Why is CloudFront Responding with Forbidden for My API Gateway?

Asked By TechSavvyGamer42 On

I've set up an API Gateway at https://api.friendless.com with a wildcard route that returns HTTP requests for testing. The API uses a custom domain and needs TLS 1.2. I also have CloudFront distributions pointing to this API, like https://bob.drfriendless.com, which should be using api.drfriendless.com as the origin. I've configured the origin to be HTTPS only, with no caching or access restrictions, but when I hit my CloudFront URL, I get a "{message: Forbidden}" response. I don't understand why I'm getting this error, especially since the API is public. It seems like CloudFront isn't routing my requests correctly to the API. Any thoughts?

3 Answers

Answered By ServerWhisperer69 On

You might also want to consider defining your origin in CloudFront as the API Gateway’s regional domain name instead of the custom domain. This helps avoid Host header mismatches and can simplify your setup. Also, it's easy to miss that API Gateway requires a specific Host header when using custom domains; make sure you're aware of that going forward!

Answered By DevNinja83 On

Just to add to that, make sure you check the origin request policy in CloudFront. If it's set to `AllViewer`, it might be passing the wrong Host header. Consider switching it to `AllViewerExceptHostHeader` which is designed specifically for cases like yours. This should allow API Gateway to see the expected Host and resolve the issue.

Answered By CodeWizard91 On

It sounds like you're hitting a classic issue. API Gateway validates the **Host** header for custom domains. When CloudFront sends the request, it's likely using `bob.drfriendless.com` as the Host, but your API only accepts `api.friendless.com`. That's why you're seeing the Forbidden error. You need to change the CloudFront settings to ensure the correct Host header is sent. One way is to set up an origin request policy that overrides the Host to be `api.friendless.com`. Alternatively, you can use the API Gateway's regional URL instead, and CloudFront will handle the Host header correctly.
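The three answers all come down to one check: does the cache behavior in front of the API Gateway origin forward the viewer's Host header? The following script is an added example for this thread, not code from the answers above or from AWS. It lints a CloudFront DistributionConfig (the JSON shape returned by `aws cloudfront get-distribution-config`) for exactly that condition and rewrites the offending behaviors to the managed `AllViewerExceptHostHeader` policy. The managed policy IDs, the `HeadersConfig` shape for custom origin request policies, the sample config (built from the hostnames in the question) and the `api_gateway_origin_ids` hint are all assumptions of the example; a custom domain such as `api.drfriendless.com` cannot be recognised as API Gateway from its name alone, so the caller tags it.

```python
"""Lint a CloudFront DistributionConfig for Host-header forwarding to an API Gateway
origin, the misconfiguration behind {"message":"Forbidden"} from a custom domain.

Added example for this thread, not code from the original answers. It assumes the
DistributionConfig shape returned by `aws cloudfront get-distribution-config`
(Origins.Items[].DomainName, DefaultCacheBehavior / CacheBehaviors.Items[]
.OriginRequestPolicyId) and the IDs of the managed origin request policies
Managed-AllViewer and Managed-AllViewerExceptHostHeader.
"""
import copy
import re

# AWS managed origin request policy IDs (assumed to match the published values).
MANAGED_ALL_VIEWER = "216adef6-5c7f-47e4-b989-5492eafa07d3"
MANAGED_ALL_VIEWER_EXCEPT_HOST = "b689b0a8-53d8-40fc-a4a5-ec02b9b6e88d"

# Regional API Gateway endpoint: <api-id>.execute-api.<region>.amazonaws.com
EXECUTE_API_RE = re.compile(r"^[a-z0-9]+\.execute-api\.[a-z0-9-]+\.amazonaws\.com$")


def policy_forwards_host(policy_id, custom_policies):
    """Return True if the origin request policy passes the viewer's Host header through.

    custom_policies maps a policy ID to its OriginRequestPolicyConfig for policies
    that are not AWS-managed. No policy at all means CloudFront sets Host to the
    origin domain name (assuming no legacy ForwardedValues whitelist of Host).
    """
    if policy_id is None or policy_id == MANAGED_ALL_VIEWER_EXCEPT_HOST:
        return False
    if policy_id == MANAGED_ALL_VIEWER:
        return True
    headers = custom_policies.get(policy_id, {}).get("HeadersConfig", {})
    behavior = headers.get("HeaderBehavior", "none")
    listed = {h.lower() for h in headers.get("Headers", {}).get("Items", [])}
    if behavior in ("allViewer", "allViewerAndWhitelistCloudFront"):
        return True
    if behavior == "allExcept":
        return "host" not in listed
    if behavior == "whitelist":
        return "host" in listed
    return False


def check_distribution(dist_config, api_gateway_origin_ids=(), custom_policies=None):
    """Return findings as (path_pattern, origin_domain, policy_id) for every behavior
    that forwards the viewer Host header to an API Gateway origin.

    An origin counts as API Gateway if its domain is a regional execute-api hostname
    or its Id is in api_gateway_origin_ids (custom domains cannot be recognised by name).
    """
    custom_policies = custom_policies or {}
    origins = {o["Id"]: o["DomainName"] for o in dist_config["Origins"]["Items"]}
    behaviors = [dist_config["DefaultCacheBehavior"]]
    behaviors += dist_config.get("CacheBehaviors", {}).get("Items", [])
    findings = []
    for b in behaviors:
        domain = origins[b["TargetOriginId"]]
        is_apigw = bool(EXECUTE_API_RE.match(domain)) or b["TargetOriginId"] in api_gateway_origin_ids
        policy_id = b.get("OriginRequestPolicyId")
        if is_apigw and policy_forwards_host(policy_id, custom_policies):
            findings.append((b.get("PathPattern", "*"), domain, policy_id))
    return findings


def fix_distribution(dist_config, api_gateway_origin_ids=(), custom_policies=None):
    """Return a copy in which every flagged behavior uses AllViewerExceptHostHeader,
    so CloudFront sets Host to the origin domain that API Gateway expects."""
    fixed = copy.deepcopy(dist_config)
    flagged = {p for p, _, _ in check_distribution(fixed, api_gateway_origin_ids, custom_policies)}
    behaviors = [fixed["DefaultCacheBehavior"]] + fixed.get("CacheBehaviors", {}).get("Items", [])
    for b in behaviors:
        if b.get("PathPattern", "*") in flagged:
            b["OriginRequestPolicyId"] = MANAGED_ALL_VIEWER_EXCEPT_HOST
    return fixed


# Constructed sample: the distribution from the question as it would look if the
# default behavior used the managed AllViewer policy (hostnames taken from the thread).
SAMPLE_CONFIG = {
    "Origins": {"Items": [{
        "Id": "api",
        "DomainName": "api.drfriendless.com",
        "CustomOriginConfig": {"OriginProtocolPolicy": "https-only",
                               "OriginSslProtocols": {"Items": ["TLSv1.2"]}},
    }]},
    "DefaultCacheBehavior": {
        "TargetOriginId": "api",
        "ViewerProtocolPolicy": "redirect-to-https",
        "OriginRequestPolicyId": MANAGED_ALL_VIEWER,
    },
}

if __name__ == "__main__":
    for pattern, domain, policy in check_distribution(SAMPLE_CONFIG, {"api"}):
        print(f"{pattern}: viewer Host forwarded to {domain} by policy {policy}")
    print("after fix:", check_distribution(fix_distribution(SAMPLE_CONFIG, {"api"}), {"api"}))
```

Feed it the `DistributionConfig` object from `aws cloudfront get-distribution-config --id <id>` and, for any custom origin request policies, the `OriginRequestPolicyConfig` from `aws cloudfront get-origin-request-policy`. The check applies to the regional `execute-api` hostname as well as to a custom domain: API Gateway rejects a forwarded Host it does not serve in either case, so switching the origin to the regional endpoint only helps when Host is not forwarded. If you take that route with a REST API, also set the origin path to the stage (for example `/prod`); an HTTP API on the `$default` stage needs no origin path.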
