bug: CloudFront "originProtocolPolicy" and "httpPort" are not being honored with ECS origins #12299

@ramireznoy

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I have localstack up and running and everything works fine, except when CloudFront attempts to hit ECS.

2025-02-22T17:50:58.935  INFO --- [et.reactor-9] localstack.request.http    : GET /api/hello => 400
2025-02-22T17:51:00.833  INFO --- [et.reactor-6] l.p.c.s.c.provider         : Forwarding CloudFront invocation: GET https://testing-alb-d727b91.elb.localhost.localstack.cloud/api/hello, Host header testing-alb-d727b91.elb.localhost.localstack.cloud
2025-02-22T17:51:00.876  INFO --- [t.reactor-12] localstack.request.http    : GET /api/hello => 400
2025-02-22T17:51:00.918 DEBUG --- [et.reactor-6] l.p.c.s.c.provider         : Response status code 400 for https://testing-alb-d727b91.elb.localhost.localstack.cloud/api/hello
                                                                                                               ^
                                                                                                               !

Note how it is forcing https despite having http-only policy, and ignoring the httpPort (I am using Pulumi):

...
    origins: [{
        domainName: albDnsName,
        originId: cloudfrontOriginId,
        customOriginConfig: {
            httpPort: 4566,
            httpsPort: 4566,
            originProtocolPolicy: "http-only",
            originSslProtocols: ["TLSv1.2"],
        },
        customHeaders: [{
            name: "Host",
            value: albDnsName,
        }],
    },{
...

This is what localstack responds when getting the Distribution:

...
                    {
                        "Id": "testing-alb-origin",
                        "DomainName": "testing-alb-d727b91.elb.localhost.localstack.cloud",
                        "OriginPath": "",
                        "CustomHeaders": {
                            "Quantity": 1,
                            "Items": [
                                {
                                    "HeaderName": "Host",
                                    "HeaderValue": "testing-alb-d727b91.elb.localhost.localstack.cloud"
                                }
                            ]
                        },
                        "CustomOriginConfig": {
                            "HTTPPort": 4566,                            <-------- This is not being honored 
                            "HTTPSPort": 4566,
                            "OriginProtocolPolicy": "http-only",         <-------- This is not being honored 
                            "OriginSslProtocols": {
                                "Quantity": 1,
                                "Items": [
                                    "TLSv1.2"
                                ]
                            },
                            "OriginReadTimeout": 30,
                            "OriginKeepaliveTimeout": 5
                        },
                        "ConnectionAttempts": 3,
                        "ConnectionTimeout": 10,
                        "OriginAccessControlId": ""
                    }
...

Note: I can force the port into the URL with albDnsName.apply(n => n + ':4566'), but I have no workaround for the protocol.

Expected Behavior

The ECS origin should be called using the CustomOriginConfig settings. HttpPort and OriginProtocolPolicy should be honored.

How are you starting LocalStack?

With the localstack script

Steps To Reproduce

How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)

localstack start

Client commands (e.g., AWS SDK code snippet, or sequence of "awslocal" commands)

curl https://6197f5d7.cloudfront.localhost.localstack.cloud/api/hello

Environment

- OS: MacOS 15.3.1 (24D70)
- LocalStack:
  LocalStack version: CLI 4.1.1
  LocalStack Docker image sha:
  LocalStack build date:
  LocalStack build git hash:

Anything else?

I am using Pulumi to deploy in localstack. All other deployed components are working well so far:

  • ALB is able to answer the api endpoints when called directly
  • RDS Database is up and running
  • A static website served from S3 through the very same CloudFront distribution is working as expected
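
A check for the mismatch reported above, as an added example that is not part of the original issue and is not LocalStack's code: it derives the scheme and port a custom origin should be contacted on from its CustomOriginConfig and compares them with the URL in a "Forwarding CloudFront invocation" log line. The function names are hypothetical; the origin and log line are trimmed copies of the ones quoted in the issue, and the policy-to-scheme mapping assumes CloudFront's documented meaning of `http-only`, `https-only` and `match-viewer`.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
FORWARD_RE = re.compile(r"Forwarding CloudFront invocation: \S+ (\S+),")

# Trimmed from the distribution output quoted in the issue.
ORIGIN = {
    "DomainName": "testing-alb-d727b91.elb.localhost.localstack.cloud",
    "CustomOriginConfig": {"HTTPPort": 4566, "HTTPSPort": 4566,
                           "OriginProtocolPolicy": "http-only"},
}
# Message part of the log line quoted in the issue.
LOG_LINE = ("Forwarding CloudFront invocation: GET "
            "https://testing-alb-d727b91.elb.localhost.localstack.cloud/api/hello, "
            "Host header testing-alb-d727b91.elb.localhost.localstack.cloud")


def expected_scheme_and_port(cfg, viewer_scheme="https"):
    """Scheme and port a custom origin should be contacted on, per CustomOriginConfig."""
    policy = cfg["OriginProtocolPolicy"]
    if policy == "match-viewer":
        scheme = viewer_scheme  # origin is called with whatever the viewer used
    elif policy in ("http-only", "https-only"):
        scheme = policy.split("-")[0]
    else:
        raise ValueError(f"unknown OriginProtocolPolicy: {policy!r}")
    return scheme, cfg["HTTPPort" if scheme == "http" else "HTTPSPort"]


def check_forwarded(log_line, origin, viewer_scheme="https"):
    """Mismatches between a forwarding log line and the origin config ([] = honored)."""
    m = FORWARD_RE.search(log_line)
    if m is None:
        return None  # not a forwarding log line
    url = urlsplit(m.group(1))
    scheme, port = expected_scheme_and_port(origin["CustomOriginConfig"], viewer_scheme)
    actual_port = url.port or DEFAULT_PORTS.get(url.scheme)  # no explicit port: default
    problems = []
    if url.scheme != scheme:
        problems.append(f"scheme {url.scheme!r}, expected {scheme!r}")
    if actual_port != port:
        problems.append(f"port {actual_port}, expected {port}")
    return problems


if __name__ == "__main__":
    print(check_forwarded(LOG_LINE, ORIGIN))
```
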
