amazon-cloudfront

Where is the `Origin Protocol Policy` field in the AWS Cloudfront console?


UPDATE

Some specifics:

The Cloudfront distribution uses an S3 Static website hosting endpoint which looks something like: bucket.name.s3-website-us-east-1.amazonaws.com.

This redirects to the actual website.

According to this http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html?shortFooter=true#DownloadDistValuesOriginProtocolPolicy:

Origin Protocol Policy (Amazon EC2, Elastic Load Balancing, and Other Custom Origins Only)

The protocol policy that you want CloudFront to use when fetching objects from your origin server.

Important
If your Amazon S3 bucket is configured as a website endpoint, you must specify HTTP Only. Amazon S3 doesn't support HTTPS connections in that configuration.

it seems you can only have HTTP Only. Is that correct? Is there no way to specify HTTPS Only or Match Viewer?

I'm asking because I've seen blogs that seem to indicate that Match Viewer is possible. E.g.

https://simonecarletti.com/blog/2016/08/redirect-domain-https-amazon-cloudfront/

https://karelledru.com/2016/06/static-site-hosting-on-S3-and-CloudFront/


This link says

The value of the Origin Protocol Policy field in the CloudFront console or, if you're using the CloudFront API, the OriginProtocolPolicy element in the DistributionConfig complex type. In the CloudFront console, the options are HTTP Only, HTTPS Only, and Match Viewer.

but I don't see an Origin Protocol Policy field in the console.


Solution

  • The blogs are using screenshots from an older version of the console that allowed you potentially to misconfigure your distribution.

    Origin Protocol Policy is an attribute of the Origin, and is only applicable to custom origins, not S3 origins.

    However, an S3 website on a static website hosting endpoint is not an S3 origin, it's a custom origin. ("S3 origin" refers to cases where you're using the REST endpoint of the bucket, not the web site hosting endpoint.)

    For custom origins, it appears on Origin Settings, after you select an origin from the Origins tab, as well as when creating a new custom origin... unless your custom origin is an S3 website endpoint.

    When CloudFront recognizes that you've specified an S3 website hosting endpoint, it does not display the options for the origin that would not make sense in this context... and Origin Protocol Policy is not applicable to an S3 website hosting endpoint, because the S3 static website hosting endpoints do not support SSL connections. CloudFront can still accept HTTPS connections from the browser, but the connection between CloudFront and S3 will always use HTTP, for a static website origin. This is usually not a cause for concern, for several reasons:

    • the content being returned is static, by definition, so it should contain nothing custom or personal
    • S3 website endpoints don't support authenticated requests, so the content is also public, or at least not genuinely private, by definition
    • CloudFront won't (by default) forward any headers identifying the viewer or compromising their credentials in the request that it sends to S3 such as cookies or the user agent string
    • the traffic between CloudFront and S3 runs on a global network owned by Amazon, not the public Internet
    • the connection between CloudFront and the browser still supports HTTPS, so you still get a green lock, and the specific requests and responses exchanged by the browser and CloudFront are still encrypted

    See Website Endpoints in the S3 Developer Guide for documentation of my assertions, above, that the website endpoints do not support HTTPS or authenticated requests, as well as a full feature and functionality comparison between the REST endpoints and website endpoints.
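As an added example (not code from the question, the answer, or AWS), the following script turns the answer's points into an offline audit of a CloudFront DistributionConfig, in the dictionary shape the CloudFront API returns: a website-endpoint hostname must be a custom origin with OriginProtocolPolicy set to http-only (the only value S3 website endpoints support), the viewer side should still require HTTPS, and, because the CloudFront-to-S3 hop is plaintext, the cache behaviour pointing at that origin should not forward cookies or viewer headers. The sample configurations are constructed here; the hostname pattern and the field names (Origins, CustomOriginConfig, DefaultCacheBehavior, ForwardedValues) are the real API shape, but the check assumes the legacy ForwardedValues layout rather than cache or origin-request policies.

```python
import re
from typing import Dict, List

# S3 static website hosting endpoints come in two hostname forms:
# bucket.s3-website-us-east-1.amazonaws.com and bucket.s3-website.eu-central-1.amazonaws.com
S3_WEBSITE_ENDPOINT = re.compile(
    r"\.s3-website[-.][a-z0-9-]+\.amazonaws\.com$", re.IGNORECASE
)


def is_s3_website_endpoint(domain_name: str) -> bool:
    """True when the origin hostname is an S3 website (not REST) endpoint."""
    return bool(S3_WEBSITE_ENDPOINT.search(domain_name))


def audit_distribution(config: Dict) -> List[str]:
    """Return human-readable findings for one DistributionConfig; [] means clean."""
    findings: List[str] = []
    origins = {o["Id"]: o for o in config["Origins"]["Items"]}
    behaviors = [config["DefaultCacheBehavior"]]
    behaviors += config.get("CacheBehaviors", {}).get("Items", [])

    for origin_id, origin in origins.items():
        domain = origin["DomainName"]
        if not is_s3_website_endpoint(domain):
            continue
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            # A website endpoint configured as an S3 (REST) origin will not work as intended.
            findings.append(f"{origin_id}: {domain} is a website endpoint but is not a custom origin")
        elif custom.get("OriginProtocolPolicy") != "http-only":
            # Website endpoints only speak HTTP; https-only / match-viewer cannot succeed.
            findings.append(
                f"{origin_id}: OriginProtocolPolicy {custom.get('OriginProtocolPolicy')!r} "
                "is unsupported for S3 website endpoints; only http-only works"
            )

    for behavior in behaviors:
        target = behavior["TargetOriginId"]
        if behavior.get("ViewerProtocolPolicy") == "allow-all":
            # The browser-to-CloudFront hop is the one that can and should be encrypted.
            findings.append(f"behavior -> {target}: ViewerProtocolPolicy allow-all permits plaintext viewers")
        origin = origins.get(target)
        if origin is None or not is_s3_website_endpoint(origin["DomainName"]):
            continue
        # Legacy ForwardedValues shape (assumption: cache/origin-request policies not used).
        forwarded = behavior.get("ForwardedValues", {})
        cookies = forwarded.get("Cookies", {}).get("Forward", "none")
        headers = forwarded.get("Headers", {}).get("Items", [])
        if cookies != "none" or headers:
            findings.append(
                f"behavior -> {target}: forwards cookies={cookies!r} headers={headers} "
                "over the plaintext CloudFront-to-S3 hop"
            )
    return findings


def sample_config(protocol_policy: str, cookie_forward: str, viewer_policy: str) -> Dict:
    """Constructed DistributionConfig fragment with one S3 website-endpoint origin."""
    return {
        "Origins": {"Quantity": 1, "Items": [{
            "Id": "s3-website-origin",
            "DomainName": "example-bucket.s3-website-us-east-1.amazonaws.com",
            "CustomOriginConfig": {
                "HTTPPort": 80,
                "HTTPSPort": 443,
                "OriginProtocolPolicy": protocol_policy,
            },
        }]},
        "DefaultCacheBehavior": {
            "TargetOriginId": "s3-website-origin",
            "ViewerProtocolPolicy": viewer_policy,
            "ForwardedValues": {
                "QueryString": False,
                "Cookies": {"Forward": cookie_forward},
                "Headers": {"Quantity": 0, "Items": []},
            },
        },
    }


# Misconfigured as the older console allowed: match-viewer on a website endpoint,
# plus cookies forwarded to it. Expected: two findings.
MISCONFIGURED = sample_config("match-viewer", "all", "redirect-to-https")
# The configuration the answer describes as correct. Expected: no findings.
CORRECT = sample_config("http-only", "none", "redirect-to-https")

if __name__ == "__main__":
    for name, cfg in (("misconfigured", MISCONFIGURED), ("correct", CORRECT)):
        print(name, audit_distribution(cfg) or "OK")
```

Run it against the output of `aws cloudfront get-distribution-config` (the `DistributionConfig` member) to confirm that every S3 website-endpoint origin is http-only and that nothing viewer-specific crosses the unencrypted hop.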