Cloudfront Origin Pull Configuration

Amazon CloudFront is one of the largest CDNs (content delivery networks) in use worldwide. It has its pros and cons, but those are beyond the scope of this article.

This post lists the important configuration points for getting optimum settings on Amazon CloudFront.

Enable both HTTP & HTTPS

These settings allow Amazon CloudFront to get data from the right origin server. By default it's set to HTTP only, so we need to change that, unless you're sure why you don't want to change it.

  1. Go to the CloudFront distribution
  2. Click Origins and Origin Groups
  3. Select your origin & click edit
  4. For Origin Protocol Policy, select Match viewer

Here is an example of why these settings matter: your origin server is set up with HTTPS, but the Origin Protocol Policy is set to HTTP only. The origin server will then answer CloudFront's HTTP request with a 301 redirect, and the file is loaded from the server itself and not from CloudFront.

Deliver GZIP compressed objects from CloudFront

As a content delivery network, CloudFront serves you better if it delivers static files such as your stylesheets and other minified files in gzip form.

This is not enabled by default. To enable it, follow these steps:

  1. Go to the CloudFront distribution
  2. Click Behaviors
  3. Select your origin & click edit
  4. For Compress Objects Automatically select Yes


Whenever you edit the CloudFront settings, save them, go back to the CloudFront Distributions screen, and wait for the Status of the distribution to change from In Progress to Deployed.

Safari error – SSL error has occurred

If you're getting this SSL error in Safari on macOS (or other):

Failed to load resource: An SSL error has occurred and a secure connection to the server cannot be made.

If this error is not occurring in all browsers, and you're sure that it's not due to your server's SSL settings, then try fixing it with these Amazon CloudFront settings:

  1. Go to the CloudFront distribution
  2. Click Edit
  3. For Supported HTTP Versions select HTTP/1.1, HTTP/1.0 (not the one with HTTP/2)
  4. Uncheck IPv6 (don't use IPv6)
  5. Save
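
Added example (not from the original post): a Python check that reads the JSON produced by `aws cloudfront get-distribution-config` and lists where a distribution differs from the Origin Protocol Policy, Compress Objects Automatically, Supported HTTP Versions and IPv6 choices made in the steps above. The sample document, its IDs and domain name are constructed.

```python
import json

# Constructed sample, shaped like the output of
# `aws cloudfront get-distribution-config --id <ID>` (all values are made up).
SAMPLE = json.loads("""
{"ETag": "EXAMPLEETAG",
 "DistributionConfig": {
  "HttpVersion": "http2",
  "IsIPV6Enabled": true,
  "Origins": {"Quantity": 1, "Items": [
    {"Id": "origin-example", "DomainName": "origin.example.com",
     "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}}]},
  "DefaultCacheBehavior": {"TargetOriginId": "origin-example", "Compress": false},
  "CacheBehaviors": {"Quantity": 1, "Items": [
    {"PathPattern": "/static/*", "TargetOriginId": "origin-example", "Compress": true}]}
 }}
""")

def audit(doc):
    """Return (console label, location, current value) for every setting
    that differs from what this article selects."""
    cfg = doc.get("DistributionConfig", doc)
    findings = []
    for origin in cfg.get("Origins", {}).get("Items") or []:
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue  # S3 origins carry no Origin Protocol Policy
        policy = custom.get("OriginProtocolPolicy")
        if policy != "match-viewer":
            findings.append(("Origin Protocol Policy", origin["Id"], policy))
    # Compression is set per cache behavior, so check the default and the rest.
    behaviors = [("default", cfg.get("DefaultCacheBehavior", {}))]
    behaviors += [(b["PathPattern"], b)
                  for b in cfg.get("CacheBehaviors", {}).get("Items") or []]
    for name, behavior in behaviors:
        if not behavior.get("Compress", False):
            findings.append(("Compress Objects Automatically", name, False))
    # These two only matter when applying the Safari workaround above.
    if cfg.get("HttpVersion") != "http1.1":
        findings.append(("Supported HTTP Versions", "distribution",
                         cfg.get("HttpVersion")))
    if cfg.get("IsIPV6Enabled"):
        findings.append(("IPv6", "distribution", True))
    return findings

if __name__ == "__main__":
    for label, where, value in audit(SAMPLE):
        print(f"{label} [{where}]: currently {value!r}")
```

With `match-viewer`, CloudFront still fetches from the origin over plain HTTP whenever the viewer connects over HTTP; the API value `https-only` is the one that keeps that hop on TLS for every request.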

AWS Access Key Id needs a subscription for the service

If you see this error in the W3 Total Cache CDN settings:

Error: Unable to create distribution for origin The AWS Access Key Id needs a subscription for the service

Or, when you try to create a CloudFront distribution inside the CloudFront section, you see:

com.amazonaws.AmazonServiceException: The AWS Access Key Id needs a subscription for the service (Service: AmazonCloudFront; Status Code: 403; Error Code: OptInRequired; Request ID: xxxxxxxxxxxxx)

This means that either your phone number or billing method is not verified. First verify them for your Amazon Web Services (AWS) account, then you will be able to create an Amazon CloudFront distribution.

You can complete the account signup and verification process by going to this link:
