HTTPS doesn't work the first time, loading it via HTTP first and it works
Posted on: Dec 30, 2010 8:51 AM
This question is answered.
Here's a weird behaviour I'm having when trying to use a custom origin and HTTPS.
I make the file available and check that it works on http://mydomain/file.css and https://mydomain/file.css
Great, now I can try to pick them up via Cloudfront so I create a distribution and wait till it's deployed. Now, replace my domain in https://mydomain/file.css with the domain from Cloudfront. I.e. https://xyz123.cloudfront.net/file.css and load it. (Note that I'm testing the https URL first)

But! This gives me a 503 error from cloudfront with the message "The request could not be satisfied".
As I'm doing this I'm keeping a close eye on my Nginx log files on the custom origin. Nothing happens. I.e. Cloudfront is NOT even attempting to pick it up from my custom origin.

Right, let's try the http URL instead. I instead load: http://xyz123.cloudfront.net/file.css
It works! I see in my Nginx logs that it picked it up. Reloading again and it's clear that it now uses Cloudfront instead because it's not picked up a second time from Nginx.

Lastly, I now go back to the https URL that failed before. I load: https://xyz123.cloudfront.net/file.css
Now it works!!!

This is obviously annoying that I have to load its HTTP URL before I can load its HTTPS URL.


I suspect that the problem is that Cloudfront can't fetch it from me via HTTPS. Does that mean that HTTPS + Custom origin doesn't work?

At the moment I'm just doing HTTPS on my images, CSS and JS because my HTML is HTTPS and I don't want one of those warning messages saying the webpage is using some "insecure" stuff. (I don't care personally but my users will)
Replies
Re: HTTPS doesn't work the first time, loading it via HTTP first and it works
Posted by: streamdart
Posted on: Dec 30, 2010 3:35 PM
in response to: Mr. Peter Bengtsson
.
Re: HTTPS doesn't work the first time, loading it via HTTP first and it works
Posted on: Jan 1, 2011 10:27 AM
in response to: streamdart
An empty reply?
Re: HTTPS doesn't work the first time, loading it via HTTP first and it works
Posted by: stefanscheck
Posted on: Jan 3, 2011 1:55 AM
in response to: Mr. Peter Bengtsson
I have the same (unsolved) problem: see

"https://forums.aws.amazon.com/thread.jspa?threadID=55298"
Re: HTTPS doesn't work the first time, loading it via HTTP first and it works
Posted by: Mustafa@AWS
Posted on: Jan 3, 2011 2:41 PM
in response to: Mr. Peter Bengtsson
Hi Peter Bengtsson,

A possible root cause could be that CloudFront and your custom origin server are unable to negotiate SSL ciphers.

This has been observed in the past with nginx.

Perhaps you can try adding the following line to your nginx config:

ssl_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

-Mustafa
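
An added example, not part of the original thread or of AWS's guidance: a keyword-level audit of an OpenSSL-style cipher string such as the one suggested in the reply above, reporting which weak cipher classes it leaves enabled on the origin. The function name `weak_classes_enabled` and the `WEAK` list are assumptions made for this example, and the model approximates OpenSSL's rules (plain keywords add, `!` removes permanently, `-` removes, `+` only reorders) rather than expanding real suites.

```python
# Added example: keyword-level approximation of OpenSSL cipher-string rules.
# WEAK is an illustrative list chosen for this example, not an official one.
WEAK = {
    "SSLv2": "SSLv2-era suites",
    "EXP": "export-grade (40/56-bit) suites",
    "LOW": "low-strength suites such as single DES",
    "RC4": "RC4 stream cipher",
    "MD5": "MD5-based MAC",
    "ADH": "anonymous DH, no server authentication",
    "eNULL": "no encryption",
}
# aNULL is a superset of ADH; treated as the same class here.
ALIASES = {"EXPORT": "EXP", "aNULL": "ADH", "NULL": "eNULL"}


def weak_classes_enabled(cipher_string):
    """Return {keyword: description} for weak classes the string leaves on."""
    enabled, killed = set(), set()
    for token in cipher_string.replace(",", ":").replace(" ", ":").split(":"):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        names = [ALIASES.get(n, n) for n in token[len(op):].split("+")]
        if op == "+":
            continue  # '+X' only moves already-enabled suites to the end
        if op in ("!", "-"):
            if len(names) == 1:  # 'A+B' removals do not empty a whole class
                enabled.discard(names[0])
                if op == "!":
                    killed.add(names[0])  # '!' is permanent, '-' is not
        elif names == ["ALL"]:
            enabled |= set(WEAK) - {"eNULL"}  # ALL excludes eNULL
        else:
            enabled |= {n for n in names if n in WEAK}
    return {k: v for k, v in WEAK.items() if k in enabled and k not in killed}


if __name__ == "__main__":
    # Constructed inputs: the string from the thread and a stricter one.
    for s in ("ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP",
              "HIGH:!aNULL:!MD5"):
        print(s, "->", sorted(weak_classes_enabled(s)) or "none flagged")
```

Because this works on keywords only, it does not see weak suites pulled in by broader groups such as HIGH or DEFAULT; running `openssl ciphers -v '<string>'` on the origin shows the real expansion for that OpenSSL build.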
Re: HTTPS doesn't work the first time, loading it via HTTP first and it works
Posted by: somegeeks
Posted on: Jan 5, 2011 5:57 AM
in response to: Mr. Peter Bengtsson
I've observed the exact same behaviour but with Apache instead.
I got a couple of 503 errors "The request could not be satisfied" back from cloudfront for a file I was trying to fetch via HTTPS. As soon as I downloaded the exact same file using HTTP I didn't get the error anymore.

Actually I want cloudfront to terminate HTTPS for me so that my origin server doesn't have to.

I'm expecting that http://cloudfront/file.ext returns the same file as https://cloudfront/file.ext and fetches it either way from my origin server using HTTP. Cloudfront behaves differently. Is this a bug or a feature and (if it's a feature) I'm wondering if there is a way to force cloudfront to always use HTTP for fetching the original file?

Edited by: somegeeks on Jan 5, 2011 5:58 AM
Re: HTTPS doesn't work the first time, loading it via HTTP first and it works
Posted by: Mustafa@AWS
Posted on: Jan 5, 2011 7:06 AM
in response to: somegeeks
somegeeks,

If you want CloudFront to do the SSL termination and only make requests via HTTP to your custom origin, you need to specify the following in your DistributionConfig:

<CustomOrigin>
   <DNSName>www.example.com</DNSName>
   <HTTPPort>80</HTTPPort>
   <HTTPSPort>443</HTTPSPort>
   <OriginProtocolPolicy>http-only</OriginProtocolPolicy>
</CustomOrigin>


In your case, the OriginProtocolPolicy element is most likely set to "match-viewer", in which case CloudFront will make the origin request in the same protocol as what the request came in as.

-Mustafa
Re: HTTPS doesn't work the first time, loading it via HTTP first and it works
Posted on: Jan 6, 2011 2:47 AM
in response to: Mr. Peter Bengtsson
For me, since I'm only hosting static files on my cloudfront, using http-only solved the problem.

Now files are picked up from my Nginx only via HTTP so it's not a problem with ciphers any more.
Re: HTTPS doesn't work the first time, loading it via HTTP first and it works
Posted by: J. Bachir RealName(TM)
Posted on: Jan 10, 2011 5:38 PM
in response to: Mr. Peter Bengtsson
This is very helpful -- setting my ciphers to the recommended line fixed the problem.

BUT-- is it documented somewhere which cipher(s) cloudfront expects when it goes to the origin? It would be desirable to make the list more restrictive.

Edited by: J. Bachir on Jan 10, 2011 5:43 PM
Re: HTTPS doesn't work the first time, loading it via HTTP first and it works
Posted by: Alex Gile
Posted on: Apr 28, 2011 3:48 PM
in response to: J. Bachir
> It would be desirable to make the list more restrictive.

I added (re-enabled) everything from the ssl_ciphers arglist on my IIS 6.5 box, and used "curl -v" to monitor things while I disabled ciphers. In my case I was able to get things working again with just the MD5 cipher and SSLv3.

Maybe the trick is to turn it all on and re-curl while disabling things until it stops working. :-)

Jerry H.
Re: HTTPS doesn't work the first time, loading it via HTTP first and it works
Posted by: ahmeij
Posted on: Jun 19, 2011 12:51 AM
in response to: Mustafa@AWS
The nginx setup:

ssl_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

Works like a charm, thanks!