Request and response behavior for custom
origins

How CloudFront processes and forwards requests to your
custom origin

This subject contains information about how CloudFront processes viewer requests and forwards the requests to your custom beginning .

Authentication

For DELETE, GET, HEAD, PATCH, POST, and PUT requests, if you configure CloudFront to forward the Authorization header to your origin, you can configure your beginning server to request customer authentication .
For OPTIONS requests, you can configure your origin server to request client authentication only if you use the follow CloudFront settings :

• configure CloudFront to forward the Authorization header to your origin .
• configure CloudFront to not cache the reception to OPTIONS requests .

You can configure CloudFront to forward requests to your origin using either HTTP or HTTPS ; for more information, see Using HTTPS with CloudFront .

Caching duration and minimum TTL

To control how long your objects stay in a CloudFront hoard before CloudFront forwards another request to your origin, you can :

• Configure your origin to add a Cache-Control or an Expires header field to each object .
• Specify a value for Minimum TTL in CloudFront cache behaviors .
• Use the nonpayment value of 24 hours .

For more information, see Managing how farseeing message stays in the cache ( passing ) .

Client IP addresses

If a spectator sends a request to CloudFront and does not include an X-Forwarded-For request header, CloudFront gets the IP address of the viewer from the TCP joining, adds an X-Forwarded-For header that includes the IP address, and forwards the request to the origin. For exemplar, if CloudFront gets the IP address 192.0.2.2 from the TCP connection, it forwards the following header to the origin :
X-Forwarded-For: 192.0.2.2
If a viewer sends a request to CloudFront and includes an X-Forwarded-For request header, CloudFront gets the IP address of the spectator from the TCP joining, appends it to the goal of the X-Forwarded-For header, and forwards the request to the origin. For exemplar, if the viewer request includes X-Forwarded-For:
192.0.2.4,192.0.2.3 and CloudFront gets the IP cover 192.0.2.2 from the TCP connection, it forwards the come header to the lineage :
X-Forwarded-For: 192.0.2.4,192.0.2.3,192.0.2.2
Some applications, such as load balancers ( including Elastic Load Balancing ), web application firewalls, overrule proxies, intrusion prevention systems, and API Gateway, append the IP address of the CloudFront boundary server that forwarded the request onto the end of the X-Forwarded-For header. For example, if CloudFront includes X-Forwarded-For: 192.0.2.2 in a request that it forwards to ELB and if the IP address of the CloudFront edge server is 192.0.2.199, the request that your EC2 exemplify receives contains the follow header :
X-Forwarded-For: 192.0.2.2,192.0.2.199

Note

The X-Forwarded-For header contains IPv4 addresses ( such as 192.0.2.44 ) and IPv6 addresses ( such as 2001:0db8:85a3:0000:0000:8a2e:0370:7334 ) .

Client-side SSL authentication

CloudFront does not support customer authentication with client-side SSL certificates. If an origin requests a client-side certificate, CloudFront drops the request .

Compression

For more information, see Serving compressed files .

Conditional requests

When CloudFront receives a request for an object that has expired from an edge cache, it forwards the request to the origin either to get the latest interpretation of the object or to get confirmation from the origin that the CloudFront edge cache already has the latest version. typically, when the origin last sent the object to CloudFront, it included an ETag value, a LastModified value, or both values in the response. In the raw request that CloudFront forwards to the origin, CloudFront adds one or both of the comply :

• An If-Match or If-None-Match header that contains the ETag prize for the exhale interpretation of the aim .
• An If-Modified-Since header that contains the LastModified value for the die version of the object .

The beginning uses this information to determine whether the object has been updated and, therefore, whether to return the entire object to CloudFront or to return alone an HTTP 304 condition code ( not modified ) .

Cookies

You can configure CloudFront to forward cookies to your origin. For more information, see Caching subject based on cookies .

Cross-origin resource sharing (CORS)

If you want CloudFront to respect cross-origin resource sharing settings, configure CloudFront to forward the Origin header to your origin. For more data, see Caching capacity based on request headers .

