AWS AmazonCloudFront documentation change
Summary
Added documentation for new optional parameters (hostHeader, sni, allowedCertificateNames) for non-S3 custom origins. Updated examples to show usage of these parameters and added warnings about their advanced usage.
Security assessment
The changes document new security features (SNI and allowedCertificateNames) that enhance TLS validation between CloudFront and origins. This helps prevent man-in-the-middle attacks by allowing strict certificate validation. However, there's no evidence of a specific security vulnerability being fixed.
Diff
diff --git a/AmazonCloudFront/latest/DeveloperGuide/helper-functions-origin-modification.md b/AmazonCloudFront/latest/DeveloperGuide/helper-functions-origin-modification.md index e6056ae40..d5cd6cb85 100644 --- a//AmazonCloudFront/latest/DeveloperGuide/helper-functions-origin-modification.md +++ b//AmazonCloudFront/latest/DeveloperGuide/helper-functions-origin-modification.md @@ -90 +90 @@ The domain name of the origin. If this is not provided, the domain name from the -Specify a DNS domain name, such as `www.example.com`. The domain name can't include a colon (:) and can't be an IP address. The domain name can be up to 253 characters. +Specify a DNS domain name, such as `www.example.com`. The domain name can't include a colon (`:`) and can't be an IP address. The domain name can be up to 253 characters. @@ -96,0 +97,5 @@ Specify the DNS domain name of the Amazon S3 bucket, such as `amzn-s3-demo-bucke +**hostHeader (optional, for non-S3 custom origins)** + + +The host header to use when making the request to the origin. If this is not provided, the value from the domainName parameter is used. If neither host header or domain name parameter are provided, the domain name from the assigned origin is used or the host header from the incoming request if the forward to origin (FTO) policy includes the host. The host header can't include a colon (`:`) and can't be an IP address. The host header can be up to 253 characters. + @@ -258,0 +264,16 @@ Specifies the IP address type that CloudFront uses to connect to the origin. Val +**sni (optional, for non-S3 custom origins)** + + +The Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) protocol by which a client indicates which hostname it's attempting to connect to at the start of the TLS handshake process. This value should match a common name on a TLS certificate on your origin server. Otherwise, your origin server may throw an error. + +If this is not provided, the value from the `hostHeader` parameter is used. If the host header not provided, the value from the `domainName` parameter is used. + +If neither host header or domain name parameter are provided, the domain name from the assigned origin is used or the host header from the incoming request if the forward to origin (FTO) policy includes the host. The SNI can't include a colon (`:`) and can't be an IP address. The SNI can be up to 253 characters. + +**allowedCertificateNames (optional, for non-S3 custom origins)** + + +You can include a list of valid certificate names to be used by CloudFront to validate the domain matching from your origin server TLS certificate during the TLS handshake with your origin server. This field expects an array of valid domain names and can include wildcard domains, such as `*.example.com`. + +You can specify up to 20 allowed certificate names. Each certificate name can have up to 64 characters. + @@ -301,0 +323,16 @@ In the following example, the origin in the distribution has Origin Shield enabl +###### Example – Update the host header, SNI, and allowed certificate names + +###### Warning + +For most use cases, you won't need to use this type of modification to requests going to your origin. These parameters shouldn't be used unless you understand the impact of changing these values. + +The following example changes the domain name, the host header, SNI, and allowed certificates on the request to the origin. + + + cf.updateRequestOrigin({ + "domainName": "www.example.com", + "hostHeader": "test.example.com", + "sni": "test.example.net", + "allowedCertificateNames": ["*.example.com", "*.example.net"], + }); + @@ -309,0 +347,30 @@ If you have a VPC origin configured in your distribution, you can use this metho +**Request** + + + cf.selectRequestOriginById(origin_id, {origin_overrides}) + +In the previous example, `origin_id` is a string that points to the origin name of an origin in the distribution that's running the function. The `origin_overrides `parameter can contain the following: + +**hostHeader (optional, for non-S3 custom origins)** + + +The host header to use when making the request to the origin. If this is not provided, the value from the `domainName` parameter is used. + +If neither host header or domain name parameter are provided, the domain name from the assigned origin is used or the host header from the incoming request if the forward to origin (FTO) policy includes the host. The host header can't include a colon (`:`) and can't be an IP address. The host header can be up to 253 characters. + +**sni (optional, for non-S3 custom origins)** + + +The Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) protocol by which a client indicates which