Origin settings
When you use the CloudFront console to create or update a distribution, you provide information about one or more locations, known as origins, where you store the original versions of your web content. CloudFront gets your web content from your origins and serves it to viewers via a worldwide network of edge servers.
For the current maximum number of origins that you can create for a distribution, or to request a higher quota, see General quotas on distributions.
If you want to delete an origin, you must first edit or delete the cache behaviors that are associated with that origin.
Important
If you delete an origin, confirm that files that were previously served by that origin are available in another origin and that your cache behaviors are now routing requests for those files to the new origin.
When you create or update a distribution, you specify the following values for each origin.
Topics
Origin domain
The origin domain is the DNS domain name of the resource where CloudFront will get objects for your origin, such as an Amazon S3 bucket or HTTP server. For example:
-
Amazon S3 bucket –
amzn-s3-demo-bucket.s3.us-west-2.amazonaws.comNote
If you recently created the S3 bucket, the CloudFront distribution might return
HTTP 307 Temporary Redirectresponses for up to 24 hours. It can take up to 24 hours for the S3 bucket name to propagate to all Amazon Regions. When the propagation is complete, the distribution automatically stops sending these redirect responses; you don't need to take any action. For more information, see Why am I getting an HTTP 307 Temporary Redirect response from Amazon S3?and Temporary Request Redirection. -
Amazon S3 bucket configured as a website –
amzn-s3-demo-bucket.s3-website.us-west-2.amazonaws.com -
MediaStore container –
examplemediastore.data.mediastore.us-west-1.amazonaws.com -
MediaPackage endpoint –
examplemediapackage.mediapackage.us-west-1.amazonaws.com -
Amazon EC2 instance –
ec2-203-0-113-25.compute-1.amazonaws.com -
Elastic Load Balancing load balancer –
example-load-balancer-1234567890.us-west-2.elb.amazonaws.com -
Your own web server –
www.example.com
Choose the domain name in the Origin domain field, or type the name. Resources from opt-in Regions must be entered manually. The domain name is not case-sensitive. Your origin domain must have a publicly resolvable DNS name that routes requests from clients to targets over the internet.
If you configure CloudFront to connect to your origin over HTTPS, one of the domain names in the certificate must match the domain name that you specify for Origin Domain Name. If no domain name matches, CloudFront returns HTTP status code 502 (Bad Gateway) to the viewer. For more information, see Domain names in the CloudFront distribution and in the certificate and SSL/TLS negotiation failure between CloudFront and a custom origin server.
Note
If you are using an origin request policy that forwards the viewer host header to the origin, the origin must respond with a certificate that matches the viewer host header. For more information, see Add CloudFront request headers.
If your origin is an Amazon S3 bucket, note the following:
-
If the bucket is configured as a website, enter the Amazon S3 static website hosting endpoint for your bucket; don’t select the bucket name from the list in the Origin domain field. The static website hosting endpoint appears in the Amazon S3 console, on the Properties page under Static website hosting. For more information, see Use an Amazon S3 bucket that's configured as a website endpoint.
-
If you configured Amazon S3 Transfer Acceleration for your bucket, do not specify the
s3-accelerateendpoint for Origin domain. -
If you're using a bucket from a different Amazon account and if the bucket is not configured as a website, enter the name, using the following format:
bucket-name.s3.region.amazonaws.comIf your bucket reside in a US Region, and you want Amazon S3 to route requests to a facility in northern Virginia, use the following format:
bucket-name.s3.us-east-1.amazonaws.com -
The files must be publicly readable unless you secure your content in Amazon S3 by using a CloudFront origin access control. For more information about access control, see Restrict access to an Amazon S3 origin.
Important
If the origin is an Amazon S3 bucket, the bucket name must conform to DNS naming requirements. For more information, go to Bucket restrictions and limitations in the Amazon Simple Storage Service User Guide.
When you change the value of Origin domain for an origin, CloudFront immediately begins replicating the change to CloudFront edge locations. Until the distribution configuration is updated in a given edge location, CloudFront continues to forward requests to the previous origin. As soon as the distribution configuration is updated in that edge location, CloudFront begins to forward requests to the new origin.
Changing the origin does not require CloudFront to repopulate edge caches with objects from the new origin. As long as the viewer requests in your application have not changed, CloudFront continues to serve objects that are already in an edge cache until the TTL on each object expires or until seldom-requested objects are evicted.
Protocol (custom origins only)
Note
This applies only to custom origins.
