
Setting up AWS CloudFront with Blossom

Categories: aws cdn cloudfront security

This guide walks you through setting up AWS CloudFront as a Content Delivery Network (CDN) in front of your Blossom application.

Prerequisites

  • A Blossom application
  • A custom domain (e.g., mysite.com)
  • AWS CloudFront distribution

Configuration Steps

1. DNS Configuration

  1. Create a CNAME record for your domain pointing to your CloudFront distribution:

    mysite.com -> d34jqxq7ceb9eo.cloudfront.net (CNAME)
    
  2. Create a subdomain for your origin server:

    origin.mysite.com -> [Your Blossom Load Balancer IP] (A record)
    

2. CloudFront Configuration

  1. Create a CloudFront distribution with the following settings:
    • Origin domain: origin.mysite.com
    • Origin protocol: HTTP only
    • Viewer Protocol Policy: “Redirect HTTP to HTTPS”

3. Blossom Custom Domain

Configure two custom domains in your Blossom application:

  1. mysite.com (HTTP Only)
  2. origin.mysite.com (HTTP Only)

You also need to add the mysite.com domain because CloudFront forwards requests to the origin with mysite.com as the Host header. Even though mysite.com only responds to HTTP on the Blossom side, its DNS points at CloudFront, which handles HTTPS for end users. This setup just makes sure Blossom's servers accept the connection from CloudFront over plain HTTP.

Important Notes

  • CloudFront communicates with origin servers using HTTP
  • End users access the site via HTTPS
  • CloudFront automatically redirects HTTP to HTTPS for end users
  • Self-signed Caddy SSL certificates are not supported by CloudFront
  • For HTTPS between CloudFront and origin, consider using wildcard certificates with Caddy DNS-01 challenge

Rails CDN SSL Configuration

When using Rails with a CDN, you might need to configure SSL settings in your Rails application.

  • If you're using a Blossom Custom Domain with HTTP Only, then you need assume_ssl = true and force_ssl = true.
  • If you're using SSL at the origin servers, then you want assume_ssl = false and force_ssl = true.

Here's a clean way of configuring this with an environment variable.

config/environments/production.rb

# When using a CDN, we assume all access to the app is happening through an
# SSL-terminating reverse proxy. ENV values are strings (or nil), so coerce
# to a boolean: any non-empty CDN value enables CDN mode.
cdn = ENV["CDN"].present?
config.assume_ssl = cdn
# Disable force_ssl since the CDN handles SSL termination and the HTTP-to-HTTPS redirect
config.force_ssl = !cdn

This configuration is important because:

  • Rails by default enables force_ssl in production mode
  • This can cause redirect loops when behind a CDN
  • The redirects will show as coming from Caddy (your reverse proxy) rather than Rails
  • Setting assume_ssl = true tells Rails to behave as if it’s behind SSL while allowing HTTP connections
  • Instead, configure your CDN to perform the HTTP-to-HTTPS redirect for end users

Debugging Tips

  • To test your setup, use:
    curl -svo /dev/null -H "Host: mysite.com" http://origin.mysite.com
    
  • Always include the Host header in your requests as CloudFront does
  • If experiencing stale content, invalidate the CloudFront cache
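The same checks as a script, added here as an example that is not part of Blossom's docs or tooling. It assumes the mysite.com / origin.mysite.com names from this guide and that CloudFront marks the redirects it generates itself with a via or x-cache header mentioning cloudfront (an assumption; adjust if your distribution reports differently).

```python
"""Verify the CloudFront -> origin chain from this guide without following redirects."""
import http.client

APEX = "mysite.com"           # served by CloudFront (viewer side)
ORIGIN = "origin.mysite.com"  # Blossom load balancer, plain HTTP (assumed names)


def probe(host, path="/", scheme="http", host_header=None):
    """Send one GET without following redirects; return (status, lower-cased headers)."""
    conn_cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(host, timeout=10)
    # Send the Host header CloudFront would send (mysite.com), like the curl command above.
    conn.request("GET", path, headers={"Host": host_header or host})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers


def classify_origin(status, headers):
    """The origin must answer plain HTTP for Host: mysite.com without bouncing to HTTPS.
    A 3xx to https:// here means Rails force_ssl (or Caddy) is still redirecting,
    which is exactly the redirect loop the Rails section warns about."""
    loc = headers.get("location", "")
    if 300 <= status < 400 and loc.startswith("https://"):
        return "redirect-loop: origin redirects HTTP to HTTPS (%s)" % loc
    if status >= 500:
        return "origin-error: status %d" % status
    return "ok"


def classify_viewer(status, headers):
    """Viewer-side HTTP must be redirected to HTTPS by CloudFront itself."""
    loc = headers.get("location", "")
    marker = (headers.get("via", "") + " " + headers.get("x-cache", "")).lower()
    if not (300 <= status < 400 and loc.startswith("https://")):
        return "no-redirect: viewer protocol policy is not 'Redirect HTTP to HTTPS'"
    if "cloudfront" not in marker:
        return "bypass: redirect did not come from CloudFront (check the CNAME / DNS)"
    return "ok"


if __name__ == "__main__":
    print("origin:", classify_origin(*probe(ORIGIN, host_header=APEX)))
    print("viewer:", classify_viewer(*probe(APEX)))
```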

Troubleshooting

  • TLS Handshake Error: This typically occurs when using self-signed certificates. Switch to proper SSL certificates or use HTTP between CloudFront and origin. Example from the Caddy log: caddy-1 {"level":"debug","ts":1746066331.6404607,"logger":"http.stdlib","msg":"http: TLS handshake error from 1.1.1.1:33942: EOF"}
  • Stale Content: Use CloudFront cache invalidation to force content refresh.
  • Connection Issues: Verify DNS records and ensure the origin server is accessible.