AWS Cloudfront – restrict access to origin using custom headers

AWS Cloudfront – restrict access to origin using custom headers

Links on Code Thump may pay us an affiliate commission. Details here.

If you’ve set up HTTPS for AWS Lightsail and have added a Cloudfront CDN for Lightsail WordPress, one more thing to do is to prevent direct access to the Lightsail instance on its IP address.

To restrict access to the contents of your origin server by forcing all traffic to go through your CDN, you can pass custom headers to the origin and check the header at the origin.

You can tell Cloudfront to use HTTPS when talking to your origin server but it is up to you to secure the content in your origin server.

If your origin is an S3 bucket there is a setting in Cloudfront to restrict bucket access to go via the CDN only. For a custom origin like Lightsail, you need to:

  • Tell Cloudfront to forward a custom header to the origin
  • Configure the origin to respond only when the header is present
  • Use HTTPS between Cloudfront and the origin so that custom headers and not exposed

Here’s what AWS says:

“If you use a custom origin, you can optionally set up custom headers to restrict access. For CloudFront to get your files from a custom origin, the files must be publicly accessible. But by using custom headers, you can restrict access to your content so that users can access it only through CloudFront, not directly.”

In another tutorial we’ll cover restricting access for specific bits of content only to members or paid users etc, using signed URLs.

Here’s a graphic to show the problem we want to solve. Users could go direct to the Lightsail instance if they know the IP, bypassing the Cloudfront CDN.

This could allow search engines to index your site by its IP address, instead of by its domain name, polluting your index and potentially causing a mess if your IP address changed and was picked up by a server hosting somebody else’s site.

You might believe that’s not possible, but I’ve seen it happen. Fixing the damage was a slow and painful process, and the other site that picked up the IP address was one serving adult content….

cloudfront restrict access origin custom headers

Cloudfront custom headers

The config is simple. Go to the Cloudfront management console and click on your distribution in the list. Go to the Origins and Origin Groups tab, select your origin and choose Edit.

In Origin Custom Headers you need a Header Name and a Value.

It is usual to prefix custom header names with an X-, so you could use X-MyDomain-CF, for example. The value is also a completely free choice, eg you could use mydomain-cf.

AWS Lightsail access control with custom headers for Cloudfront

Connect to your Lightsail instance using SSH, from the Lightsail dashboard. Enter the command:

sudo vi /opt/bitnami/apache2/conf/bitnami/bitnami.conf

That command opens the bitnami.conf file in the vi editor program:

  1. Type i, to enter insert mode
  2. Use the arrow keys to move down to this block: <VirtualHost _default_:80>
  3. Inside that block, after any existing RewriteRules, add these 3 lines, supplying your custom header name and value:

# Block access unless request header X-SomeHeader has value some-value
RewriteCond %{HTTP:X-SomeHeader} !^some-value$
RewriteRule ^ - [F]

  1. Move down to the block beginning: <VirtualHost _default_:443>
  2. Add the same rewrite rule after any existing RewriteRules in that block
  3. Press esc, to come out of insert mode
  4. Type :wq and press return, to write the changes and quit the editor
  5. Restart Apache with this command:

sudo /opt/bitnami/ restart apache

Try to access your Lightsail instance via its static IP or any subdomain that isn’t exposed via the CDN and you will now get a 403 Forbidden error.

Remember that this is of no use unless you have configured your Cloudfront CDN to require HTTPS between the distribution and the origin, as described in this tutorial about setting up HTTPS for Lightsail WordPress.

The RewriteCond says “if the HTTP header X-SomeHeader is not some-value”, and the RewriteRule uses the F flag which means “reply Forbidden”.

RewriteRule is documented here. RewriteCond is documented here.

Other articles in this series about AWS Lightsail WordPress can be found here.

Scroll to Top