The protocol policy that you want CloudFront to use when fetching objects from your origin.
Choose one of the following values:
-
HTTP only: CloudFront uses only HTTP to access the origin.
Important
HTTP only is the default setting when the origin is an Amazon S3 static website hosting endpoint, because Amazon S3 doesn’t support HTTPS connections for static website hosting endpoints. The CloudFront console does not support changing this setting for Amazon S3 static website hosting endpoints.
-
HTTPS only: CloudFront uses only HTTPS to access the origin.
-
Match viewer: CloudFront communicates with your origin using HTTP or HTTPS, depending on the protocol of the viewer request. CloudFront caches the object only once even if viewers make requests using both HTTP and HTTPS protocols.
Important
For HTTPS viewer requests that CloudFront forwards to this origin, one of the domain names in the SSL/TLS certificate on your origin server must match the domain name that you specify for Origin domain. Otherwise, CloudFront responds to the viewer requests with an HTTP status code 502 (Bad Gateway) instead of returning the requested object. For more information, see Requirements for using SSL/TLS certificates with CloudFront.
HTTP port
Note
This applies only to custom origins.
(Optional) You can specify the HTTP port on which the custom origin listens. Valid values include ports 80, 443, and 1024 to 65535. The default value is port 80.
Important
Port 80 is the default setting when the origin is an Amazon S3 static website hosting endpoint, because Amazon S3 only supports port 80 for static website hosting endpoints. The CloudFront console does not support changing this setting for Amazon S3 static website hosting endpoints.
HTTPS port
Note
This applies only to custom origins.
(Optional) You can specify the HTTPS port on which the custom origin listens. Valid values include ports 80, 443, and 1024 to 65535. The default value is port 443. When Protocol is set to HTTP only, you cannot specify a value for HTTPS port.
Minimum origin SSL protocol
Note
This applies only to custom origins.
Choose the minimum TLS/SSL protocol that CloudFront can use when it establishes an HTTPS connection to your origin. Lower TLS protocols are less secure, so we recommend that you choose the latest TLS protocol that your origin supports. When Protocol is set to HTTP only, you cannot specify a value for Minimum origin SSL protocol.
If you use the CloudFront API to set the TLS/SSL protocol for CloudFront to use, you cannot set a minimum protocol. Instead, you specify all of the TLS/SSL protocols that CloudFront can use with your origin. For more information, see OriginSslProtocols in the Amazon CloudFront API Reference.
Origin path
If you want CloudFront to request your content from a directory in your origin,
enter the directory path, beginning with a slash (/). CloudFront appends the
directory path to the value of Origin domain, for
example, cf-origin.example.com/production/images. Do
not add a slash (/) at the end of the path.
For example, suppose you’ve specified the following values for your distribution:
-
Origin domain – An Amazon S3 bucket named
amzn-s3-demo-bucket -
Origin path –
/production -
Alternate domain names (CNAME) –
example.com
When a user enters example.com/index.html in a browser, CloudFront
sends a request to Amazon S3 for
amzn-s3-demo-bucket/production/index.html.
When a user enters example.com/acme/index.html in a browser,
CloudFront sends a request to Amazon S3 for
amzn-s3-demo-bucket/production/acme/index.html.
Name
A name is a string that uniquely identifies this origin in this distribution. If you create cache behaviors in addition to the default cache behavior, you use the name that you specify here to identify the origin that you want CloudFront to route a request to when the request matches the path pattern for that cache behavior.
Origin access (Amazon S3 origins only)
Note
This applies only to Amazon S3 bucket origins (those that are not using the S3 static website endpoint).
Choose Origin access control settings (recommended) if you want to make it possible to restrict access to an Amazon S3 bucket origin to only specific CloudFront distributions.
Choose Public if the Amazon S3 bucket origin is publicly accessible.
For more information, see Restrict access to an Amazon S3 origin.
For information about how to require users to access objects on a custom origin by using only CloudFront URLs, see Restrict access to files on custom origins.
Add custom header
If you want CloudFront to add custom headers whenever it sends a request to your origin, specify the header name and its value. For more information, see Add custom headers to origin requests.
For the current maximum number of custom headers that you can add, the maximum length of a custom header name and value, and the maximum total length of all header names and values, see Quotas.
Enable Origin Shield
Choose Yes to enable CloudFront Origin Shield. For more information about Origin Shield, see Use Amazon CloudFront Origin Shield.
