Amazon CloudFront
Developer Guide (API Version 2016-09-29)

HTTP 502 Status Code (Bad Gateway)

An HTTP 502 status code (Bad Gateway) indicates that CloudFront wasn't able to serve the requested object because it couldn't connect to the origin server.


If you're a customer trying to access a website or application, and you've gotten this error, there's probably just unusually high traffic to the site. Please wait a little while, and then try accessing the site (or running the application) again. If you still get an error, please contact the website or application distributor directly for support.

Why is this error coming from CloudFront? CloudFront helps websites speed up delivery of content, like images or web pages, to customers by storing copies in servers located around the world. But when there's a lot of internet traffic to a website and the site can't keep up, an error is returned when anyone tries to access the site. When CloudFront can't access content that you've requested from a website, it passes on the error from the site or application that you're trying to use.

SSL/TLS Negotiation Failure Between CloudFront and a Custom Origin Server

If you use a custom origin and you configured CloudFront to require HTTPS between CloudFront and your origin, the problem might be mismatched domain names. The SSL/TLS certificate that is installed on your origin includes a domain name in the Common Name field and possibly several more in the Subject Alternative Names field. (CloudFront supports wildcard characters in certificate domain names.) One of the domain names in the certificate must match one or both of the following values:

  • The value that you specified for Origin Domain Name for the applicable origin in your distribution.

  • The value of the Host header if you configured CloudFront to forward the Host header to your origin. For more information about forwarding the Host header to your origin, see Caching Content Based on Request Headers.

If the domain names don't match, the SSL/TLS handshake fails, and CloudFront returns an HTTP status code 502 (Bad Gateway) and sets the X-Cache header to Error from cloudfront.

To determine whether domain names in the certificate match the Origin Domain Name in the distribution or the Host header, you can use an online SSL checker or OpenSSL. If the domain names don't match, you have two options:

  • Get a new SSL/TLS certificate that includes the applicable domain names.

    If you use AWS Certificate Manager (ACM), see Request a Certificate in the AWS Certificate Manager User Guide to request a new certificate.

  • Change the distribution configuration so CloudFront no longer tries to use SSL to connect with your origin. Be aware that requests between CloudFront and the origin then travel unencrypted, so prefer the first option for any origin that handles credentials or private content.

Online SSL Checker

To find an SSL test tool, search the internet for "online ssl checker." Typically, you specify the name of your domain, and the tool returns a variety of information about your SSL/TLS certificate. Confirm that the certificate contains your domain name in the Common Name or Subject Alternative Names field.


OpenSSL

To determine whether CloudFront is able to establish a connection with your origin, you can use OpenSSL to try to make an SSL/TLS connection to your origin and to verify that the certificate on your origin is correctly configured. If OpenSSL is able to make a connection, it returns information about the certificate on the origin server.

The command that you use depends on whether you use a client that supports SNI (Server Name Indication).

Client supports SNI

openssl s_client -connect domainname:443 -servername domainname

Client doesn't support SNI

openssl s_client -connect domainname:443

Replace domainname with the applicable value:

  • If you aren't forwarding the Host header to the origin – Replace domainname with your origin's domain name.

  • If you are forwarding the Host header to the origin – Replace domainname with the CNAME that you're using with your CloudFront distribution.

Origin Is Not Responding with Supported Ciphers/Protocols

CloudFront negotiates the SSL/TLS connection to your origin using a fixed set of protocols and ciphers. For the list that CloudFront supports, see Supported Ciphers and Protocols. If your origin does not offer at least one of those protocols and one of those ciphers during the SSL/TLS exchange, the handshake fails and CloudFront cannot connect. You can validate that your origin supports them by using SSL Labs:

  • SSL Labs

    Type the domain name of your origin in the Hostname field, and then choose Submit. Review the Common names and Alternative names fields from the test to see if they match your origin's domain name.

    After the test is finished, find the Protocols and Cipher Suites sections in the test results to see which ciphers or protocols are supported by your origin. Compare them with the list of Supported Ciphers and Protocols.


If you're using Elastic Load Balancing, see SSL Security Policies for Elastic Load Balancing in the Elastic Load Balancing User Guide to learn how to set the ciphers and protocols. The predefined security policy ELBSecurityPolicy-2016-08 gives CloudFront access to your load balancer. If you want to restrict it further with a custom policy, you must still allow the ciphers and protocols that CloudFront supports, or the handshake fails with the same 502.

SSL/TLS Certificate on the Origin Is Expired, Invalid, Self-signed, or the Certificate Chain Is in the Wrong Order

If the origin server presents any of the following during the SSL/TLS handshake, CloudFront drops the TCP connection, returns HTTP status code 502 (Bad Gateway), and sets the X-Cache header to Error from cloudfront:

  • An expired certificate

  • An invalid certificate

  • A self-signed certificate

  • A certificate chain in the wrong order


If the full chain of certificates, including any intermediate certificates, is not present, CloudFront drops the TCP connection. Note that openssl s_client still completes the handshake in these cases and reports the problem only as a non-zero Verify return code (for example, unable to get local issuer certificate when an intermediate is missing), so check that field rather than just whether the connection succeeded.

For information about installing an SSL/TLS certificate on your custom origin server, see Requiring HTTPS for Communication Between CloudFront and Your Custom Origin.

Origin Is Not Responding on Specified Ports in Origin Settings

When you create an origin on your CloudFront distribution, you can set the ports that CloudFront uses to connect to the origin for HTTP and HTTPS traffic. By default, these are TCP 80 and 443, and you have the option to change them. If your origin rejects traffic on these ports for any reason, or if your backend server isn't listening on them, CloudFront fails to connect.

To troubleshoot these issues, check any firewalls and security groups in your infrastructure and validate that they allow inbound connections from the CloudFront IP ranges on the configured origin ports. For more information, see AWS IP Address Ranges in the Amazon Web Services General Reference. Because those ranges change over time, update your allow list from the published list rather than hard-coding addresses. Additionally, verify that your web server is running on the origin and listening on the configured ports.
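The following script is an added example and is not part of the CloudFront documentation or any AWS tool. It performs the openssl s_client check from the OpenSSL section in one pass and maps the outcome onto the 502 causes described above: a TCP connection that is refused, filtered, or times out (closed port, firewall, or unresolvable name); a certificate that the trust store rejects (expired, self-signed, missing intermediate, chain in the wrong order); a handshake with no shared protocol or cipher; and a certificate whose Common Name and Subject Alternative Names cover neither the Origin Domain Name nor the forwarded Host header. The wildcard rule it applies (one leftmost label only) is the RFC 6125 rule and is an assumption about what CloudFront applies, not something this page states. The names in the usage line are placeholders. It uses only the Python standard library and the local trust store, so a certificate that your workstation trusts but CloudFront does not (for example, one issued by a private CA) still passes here.

```python
"""Added example: reproduce the CloudFront-to-origin TLS handshake and
report which 502 cause applies. Standard library only."""
import socket
import ssl
import sys


def cert_names(cert):
    """DNS names a certificate can match: the Subject Common Name plus every
    DNS entry in Subject Alternative Names. `cert` is the dict that
    SSLSocket.getpeercert() returns."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value)
    return names


def name_matches(pattern, hostname):
    """True if a certificate name covers hostname. A wildcard is accepted only
    as the entire leftmost label: *.example.com covers a.example.com but not
    example.com or a.b.example.com (RFC 6125 rule; assumed to be what
    CloudFront applies). Case-insensitive, trailing dot ignored."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        if hostname.endswith(suffix):
            label = hostname[: -len(suffix)]
            return bool(label) and "." not in label
    return False


def cert_covers(cert, hostname):
    return any(name_matches(name, hostname) for name in cert_names(cert))


def check_origin(origin_domain, host_header=None, port=443, use_sni=True,
                 timeout=10):
    """Connect the way CloudFront would and record, rather than raise, each
    failure mode listed on this page. host_header is the value CloudFront
    forwards in the Host header, if you forward it."""
    expected = [origin_domain] + ([host_header] if host_header else [])
    report = {"origin": origin_domain, "port": port, "expected_names": expected,
              "tcp_error": None, "cert_error": None, "tls_error": None,
              "protocol": None, "cipher": None, "cert_names": [],
              "name_mismatches": []}
    ctx = ssl.create_default_context()   # CERT_REQUIRED against the local trust store
    ctx.check_hostname = False           # name check is done below so it is reported
    try:
        sock = socket.create_connection((origin_domain, port), timeout=timeout)
    except OSError as exc:               # refused, filtered, timed out, or unresolvable
        report["tcp_error"] = str(exc)
        return report
    try:
        with ctx.wrap_socket(sock, server_hostname=origin_domain if use_sni else None) as tls:
            report["protocol"] = tls.version()
            report["cipher"] = tls.cipher()[0]
            cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:   # expired, self-signed, chain broken
        report["cert_error"] = exc.verify_message
        return report
    except ssl.SSLError as exc:                   # no common protocol/cipher, etc.
        report["tls_error"] = str(exc)
        return report
    report["cert_names"] = cert_names(cert)
    report["name_mismatches"] = [n for n in expected if not cert_covers(cert, n)]
    return report


def diagnose(report):
    """One line mapping the report onto the 502 causes above."""
    if report["tcp_error"]:
        return "origin not reachable on port %d (firewall, closed port, or DNS): %s" % (
            report["port"], report["tcp_error"])
    if report["cert_error"]:
        return "certificate rejected: %s" % report["cert_error"]
    if report["tls_error"]:
        return "handshake failed, check origin ciphers/protocols: %s" % report["tls_error"]
    if report["name_mismatches"]:
        return "certificate names %s do not cover %s" % (
            report["cert_names"], ", ".join(report["name_mismatches"]))
    return "OK: %s with %s, certificate covers %s" % (
        report["protocol"], report["cipher"], ", ".join(report["expected_names"]))


if __name__ == "__main__":
    # usage: python3 check_origin.py origin.example.com [forwarded-host.example.com]
    # (placeholder names; call check_origin(..., use_sni=False) for the no-SNI variant)
    host = sys.argv[2] if len(sys.argv) > 2 else None
    print(diagnose(check_origin(sys.argv[1], host)))
```

Run it once with only the Origin Domain Name and once more with the CNAME you forward in the Host header; both must come back OK, because CloudFront checks the certificate against whichever name it uses for the connection.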

CloudFront Was Not Able to Resolve Your Origin Domain Due to DNS Issues

When CloudFront receives a request for an object that is expired or is not stored in its cache, it makes a request to the origin to get the updated object. To make a successful request to the origin, CloudFront performs a DNS resolution on the origin domain name. However, when the DNS service that hosts your domain is experiencing issues, CloudFront cannot resolve the domain name to get the IP address, resulting in a 502 error. To fix this issue, contact your DNS provider, or, if you are using Amazon Route 53, see Amazon Route 53 DNS.

To further troubleshoot this issue, ensure that the authoritative name servers of your origin's root domain or zone apex (such as are functioning correctly. Your authoritative name servers then receive the request and return the IP address that is associated with the domain, and are the same as the DNS servers that you used to set up your CloudFront distribution. Use the following commands to find the name servers for your apex origin:

dig OriginAPEXDomainName NS +short

nslookup -query=NS OriginAPEXDomainName

When you have the names of your name servers, use the following commands to query the domain name of your origin against them to make sure that each responds with an answer:

dig OriginDomainName @NameServerFromAbove

nslookup OriginDomainName NameServerFromAbove
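As an added example that is not part of the CloudFront documentation, the script below automates the two commands above: it finds the NS records of the apex with dig +short, queries the origin name against each name server individually, and reports any server that returns no answer or that disagrees with the others, which is easy to miss when running the commands by hand. It shells out to dig, so bind-utils or dnsutils must be installed; the apex and origin names in the usage line are placeholders.

```python
"""Added example: query every authoritative name server of the origin's
apex, as the dig commands above do, and flag silent or inconsistent ones."""
import shutil
import subprocess
import sys


def parse_short(text):
    """Parse `dig +short` output: one record per line, names end with a dot.
    Lines beginning with ';' are dig's own messages, such as
    ';; connection timed out; no servers could be reached'."""
    return [line.strip().rstrip(".") for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith(";")]


def dig_short(name, rrtype="A", server=None, timeout=3):
    """Run dig +short for name/rrtype, optionally against one server (@server).
    An empty list means no usable answer (NXDOMAIN, SERVFAIL, timeout)."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found; install bind-utils or dnsutils")
    cmd = ["dig", "+short", "+tries=1", "+time=%d" % timeout]
    if server:
        cmd.append("@" + server)
    cmd += [name, rrtype]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_short(proc.stdout)


def check_origin_dns(origin_domain, apex):
    """Return (name_servers, {name_server: answers}) for origin_domain,
    asking each authoritative server of apex directly instead of a resolver."""
    name_servers = dig_short(apex, "NS")
    answers = {ns: dig_short(origin_domain, "A", server=ns) for ns in name_servers}
    return name_servers, answers


def assess(name_servers, answers):
    """Turn the per-server answers into a list of problems plus the consensus
    answer. Any problem means a resolver can fail or get a stale answer
    depending on which server it happens to ask."""
    problems = []
    if not name_servers:
        problems.append("no NS records for the apex: delegation is broken")
    for ns in name_servers:
        if not answers.get(ns):
            problems.append("%s returned no answer" % ns)
    distinct = {tuple(sorted(a)) for a in answers.values() if a}
    if len(distinct) > 1:
        detail = "; ".join("%s=%s" % (ns, ",".join(a))
                           for ns, a in sorted(answers.items()) if a)
        problems.append("name servers disagree: " + detail)
    consensus = list(distinct.pop()) if len(distinct) == 1 else []
    return problems, consensus


if __name__ == "__main__":
    # usage: python3 check_origin_dns.py origin.example.com example.com  (placeholders)
    servers, answers = check_origin_dns(sys.argv[1], sys.argv[2])
    problems, consensus = assess(servers, answers)
    for problem in problems:
        print("PROBLEM:", problem)
    print("consensus answer:", consensus or "none")
```

If the origin name is a CNAME, dig +short lists the CNAME target ahead of the addresses; the consistency check still works because it compares whole answer sets per server.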

Lambda Function Associated with Your Distribution Includes Execution Errors

When a Lambda@Edge function has execution errors, CloudFront may return an HTTP 502 error.

To troubleshoot this issue, examine the CloudFront access logs and the function's CloudWatch Logs to look for errors returned by your Lambda function. Lambda@Edge writes its logs in the AWS Region that handled the viewer's request, not necessarily the Region where you created the function, so make sure you look at the log groups in the Region where the function executed. For more information, see CloudWatch Metrics and CloudWatch Logs for Lambda Functions.