Encryption

You can require viewers to use HTTPS to send requests to CloudFront and require CloudFront to forward requests to your customs origin by using the protocol that is used by the viewer. For more data, see the stick to distribution settings :
CloudFront forwards HTTPS requests to the origin server using the SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 protocols. For custom origins, you can choose the SSL protocols that you want CloudFront to use when communicating with your beginning :

• If you ‘re using the CloudFront comfort, choose protocols by using the Origin
  SSL Protocols hindrance boxes. For more data, see Creating a distribution .
• If you ‘re using the CloudFront API, pin down protocols by using the OriginSslProtocols component. For more data, see OriginSslProtocols and DistributionConfig in the Amazon CloudFront API Reference .

If the lineage is an Amazon S3 bucket, CloudFront always uses TLSv1.2 .

Important

other versions of SSL and TLS are not supported. For more information about using HTTPS with CloudFront, see Using HTTPS with CloudFront. For lists of the ciphers that CloudFront supports for HTTPS communication between viewers and CloudFront, and between CloudFront and your origin, see hold protocols and ciphers between viewers and CloudFront .

GET requests that include a body

If a viewer GET request includes a body, CloudFront returns an HTTP status code 403 ( Forbidden ) to the spectator .

HTTP methods

If you configure CloudFront to process all of the HTTP methods that it supports, CloudFront accepts the watch requests from viewers and forwards them to your custom beginning :

• DELETE
• GET
• HEAD
• OPTIONS
• PATCH
• POST
• PUT

CloudFront always caches responses to GET and HEAD requests. You can besides configure CloudFront to cache responses to OPTIONS requests. CloudFront does not cache responses to requests that use the other methods .
For information about configuring whether your custom beginning processes these methods, see the software documentation for your beginning .

Important

If you configure CloudFront to accept and forward to your origin all of the HTTP methods that CloudFront supports, configure your origin server to handle all methods. For example, if you configure CloudFront to accept and forward these methods because you want to use POST, you must configure your origin server to handle DELETE requests appropriately so viewers ca n’t delete resources that you do n’t want them to. For more information, see the software documentation for your HTTP server .

HTTP request headers and CloudFront behavior
(custom and Amazon S3 origins)

The follow table lists HTTP request headers that you can forward to both custom and Amazon S3 origins ( with the exceptions that are noted ). For each header, the board includes information about the pursuit :

• CloudFront behavior if you do n’t configure CloudFront to forward the header to your origin, which causes CloudFront to cache your objects based on header values .
• Whether you can configure CloudFront to cache objects based on header values for that heading .
  You can configure CloudFront to cache objects based on values in the Date and User-Agent headers, but we do n’t recommend it. These headers have many potential values, and caching based on their values would cause CloudFront to forward importantly more requests to your origin .

For more information about caching based on header values, see Caching content based on request headers .

HTTP version

CloudFront forwards requests to your custom origin using HTTP/1.1 .

Maximum length of a request and maximum
length of a URL

The maximum length of a request, including the path, the question string ( if any ), and headers, is 20,480 bytes .
CloudFront constructs a url from the request. The maximum duration of this URL is 8192 bytes .
If a request or a url exceeds these maximums, CloudFront returns HTTP status code 413, Request Entity Too Large, to the viewer, and then terminates the TCP connection to the spectator .

OCSP stapling

When a spectator submits an HTTPS request for an object, either CloudFront or the viewer must confirm with the certificate authority ( CA ) that the SSL certificate for the sphere has not been revoked. OCSP stapling speeds up certificate validation by allowing CloudFront to validate the certificate and to cache the response from the CA, so the client does n’t need to validate the certificate immediately with the CA .
The performance improvement of OCSP staple is more marked when CloudFront receives numerous HTTPS requests for objects in the same world. Each server in a CloudFront edge placement must submit a branch establishment request. When CloudFront receives a set of HTTPS requests for the same domain, every server in the edge location soon has a reception from the CA that it can “ staple ” to a mailboat in the SSL handshake ; when the viewer is meet that the certificate is valid, CloudFront can serve the requested object. If your distribution does n’t get much dealings in a CloudFront edge placement, fresh requests are more likely to be directed to a server that has n’t validated the certificate with the CA yet. In that case, the viewer individually performs the validation step and the CloudFront server serves the object. That CloudFront server besides submits a validation request to the CA, so the future fourth dimension it receives a request that includes the lapp world name, it has a establishment reception from the CA .

