Redirecting a domain with HTTPS using Amazon S3 and CloudFront

Written by Simone Carletti / Original link on Jul. 31, 2016

This article assumes you want to redirect an entire host name to a different one, and the source host name (the one that is redirecting) should be configured to accept HTTPS connections and redirect via HTTPS. For example, this is the case if you want to redirect the www-version of a domain, such as, to the corresponding non-www version,

Requested Redirected to

For the purpose of this article we'll use Amazon S3 static hosting to configure the redirect, and Amazon CloudFront to handle the HTTPS traffic. CloudFront is needed because it's not possible to install a certificate for a custom name using Amazon S3 static hosting.

Initial considerations

Before we start, there are a few important notes to keep in mind:

Configuring the Amazon S3 static site with redirect

The first step is to configure a site in Amazon S3 that will trigger the redirect. The site will be used as the origin for the CloudFront distribution.

  1. Create a new Amazon S3 bucket with exactly the same name as the origin domain. For example, if the origin is, then you must give the bucket the same name.

    There are several ways to create a new bucket in Amazon S3, and this is beyond the scope of this article. In this particular case, I will use the Amazon AWS web console:

    You can use the region you prefer. If you don't have a specific preference, leave US Standard.

  2. Configure the bucket to redirect all requests to another host name. Select the bucket from the list, click Properties, and in the Static Website Hosting section configure the redirect.

    The value of the Redirect all requests to field should be the domain or host name where you want to redirect the requests. In this example, it's the non-www version of the redirecting domain, but you can use any host name you want, even on a completely separate domain.

    Press Save to confirm.

  3. Before we move to the next step, take note of the Endpoint. We'll need this host name in our final step to configure Amazon CloudFront.
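The same bucket setup can be scripted with the AWS CLI. The following is an added example, not part of the original article: the function names are hypothetical, the host names are passed in by the caller, and `Protocol: https` is an assumption that pins the redirect to HTTPS (without it S3 reuses the protocol of the incoming request).

```shell
#!/bin/sh
# Added example: CLI form of the console steps above.

# Print the website configuration that makes the bucket answer every request
# with a redirect to TARGET_HOST. Protocol "https" is an assumption: it forces
# the Location header to an https:// URL instead of mirroring the request.
redirect_website_config() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*)   # refuse anything that is not a plain DNS name
            echo "invalid target host: $1" >&2
            return 1 ;;
    esac
    printf '{"RedirectAllRequestsTo":{"HostName":"%s","Protocol":"https"}}\n' "$1"
}

# Create the bucket named after the redirecting host and attach the redirect.
# Needs the AWS CLI and credentials; only runs when the script is called
# with "apply".
configure_redirect_bucket() {
    source_host=$1 target_host=$2
    config=$(redirect_website_config "$target_host") || return 1
    aws s3api create-bucket --bucket "$source_host" --region us-east-1 &&
    aws s3api put-bucket-website --bucket "$source_host" \
        --website-configuration "$config" &&
    aws s3api get-bucket-website --bucket "$source_host"
}

# Usage: sh redirect-bucket.sh apply SOURCE_HOST TARGET_HOST
if [ "${1:-}" = "apply" ]; then
    configure_redirect_bucket "$2" "$3"
fi
```

The final `get-bucket-website` call prints the stored configuration, so you can confirm the redirect target before putting CloudFront in front of the bucket.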

For the rest of the article the screenshot will use as the redirect source (instead of and as the target (instead of, as the other host names were just examples.

Installing the SSL certificate

As already mentioned, in order to redirect via HTTPS you need a valid SSL certificate for the redirecting host name. In this case, since I want to redirect, I need an SSL certificate for it.

Here are the steps to request a new SSL certificate with Amazon Certificate Manager:

  1. Go to the ACM page and make sure to switch to the US East (N. Virginia) region (us-east-1). In this case, the region is relevant: you won't be able to use the certificate in CloudFront if it was requested in a different region.

  2. Click Request a certificate and in the Domain name section list all the host names you want the certificate to cover. Note that you will have to validate ownership via email for each host name you enter. Keep the list short, and only add the host names you really need at this moment. You can always issue another certificate later.

    For static site redirects, I generally add only the source host name, in both www and non-www form. Just note that if you want to redirect to, it's sufficient to have only the first host in the certificate.

  3. Click Review and request to continue. Confirm and proceed to the validation.

  4. Read the information, and finalize the request.

  5. At the end of the request process you'll get back to the certificate list. You will find the new certificate, with a pending validation warning. This is expected, as you still need to validate the host names in order to issue the certificate.

  6. Monitor your inbox. You will receive a validation email like the following one for each host name you added into the certificate:

    Click on the links and follow the instructions.

  7. Once all the host names are validated, Amazon will issue the certificate. The state will change from pending validation to issued in the ACM console.

We are now ready to configure the HTTPS redirect in CloudFront.

Configuring the Amazon CloudFront HTTPS redirect

We have created a redirect via bucket, and we have an SSL certificate that covers the redirecting host name. The final step is to configure CloudFront with our HTTPS certificate.

  1. Go to the CloudFront page and create a new distribution:

  2. Select the Web distribution, as we want to use our Amazon AWS bucket as the distribution origin.

  3. Configure the distribution Origin Settings. Get the Amazon S3 endpoint you saved before:

    and use it as Origin Domain Name.

    Make sure to use the web site endpoint and NOT the REST endpoint, since the redirect feature is only available in the web site endpoint as explained in the Amazon documentation. Don't use the endpoint auto-suggested by CloudFront.

    Disable the SSLv3 protocol (as it's buggy and insecure) and leave the other options at their defaults, unless you have specific needs.

  4. Scroll down to the Distribution Settings to configure the SSL certificate.

    In the CNAME section add the origin host name, the one that will be redirecting. In our case, it's

    Select Custom SSL Certificate and, from the drop down, select the certificate you previously requested or imported in IAM. If the certificate is not there, go back and check that you followed all the instructions contained in this article. See common errors.

  5. Confirm and create the distribution. It will take up to 10-15 minutes for the distribution to be fully deployed.

Each distribution in CloudFront has a unique CloudFront Domain Name.

You can query that host name to check if the redirect was configured properly. Here's an example of a cURL request:

$ curl -I -H 'Host:'
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Connection: keep-alive
Date: Sun, 31 Jul 2016 10:38:54 GMT
Server: AmazonS3
X-Cache: Miss from cloudfront
Via: 1.1 (CloudFront)
X-Amz-Cf-Id: 8ZVGdzS-7aXJmsJ849TRuCIaEbp5K_UzSXaNdbFklPsV_UgNZwtz4Q==

Notice the explicit use of the Host: header. This is required as we haven't configured the redirecting host name to resolve to the new CloudFront distribution yet. Without it, CloudFront has no way to tell which host the request is for and may not match it to the distribution.

If the configuration is correct, the response of the cURL request should be similar to the one above. The Location header contains the target of the redirect, which is the domain originally configured in our Amazon S3 bucket redirect.

If the configuration of the SSL certificate is correct, the cURL request will also work with HTTPS:

➜  ~ curl -I -H 'Host:'
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Connection: keep-alive
Date: Sun, 31 Jul 2016 10:38:54 GMT
Server: AmazonS3
Age: 184
X-Cache: Hit from cloudfront
Via: 1.1 (CloudFront)
X-Amz-Cf-Id: r2UGlaEhEq3oO1KstW82VHs_E_kSbgfs3EVlSwXJ9oI6hSp8XS3Zyg==

Pointing the DNS record to CloudFront endpoint

The final step is to configure the DNS record for the redirecting host name. The host name must point to the CloudFront distribution domain name. That way when a user visits the domain, they are redirected to the target URL.

The specific steps depend on the DNS hosting you use. The following instructions assume you are using DNSimple.

There are two possible configurations:

Once configured, a simple dig lookup will tell you if the DNS record resolves correctly.

$ dig

; <<>> DiG 9.8.3-P1 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63501
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0

;			IN	A

;; ANSWER SECTION:		3599	IN	CNAME 59 IN	A 59 IN	A 59 IN	A 59 IN	A 59 IN	A 59 IN	A 59 IN	A 59 IN	A

As expected, a cURL request shows that the domain is successfully redirecting via HTTPS:

➜  ~ curl -I
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Connection: keep-alive
Date: Sun, 31 Jul 2016 10:38:54 GMT
Server: AmazonS3
Age: 3767
X-Cache: Hit from cloudfront
Via: 1.1 (CloudFront)
X-Amz-Cf-Id: bbhgTrFYqkjlwY22NcVIF0j8WpFQAHF-dA8jQXhYlEBtMnBwwK0peg==
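Reading the headers by eye is easy to get wrong, so the check can be scripted. The following is an added example, not part of the original article: `check_redirect` is a hypothetical helper, `example.com` is a placeholder target, and the sample response is constructed. It passes only when the response is a 301 whose Location is an `https://` URL on exactly the expected host.

```shell
#!/bin/sh
# Added example: validate the response headers of the redirecting host.
# example.com and www.example.com are placeholder host names.

# check_redirect EXPECTED_HOST  (response headers, as printed by curl -sI, on stdin)
# Succeeds only for a 301 whose Location is an https:// URL on EXPECTED_HOST.
check_redirect() {
    awk -v want="$1" '
        { sub(/\r$/, "") }                    # HTTP header lines end in CRLF
        NR == 1 { status = $2; next }         # "HTTP/1.1 301 Moved Permanently"
        {
            colon = index($0, ":")
            if (colon == 0) next
            name = tolower(substr($0, 1, colon - 1))
            value = substr($0, colon + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (name == "location") location = value
        }
        END {
            host = location
            sub(/^https:\/\//, "", host)      # drop the scheme
            sub(/[\/?#].*$/, "", host)        # drop path, query and fragment
            if (status != "301")
                msg = "status is " status ", expected 301"
            else if (location == "")
                msg = "no Location header"
            else if (location !~ /^https:\/\//)
                msg = "Location is not HTTPS: " location
            else if (tolower(host) != tolower(want))
                msg = "redirects to " host ", expected " want
            if (msg != "") { print "FAIL: " msg; exit 1 }
            print "OK: 301 -> " location
        }'
}

# Constructed sample response, modelled on the curl output above.
sample_response() {
    printf '%s\r\n' \
        'HTTP/1.1 301 Moved Permanently' \
        'Content-Length: 0' \
        'Location: https://example.com/' \
        'Server: AmazonS3' \
        'X-Cache: Hit from cloudfront' \
        ''
}

sample_response | check_redirect example.com
```

Against a live distribution, pipe the output of `curl -sI` for the redirecting host into `check_redirect` with the target host name as its argument. A Location value that carries an explicit port or user-info part is reported as a mismatch.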

Final considerations

Common Errors

Certificate errors

The certificate doesn't show up in the list:

The domain shows a certificate error:

Resolution errors

The redirecting domain doesn't resolve:

Redirect errors

The redirecting domain doesn't redirect:
