Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
How to configure CloudFront using CloudFormation to pass all headers

How to configure CloudFront using CloudFormation to pass all headers

How can you configure a CloudFront distribution to pass all headers to the origin if the CloudFront distribution is deployed using CloudFormation? If you deploy the distribution in the AWS Web Console, you can select between None, Whitelist and All. In CloudFront it appears that you can only assert a whitelist of allowed headers. This is done in this area of a CloudFormation resource describing a CloudFront distribution

Resources:
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultCacheBehavior:
          ForwardedValues:
            Headers:

Using *

Using a Headers element of * like this

            Headers:
              - '*'

as used in this AWS hosted example results in a 403 response from CloudFront, {"message":"Forbidden"}

Here it is in context

  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          - !Ref CustomDomainName
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
          Compress: true
          DefaultTTL: 0
          ForwardedValues:
            Cookies:
              Forward: all
            QueryString: true
            Headers:
              - '*'
          TargetOriginId: CloudFrontOriginId
          ViewerProtocolPolicy: redirect-to-https
        # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-defaultrootobject
        DefaultRootObject: ''  # "If you don't want to specify a default root object when you create a distribution, include an empty DefaultRootObject element."
        Enabled: true
        IPV6Enabled: true
        Origins:
          - CustomOriginConfig:
              OriginProtocolPolicy: https-only
            DomainName: !Join [ '.', [ !Ref 'AwsFederatedRpApi', 'execute-api', !Ref 'AWS::Region', 'amazonaws.com' ] ]
            Id: CloudFrontOriginId
            OriginPath: !Join [ '', [ '/', !Ref 'AwsFederatedRpApiStage' ] ]
        PriceClass: PriceClass_100  # US, Canada, Europe, Israel
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          MinimumProtocolVersion: TLSv1.2_2018
          SslSupportMethod: sni-only

Using Items *

Using an "Headers": { "Items": [ "*" ] } solution as answered in this StackOverflow answer (and copied into this answer) like this

            Headers:
              Items:
                - '*'

results in this error before the stack even begins to deploy

Property validation failure: [Value of property {/DistributionConfig/DefaultCacheBehavior/ForwardedValues/Headers} does not match type {Array}]

Leaving out Headers

If you don't provide a Headers key then CloudFront removes all of the headers indicated as such in this table

Enumerating specific headers

Just Referer

            Headers:
              - Referer

This sends Referer and other headers on, but not all.

Referer and Host

            Headers:
              - Referer
              - Host

results in a 403 response from CloudFront, {"message":"Forbidden"}

This StackOverflow answer says that you can't pass the Host header because API Gateway needs the API Gateway host header because it uses SNI

@mhudson

This comment has been minimized.

Copy link

@mhudson mhudson commented Jun 2, 2020

I have exactly the same issue, and also found the discrepancies in the AWS documentation. I've raised with AWS Support and will report back.

@mims92

This comment has been minimized.

Copy link

@mims92 mims92 commented Jun 5, 2020

I just tested this code and it worked:

DefaultCacheBehavior:
    .
    .
    .
    ForwardedValues:
        Cookies:
            Forward: none
        Headers: ["*"]
        QueryString: True
    
@diegomachadosoares

This comment has been minimized.

Copy link

@diegomachadosoares diegomachadosoares commented Jul 15, 2020

I just tested this code and it worked:

DefaultCacheBehavior:
    .
    .
    .
    ForwardedValues:
        Cookies:
            Forward: none
        Headers: ["*"]
        QueryString: True
    

This works perfectly! Thanks a lot!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.