Route53 and Cloudfront The request could not be satisfied?

6

34

I just want to serve my s3 files on cdn.mydomain.com

So I created a CloudFront distribution, which is working fine on https://dxxxxxxxx.cloudfront.net/test.jpg - I get the image.

And now I want to associate my domain at cdn.domain.com with CloudFront in Route 53.

So I created a record of type "A - IPv4 address" with the name cdn.domain.com, and as the alias target I manually entered dxxxxxxxx.cloudfront.net.

But when I open the url:

http://cdn.mydomain.com/test.jpg

I get the error:

403 ERROR
The request could not be satisfied.
Bad request. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
Generated by cloudfront (CloudFront)

What did I miss with my configuration?

Aurum answered 11/1, 2020 at 9:34 Comment(0)
45

I met this issue some time ago. The request was blocked by CloudFront.

Please check this list:

  • The CDN domain is added in CloudFront Alternate Domain Names. Once you add the CDN domain to CloudFront, you can select the CloudFront endpoint without typing

  • WAF (if any) does not block your request

  • Check HTTP and HTTPS

Rayborn answered 11/1, 2020 at 10:39 Comment(2)
Yes, as you say. I just needed to fill in "Alternate Domain Names": "cdn.mydomain.com" with SSL (without SSL it is not allowed to save). After that I set the A record alias to point to CloudFront from the list, and it works. Thanks! - Aurum
This specific case can be isolated to a missing/incorrect Alternate Domain name because of the self-contradiction found in the error -- it says "403" and it also says "Bad Request" yet a genuine Bad Request response is HTTP status 400, not 403. CloudFront does this when it can't find a distribution with an Alternate Domain Name matching the incoming HTTP Host header. WAF blocking is 403 but the error body wouldn't say "Bad Request." - Pastor
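The checklist in this answer and the 403 / "Bad request" signature from the comment, as an added Python example that is not part of the original posts: it checks a DistributionConfig (field names as returned by `aws cloudfront get-distribution-config`) against the hostname being requested. The two sample configs, the placeholder certificate ARN and the simplified wildcard handling are assumptions.

```python
def alias_matches(host, alias):
    """True if alias (exact, or leading wildcard like *.example.com) covers host."""
    host, alias = host.lower().rstrip("."), alias.lower()
    if alias.startswith("*."):
        # Simplification (assumption): wildcard covers names under the suffix, not the apex.
        return host.endswith(alias[1:])
    return host == alias

def check_distribution(config, host, scheme="https"):
    """List the misconfigurations that would explain a 403 for scheme://host/."""
    findings = []
    aliases = config.get("Aliases", {}).get("Items", [])
    if not any(alias_matches(host, a) for a in aliases):
        findings.append(f"no Alternate Domain Name matches Host '{host}'")
    cert = config.get("ViewerCertificate", {})
    custom = cert.get("ACMCertificateArn") or cert.get("IAMCertificateId")
    if cert.get("CloudFrontDefaultCertificate") or not custom:
        findings.append("no custom certificate attached for the alternate name")
    policy = config.get("DefaultCacheBehavior", {}).get("ViewerProtocolPolicy")
    if scheme == "http" and policy == "https-only":
        findings.append("viewer protocol policy is https-only but the request is http")
    return findings

def looks_like_alias_mismatch(status, body):
    """Signature described in the comment: status 403 with a 'Bad request' body."""
    return status == 403 and "bad request" in body.lower()

# Constructed sample configs: the question's state, then the state after the fix.
BEFORE = {
    "Aliases": {"Quantity": 0},
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
}
AFTER = {
    "Aliases": {"Quantity": 1, "Items": ["cdn.mydomain.com"]},
    # Placeholder ARN, not a real certificate.
    "ViewerCertificate": {"ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE"},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
}

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, check_distribution(cfg, "cdn.mydomain.com", "http"))
```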
9

In my case the error was caused by sending a GET request with a request body within it; removing this solved the issue.

Rockfish answered 8/3, 2023 at 11:34 Comment(1)
THIS. I just beat my head against the wall for 4 hours trying to figure out why my API was inaccessible. What made it worse is that we were purposefully stress testing my API at the time, so we thought that the cause of the error was something related to that. Thank you, sir! - Greenwald
1

I had a similar issue. Say, for example, if you are using Postman to test your endpoint, make sure all (or at least most that apply) of the default header keys and their respective values are checked. This is within the header tab.

The screenshot below shows the default keys and values within Postman (I excluded my Authorization key and its corresponding value).

[Screenshot: default keys and values within Postman, excluding the Authorization key and its corresponding value]

Ceremony answered 16/11, 2023 at 2:23 Comment(0)
0

You need an alternate domain set up in CFront. Put in the domain you are trying to alias (CNAME). For example, if my domain is example.com and I want a CNAME record of 'accounts' (as in accounts.example.com) to direct to my CFront distro, then put accounts.example.com as the alternate domain. Then you need a certificate for that. So create one in ACM using the same domain (accounts.example.com). You'll need to verify the cert, so choose the DNS option. Create the CNAME/Value they give you in ACM; this is to prove to AWS you own the domain example.com. After that is done, in a few minutes it will approve the cert. accounts.example.com should now redirect to your CFront distro endpoint. In my case my CFront origin was an S3 website, so my flow was DNS CNAME -> CFront Distro URL -> S3 Website URL.

Altis answered 30/11, 2023 at 17:27 Comment(0)
0

In my case it was user-agent blocking. Changing curl's user-agent to Firefox's with -A did the trick.

Simdars answered 3/6, 2024 at 21:6 Comment(0)
0

These settings were required for me:

A) If using S3 Bucket (skip if not)

  • Bucket Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::your-bucket-name/*"
        }
    ]
}

B) CloudFront

  • Alternate domain name (CNAME)

    1. example.com
    2. *.example.com
  • ACM

    Has to be set for both above domains.

  • Viewer protocol policy (important!)

    HTTP and HTTPS

C) DNS in your Domain Registrar (Mine is Cloudflare)

  • CNAME

    Name: @

    Value: yours.cloudfront.net

NOTE: CNAME records normally cannot be on the zone apex. Make sure your registrar can do CNAME flattening to make it possible. Otherwise enter all possible variants of the CNAME URL.

Metritis answered 21/6, 2024 at 22:22 Comment(0)
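The bucket policy in the answer above grants `s3:GetObject` to `"Principal": "*"`, so every object is also readable directly from S3 without going through CloudFront. The following added Python example (not part of the original answer) detects such a statement and rewrites it so that only one distribution can read the bucket; it assumes the origin is the S3 REST endpoint with origin access control enabled (not an S3 website endpoint), and the distribution ARN is a placeholder.

```python
import copy

def _as_list(value):
    """IAM policy fields may hold a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [] if value is None else [value]

def is_public_allow(stmt):
    """Allow statement open to any principal with no Condition narrowing it."""
    principal = stmt.get("Principal")
    anyone = principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
    return stmt.get("Effect") == "Allow" and anyone and "Condition" not in stmt

def restrict_to_distribution(policy, distribution_arn):
    """Return a copy in which public Allow statements are scoped to one distribution."""
    scoped = copy.deepcopy(policy)
    for stmt in _as_list(scoped.get("Statement")):
        if is_public_allow(stmt):
            stmt["Principal"] = {"Service": "cloudfront.amazonaws.com"}
            stmt["Condition"] = {"StringEquals": {"AWS:SourceArn": distribution_arn}}
    return scoped

# The policy as posted in the answer.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::your-bucket-name/*",
    }],
}
# Placeholder account and distribution IDs (assumption, not real values).
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"

if __name__ == "__main__":
    import json
    flagged = [s for s in PUBLIC_POLICY["Statement"] if is_public_allow(s)]
    print(f"{len(flagged)} public statement(s) found")
    print(json.dumps(restrict_to_distribution(PUBLIC_POLICY, DIST_ARN), indent=4))
```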