Connection attempts
You can set the number of times that CloudFront attempts to connect to the origin. You can specify 1, 2, or 3 as the number of attempts. The default number (if you don’t specify otherwise) is 3.
Use this setting together with Connection timeout to specify how long CloudFront waits before attempting to connect to the secondary origin or returning an error response to the viewer. By default, CloudFront waits as long as 30 seconds (3 attempts of 10 seconds each) before attempting to connect to the secondary origin or returning an error response. You can reduce this time by specifying fewer attempts, a shorter connection timeout, or both.
If the specified number of connection attempts fail, CloudFront does one of the following:
-
If the origin is part of an origin group, CloudFront attempts to connect to the secondary origin. If the specified number of connection attempts to the secondary origin fail, then CloudFront returns an error response to the viewer.
-
If the origin is not part of an origin group, CloudFront returns an error response to the viewer.
For a custom origin (including an Amazon S3 bucket that’s configured with static website hosting), this setting also specifies the number of times that CloudFront attempts to get a response from the origin. For more information, see Response timeout (custom and VPC origins only).
Connection timeout
The connection timeout is the number of seconds that CloudFront waits when trying to establish a connection to the origin. You can specify a number of seconds between 1 and 10 (inclusive). The default timeout (if you don’t specify otherwise) is 10 seconds.
Use this setting together with Connection attempts to specify how long CloudFront waits before attempting to connect to the secondary origin or before returning an error response to the viewer. By default, CloudFront waits as long as 30 seconds (3 attempts of 10 seconds each) before attempting to connect to the secondary origin or returning an error response. You can reduce this time by specifying fewer attempts, a shorter connection timeout, or both.
If CloudFront doesn’t establish a connection to the origin within the specified number of seconds, CloudFront does one of the following:
-
If the specified number of Connection attempts is more than 1, CloudFront tries again to establish a connection. CloudFront tries up to 3 times, as determined by the value of Connection attempts.
-
If all the connection attempts fail and the origin is part of an origin group, CloudFront attempts to connect to the secondary origin. If the specified number of connection attempts to the secondary origin fail, then CloudFront returns an error response to the viewer.
-
If all the connection attempts fail and the origin is not part of an origin group, CloudFront returns an error response to the viewer.
Response timeout (custom and VPC origins only)
The origin response timeout, also known as the origin read timeout or origin request timeout, applies to both of the following values:
-
How long (in seconds) CloudFront waits for a response after forwarding a request to the origin.
-
How long (in seconds) CloudFront waits after receiving a packet of a response from the origin and before receiving the next packet.
Tip
If you want to increase the timeout value because viewers are experiencing HTTP 504 status code errors, consider exploring other ways to eliminate those errors before changing the timeout value. See the troubleshooting suggestions in HTTP 504 status code (Gateway Timeout).
CloudFront behavior depends on the HTTP method in the viewer request:
-
GETandHEADrequests – If the origin doesn’t respond or stops responding within the duration of the response timeout, CloudFront drops the connection. CloudFront tries again to connect according to the value of Connection attempts. -
DELETE,OPTIONS,PATCH,PUT, andPOSTrequests – If the origin doesn’t respond for the duration of the read timeout, CloudFront drops the connection and doesn’t try again to contact the origin. The client can resubmit the request if necessary.
Keep-alive timeout (custom and VPC origins only)
The keep-alive timeout is how long (in seconds) CloudFront tries to maintain a connection to your custom origin after it gets the last packet of a response. Maintaining a persistent connection saves the time that is required to re-establish the TCP connection and perform another TLS handshake for subsequent requests. Increasing the keep-alive timeout helps improve the request-per-connection metric for distributions.
Note
For the Keep-alive timeout value to have an effect, your origin must be configured to allow persistent connections.
Response and keep-alive timeout quotas
Note
This applies only to custom origins.
-
For response timeout, the default is 30 seconds.
-
For keep-alive timeout, the default is 5 seconds.
-
For either quota, you can specify a value from 1 to 60 seconds. To request an increase, create a case in the Amazon Support Center Console/
.
After you request a timeout increase for your Amazon Web Services account, update your distribution origins so that they have the response timeout and keep-alive timeout values that you want. A quota increase for your account doesn't automatically update your origins. For example, if you're using a Lambda@Edge function to set a keep-alive timeout of 90 seconds, your origin must already have a keep-alive timeout of 90 seconds or more. Otherwise, your Lambda@Edge function might fail to execute.
For more information about distribution quotas, see General quotas on distributions.