Persistent connections

When CloudFront gets a answer from your lineage, it tries to maintain the connection for respective seconds in case another request arrives during that period. Maintaining a haunting connection saves the meter required to re-establish the TCP association and perform another TLS handshake for subsequent requests .
For more information, including how to configure the duration of dogged connections, see Keep-alive timeout ( custom origins only ) in the section Values that you specify when you create or update a distribution .

Protocols

CloudFront forwards HTTP or HTTPS requests to the lineage server based on the follow :

• The protocol of the request that the viewer sends to CloudFront, either HTTP or HTTPS .
• The value of the Origin Protocol Policy field in the CloudFront console table or, if you ‘re using the CloudFront API, the OriginProtocolPolicy chemical element in the DistributionConfig complex type. In the CloudFront console, the options are HTTP Only, HTTPS Only, and Match Viewer .

If you specify HTTP Only or HTTPS Only, CloudFront forwards requests to the origin server using the specified protocol, careless of the protocol in the viewer request .
If you specify Match Viewer, CloudFront forwards requests to the origin waiter using the protocol in the spectator request. note that CloudFront caches the object only once flush if viewers make requests using both HTTP and HTTPS protocols .

Important

If CloudFront forwards a request to the lineage using the HTTPS protocol, and if the origin server returns an invalid certificate or a self-signed certificate, CloudFront drops the TCP connection. For information about how to update a distribution using the CloudFront cabinet, see Updating a distribution. For information about how to update a distribution using the CloudFront API, go to UpdateDistribution in the Amazon CloudFront API Reference .

Query strings

You can configure whether CloudFront forwards question string parameters to your origin. For more information, see Caching message based on question chain parameters .

Origin connection timeout and
attempts

Origin connection timeout is the total of seconds that CloudFront waits when trying to establish a connection to the origin .
Origin connection attempts is the count of times that CloudFront attempts to connect to the lineage .
together, these settings determine how long CloudFront tries to connect to the beginning before failing over to the secondary origin ( in the case of an origin group ) or returning an erroneousness reply to the spectator. By default, CloudFront waits adenine long as 30 seconds ( 3 attempts of 10 seconds each ) before attempting to connect to the secondary beginning or returning an error reaction. You can reduce this clock time by specifying a shorter connection timeout, fewer attempts, or both .
For more information, see Controlling origin timeouts and attempts .

Origin response timeout

The origin response timeout, besides known as the origin read timeout or origin request timeout, applies to both of the follow :

• The amount of time, in seconds, that CloudFront waits for a reception after forwarding a request to the beginning .
• The total of time, in seconds, that CloudFront waits after receiving a mailboat of a response from the origin and before receiving the following packet .

CloudFront behavior depends on the HTTP method of the spectator request :

• GET and HEAD requests – If the beginning doesn ’ t respond or stops responding within the duration of the reception timeout, CloudFront drops the connection. If the intend number of lineage connection attempts is more than 1, CloudFront tries again to get a complete answer. CloudFront tries up to 3 times, as determined by the value of the lineage joining attempts setting. If the origin doesn ’ t answer during the final attack, CloudFront doesn ’ triiodothyronine attempt again until it receives another request for content on the lapp origin .
• DELETE, OPTIONS, PATCH, PUT, and POST requests – If the origin doesn ’ thymine respond within 30 seconds, CloudFront drops the connection and doesn ’ t try again to contact the lineage. The client can resubmit the request if necessary .

For more information, including how to configure the beginning reaction timeout, see reply timeout ( custom origins merely ) .

Simultaneous requests for the same object
(traffic spikes)

When a CloudFront edge location receives a request for an object and either the object isn’t presently in the hoard or the object has expired, CloudFront immediately sends the request to your origin. If there ‘s a traffic spike—if extra requests for the same aim arrive at the border localization before your lineage responds to the first request—CloudFront pauses concisely before forwarding extra requests for the object to your origin. typically, the reaction to the beginning request will arrive at the CloudFront edge location before the response to subsequent requests. This brief pause helps to reduce unnecessary warhead on your beginning server. If extra requests are not identical because, for example, you configured CloudFront to cache based on request headers or cookies, CloudFront forwards all of the alone requests to your origin .

