFormation)

In an AWS CloudFormation template, use the OriginCustomHeaders property, as
shown in the following example.

Note

The header name and value in this example are just for demonstration. In
production, use randomly generated values. Treat the header name and value as a
secure credential, like a user name and password.

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  TestDistribution:
    Type: 'AWS::CloudFront::Distribution'
    Properties:
      DistributionConfig:
        Origins:
          - DomainName: app-load-balancer.example.com
            Id: Example-ALB
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
              OriginSSLProtocols:
                - TLSv1.2
            OriginCustomHeaders:
               - HeaderName: X-Custom-Header
                 HeaderValue: random-value-1234567890
        Enabled: 'true'
        DefaultCacheBehavior:
          TargetOriginId: Example-ALB
          ViewerProtocolPolicy: allow-all
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6
        PriceClass: PriceClass_All
        ViewerCertificate:
          CloudFrontDefaultCertificate: 'true'

For more information, see the Origin and OriginCustomHeader properties in the
AWS CloudFormation User Guide.

To add a custom HTTP header (CloudFront API)

In the CloudFront API, use the CustomHeaders object inside Origin. For more
information, see CreateDistribution and UpdateDistribution in the Amazon
CloudFront API Reference, and the documentation for your SDK or other API
client.

There are some header names that you can’t specify as origin custom headers. For
more information, see Custom headers that CloudFront can’t add to origin
requests.
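The following is an added example, not code from the AWS documentation. It shows the shape of the CustomHeaders object that the CloudFront API expects on an origin, generates a random header name and value with the secrets module (the page asks for randomly generated values treated as a credential), and rebuilds the object so that Quantity always equals the number of Items, which the API requires. The DistributionConfig layout is assumed to match what boto3's get_distribution_config returns; the real update_distribution call appears only in a comment and is not made, and the sample configuration is constructed from the page's CloudFormation example.

```python
"""Build the CustomHeaders object that the CloudFront API expects on an
origin, with a freshly generated secret header name and value.

Added example, not AWS's own code. Assumptions: the DistributionConfig dict
has the shape boto3's get_distribution_config returns; the actual
update_distribution call is shown only in a comment and is not made here.
"""
import copy
import secrets


def new_secret_header(name_prefix: str = "X-Origin-Verify") -> tuple:
    """Return (header_name, header_value) with random components.

    The page treats both name and value as a credential, so both get a
    random part: 4 random bytes in the name, 32 random bytes (about 256
    bits) in the value. Both come from the secrets module, not random.
    """
    return f"{name_prefix}-{secrets.token_hex(4)}", secrets.token_urlsafe(32)


def set_origin_custom_headers(distribution_config: dict, origin_id: str,
                              headers: dict) -> dict:
    """Return a copy of distribution_config in which the origin with Id
    origin_id carries exactly the custom headers given as {name: value}.

    The API requires CustomHeaders.Quantity to equal len(CustomHeaders.Items),
    so the object is rebuilt from scratch instead of appending to Items.
    """
    config = copy.deepcopy(distribution_config)
    for origin in config["Origins"]["Items"]:
        if origin["Id"] == origin_id:
            items = [{"HeaderName": name, "HeaderValue": value}
                     for name, value in headers.items()]
            origin["CustomHeaders"] = {"Quantity": len(items), "Items": items}
            return config
    raise KeyError(f"no origin with Id {origin_id!r}")


def current_custom_headers(distribution_config: dict, origin_id: str) -> dict:
    """Read one origin's custom headers back as a {name: value} dict."""
    for origin in distribution_config["Origins"]["Items"]:
        if origin["Id"] == origin_id:
            items = origin.get("CustomHeaders", {}).get("Items", [])
            return {h["HeaderName"]: h["HeaderValue"] for h in items}
    raise KeyError(f"no origin with Id {origin_id!r}")


# Constructed sample: the minimum of a DistributionConfig needed here, using
# the origin from the page's CloudFormation example. Other fields omitted.
SAMPLE_CONFIG = {
    "Origins": {
        "Quantity": 1,
        "Items": [{
            "Id": "Example-ALB",
            "DomainName": "app-load-balancer.example.com",
            "CustomHeaders": {"Quantity": 0, "Items": []},
        }],
    },
}


if __name__ == "__main__":
    name, value = new_secret_header()
    updated = set_origin_custom_headers(SAMPLE_CONFIG, "Example-ALB", {name: value})
    print(updated["Origins"]["Items"][0]["CustomHeaders"])
    # Against a real distribution (not executed here; boto3 is not imported):
    #   client = boto3.client("cloudfront")
    #   resp = client.get_distribution_config(Id=DISTRIBUTION_ID)  # placeholder id
    #   cfg = set_origin_custom_headers(resp["DistributionConfig"],
    #                                   "Example-ALB", {name: value})
    #   client.update_distribution(Id=DISTRIBUTION_ID, IfMatch=resp["ETag"],
    #                              DistributionConfig=cfg)
    # Keep name and value in a secrets store: the ALB listener rule needs the same pair.
```

Because the function returns a copy, the ETag-guarded update pattern (get, modify, update with IfMatch) keeps working even if you decide not to apply the change; the original configuration is never mutated in place.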


CONFIGURING AN APPLICATION LOAD BALANCER TO ONLY FORWARD REQUESTS THAT CONTAIN A
SPECIFIC HEADER

After you configure CloudFront to add a custom HTTP header to the requests that
it sends to your Application Load Balancer (see the previous section), you can
configure the load balancer to only forward requests that contain this custom
header. You do this by adding a new rule and modifying the default rule in your
load balancer’s listener.

Prerequisites

To use the following procedures, you need an Application Load Balancer with at
least one listener. If you haven’t created one yet, see Create an Application
Load Balancer in the User Guide for Application Load Balancers.

The following procedures modify an HTTPS listener. You can use the same process
to modify an HTTP listener.

To update the rules in an Application Load Balancer listener

 1. Open the Load Balancers page in the Amazon EC2 console.

 2. Choose the load balancer that is the origin for your CloudFront
    distribution, then choose the Listeners tab.

 3. For the listener that you are modifying, choose View/edit rules.
    
    

 4. Choose the icon to add rules.
    
    

 5. Choose Insert Rule.
    
    

 6. For the new rule, do the following:
    
    1. Choose Add condition and then choose Http header. Specify the HTTP header
       name and value that you added as an origin custom header in CloudFront.
    
    2. Choose Add action and then choose Forward to. Choose the target group
       where you want to forward requests.
    
    3. Choose Save to create the new rule.
    

 7. Choose the icon to edit rules.
    
    

 8. Choose the edit icon for the default rule.
    
    

 9. For the default rule, do the following:
    
    1. Delete the default action.
       
       
    
    2. Choose Add action and then choose Return fixed response.
    
    3. For Response code, enter 403.
    
    4. For Response body, enter Access denied.
    
    5. Choose Update to update the default rule.
    

After you complete these steps, your load balancer listener has two rules, as
shown in the following image. The first rule forwards requests that contain the
HTTP header (requests that come from CloudFront). The second rule sends a fixed
response to all other requests (requests that don’t come from CloudFront).



You can verify that the solution works by sending a request to your CloudFront
distribution and one to your Application Load Balancer. The request to
CloudFront returns your web application or content, and the one sent directly to
your Application Load Balancer returns a 403 response with the plain text
message Access denied.


(OPTIONAL) IMPROVE THE SECURITY OF THIS SOLUTION

To improve the security of this solution, you can configure your CloudFront
distribution to always use HTTPS when sending requests to your Application Load
Balancer. Remember, this solution only works if you keep the custom header name
and value secret. Using HTTPS can help prevent an eavesdropper from discovering
the header name and value. We also recommend rotating the header name and value
periodically.

Use HTTPS for origin requests

To configure CloudFront to use HTTPS for origin requests, set the Origin
Protocol Policy setting to HTTPS Only. This setting is available in the
CloudFront console, AWS CloudFormation, and the CloudFront API. For more
information, see Protocol (custom origins only).

When you configure CloudFront to use HTTPS for origin requests, you need to make
sure that your Application Load Balancer has an HTTPS listener (as shown in the
preceding section). This requires that you have an SSL/TLS certificate that
matches the domain name that is routed to your Application Load Balancer. For
more information, see Create an HTTPS listener in the User Guide for Application
Load Balancers.

If the end users (also known as viewers, or clients) of your web application can
use HTTPS, you can also configure CloudFront to prefer (or even require) HTTPS
connections from the end users. To do this, use the Viewer Protocol Policy
setting. You can set it to redirect end users from HTTP to HTTPS, or to reject
requests that use HTTP. This setting is available in the CloudFront console, AWS
CloudFormation, and the CloudFront API. For more information, see Viewer
protocol policy.
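As an added example (not AWS's own code), the following audit reads a DistributionConfig in the shape boto3's get_distribution_config returns and reports the two weak settings this section is about: a custom origin whose OriginProtocolPolicy is not https-only, and a cache behavior whose ViewerProtocolPolicy is allow-all rather than redirect-to-https or https-only. The sample configuration is constructed to mirror the page's CloudFormation example, which already uses https-only toward the origin but allow-all for viewers, so the audit reports one finding; harden_protocols returns the corrected copy.

```python
"""Audit a CloudFront DistributionConfig for the protocol settings this
section recommends, and produce a hardened copy.

Added example, not AWS's own code. Assumes the DistributionConfig layout
that boto3's get_distribution_config returns. The sample is constructed.
"""
import copy

# Values the CloudFront API accepts that keep viewer traffic on HTTPS.
ACCEPTED_VIEWER_POLICIES = ("redirect-to-https", "https-only")


def _behaviors(distribution_config: dict) -> list:
    """All cache behaviors as (label, behavior) pairs, default first."""
    pairs = [("DefaultCacheBehavior", distribution_config["DefaultCacheBehavior"])]
    for cb in distribution_config.get("CacheBehaviors", {}).get("Items", []):
        pairs.append((f"CacheBehavior {cb['PathPattern']!r}", cb))
    return pairs


def protocol_findings(distribution_config: dict) -> list:
    """Return one human-readable finding per weak setting; empty means clean."""
    findings = []
    for origin in distribution_config["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue  # S3 origins carry no origin protocol policy
        policy = custom.get("OriginProtocolPolicy")
        if policy != "https-only":
            findings.append(f"origin {origin['Id']}: OriginProtocolPolicy is "
                            f"{policy!r}; use 'https-only' so the custom header "
                            f"is never sent over plain HTTP")
    for label, cb in _behaviors(distribution_config):
        policy = cb.get("ViewerProtocolPolicy")
        if policy not in ACCEPTED_VIEWER_POLICIES:
            findings.append(f"{label}: ViewerProtocolPolicy is {policy!r}; "
                            f"expected one of {ACCEPTED_VIEWER_POLICIES}")
    return findings


def harden_protocols(distribution_config: dict,
                     viewer_policy: str = "redirect-to-https") -> dict:
    """Return a copy with https-only origin requests on every custom origin
    and the given viewer protocol policy on every cache behavior."""
    if viewer_policy not in ACCEPTED_VIEWER_POLICIES:
        raise ValueError(f"viewer_policy must be one of {ACCEPTED_VIEWER_POLICIES}")
    config = copy.deepcopy(distribution_config)
    for origin in config["Origins"]["Items"]:
        if "CustomOriginConfig" in origin:
            origin["CustomOriginConfig"]["OriginProtocolPolicy"] = "https-only"
    for _, cb in _behaviors(config):
        cb["ViewerProtocolPolicy"] = viewer_policy
    return config


# Constructed sample mirroring the page's CloudFormation example: HTTPS to
# the origin, but viewers may still use plain HTTP.
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "Example-ALB",
        "DomainName": "app-load-balancer.example.com",
        "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"},
    }]},
    "DefaultCacheBehavior": {"TargetOriginId": "Example-ALB",
                             "ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Quantity": 0, "Items": []},
}


if __name__ == "__main__":
    for finding in protocol_findings(SAMPLE_CONFIG):
        print("finding:", finding)
    print("after hardening:", protocol_findings(harden_protocols(SAMPLE_CONFIG)))
```

Run this over every distribution returned by list_distributions (after fetching each configuration) to find origins that still accept http-only or match-viewer, which would let the secret header travel in clear text to the load balancer.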

Rotate the header name and value

In addition to using HTTPS, we also recommend rotating the header name and value
periodically. The high-level steps for doing this are as follows:

 1. Configure CloudFront to add an additional custom HTTP header to requests
    that it sends to the Application Load Balancer.

 2. Update the Application Load Balancer listener rule to forward requests that
    contain this additional custom HTTP header.

 3. Configure CloudFront to stop adding the original custom HTTP header to
    requests that it sends to the Application Load Balancer.

 4. Update the Application Load Balancer listener rule to stop forwarding
    requests that contain the original custom HTTP header.

For more information about accomplishing these steps, see the preceding
sections.
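The following added example (not AWS's own code) covers both the listener rules from the previous section and the four-step rotation above. The dicts are the parameter shapes boto3's elbv2 client takes for create_rule (the header condition with a forward action) and modify_listener (the fixed 403 default); the ARNs are placeholders. Because rule evaluation happens inside the load balancer, evaluate() is a simplified stand-in written here so the behaviour can be checked offline: rules in priority order, first match wins, the default action otherwise, header names and values compared case-insensitively, no wildcard handling. rotation_steps walks the four steps and rotation_is_safe checks that CloudFront's requests are forwarded at every step while direct requests without a currently valid header get 403.

```python
"""Application Load Balancer listener rules that admit only requests carrying
CloudFront's custom header, and the page's four-step header rotation, checked
offline with a simplified model of ALB rule evaluation.

Added example, not AWS's own code. ARNs are placeholders; evaluate() only
approximates how ALB processes rules (priority order, first match, default
action, case-insensitive header matching, no wildcards).
"""
LISTENER_ARN = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/PLACEHOLDER"
TARGET_GROUP_ARN = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/PLACEHOLDER"


def header_forward_rule(priority: int, header_name: str, header_value: str) -> dict:
    """create_rule parameters: forward to the target group only when the
    request carries the secret header (step 6 of the listener procedure)."""
    return {
        "ListenerArn": LISTENER_ARN,
        "Priority": priority,
        "Conditions": [{"Field": "http-header",
                        "HttpHeaderConfig": {"HttpHeaderName": header_name,
                                             "Values": [header_value]}}],
        "Actions": [{"Type": "forward", "TargetGroupArn": TARGET_GROUP_ARN}],
    }


# modify_listener parameters for step 9: the default rule returns a fixed 403.
DENY_DEFAULT = {
    "ListenerArn": LISTENER_ARN,
    "DefaultActions": [{"Type": "fixed-response",
                        "FixedResponseConfig": {"StatusCode": "403",
                                                "ContentType": "text/plain",
                                                "MessageBody": "Access denied"}}],
}
# The state before step 9: a default rule that forwards everything (fails open).
FORWARD_ALL_DEFAULT = [{"Type": "forward", "TargetGroupArn": TARGET_GROUP_ARN}]


def run_actions(actions: list) -> tuple:
    """Return (status, target ARN or response body) for a rule's first action."""
    action = actions[0]
    if action["Type"] == "forward":
        return 200, action["TargetGroupArn"]
    fixed = action["FixedResponseConfig"]
    return int(fixed["StatusCode"]), fixed["MessageBody"]


def evaluate(rules: list, default_actions: list, request_headers: dict) -> tuple:
    """Simplified ALB listener evaluation for one request."""
    lowered = {k.lower(): v.lower() for k, v in request_headers.items()}
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        matched = True
        for cond in rule["Conditions"]:  # conditions within a rule are ANDed
            cfg = cond["HttpHeaderConfig"]
            wanted = [v.lower() for v in cfg["Values"]]
            if lowered.get(cfg["HttpHeaderName"].lower()) not in wanted:
                matched = False
                break
        if matched:
            return run_actions(rule["Actions"])
    return run_actions(default_actions)


def rotation_steps(old: tuple, new: tuple):
    """Yield (label, listener_rules, headers_cloudfront_sends) after each of
    the page's four rotation steps. old and new are (name, value) pairs; the
    new header gets its own rule because conditions in one rule are ANDed."""
    old_rule, new_rule = header_forward_rule(1, *old), header_forward_rule(2, *new)
    sent = {old[0]: old[1]}
    yield "before", [old_rule], dict(sent)
    sent[new[0]] = new[1]                            # 1. CloudFront adds the new header
    yield "step1", [old_rule], dict(sent)
    yield "step2", [old_rule, new_rule], dict(sent)  # 2. ALB also forwards on it
    del sent[old[0]]                                 # 3. CloudFront drops the old header
    yield "step3", [old_rule, new_rule], dict(sent)
    yield "step4", [new_rule], dict(sent)            # 4. ALB stops forwarding on it


def rotation_is_safe(old: tuple, new: tuple, direct_request_headers: dict) -> bool:
    """True if at every step CloudFront's requests are still forwarded (no
    outage) and a request sent straight to the ALB without a currently valid
    header is denied."""
    deny = DENY_DEFAULT["DefaultActions"]
    return all(evaluate(rules, deny, sent)[0] == 200
               and evaluate(rules, deny, direct_request_headers)[0] == 403
               for _, rules, sent in rotation_steps(old, new))
```

The order of the four steps is what keeps the rotation outage-free: the load balancer always accepts at least one header that CloudFront is currently sending, and once step 4 is complete a request carrying the retired header is denied, which is the whole point of rotating.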

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.