skeltern Posted September 5, 2023

I've a client with a fresh setup ProcessWire@EC2 plus CloudFront CDN on top. ProcessWire@EC2 is installed and PW admin login works by "hard" IP access over HTTP only (access to EC2 without CloudFront). But I can't log in to the PW admin panel over the "default" admin path (over CloudFront). With or without HTTPS.

I'm the webdev but not the sysadmin. The sysadmin means: "It seems that you've to configure something specific in ProcessWire to allow requests through the CloudFront CDN (with SSL/TLS offloading). ... The fact that CloudFront terminates SSL/TLS could also confuse ProcessWire. Keep in mind that the connection between "client" and "CloudFront" is SSL/TLS encrypted. The connection between CloudFront and ProcessWire is HTTP."

I tried some PW configs but with no luck so far (PW config HTTPS full off, DB sessions on, CHMODs). BTW I've never ever seen a stored session file at EC2 in site/assets/sessions.

I guess we're not the first people on earth with this setup. Unfortunately I can't find the "magic button" or config to solve the barrier between CloudFront <> EC2. That might be any of the CloudFront settings and/or PW configs. Or some special .htaccess rules? Google did not help me. I would be happy about any hint.

poljpocket Posted September 5, 2023

PW has quite strict session spoofing protection enabled by default. It is called a session fingerprint. Take a look at the session fingerprint settings here. I would start by trying to relax this setting and try to log in again. I have encountered problems with the fingerprint when using proxies and multiple-forwarding, as is usually the case in a cloud environment.

EDIT: Yes, in AWS environments, the SSL is usually done on the proxy and then internally, only HTTP is used. But I am pretty sure this is handled correctly (host rewriting and such) in order for PW to function correctly. What is your "HTTP hosts whitelist" configuration?

Edited September 5, 2023 by poljpocket

skeltern Posted September 5, 2023

Hi poljpocket, thanks for your helpful and quick answer. It seems that the sessionFingerprint config is the "magic button" here. With fingerprinting false it's possible to log in and do things in the admin area. Even with HTTPS. That's a huge step forward.

The PW config "HTTP hosts whitelist" includes just the main domain plus one dev subdomain. This config is fine.

Okay, I think I've to test out the fingerprinting config details now. And to check out CloudFront differences. I still can't see user sessions in EC2 assets. I think user sessions are stored in CloudFront. However, I hope my main issue is solved.
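
A simplified model of the fingerprint check discussed in this thread, added here as an example (it is not ProcessWire's code and not from either poster), showing which settings keep a session alive when requests reach the origin through a CDN. It assumes consecutive requests arrive at EC2 from different CloudFront edge addresses and uses the bit values documented for `$config->sessionFingerprint`; the hashing, function names and sample requests are constructed.

```python
import hashlib

# Bit flags following the documented values of ProcessWire's
# $config->sessionFingerprint (0 = off, 10 = default, i.e. 2 | 8).
REMOTE_IP, FORWARDED_IP, USER_AGENT = 2, 4, 8


def fingerprint(mode, request):
    """Simplified model: hash the request attributes selected by `mode`."""
    if not mode:
        return None  # fingerprinting off: session is not bound to the client
    parts = []
    if mode & REMOTE_IP:
        parts.append(request["remote_addr"])  # behind a CDN: the edge node's IP
    if mode & FORWARDED_IP:
        parts.append(request.get("x_forwarded_for", ""))  # header value, can be spoofed
    if mode & USER_AGENT:
        parts.append(request.get("user_agent", ""))
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def session_survives(mode, login_request, next_request):
    """True if the fingerprint stored at login still matches the next request."""
    return fingerprint(mode, login_request) == fingerprint(mode, next_request)


# Constructed sample requests as the origin (EC2) would see them.
UA = "Mozilla/5.0 (constructed sample)"
VIA_EDGE_A = {"remote_addr": "192.0.2.10", "x_forwarded_for": "203.0.113.7", "user_agent": UA}
VIA_EDGE_B = {"remote_addr": "192.0.2.44", "x_forwarded_for": "203.0.113.7", "user_agent": UA}
DIRECT = {"remote_addr": "203.0.113.7", "user_agent": UA}
OTHER_BROWSER = dict(VIA_EDGE_B, user_agent="curl/8.0 (constructed sample)")


def report():
    """Rows of (mode, direct access ok, via CDN ok, accepted from another user agent)."""
    rows = []
    for mode in (10, 8, 12, 0):
        rows.append((mode,
                     session_survives(mode, DIRECT, DIRECT),
                     session_survives(mode, VIA_EDGE_A, VIA_EDGE_B),
                     session_survives(mode, VIA_EDGE_A, OTHER_BROWSER)))
    return rows


if __name__ == "__main__":
    for mode, direct, cdn, other_ua in report():
        print(f"mode {mode:2}: direct={direct} via_cdn={cdn} other_user_agent={other_ua}")
```

In this model the default (10) works on the direct IP but fails through the CDN, matching the symptom in the first post, while 8 or 12 keep the login working without giving up the binding entirely as 0 does.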