User-Agent header

If you want CloudFront to cache different versions of your objects based on the device that a drug user is using to view your content, we recommend that you configure CloudFront to forward one or more of the following headers to your custom lineage :

• CloudFront-Is-Desktop-Viewer
• CloudFront-Is-Mobile-Viewer
• CloudFront-Is-SmartTV-Viewer
• CloudFront-Is-Tablet-Viewer

Based on the measure of the User-Agent heading, CloudFront sets the value of these headers to true or false before forwarding the request to your origin. If a device falls into more than one class, more than one prize might be true. For model, for some pill devices, CloudFront might set both CloudFront-Is-Mobile-Viewer and CloudFront-Is-Tablet-Viewer to true. For more information about configuring CloudFront to cache based on request headers, see Caching subject based on request headers .
You can configure CloudFront to cache objects based on values in the User-Agent header, but we do n’t recommend it. The User-Agent header has many possible values, and caching based on those values would cause CloudFront to forward importantly more requests to your beginning .
If you do not configure CloudFront to cache objects based on values in the User-Agent heading, CloudFront adds a User-Agent header with the following respect before it forwards a request to your origin :
User-Agent = Amazon CloudFront
CloudFront adds this header regardless of whether the request from the viewer includes a User-Agent header. If the request from the spectator includes a User-Agent header, CloudFront removes it .

How CloudFront processes responses from your custom
origin

This topic contains information about how CloudFront processes responses from your custom origin .

100 Continue responses

Your origin can not send more than one 100-Continue response to CloudFront. After the first 100-Continue reaction, CloudFront expects an HTTP 200 OK response. If your origin sends another 100-Continue reception after the first gear one, CloudFront will return an error .

Caching

• see that the beginning server sets valid and accurate values for the Date and Last-Modified heading fields .
• CloudFront normally respects a Cache-Control: no-cache header in the response from the beginning. For an exception, see coincident requests for the same object ( traffic spikes ) .

Canceled requests

If an object is not in the edge cache, and if a spectator terminates a school term ( for example, closes a browser ) after CloudFront gets the object from your origin but before it can deliver the request object, CloudFront does not cache the object in the edge placement .

Content negotiation

If your origin returns Vary:* in the response, and if the rate of Minimum TTL for the comparable hoard behavior is 0, CloudFront caches the object but even forwards every subsequent request for the object to the origin to confirm that the cache contains the latest interpretation of the object. CloudFront does n’t include any conditional headers, such as If-None-Match or If-Modified-Since. As a resultant role, your beginning returns the object to CloudFront in answer to every request .
If your origin returns Vary:* in the reply, and if the value of Minimum TTL for the corresponding cache behavior is any other respect, CloudFront processes the Vary header as described in HTTP answer headers that CloudFront removes or replaces .

Cookies

If you enable cookies for a cache behavior, and if the origin returns cookies with an object, CloudFront caches both the object and the cookies. note that this reduces cacheability for an object. For more information, see Caching content based on cookies .

Dropped TCP connections

If the TCP connection between CloudFront and your beginning drops while your origin is returning an aim to CloudFront, CloudFront behavior depends on whether your origin included a Content-Length header in the response :

• Content-Length header – CloudFront returns the object to the spectator as it gets the object from your origin. however, if the value of the Content-Length header does n’t match the size of the object, CloudFront does n’t cache the object .
• Transfer-Encoding: Chunked – CloudFront returns the object to the viewer as it gets the object from your origin. however, if the collocate response is not dispatch, CloudFront does not cache the object .
• No Content-Length header – CloudFront returns the object to the spectator and caches it, but the object may not be complete. Without a Content-Length header, CloudFront can not determine whether the TCP connection was dropped unintentionally or on purpose .

We recommend that you configure your HTTP server to add a Content-Length header to prevent CloudFront from caching fond objects .

HTTP response headers that CloudFront removes or
replaces

CloudFront removes or updates the play along header fields before forwarding the reception from your beginning to the viewer :

• Set-Cookie – If you configure CloudFront to forward cookies, it will forward the Set-Cookie header field to clients. For more information, see Caching content based on cookies .
• Trailer
• Transfer-Encoding – If your origin returns this header field, CloudFront sets the value to chunked before returning the response to the viewer .
• Upgrade
• Vary – Note the watch :
  • If you configure CloudFront to forward any of the device-specific headers to your origin ( CloudFront-Is-Desktop-Viewer, CloudFront-Is-Mobile-Viewer, CloudFront-Is-SmartTV-Viewer, CloudFront-Is-Tablet-Viewer ) and you configure your origin to return Vary:User-Agent to CloudFront, CloudFront returns Vary:User-Agent to the spectator. For more information, see Configuring caching based on the device type .
  • If you configure your origin to include either Accept-Encoding or Cookie in the Vary header, CloudFront includes the values in the reception to the viewer .
  • If you configure CloudFront to forward headers to your lineage, and if you configure your origin to return the header names to CloudFront in the Vary heading ( for example, Vary:Accept-Charset,Accept-Language ), CloudFront returns the Vary header with those values to the viewer .
  • For information about how CloudFront processes a prize of * in the Vary header, see capacity negotiation .
  • If you configure your origin to include any early values in the Vary header, CloudFront removes the values before returning the answer to the spectator .
• Via – CloudFront sets the value to the following in the answer to the viewer :
  Via: http-version alphanumeric-string .cloudfront.net
(CloudFront)
  For exemplar, if the client makes a request over HTTP/1.1, the value is something like the adopt :
  Via: 1.1 1026589cc7887e7a0dc7827b4example.cloudfront.net (CloudFront)

Maximum file size

The utmost size of a reaction body that CloudFront saves in its cache is 30 GB. This includes collocate transfer responses that don ’ thymine specify the Content-Length header value .
When hoard is disabled, CloudFront can retrieve an aim that is larger than 30 GB from the origin and exceed it along to the viewer. however, CloudFront doesn ’ metric ton cache the object .
You can use CloudFront to cache an object that is larger than 30 GB by using range requests to request the objects in parts that are each 30 GB or smaller. CloudFront caches these parts because each of them is 30 GB or smaller. After the spectator retrieves all the parts of the aim, it can reconstruct the original, larger object. For more information, see Use crop requests to cache large objects .

Origin unavailable

If your origin server is unavailable and CloudFront gets a request for an object that is in the edge hoard but that has expired ( for case, because the period of meter specified in the Cache-Control max-age directive has passed ), CloudFront either serves the die interpretation of the object or serves a customs error page. For more information about CloudFront behavior when you ‘ve configured custom-made error pages, see How CloudFront processes errors when you have configured custom error pages .
In some cases, an aim that is rarely requested is evicted and is no longer available in the edge cache. CloudFront ca n’t serve an object that has been evicted .

Redirects

If you change the location of an object on the origin server, you can configure your network server to redirect requests to the modern placement. After you configure the redirect, the first prison term a viewer submits a request for the object, CloudFront Front sends the request to the beginning, and the origin responds with a redirect ( for exemplar, 302 Moved
Temporarily ). CloudFront caches the redirect and returns it to the spectator. CloudFront does not follow the redirect .
You can configure your web server to redirect requests to one of the trace locations :

• The new URL of the object on the origin server. When the spectator follows the redirect to the new URL, the spectator bypasses CloudFront and goes straight to the origin. As a result, we recommend that you not redirect requests to the new URL of the object on the lineage .
• The new CloudFront URL for the object. When the viewer submits the request that contains the newly CloudFront URL, CloudFront gets the object from the new placement on your origin, caches it at the edge placement, and returns the object to the viewer. subsequent requests for the object will be served by the edge location. This avoids the rotational latency and load associated with viewers requesting the object from the origin. however, every new request for the object will incur charges for two requests to CloudFront.

  Read more: How to Make Your Own Website Without a Host

Transfer-Encoding header

CloudFront supports entirely the chunked value of the Transfer-Encoding header. If your beginning returns Transfer-Encoding:
chunked, CloudFront returns the object to the node as the object is received at the edge localization, and caches the object in collocate format for subsequent requests .
If the viewer makes a Range GET request and the beginning returns Transfer-Encoding: chunked, CloudFront returns the stallion object to the viewer alternatively of the request compass .
We recommend that you use collocate encode if the contentedness length of your response can not be predetermined. For more information, see Dropped TCP connections .