
I have a CloudFront resource sitting in front of my S3 bucket. It's accessible at —

https://<id>.cloudfront.net

but if I hit —

<id>.cloudfront.net:443

I get a 400 Bad Request. I want to point to CloudFront in my HAProxy configuration, but I can't use the 443 port because of the above-mentioned issue. Nor can I use the https URL protocol in the server statement.

backend my_cloudfront_app
    http-response set-header Strict-Transport-Security max-age=31536000
    server my_server <id>.cloudfront.net:443 ssl verify none

How can I hit HTTPS cloudfront from this server block in HAProxy?

2 Answers

1

Isn't it the same question as this https://stackoverflow.com/questions/62935547/using-cloudfront-as-a-haproxy-backend-server-with-https

I assume you will need to add some info to the request headers for the CloudFront backend.

This example works with HAProxy 2.0:

backend my_cloudfront_app
    http-response set-header Strict-Transport-Security max-age=31536000

    # Add backend header for cloudfront backend request
    http-request set-header Host <id>.cloudfront.net

    # maybe you will need to add a S3 prefix to the request path
    # http-request set-path <CLOUDFRONT_S3_Prefix>%[path] 

    server my_server <id>.cloudfront.net:443 sni str(<id>.cloudfront.net) ssl verify none
Aleksandar
  • 281
  • 1
  • 5
0

HAProxy assumes the connection to the backend is made via HTTP. In order to connect to a backend via HTTPS, you would need an `ssl` after the ip:port part in the server config:

server micros-amkt-frontend <id>.cloudfront.net:443 ssl verify none

NOTE: I'm including some extra parameters (verify none) I found in an example as I couldn't find further documentation.

NuTTyX
  • 1,128
  • 5
  • 10
  • I forgot to mention that I've already tried adding an `ssl verify none`. The issue here is that `<id>.cloudfront.net:443` is inaccessible even via curl, while `https://<id>.cloudfront.net` is. – Shubham Kanodia Jul 16 '20 at 15:10
  • Just to clarify, even with curl and using https, `https://<id>.cloudfront.net:443` is not accessible (returns 400 error). Then try forcing the host header in haproxy: `http-request set-header Host <id>.cloudfront.net` without the port, or check if CF allows you to add the host header with the port to the list of allowed names (that is probably a security feature, since browsers would not send the default port). – NuTTyX Jul 16 '20 at 15:24
  • `https://<id>.cloudfront.net:443` — curl works; `https://<id>.cloudfront.net` — curl works; `<id>.cloudfront.net:443` — curl fails. – Shubham Kanodia Jul 16 '20 at 16:08
  • Why would CF respond at 443 if you try to reach it without https? – NuTTyX Jul 16 '20 at 18:06
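A hardened version of the backend shown in both answers, as an added example that is not part of the original posts. It assumes a HAProxy 2.x host with a system CA bundle at /etc/ssl/certs/ca-certificates.crt and a front-end certificate at /etc/haproxy/certs/site.pem (both assumed paths), with `<id>` standing for the distribution id exactly as in the question:

```haproxy
# Added example, not from the original question or answers. <id> is the
# CloudFront distribution id from the question; file paths are assumptions.
global
    # Do not let a backend TLS session negotiate anything older than TLS 1.2
    ssl-default-server-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend public
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    http-response set-header Strict-Transport-Security max-age=31536000
    default_backend my_cloudfront_app

backend my_cloudfront_app
    # CloudFront matches the Host header against the distribution's names and
    # "<id>.cloudfront.net:443" is not one of them, so always send the bare
    # hostname without a port (the point raised in the comments above).
    http-request set-header Host <id>.cloudfront.net

    # Optional: prefix the path if the objects live under a folder in S3.
    # http-request set-path /<prefix>%[path]

    # "ssl" makes HAProxy speak TLS to port 443; plain HTTP sent to a TLS port
    # is what yields the 400 Bad Request seen with "<id>.cloudfront.net:443".
    # "sni" is needed because CloudFront serves many distributions per IP.
    # "verify required" with "ca-file" and "verifyhost" replaces the
    # "verify none" from the answers, which would accept any certificate the
    # other end presents and so gives no protection on this hop.
    # "check-ssl"/"check-sni" make the health check use the same TLS settings.
    server my_server <id>.cloudfront.net:443 ssl sni str(<id>.cloudfront.net) verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost <id>.cloudfront.net check check-ssl check-sni <id>.cloudfront.net
```

Run `haproxy -c -f /etc/haproxy/haproxy.cfg` to validate the file before reloading.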