
I am running a nodejs server on EC2 on port 3000. In order to connect it to the internet, I am running an nginx server to proxy requests from port 80 to 3000.

I have an EC2 domain "http://ec2-xxx.compute.amazonaws.com" and I am able to make both POST and GET requests here successfully.

Now I have a domain and want "api.mydomain.com" to point to this server. For that I am using ACM and CloudFront. After configuring both of them, I am successfully able to make GET requests over HTTPS; however, POST requests keep getting a 502 error response from CloudFront.

This is what a request looks like:

(https) -> route53 -> cloudfront -> (http) -> nginx -> nodejs

However,

This is my nginx config file:

```
server {
    listen 80;
    server_name ec2-3-109-166-206.ap-south-1.compute.amazonaws.com;

    location / {
        proxy_pass http://127.0.0.1:3000/;
        proxy_redirect http://127.0.0.1:3000/ /;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Connection $http_connection;
        proxy_ssl_server_name on;
        proxy_ssl_session_reuse off;
    }
}
```

I cannot seem to figure out why GET requests over HTTPS are successful but POST requests give this error:

```
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>502 ERROR</H1>
<H2>The request could not be satisfied.</H2>
```

Update: Adding CloudFront Settings

  1. Settings
  2. price class: Use all edge locations (best performance)
  3. Alternate domain name (CNAME): api.mydomain.com
  4. Custom SSL certificate: domain.com (id generated by acm)
  5. legacy client support: not enabled
  6. security policy: TLSv1
  7. Supported HTTP versions: HTTP1, HTTP2, HTTP3
  8. Standard Logging: Off
  9. IPv6: On

Origin:

  1. domain: ec2-xxx.compute.amazonaws.com
  2. protocol: match-viewer
  3. http: 80
  4. https: 443
  5. Minimum Origin SSL protocol: TLSv1.2
  6. origin path: [empty]
  7. enable shield: No

Behavior

  1. Path Pattern: default(*)
  2. origin: ec2-xxx.compute.amazonaws.com
  3. compress objects automatically: yes
  4. viewer protocol policy: Http and Https
  5. Allowed http methods: GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE
  6. Restrict Viewer Access: No
  7. Cache key and origin requests: Cache policy and origin request policy (recommended)
  8. Cache Policy: CachingOptimized
  9. Origin Request Policy: None
  10. Response Headers Policy: CorsAndSecurityHeadersPolicy
  11. SmoothStream: No
  12. Field Encryption: No
  13. Function Associations: No Association (for all requests and responses)
  • Show your CloudFront settings. Commented Feb 8, 2024 at 8:34
  • Updated the question @AlexD Commented Feb 8, 2024 at 9:04

1 Answer

You have configured 'protocol: match-viewer' in your CloudFront configuration. This setting means that CloudFront uses HTTPS to connect to your origin server (EC2) when a client uses HTTPS to connect to api.mydomain.com, but your nginx doesn't have HTTPS configured. Switch the protocol to HTTP-only or configure HTTPS in nginx. Reference: CloudFront documentation
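
The mismatch described in this answer can be checked offline from the distribution settings. The following is an added example, not part of the original answer: it models which scheme CloudFront uses toward the origin and compares it with the ports nginx listens on. The config dict is constructed to mirror the question's settings; the origin id `ec2-origin` and the finding names are hypothetical.

```python
"""Lint a CloudFront config for origin-protocol mismatches (added example)."""

def make_config(origin_policy, viewer_policy):
    # Constructed sample shaped like the DistributionConfig returned by
    # `aws cloudfront get-distribution-config`; "ec2-origin" is a made-up id.
    return {
        "Origins": {"Items": [{
            "Id": "ec2-origin",
            "DomainName": "ec2-xxx.compute.amazonaws.com",
            "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                   "OriginProtocolPolicy": origin_policy},
        }]},
        "DefaultCacheBehavior": {"TargetOriginId": "ec2-origin",
                                 "ViewerProtocolPolicy": viewer_policy},
    }

def origin_schemes(origin_policy, viewer_policy):
    """Schemes CloudFront will use on the CloudFront -> origin hop."""
    if origin_policy in ("http-only", "https-only"):
        return {origin_policy.split("-")[0]}
    if origin_policy != "match-viewer":
        raise ValueError(f"unknown OriginProtocolPolicy: {origin_policy}")
    # match-viewer: the origin hop copies the scheme the viewer used.
    # Only "allow-all" lets plain-HTTP viewer requests through to the origin.
    return {"http", "https"} if viewer_policy == "allow-all" else {"https"}

def lint(config, listening_ports):
    """Return (finding, scheme, port) tuples for the default behavior's origin."""
    behavior = config["DefaultCacheBehavior"]
    origin = next(o for o in config["Origins"]["Items"]
                  if o["Id"] == behavior["TargetOriginId"])
    custom = origin["CustomOriginConfig"]
    ports = {"http": custom["HTTPPort"], "https": custom["HTTPSPort"]}
    findings = []
    for scheme in sorted(origin_schemes(custom["OriginProtocolPolicy"],
                                        behavior["ViewerProtocolPolicy"])):
        if ports[scheme] not in listening_ports:
            findings.append(("origin-not-listening", scheme, ports[scheme]))
        elif scheme == "http":
            findings.append(("plaintext-origin-hop", scheme, ports[scheme]))
    return findings

if __name__ == "__main__":
    nginx_ports = {80}  # the posted nginx config only has `listen 80`
    for origin_policy in ("match-viewer", "http-only"):
        print(origin_policy, lint(make_config(origin_policy, "allow-all"), nginx_ports))
```

Switching the origin protocol to HTTP-only clears the `origin-not-listening` finding but leaves the CloudFront-to-origin hop unencrypted, which the `plaintext-origin-hop` finding keeps visible; configuring HTTPS in nginx and using `https-only` clears both.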
