
Firewall config for Amazon Lightsail with CDN distribution


I set up an Amazon Lightsail (WordPress) server and I'm using CDN distributions with a custom domain and SSL certificate as described in this official article. All works well, and I'm able to access the site from the CloudFront distribution's HTTPS-terminated endpoint (with the custom domain).

The problem is that I can still access the site directly via HTTP and HTTPS on the server's static public IP address (which is the origin that CloudFront connects to). I went into Networking->IPv4 Firewall and disabled HTTPS because I read that CloudFront will only use HTTP to connect to the origin. However, I'm not sure if it will work if I disable HTTP also, and I'm a bit puzzled by why Amazon never mentions this in the documentation. Are we supposed to leave the HTTP/HTTPS ports open in the firewall when serving Lightsail through CloudFront, or should we limit them to CloudFront's proxy clients' IP range? I know that in general leaving the proxied server open to the public can cause (security) issues with certain code (or WP plugins) that expect to always be called from behind a reverse proxy, as well as performance issues and possibly other issues if people, bots or hackers connect directly to the server instead of going through the CDN.


Solution

  • This article might be what you are looking for: Access An Application Using Only A Single Domain With Apache.

    Myself, I followed the instructions in the last paragraph:

    "Redirect All Domains To Your Own Domain And Force HTTPS"

    To redirect all domains to your own domain and force HTTPS, add the following configuration into the /opt/bitnami/apache2/conf/bitnami/bitnami.conf file.

    Remember to replace example.com with your own domain.

        <VirtualHost _default_:80>
        RewriteEngine On
        # Plain HTTP: anything not addressed to localhost (including requests
        # to the static IP and to the domain itself) is sent to the HTTPS URL
        RewriteCond %{HTTP_HOST} !^(localhost|127.0.0.1)
        RewriteRule ^(.*)$ https://example.com$1 [R=permanent,L]
        ...

        <VirtualHost _default_:443>
        RewriteEngine On
        # HTTPS: only requests whose Host header is not the canonical domain
        # (for example the static IP) are redirected; localhost is exempt
        RewriteCond %{HTTP_HOST} !^example.com$
        RewriteCond %{HTTP_HOST} !^(localhost|127.0.0.1)
        RewriteRule ^(.*)$ https://example.com$1 [R=permanent,L]
        ...

    By adding the above configuration to your bitnami.conf file it will force the HTTPS protocol for your website and it will redirect all the traffic from your static IP address to your domain name. To change the communication protocol between your distribution and origin to HTTPS you'll need to have installed an SSL certificate on the CloudFront distribution of your Lightsail instance and an SSL certificate on the origin IP address.

    To access the file /opt/bitnami/apache2/conf/bitnami/bitnami.conf you must connect to your static IP using FTP or SSH. You can do this easily using a program like FileZilla.
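As an added illustration (not from the answer or from Bitnami's documentation), the Python model below reproduces the decision the two RewriteRule blocks make for a set of constructed requests, including the case the rules leave alone: a connection to the static IP that carries `Host: example.com` is served directly, because mod_rewrite only inspects the Host header. That is why the redirect canonicalises URLs but does not by itself answer the firewall question in the post. `203.0.113.10` is a placeholder IP.

```python
import re
from typing import Optional

# Values taken from the answer's bitnami.conf snippet. The patterns are copied
# verbatim (unescaped dots included) so they match exactly as mod_rewrite would.
CANONICAL_HOST = "example.com"
COND_NOT_LOCAL = re.compile(r"^(localhost|127.0.0.1)")
COND_CANONICAL = re.compile(r"^example.com$")


def apache_redirect(scheme: str, host_header: str, path: str) -> Optional[str]:
    """Model the two RewriteRule blocks: return the Location the client would
    be redirected to, or None when the request is served as-is.

    scheme      -> which VirtualHost answered (http = :80, https = :443)
    host_header -> the raw Host header, i.e. %{HTTP_HOST}
    path        -> request path; in VirtualHost context ^(.*)$ matches it with
                   its leading slash, so $1 already starts with "/"
    """
    if COND_NOT_LOCAL.match(host_header):
        return None  # localhost / 127.0.0.1 are exempt in both blocks
    if scheme == "http":
        # The :80 block has no canonical-host check: everything is forced to HTTPS
        return f"https://{CANONICAL_HOST}{path}"
    if scheme == "https" and not COND_CANONICAL.match(host_header):
        return f"https://{CANONICAL_HOST}{path}"
    return None


def audit(origin_ip: str) -> dict:
    """Constructed requests a reviewer would try against the origin."""
    return {
        "ip_http": apache_redirect("http", origin_ip, "/wp-login.php"),
        "ip_https": apache_redirect("https", origin_ip, "/"),
        "domain_http": apache_redirect("http", CANONICAL_HOST, "/"),
        "domain_https": apache_redirect("https", CANONICAL_HOST, "/about/"),
        # Connecting to the IP but sending Host: example.com looks identical to
        # the rules, so it is served directly: the redirect is not access control.
        "ip_spoofed_host": apache_redirect("https", CANONICAL_HOST, "/"),
    }


if __name__ == "__main__":
    for name, target in audit("203.0.113.10").items():  # placeholder origin IP
        print(f"{name:16} -> {target or 'served directly'}")
```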