How can you configure a CloudFront distribution to pass all headers to the origin if the CloudFront distribution is deployed using CloudFormation? If you deploy the distribution in the AWS Web Console, you can select between `None`, `Whitelist` and `All`. In CloudFront it appears that you can only assert a whitelist of allowed headers. This is done in this area of a CloudFormation resource describing a CloudFront distribution:
```yaml
Resources:
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultCacheBehavior:
          ForwardedValues:
            Headers:
```
Using a `Headers` element of `*` like this

```yaml
Headers:
  - '*'
```

as used in this AWS hosted example results in a 403 response from CloudFront, `{"message":"Forbidden"}`.
Here it is in context:

```yaml
CloudFrontDistribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      Aliases:
        - !Ref CustomDomainName
      DefaultCacheBehavior:
        AllowedMethods:
          - GET
          - HEAD
        Compress: true
        DefaultTTL: 0
        ForwardedValues:
          Cookies:
            Forward: all
          QueryString: true
          Headers:
            - '*'
        TargetOriginId: CloudFrontOriginId
        ViewerProtocolPolicy: redirect-to-https
      # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-defaultrootobject
      DefaultRootObject: '' # "If you don't want to specify a default root object when you create a distribution, include an empty DefaultRootObject element."
      Enabled: true
      IPV6Enabled: true
      Origins:
        - CustomOriginConfig:
            OriginProtocolPolicy: https-only
          DomainName: !Join [ '.', [ !Ref 'AwsFederatedRpApi', 'execute-api', !Ref 'AWS::Region', 'amazonaws.com' ] ]
          Id: CloudFrontOriginId
          OriginPath: !Join [ '', [ '/', !Ref 'AwsFederatedRpApiStage' ] ]
      PriceClass: PriceClass_100 # US, Canada, Europe, Israel
      ViewerCertificate:
        AcmCertificateArn: !Ref CertificateArn
        MinimumProtocolVersion: TLSv1.2_2018
        SslSupportMethod: sni-only
```
Using a `"Headers": { "Items": [ "*" ] }` solution as answered in this StackOverflow answer (and copied into this answer) like this

```yaml
Headers:
  Items:
    - '*'
```

results in this error before the stack even begins to deploy:

```
Property validation failure: [Value of property {/DistributionConfig/DefaultCacheBehavior/ForwardedValues/Headers} does not match type {Array}]
```
If you don't provide a `Headers` key then CloudFront removes all of the headers indicated as such in this table.

```yaml
Headers:
  - Referer
```

This sends `Referer` and other headers on, but not all.
```yaml
Headers:
  - Referer
  - Host
```

results in a 403 response from CloudFront, `{"message":"Forbidden"}`.

This StackOverflow answer says that you can't pass the `Host` header because API Gateway needs the API Gateway host header because it uses SNI.
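The pattern the question is circling around (every viewer header except `Host`, which API Gateway needs for its own routing) cannot be expressed with the legacy `ForwardedValues` whitelist, but it can with an origin request policy. The template below is an added example, not the asker's template or AWS sample code; it assumes the `allExcept` header behaviour is available, that the `AwsFederatedRpApi` / `AwsFederatedRpApiStage` names from the question exist in the same template, and that caching is not wanted (so the AWS managed `CachingDisabled` cache policy is referenced by its ID).

```yaml
# Added example: forward all viewer headers except Host to an API Gateway origin.
# Resource names are assumptions; the origin domain is built from the question's
# AwsFederatedRpApi and AwsFederatedRpApiStage values.
Resources:
  AllViewerExceptHostPolicy:
    Type: AWS::CloudFront::OriginRequestPolicy
    Properties:
      OriginRequestPolicyConfig:
        Name: all-viewer-except-host
        Comment: "API Gateway routes on Host, so the origin must see its own hostname"
        CookiesConfig:
          CookieBehavior: all
        QueryStringsConfig:
          QueryStringBehavior: all
        HeadersConfig:
          # allExcept forwards every viewer header minus the listed ones.
          # The '*' whitelist in the question also forwards Host, which is
          # what produces the {"message":"Forbidden"} 403 from API Gateway.
          HeaderBehavior: allExcept
          Headers:
            - Host

  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        DefaultCacheBehavior:
          TargetOriginId: CloudFrontOriginId
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD]
          # A behaviour that sets OriginRequestPolicyId cannot also use
          # ForwardedValues; it needs a CachePolicyId instead. This is the
          # AWS managed "CachingDisabled" policy, matching DefaultTTL: 0.
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad
          OriginRequestPolicyId: !Ref AllViewerExceptHostPolicy
        Origins:
          - Id: CloudFrontOriginId
            DomainName: !Sub '${AwsFederatedRpApi}.execute-api.${AWS::Region}.amazonaws.com'
            OriginPath: !Sub '/${AwsFederatedRpApiStage}'
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
```

Any header that is forwarded and not part of the cache key is still sent to the origin on every request, so with a managed cache policy other than `CachingDisabled` check that the forwarded headers are either in the cache key or safe to share across cached responses.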
I have exactly the same issue, and also found the discrepancies in the AWS documentation. I've raised it with AWS Support and will report back.