hostname it's attempting to connect to at the start of the TLS handshake process. This value should match a common name on a TLS certificate on your origin server. Otherwise, your origin server may throw an error. + +If this is not provided, the value from the `hostHeader` parameter is used. If the host header not provided, the value from the `domainName` parameter is used. + +If neither host header or domain name parameter are provided, the domain name from the assigned origin is used or the host header from the incoming request if the forward to origin (FTO) policy includes the host. The SNI can't include a colon (`:`) and can't be an IP address. The SNI can be up to 253 characters. + +**allowedCertificateNames (optional, for non-S3 custom origins)** + + +You can include a list of valid certificate names to be used by CloudFront to validate the domain matching from your origin server TLS certificate during the TLS handshake with your origin server. This field expects an array of valid domain names and can include wildcard domains, such as `*.example.com`. + +You can specify up to 20 allowed certificate names. Each certificate name can have up to 64 characters. + @@ -330,0 +398,9 @@ The following example selects an Application Load Balancer origin named `myALB-p +###### Example – Select Application Load Balancer request origin and override the host header + +Like the previous example, the following example selects an Application Load Balancer origin named `myALB-prod` from the list of origins associated with the distribution, and applies the configuration settings of `myALB-prod` to the request. However, this example overrides the host header value using `origin_overrides`. + + + cf.overrideRequestOrigin("myALB-prod",{ + "hostHeader" : "test.example.com" + }); + @@ -350,0 +427,28 @@ Array of `origin_ids`, where the `origin_id` is a string that points to the orig +**originOverrides (optional)** + + +A few advanced settings are allowed to be overwritten by using the `{origin_overrides}` parameter. The `origin overrides` can contain the following: + +**hostHeader (optional, for non-S3 custom origins)** + + +The host header to use when making the request to the origin. If this is not provided, the value from the `domainName` parameter is used. + +If neither host header or domain name parameter are provided, the domain name from the assigned origin is used or the host header from the incoming request if the forward to origin (FTO) policy includes the host. The host header can't include a colon (`:`) and can't be an IP address. The host header can be up to 253 characters. + +**sni (optional, for non-S3 custom origins)** + + +The Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) protocol by which a client indicates which hostname it is attempting to connect to at the start of the TLS handshaking process. This value should match a common name on a TLS certificate on your origin server, otherwise your origin server may throw an error. + +If this is not provided, the value from the `hostHeader` parameter is used. If the host header not provided, the value from the `domainName` parameter is used. + +If neither host header or domain name parameter are provided, the domain name from the assigned origin is used or the host header from the incoming request if the forward to origin (FTO) policy includes the host. The SNI can't include a colon (`:`) and can't be an IP address. The SNI can be up to 253 characters. + +**allowedCertificateNames (optional, for non-S3 custom origins)** + + +You can include a list of valid certificate names to be used by CloudFront to validate the domain matching from your origin server TLS certificate during the TLS handshake with your origin server. This field expects an array of valid domain names and can include wildcard domains, such as `*.example.com`. + +You can specify up to 20 allowed certificate names. Each certificate name can have up to 64 characters. + @@ -373,0 +478,2 @@ The following example creates an origin group for a request using the origin IDs +Optionally, you can use `originOverrides` to override the origin group configurations for `sni`, `hostHeader`, and `allowedCertificateNames`. + @@ -374,0 +481,3 @@ The following example creates an origin group for a request using the origin IDs + import cf from 'cloudfront'; + + function handler(event) { @@ -376,3 +485,20 @@ The following example creates an origin group for a request using the origin IDs - originIds: ["us-east-1-s3-origin", "us-west-2-s3-origin"], - failoverCriteria: { - statusCodes: [500, 502, 503, 504] + "originIds": [ + { + "originId": "origin-1", + "originOverrides": { + "hostHeader": "hostHeader.example.com", + "sni": "sni.example.com", + "allowedCertificateNames": ["cert1.example.com", "cert2.example.com", "cert3.example.com"] + } + }, + { + "originId": "origin-2", + "originOverrides": { + "hostHeader": "hostHeader2.example.com", + "sni": "sni2.example.com", + "allowedCertificateNames": ["cert4.example.com", "cert5.example.com"] + } + } + ], + "failoverCriteria": { + "statusCodes": [500] @@ -381,0 +508,4 @@ The following example creates an origin group for a request using the origin IDs + event.request.headers['x-hookx'] = { value: 'origin-overrides' }; + return event.request; + } +