Amazon CloudFront is a secure and programmable content delivery network. Some of the security features of CloudFront include field-level encryption and protection against network and application layer DDoS attacks.

Request Custom SSL Certificate

Part of your Cloudfront distribution setup includes applying a custom SSL certificate. Because this may take anywhere from a few minutes to several hours to complete, we recommend requesting the custom SSL certificate before starting the process of creating a new distribution.

If you don’t already have an AWS account, you can create one here. Once you’ve logged in to your AWS account, search for “certificate manager” using the search box in the menu bar, and click on Certificate Manager under Services.

Click on Certificate Manager under Services in your CloudFront account.
Click on Certificate Manager under Services in your CloudFront account.

In Certificate Manager, click the Request a certificate button.

Click the Request a certificate button in AWS Certificate Manager.
Click the Request a certificate button in AWS Certificate Manager.

On the next page, select Request a public certificate and click the Request a certificate button.

Select Request a public certificate and click the Request a certificate button
Select Request a public certificate and click the Request a certificate button

Add Domain Names

In the Request a certificate form, add your custom domain (your site’s primary domain at Kinsta) to the domain name list (if you’re adding a root domain, be sure to add both the non-www and www domain or add the wildcard domain like *.example.com), and click Next.

Add your custom domain to the SSL certificate request in AWS Certificate Manager.
Add your custom domain to the SSL certificate request in AWS Certificate Manager.

Domain Validation

On the next screen, you’ll choose either email or DNS validation for your SSL certificate. Choose the option that works best for you.

If your domain registration doesn’t have privacy protection that hides your contact information from WHOIS lookups, or if email sent to the proxy email address is forwarded to your real email address, you can use the email validation method to validate your certificate request.

If you’re unable to receive emails at the email address shown in WHOIS lookups, you’ll need to use the DNS validation method.

Email Validation

Select Email validation and click the Next button to initiate the email validation.

Initiate email validation for AWS SSL certificate.
Initiate email validation for AWS SSL certificate.

You’ll receive up to 8 emails for each domain you added to the certificate, and you’ll need to act on at least one email for each domain to complete the validation.

DNS Validation

To use this method, select the DNS validation method and click the Next button.

Acm-dns-validation-selected
Amazon Certificate Manager DNS validation for SSL certificate.

On the Add tags page, feel free to add some optional tags if necessary, and click Review to proceed to the next step.

Review SSL certificate request.
Review SSL certificate request.

On the Review page, click the Confirm and request button to proceed to the validation step.

Confirm SSL certificate request.
Confirm SSL certificate request.

On the next page, click the arrow icon next to your custom domain name to view the CNAME details for validation. You’ll need to create a CNAME record for your custom domain with these details.

CNAME record details for domain validation.
CNAME record details for domain validation.

To add this new CNAME record, log into where you manage your domain’s DNS. For this example, we’ll show you how to add the CNAME record in Kinsta DNS. If you have a different DNS provider (could be your registrar or another DNS host, depending on where you’ve pointed your domain’s nameservers), the steps may be a little different.

  1. Click on Kinsta DNS in the left sidebar navigation in MyKinsta.
  2. Click the Manage link for the domain you want to add a DNS record to.
  3. Click the Add a DNS record button.
  4. Click the CNAME tab and add the Hostname (everything before your custom domain in the Name field from CloudFront) and Points to (Value from CloudFront). Click the Add DNS record button to save your new CNAME record.

Note: Depending on your DNS record’s TTL setting, it may take anywhere from a few minutes to hours for the DNS record to propagate.

Add a CNAME record for AWS SSL validation.
Add a CNAME record for AWS SSL validation.

Go back to the CloudFront validation page and click Continue.

Continue DNS validation.
Continue DNS validation.

Once the CNAME record propagates and has been validated, the SSL certificate status will change from Pending to Issued.

SSL certificate issued in Amazon Certificate Manager.
SSL certificate issued in Amazon Certificate Manager.

Your new SSL certificate is ready to be used with your new CloudFront distribution, and you can begin setting that up now.

Configure and Deploy CloudFront Zone

The next step is to configure and deploy a CloudFront zone. In your AWS account, search for “CloudFront” using the search box in the menu bar, and click on CloudFront under Services.

Select CloudFront under Services in AWS.
Select CloudFront under Services in AWS.

Next, click Create a CloudFront distribution.

Create a CloudFront distribution.
Create a CloudFront distribution.

You can configure the details for a new CloudFront zone on the Create Distribution page. We recommend the configuration below for maximum compatibility with Kinsta’s Cloudflare integration.

