HTTP 502 status code (Bad Gateway)
An HTTP 502 status code (Bad Gateway) indicates that CloudFront wasn't able to serve the requested object because it couldn't connect to the origin server.
Topics
- SSL/TLS negotiation failure between CloudFront and a custom origin server
- Origin is not responding with supported ciphers/protocols
- SSL/TLS certificate on the origin is expired, invalid, self-signed, or the certificate chain is in the wrong order
- Origin is not responding on specified ports in origin settings
SSL/TLS negotiation failure between CloudFront and a custom origin server
If you use a custom origin and you configured CloudFront to require HTTPS between CloudFront and your origin, the problem might be mismatched domain names. The SSL/TLS certificate that is installed on your origin includes a domain name in the Common Name field and possibly several more in the Subject Alternative Names field. (CloudFront supports wildcard characters in certificate domain names.) One of the domain names in the certificate must match one or both of the following values:
- The value that you specified for Origin Domain Name for the applicable origin in your distribution.
- The value of the Host header, if you configured CloudFront to forward the Host header to your origin. For more information about forwarding the Host header to your origin, see Caching content based on request headers.
If the domain names don't match, the SSL/TLS handshake fails, and CloudFront returns an HTTP status code 502 (Bad Gateway) and sets the X-Cache header to Error from cloudfront.
To determine whether the domain names in the certificate match the Origin Domain Name in the distribution or the Host header, you can use an online SSL checker or OpenSSL. If the domain names don't match, you have two options:
- Get a new SSL/TLS certificate that includes the applicable domain names. If you use AWS Certificate Manager (ACM), see Requesting a public certificate in the AWS Certificate Manager User Guide to request a new certificate.
- Change the distribution configuration so CloudFront no longer tries to use SSL to connect with your origin. Note that this sends traffic between CloudFront and your origin in cleartext, so prefer fixing the certificate.
Online SSL checker
To find an SSL test tool, search the internet for "online ssl checker." Typically, you specify the name of your domain, and the tool returns a variety of information about your SSL/TLS certificate. Confirm that the certificate contains your domain name in the Common Name or Subject Alternative Names fields.
OpenSSL
To help troubleshoot HTTP 502 errors from CloudFront, you can use OpenSSL to try to make an SSL/TLS connection to your origin server. If OpenSSL is not able to make a connection, that can indicate a problem with your origin server's SSL/TLS configuration. If OpenSSL is able to make a connection, it returns information about the origin server's certificate, including the certificate's common name (Subject CN field) and subject alternative name (Subject Alternative Name field).
Use the following OpenSSL command to test the connection to your origin server (replace origin domain name with your origin server's domain name, such as example.com):
openssl s_client -connect origin domain name:443
If both of the following are true:
- Your origin server supports multiple domain names with multiple SSL/TLS certificates
- Your distribution is configured to forward the Host header to the origin
Then add the -servername option to the OpenSSL command, as in the following example (replace CNAME with the CNAME that's configured in your distribution). The -servername option sets the TLS Server Name Indication (SNI), which a multi-certificate origin uses to decide which certificate to present, so without it you may be inspecting a different certificate from the one CloudFront receives:
openssl s_client -connect origin domain name:443 -servername CNAME
Origin is not responding with supported ciphers/protocols
CloudFront connects to origin servers using a specific set of SSL/TLS protocols and ciphers. For a list of the ciphers and protocols that CloudFront supports, see Supported protocols and ciphers between CloudFront and the origin. If your origin does not offer one of these ciphers or protocols in the SSL/TLS handshake, CloudFront fails to connect. You can validate that your origin supports the ciphers and protocols by using an online tool such as SSL Labs, or by checking the protocol and cipher that the OpenSSL command above reports as negotiated.
SSL/TLS certificate on the origin is expired, invalid, self-signed, or the certificate chain is in the wrong order
If the origin server presents any of the following, CloudFront drops the TCP connection, returns HTTP status code 502 (Bad Gateway), and sets the X-Cache header to Error from cloudfront:
- An expired certificate
- An invalid certificate
- A self-signed certificate
- A certificate chain in the wrong order
Note
If the full chain of certificates, including the intermediate certificate, is not present, CloudFront drops the TCP connection.
For information about installing an SSL/TLS certificate on your custom origin server, see Requiring HTTPS for communication between CloudFront and your custom origin.
Origin is not responding on specified ports in origin settings
When you create an origin on your CloudFront distribution, you can set the ports that CloudFront uses to connect to the origin for HTTP and HTTPS traffic. By default, these are TCP 80 and 443. You have the option to modify these ports. If your origin is rejecting traffic on these ports for any reason, or if your backend server isn't listening on them, CloudFront fails to connect.
To troubleshoot these issues, check any firewalls and security groups in your infrastructure and validate that they are not blocking the CloudFront IP address ranges. For more information, see AWS IP address ranges in the Amazon Web Services General Reference. Additionally, verify that your web server is running on the origin and listening on the configured ports.
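The four checks on this page (a certificate name matching the Origin Domain Name or the forwarded Host header, the protocol and cipher the origin negotiates, a certificate that fails verification because it is expired, self-signed or missing an intermediate, and a port that does not answer at all) can be run from one script. The following is an added example using only the Python standard library; it is not part of the AWS documentation or of CloudFront. The hostnames, the SAMPLE_CERT dict and the placeholder origin.example.com are constructed, and the wildcard matching is a simplified version of the rules a TLS client applies (a wildcard is honoured only as the whole leftmost label and covers exactly one label).

```python
"""Probe a custom origin the way CloudFront will connect to it.

Added example for the troubleshooting steps above; it is not part of the
AWS documentation and uses only the Python standard library. Hostnames and
the SAMPLE_CERT below are constructed placeholders.
"""
import socket
import ssl


def cert_domain_names(cert):
    """CN plus DNS subjectAltNames from an ssl.SSLSocket.getpeercert() dict,
    in order and without duplicates."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value not in names:
            names.append(value)
    return names


def name_matches(pattern, hostname):
    """Simplified certificate name matching: case-insensitive, and a wildcard
    is honoured only as the whole leftmost label, covering exactly one label
    (*.example.com matches www.example.com, not example.com or a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    wanted = pattern.split(".")[1:]
    got = hostname.split(".")
    return len(got) == len(wanted) + 1 and got[1:] == wanted and got[0] != ""


def cert_covers(cert, origin_domain, host_header=None):
    """Which of the two values CloudFront may present does the certificate
    cover? 'host' is None when the Host header is not forwarded. The handshake
    succeeds when either one matches."""
    names = cert_domain_names(cert)
    origin_ok = any(name_matches(n, origin_domain) for n in names)
    host_ok = None
    if host_header:
        host_ok = any(name_matches(n, host_header) for n in names)
    return {"origin": origin_ok, "host": host_ok, "ok": origin_ok or bool(host_ok)}


def probe_origin(origin_domain, port=443, host_header=None, timeout=5.0):
    """Connect with TLS and report what the origin presents.

    SNI is the forwarded Host header when there is one, otherwise the origin
    domain name (the same choice the -servername advice above makes).
    Expired, self-signed and incomplete-chain certificates are still rejected
    (CERT_REQUIRED against the system trust store); hostname checking is
    turned off here so that a name mismatch comes back as data, not an error.
    """
    servername = host_header or origin_domain
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((origin_domain, port), timeout=timeout) as tcp:
            with ctx.wrap_socket(tcp, server_hostname=servername) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "protocol": tls.version(),  # compare with CloudFront's supported list
                    "cipher": tls.cipher()[0],
                    "names": cert_domain_names(cert),
                    "not_after": cert.get("notAfter"),
                    "matches": cert_covers(cert, origin_domain, host_header),
                }
    except ssl.SSLCertVerificationError as exc:
        # expired, self-signed, wrong order or missing intermediate: CloudFront drops the connection
        msg = getattr(exc, "verify_message", None) or str(exc)
        return {"ok": False, "reason": "certificate verification failed: " + msg}
    except ssl.SSLError as exc:
        # no common protocol or cipher, or the port is not speaking TLS at all
        return {"ok": False, "reason": "TLS handshake failed: %s" % exc}
    except OSError as exc:
        # refused, filtered by a firewall or security group, or nothing listening on the port
        return {"ok": False, "reason": "TCP connect failed: %s" % exc}


# Constructed getpeercert()-style dict: a certificate for origin.example.com with a wildcard SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "origin.example.com"),),),
    "subjectAltName": (("DNS", "origin.example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    # Offline: would a distribution that forwards Host: www.example.com be accepted?
    print(cert_covers(SAMPLE_CERT, "origin.example.com", "www.example.com"))
    # Live (replace with your origin domain name and, if forwarded, the CNAME viewers use):
    print(probe_origin("origin.example.com", host_header="www.example.com"))
```

Run probe_origin against the origin twice when the distribution forwards the Host header, once with host_header set to the CNAME and once without, and compare the names returned: a multi-certificate origin that presents different certificates for the two SNI values is the case the -servername option above exists for. A result with ok set to False and a reason starting with "certificate verification failed" corresponds to the expired, self-signed or wrong-order cases; "TCP connect failed" points at the firewall and port checks.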