CloudFront Distribution with ELB origin HTTP 502 (Bad Gateway)

I have a CloudFront Distribution connected to a custom origin ELB (with an EC2 instance). When executing a request curl https://xxx.cloudfront.net/atlassian-connect.json an HTTP/1.1 502 Bad Gateway response is returned.

HTTP/1.1 502 Bad Gateway
Content-Type: text/html
Content-Length: 587
Connection: keep-alive
Server: CloudFront
Date: Sun, 29 May 2016 14:32:18 GMT
Age: 23
X-Cache: Error from cloudfront
Via: 1.1 fb7ff691963d3e3600808dccbe4422d2.cloudfront.net (CloudFront)
X-Amz-Cf-Id: HymCU2TweM0e6O4bDhluvDOj0gd2BoAqCnDtVyTOZBz2wOIYHN-Qhg==

When sending a request (bypassing the CloudFront distribution) straight to the ELB, I'm able to get the response that is expected:

curl -kv https://xxx.eu-central-1.elb.amazonaws.com/atlassian-connect.json

After trying to tweak some of the CloudFront distribution options, I'm not able to get it to work.


Solution 1:

The SSL certificate on your server is not usable in this configuration.

You're bypassing validation with curl, but CloudFront (sensibly enough) provides no such bypass mechanism.

Your cert must match either the origin hostname or the Host: header in the original request, if you have the Host: header whitelisted for forwarding to the origin.

If your certificate doesn't contain any domain names that match either Origin Domain Name or the domain name in the Host header, CloudFront returns an HTTP status code 502 (Bad Gateway) to the viewer.

...and, it has to be current, valid, not self-signed, with a properly constructed trust chain:

If the origin server returns an expired certificate, an invalid certificate or a self-signed certificate, or if the origin server returns the certificate chain in the wrong order, CloudFront drops the TCP connection, returns HTTP error code 502, and sets the X-Cache header to Error from cloudfront.

Citations are from http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html.
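The rules quoted above can be replayed locally before touching the distribution. The script below is an added example, not part of the original answer and not AWS code: it splits the chain an origin presents (capture it from the ELB with openssl s_client -connect <elb>:443 -servername <origin domain> -showcerts) and applies each check CloudFront enforces: the leaf must be unexpired, not self-signed, followed by its issuers in order, carry a name matching the Origin Domain Name or the forwarded Host header, and verify against a trusted bundle. The names origin.example.com, other.example.com and "Demo CA", and the throwaway CA used as the trust bundle, are assumptions for the demo; against a real origin you would pass a public root bundle.

```sh
#!/bin/sh
# Added example, not AWS code: replays the checks CloudFront applies to an origin
# certificate (expiry, self-signed, chain order, name match, trust) with openssl.
# origin.example.com, other.example.com and "Demo CA" are assumed names.
set -eu

# Split a PEM bundle into $2/cert-1.pem, $2/cert-2.pem, ... in file order.
split_chain() {
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert-" n ".pem" }
                 f != "" { print > f }' "$1"
}

name_hash() { openssl x509 -in "$1" -noout "-${2}_hash"; }   # $2: subject or issuer

# Does any name in certificate $1 (SAN, or CN when no SAN) match host $2?
matches_name() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"; }

# check_origin_cert CHAIN_PEM ORIGIN_DOMAIN FORWARDED_HOST TRUST_BUNDLE
#   CHAIN_PEM is what the origin sends (leaf first). FORWARDED_HOST is "" when
#   Host is not whitelisted. Returns 0 only if every check passes; each failure
#   is printed and corresponds to a 502 with X-Cache: Error from cloudfront.
check_origin_cert() {
  chain=$1; origin=$2; fhost=$3; trust=$4
  dir=$(mktemp -d); split_chain "$chain" "$dir"; leaf="$dir/cert-1.pem"; rc=0

  # 1. expired? -checkend 0 exits non-zero once notAfter has passed.
  openssl x509 -in "$leaf" -noout -checkend 0 >/dev/null || { echo "expired"; rc=1; }

  # 2. self-signed? the leaf's issuer name is its own subject name.
  [ "$(name_hash "$leaf" subject)" != "$(name_hash "$leaf" issuer)" ] \
    || { echo "self-signed"; rc=1; }

  # 3. chain order: cert N+1 must be the issuer of cert N (leaf, intermediates, root).
  n=1
  while [ -f "$dir/cert-$((n + 1)).pem" ]; do
    [ "$(name_hash "$dir/cert-$n.pem" issuer)" = "$(name_hash "$dir/cert-$((n + 1)).pem" subject)" ] \
      || { echo "chain out of order at position $n"; rc=1; break; }
    n=$((n + 1))
  done

  # 4. name match: Origin Domain Name, or the forwarded Host if one is whitelisted.
  if ! matches_name "$leaf" "$origin" && { [ -z "$fhost" ] || ! matches_name "$leaf" "$fhost"; }; then
    echo "no certificate name matches $origin${fhost:+ or $fhost}"; rc=1
  fi

  # 5. trust: the chain must lead to a CA in TRUST_BUNDLE (a public root for real CloudFront).
  openssl verify -CAfile "$trust" -untrusted "$chain" "$leaf" >/dev/null 2>&1 \
    || { echo "chain does not verify against $trust"; rc=1; }

  rm -rf "$dir"
  return $rc
}

# Constructed fixtures: a throwaway CA, a leaf for the assumed origin name, and a
# self-signed leaf; written into directory $1.
make_fixtures() {
  w=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
    -keyout "$w/ca.key" -out "$w/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=origin.example.com" \
    -keyout "$w/leaf.key" -out "$w/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:origin.example.com\n' > "$w/san.cnf"
  openssl x509 -req -in "$w/leaf.csr" -CA "$w/ca.pem" -CAkey "$w/ca.key" \
    -CAcreateserial -days 1 -extfile "$w/san.cnf" -out "$w/leaf.pem" 2>/dev/null
  cat "$w/leaf.pem" "$w/ca.pem" > "$w/good.pem"      # leaf first, as CloudFront expects
  cat "$w/ca.pem" "$w/leaf.pem" > "$w/reversed.pem"  # same certs, wrong order
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=origin.example.com" \
    -keyout "$w/ss.key" -out "$w/selfsigned.pem" 2>/dev/null
}

# Demo: the four chain/name combinations, with no Host header forwarded.
demo() {
  w=$(mktemp -d); make_fixtures "$w"
  for case in "good.pem origin.example.com" "reversed.pem origin.example.com" \
              "selfsigned.pem origin.example.com" "good.pem other.example.com"; do
    set -- $case
    echo "== $1, Origin Domain Name $2"
    check_origin_cert "$w/$1" "$2" "" "$w/ca.pem" && echo "   accepted" || echo "   502 Bad Gateway"
  done
  rm -rf "$w"
}
demo
```

Only the first combination is accepted; the last one would pass again if origin.example.com were supplied as the forwarded Host, which is exactly the whitelisted-Host case the answer describes. Step 3 is the one openssl verify does not cover, since verify is indifferent to the order of the certificates it is handed while CloudFront is not.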

Solution 2:

In case the problem is not with the certificates (like in my case), it can be related to the headers not being passed to the origin. After setting AllViewer for the Origin request policy option in the CloudFront behavior setting (see picture), the 502 Bad Gateway error was gone.


Origin request policy values are further explained here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html