Ghost behind AWS CloudFront



Ghost uses X-Forwarded-Proto header to determine what type of HTTP protocol client uses (http/https).
Amazon CloudFront can not pass this header but it can send to Ghost following header: cloudfront-forwarded-proto. This is a limitation of CloudFront.
Is there a way to set up Ghost to read this header (cloudfront-forwarded-proto) instead of standard X-Forwarded-Proto?

We use Ghost in production mode. When we specify blog’s URL with http:// scheme the blog works. If we use https:// scheme - many redirects happen, because Ghost can’t see cloudfront-forwarded-proto provided by AWS CloudFront.

Thanks a lot!


Within your CloudFront distribution’s Origin settings you have the option of adding “Origin Custom Headers”. You should be able to add the X-Forwarded-Proto header there with a fixed value of https.


I’ve tried to do like you said - but it does not work. No X-Forwarded-Proto headers presented in Ghost logs after this changes. Only cloudfront-forwarded-proto header is presented.

Is there any other solution on Ghost’s level?

Thanks for your reply, @Kevin.


Is there any other solution on Ghost’s level?


Hi, Here is my setting.

proxy_set_header X-Forwarded-Proto $http_cloudfront_forwarded_proto;

And you have to add CloudFront-Forwarded-Proto to header`s whitelist.

1 Like

No, this needs to be sorted out at your CDN/proxy level. Adding the “Origin Custom Headers” setting has definitely worked for others, I don’t know why it’s not working in your case, maybe you need to add it to a headers whitelist somewhere?

1 Like

Thanks, @t09tanaka!
This helped me to solve this problem using additional NginX service.
Anyway, I asked AWS support why they don’t support this header (X-Forwarded-Proto). They said that CloudFront sends this header when I declare it as a custom one on the “Behaviors” tab. But Ghost (on EC2) doesn’t saw this header, and Ghost’s logs don’t show this header. It means that there are some infrastructural problems on the AWS side.
To be continued…

closed #8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.