
The HSTS Preload List Submission website has very specific prerequisites which disallow combining protocol changes and redirects into one step (classic example - redirecting requests for http://example.com directly to https://www.example.com fails their test - a protocol upgrade to HTTPS must occur first, then the 'www' subdomain may be added in a discrete step). Is it possible to meet these rules for sites hosted on Amazon CloudFront?

A related question is here, about sending the necessary headers, but I already have that part tested and working. My issue is the redirect, for a site that uses a www subdomain.

I have CloudFront configured to 'Redirect HTTP to HTTPS' under the default behavior and that works perfectly for all HTTP requests, however requests to https://example.com first redirect to the downgraded protocol http://www.example.com before being upgraded to HTTPS, and this is where I am stuck. I need to handle HTTP and HTTPS requests for the second-level domain differently.

For clarity, here is the redirect pattern I want to achieve:

http://example.com > https://example.com > https://www.example.com
http://www.example.com > https://www.example.com
https://example.com > https://www.example.com
https://www.example.com

And here is what CloudFront is doing now, with the third line (protocol downgrade) resulting in HSTS Preload submission failure:

http://example.com > https://example.com > https://www.example.com
http://www.example.com > https://www.example.com
https://example.com > http://www.example.com > https://www.example.com
https://www.example.com
Tom Brossman
  • CloudFront doesn't have a built-in way to redirect to a different hostname... so, how are you generating that particular redirect? With an empty bucket, or something else? – Michael - sqlbot Jun 05 '18 at 21:43
  • Yes, I'm using an empty S3 bucket configured to redirect. "Target bucket or domain" is set to `www.example.com` and "Protocol" is set to "https or http". I've tested setting the first value to `https://www.example.com`, and the second to "https", but the results are exactly the same. – Tom Brossman Jun 06 '18 at 05:54
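As an added example (not code from the original question or answer), here is a small Python script that follows a redirect chain one hop at a time, so intermediate hops are visible, and checks the recorded chain against the rules the question summarises: the first hop from http must upgrade to https on the same host, no hop may drop from https back to http, and the chain must end on https. It uses only the standard library; `example.com` is the placeholder host from the post, and the four starting URLs in the `__main__` block are the four cases listed in the question.

```python
"""Hop-by-hop redirect checker for the HSTS preload rules described above.

Added example, not code from the original post.  Assumes only that the
site answers on plain HTTP and HTTPS; example.com is the post's placeholder.
"""
import http.client
import ssl
import sys
from urllib.parse import urlsplit, urljoin

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def fetch_chain(url, max_hops=10):
    """Follow redirects one hop at a time and return every URL visited.

    Each hop is a separate connection so the intermediate Location values
    (where a protocol downgrade would otherwise hide) are recorded, unlike
    a client that silently follows redirects.  Requires network access.
    """
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        if parts.scheme == "https":
            conn = http.client.HTTPSConnection(
                parts.netloc, timeout=10, context=ssl.create_default_context())
        else:
            conn = http.client.HTTPConnection(parts.netloc, timeout=10)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            location = resp.getheader("Location")
            if resp.status not in REDIRECT_STATUSES or not location:
                return chain
        finally:
            conn.close()
        # Location may be relative; resolve it against the URL that sent it.
        chain.append(urljoin(chain[-1], location))
    raise RuntimeError("more than %d redirects from %s" % (max_hops, url))


def preload_violations(chain):
    """Check one redirect chain (list of URLs) against the preload rules.

    Rules encoded, as the question states them: a hop from http must go to
    https on the same host (no host change in that step), a hop must never
    drop from https back to http, and the chain must end on https.
    Returns human-readable violations; an empty list means the chain passes.
    """
    violations = []
    hops = [urlsplit(u) for u in chain]
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        step = "hop %d: %s -> %s" % (i, chain[i - 1], chain[i])
        if prev.scheme == "https" and cur.scheme == "http":
            violations.append("protocol downgrade at " + step)
        elif prev.scheme == "http" and cur.scheme == "http":
            violations.append("redirect stays on http at " + step)
        elif prev.scheme == "http" and prev.hostname != cur.hostname:
            violations.append("upgrade combined with host change at " + step)
    if hops[-1].scheme != "https":
        violations.append("chain does not end on https: " + chain[-1])
    return violations


if __name__ == "__main__":
    # Usage: python check_redirects.py example.com
    # Fetches the four starting points from the question and reports each chain.
    apex = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    starts = ["http://%s/" % apex, "http://www.%s/" % apex,
              "https://%s/" % apex, "https://www.%s/" % apex]
    for start in starts:
        chain = fetch_chain(start)
        print(" > ".join(chain))
        for problem in preload_violations(chain):
            print("  FAIL:", problem)
```

Run it against the real host after every CloudFront change (and after an invalidation completes) so that a cached redirect with the old protocol shows up as a recorded hop rather than being hidden by a browser that follows redirects silently.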

1 Answer


I suspect you may have overlooked the need to purge the CloudFront cache after changing the redirect target protocol to https, because the configuration described (in comments) should work as expected -- setting the "protocol" to "https" in the redirecting bucket's configuration should not do this:

https://example.com > http://www.example.com > https://www.example.com

Create a CloudFront invalidation request using the pattern /*. Once the invalidation request is complete, as shown in the console, test again. If you still see unexpected behavior, please capture the response headers and edit them into the question.

Michael - sqlbot
  • Thanks, I did try an invalidation command using the AWS CLI, however I can only guess I didn't wait long enough before testing (the web GUI reports when the invalidation completes, but the CLI can't). It appears this was user error and this question should probably be closed - any objection? – Tom Brossman Jun 06 '18 at 13:44