Configure a Cloudfront reverse proxy for a subfolder install

documentation sysadmin
,
1

This topic is a companion to another, which focuses on the Discourse configuration. Here we will set up a Cloudfront distribution as the reverse proxy before Discourse.

:warning: The only time you need this combination is when you already have a Cloudfront distribution for the primary hostname and would like to proxy a subfolder to a Discourse forum. This guide assumes the reader to have previous experience using Cloudfront in production.

Flow of Traffic

When a user loads the site there are two network connections involved. Each has a different hostname:

  • The web browser will issue a request to Cloudfront for the public hostname.
  • Then Cloudfront will issue a request to the Discourse servers for the origin hostname.
 .───────.      .───────.      .─────────.
( browser )───▶(   CF    )───▶( discourse )
 `───────'      `───────'      `─────────'

For our example, we’re going to pretend your Discourse site will load from https://www.example.com/forum/, using:

purpose hostname
public hostname www.example.com
origin hostname discourse.example.com

Cloudfront Setup

This means there will be at least two origins defined – a default for the primary site and a second for the Discourse servers.

image
image1568×224 24 KB

There will also be at least two behaviors, one pointing to each origin.

image
image1124×226 17.1 KB

The default behavior and origin are not relevant for our purposes here; it must already be configured as appropriate to your needs. The Discourse-specific origin and behavior should be configured as follows.

Origin

The second origin for the Discourse servers should be pointed at the origin hostname.

image
image1186×200 13.5 KB

Do not configure an origin path.

image
image1194×196 15.7 KB

The protocol policy should be HTTPS, with TLSv1 as the minimum version.

image
image1206×964 46.3 KB

Behavior

The pattern needs to match the subfolder.

image
image1208×170 5.88 KB

It should be attached to the origin configured as above.

image
image1200×154 5.13 KB

It should redirect HTTP → HTTPS.

image

It should permit all HTTP verbs.

image
image762×416 24.5 KB

It should disable caching.

image
image1368×282 19.5 KB

It should forward all client headers.

image
image1342×264 20.1 KB

Configuring Lambda@edge

Shared hosting environments (including discourse.org) use SNI. To make this work with Cloudfront, you’ll need to use Lambda@edge to make sure that Cloudfront uses the origin hostname for SNI, rather than the Host header from the viewer’s request.

Visit the AWS Lambda dashboard and create a new function. Use the Node.js runtime environment, and create a new role with “Basic Lambda@Edge permissions”:

Screenshot 2022-03-29 at 20.52.31
Screenshot 2022-03-29 at 20.52.311920×1691 139 KB

Click “Create Function”

Once the code editor appears, replace the example with this:

exports.handler = async (event, context) => {
    const request = event.Records[0].cf.request;
    request.headers['x-forwarded-host'] = [{
        key: 'x-forwarded-host',
        value: request.headers['host'][0]['value']
    }];
    request.headers["host"] = [{
        key: 'host',
        value: request.origin.custom.domainName
    }];
    return request;
};

Click “Deploy”.

In the top left, choose Actions → Deploy to Lambda@Edge

Screenshot 2022-03-29 at 20.55.58
Screenshot 2022-03-29 at 20.55.58820×520 28.7 KB

Choose your Cloudfront distribution, and select the correct Behavior from the list:

Screenshot 2022-03-29 at 20.56.13
Screenshot 2022-03-29 at 20.56.131660×1134 106 KB

If you need to make changes for any reason, make sure to “Deploy”, then “Publish new Version” from the versions tab, then update your distribution to use the new version of the Lambda.

10 Likes