I've set up a CloudFront distribution for my personal domain www.mysite.com, with an S3 bucket as the default origin. However, for certain paths, I route requests to my home web server. One such path is /.well-known/acme-challenge/*, which certbot uses for SSL certificate creation and renewal before I push the certificates to CloudFront via boto3.
The issue is that when I run certbot for www.mysite.com, it correctly routes to my origin web server, but the 'host' header is being sent as origin.mysite.com instead of www.mysite.com. This mismatch is causing certbot to fail. It seems like passing the 'host' header to the origin should be straightforward, but AWS documentation has left me confused. I've come across references to an 'origin request policy,' but I can't find that option anywhere, just an option for setting custom headers, which gives me an error when I try to use 'host'. What am I missing?
3 Answers
You might want to check the Behaviors tab in your CloudFront settings. Try editing the behavior that applies to your origin server and see if you can select the "HostHeaderOnly" option in the Origin request policy dropdown. I haven’t tried it myself, but it could be what you're looking for!
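As an added example (not code from the thread or from any of the posters), here is how the origin request policy route looks when done with boto3, which the question already uses for the certificate upload. The Host header is not allowed in an origin's custom headers, which is the error the asker hit; it is instead whitelisted in an origin request policy's header list, and that policy is attached to the cache behavior for the ACME path. Two conditions apply that are easy to trip over: the behavior must already use a cache policy (an origin request policy cannot be combined with the legacy ForwardedValues settings, which is also why the dropdown is absent in the console until the behavior is switched off "legacy cache settings"), and the target must be a custom origin, since CloudFront refuses to forward Host to an S3 origin. The policy name, distribution ID, origin IDs and the sample distribution config below are placeholders constructed for the example.

```python
"""Forward the viewer's Host header to a custom (non-S3) origin through an
origin request policy, then attach that policy to the cache behavior that
routes /.well-known/acme-challenge/* to the home web server.

Added example for the thread above; names and IDs are placeholders.
"""

import copy

POLICY_NAME = "forward-host-header"                 # assumed policy name
ACME_PATH_PATTERN = "/.well-known/acme-challenge/*"  # behavior from the question


def origin_request_policy_config(name: str = POLICY_NAME) -> dict:
    """Build an OriginRequestPolicyConfig that forwards only the viewer's
    Host header: no cookies and no query strings reach the origin."""
    return {
        "Name": name,
        "Comment": "Forward viewer Host so the origin vhost matches www",
        "HeadersConfig": {
            "HeaderBehavior": "whitelist",
            "Headers": {"Quantity": 1, "Items": ["Host"]},
        },
        "CookiesConfig": {"CookieBehavior": "none"},
        "QueryStringsConfig": {"QueryStringBehavior": "none"},
    }


def attach_policy_to_behavior(dist_config: dict, path_pattern: str,
                              policy_id: str) -> dict:
    """Return a copy of DistributionConfig with OriginRequestPolicyId set on
    the cache behavior whose PathPattern equals path_pattern.

    Refuses a behavior that targets an S3 origin (CloudFront rejects Host
    forwarding there) or that still uses legacy ForwardedValues (an origin
    request policy requires a cache policy on the same behavior).
    """
    cfg = copy.deepcopy(dist_config)
    s3_origins = {o["Id"] for o in cfg["Origins"]["Items"]
                  if "S3OriginConfig" in o}
    for behavior in cfg.get("CacheBehaviors", {}).get("Items", []):
        if behavior["PathPattern"] != path_pattern:
            continue
        if behavior["TargetOriginId"] in s3_origins:
            raise ValueError("Host cannot be forwarded to an S3 origin")
        if "CachePolicyId" not in behavior:
            raise ValueError("behavior uses legacy ForwardedValues; "
                             "move it to a cache policy first")
        behavior["OriginRequestPolicyId"] = policy_id
        return cfg
    raise KeyError(f"no cache behavior with PathPattern {path_pattern!r}")


def apply(distribution_id: str, path_pattern: str = ACME_PATH_PATTERN) -> str:
    """Create the policy and attach it to the live distribution.

    Needs AWS credentials; boto3 is imported here so the pure helpers
    above can be used and tested offline.
    """
    import boto3

    cf = boto3.client("cloudfront")
    policy_id = cf.create_origin_request_policy(
        OriginRequestPolicyConfig=origin_request_policy_config()
    )["OriginRequestPolicy"]["Id"]
    resp = cf.get_distribution_config(Id=distribution_id)
    new_cfg = attach_policy_to_behavior(resp["DistributionConfig"],
                                        path_pattern, policy_id)
    # IfMatch carries the ETag so a concurrent edit is not silently overwritten.
    cf.update_distribution(Id=distribution_id, IfMatch=resp["ETag"],
                           DistributionConfig=new_cfg)
    return policy_id


# Constructed sample DistributionConfig, trimmed to the fields used above.
# The CachePolicyId is the managed CachingDisabled policy, which is what an
# ACME challenge behavior normally wants so tokens are never served stale.
SAMPLE_DIST_CONFIG = {
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "s3-site", "DomainName": "mysite.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
        {"Id": "home-server", "DomainName": "origin.mysite.com",
         "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                "OriginProtocolPolicy": "https-only"}},
    ]},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": ACME_PATH_PATTERN, "TargetOriginId": "home-server",
         "CachePolicyId": "4135ea2d-6df8-44a3-9df3-4b5a84be39ad"},
    ]},
}

if __name__ == "__main__":
    updated = attach_policy_to_behavior(SAMPLE_DIST_CONFIG, ACME_PATH_PATTERN,
                                        "example-policy-id")
    print(updated["CacheBehaviors"]["Items"][0])
    # To change a real distribution: apply("E1234567890ABC")
```

Once the policy is attached, the home server receives Host: www.mysite.com for the ACME path, so the certbot vhost matches; everything else about the request (path, method, the ACME token) is unchanged. Keep the whitelist to Host alone for this behavior: forwarding more headers than the origin needs only widens what an attacker can push through CloudFront to a home-hosted server.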
In the past, I've had to use a Lambda@Edge function to rewrite the host header to make this work. Check out this post for guidance: https://serverfault.com/questions/888714/send-custom-host-header-with-cloudfront. It should get you on the right track!
You might find this article helpful: https://repost.aws/knowledge-center/configure-cloudfront-to-forward-headers. It covers how to configure headers in CloudFront which could solve your issue!

I looked for that option but couldn't find the "Origin request policy" dropdown in the behavior settings. Am I missing something?