Origin

Recommended Origin settings:

  • Origin Domain: Your site’s kinsta.cloud domain (in our example here: myawewsomesite.kinsta.cloud). CloudFront does not accept an IP address as the origin, so you must use your site’s kinsta.cloud domain in this field.
    The following 3 fields appear once you enter your origin domain:
    • Protocol: HTTPS only
    • HTTPS Port: 443
    • Minimum Origin SSL Protocol: TLSv1
  • Origin path: Leave this blank.
  • Name (optional): You can enter a custom name for the origin here, but it isn’t required.
  • Enable Origin Shield: No.
Recommended Origin settings for CloudFront distribution.
Recommended Origin settings for CloudFront distribution.

Default Cache Behavior

While configuring the cache behavior settings, you’ll need to create two CloudFront policies: cache policy and request policy, which we’ve outlined for you below.

Recommended settings for the Default Cache Behavior section:

  • Path Pattern: Default.
  • Compress Objects Automatically: Yes.
  • Viewer Protocol Policy: Redirect HTTP to HTTPS.
  • Allowed HTTP Methods: GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE.
  • Restrict Viewer Access: No.
  • Cache key and origin requests: Cache policy and origin request policy.
    • Cache Policy: Select your new custom cache policy (see steps to create below).
    • Origin request policy: Select your new custom origin request policy (see steps to create below).
Recommended cache behavior settings for CloudFront distribution.
Recommended cache behavior settings for CloudFront distribution.

How To Create a CloudFront Cache Policy

In the Cache policy section, click on Create policy. This will launch the cache policy creation page in a new tab in your browser.

Create a cache policy in CloudFront.
Create a cache policy in CloudFront.

In the Details section, specify a name (e.g. KinstaCachePolicy) for the cache policy.

In the TTL Settings section, use the following settings:

  • Minimum TTL: 0
  • Maximum TTL: 31536000
  • Default TTL: 86400

In the Cache key settings section, use the following settings:

  • Headers: None
  • Query Strings: All
  • Cookies: All

In the Compression support section, check Gzip and Brotli, then press the Create button.

Recommended cache policy settings in CloudFront.
Recommended cache policy settings in CloudFront.

Close this browser tab and return to the tab where you’re creating your new CloudFront distribution.

Click the refresh button next to the Cache policy dropdown and select your new custom cache policy in the dropdown.

Select your custom cache policy.
Select your custom cache policy.

How To Create a CloudFront Origin Request Policy

In the Origin request policy section, click on Create policy. This will launch the Create origin request policy page in a new tab in your browser.

Create an Origin request policy in CloudFront.
Create an Origin request policy in CloudFront.

In the Details section, specify a name (e.g. KinstaOriginPolicy) for the origin request policy.

In the Origin request settings section, select the following:

  • Headers: All viewer headers
  • Query Strings: All
  • Cookies: All

Click the Create button to finalize the request policy.

CloudFront Origin request policy settings.
CloudFront Origin request policy settings.

Close this browser tab and return to the tab where you’re creating your new CloudFront distribution.

Click the refresh button next to the Origin request policy dropdown and select your new custom origin request policy in the dropdown.

Select your custom origin request policy in the Origin request policy dropdown.
Select your custom origin request policy in the Origin request policy dropdown.

Function Associations

We recommend not setting any Function Associations. These let you assign AWS Lambda serverless functions to different triggers within the request lifecycle (e.g. viewer request, viewer response, origin request, etc.).

While it’s possible to use function associations alongside Kinsta CDN, there may be some scenarios where a Lambda function can conflict with Kinsta CDN. If you’d like to use custom Lambda functions on your site, we recommend working with a developer to troubleshoot issues if they come up.

Settings

Recommended configuration for the Settings section:

  • Price Class: Select the CloudFront regions you’d like to use with your site.
  • AWS WAF Web ACL: If you need to create an ACL with custom firewall rules, we recommend working with an AWS expert to avoid conflicts with Kinsta CDN.
  • Alternate Domain Name: Click Add item and specify the custom domain (your site’s primary domain at Kinsta).
  • Custom SSL Certificate: Select the custom SSL certificate you created at the beginning of this tutorial.
    You’ll see a few additional options after selecting the custom SSL certificate:
    • Legacy clients support: Leave this unchecked/disabled.
    • Security Policy: TLSv1.2_2021
  • Supported HTTP Versions: HTTP/2
  • Standard logging: Off
  • IPv6: On
Save distribution settings to create your new CloudFront zone.
Save distribution settings to create your new CloudFront zone.

Click the Create distribution button to finish creating your new CloudFront zone.

Troubleshooting Common CloudFront Issues

502 Errors

If you see 502 errors on your site after creating your CloudFront distribution, double-check the Origin Domain in your Origin Settings. This needs to be your site’s kinsta.cloud domain, not your live domain.

Changes Aren’t Showing up on Your Site

Setting your site up to use CloudFront creates an additional layer of caching that will need to be cleared anytime you need to clear the cache. If you’re having trouble seeing changes on your site or a plugin isn’t behaving as expected after installing or reinstalling, be sure you clear cache at all layers, including:

  1. Plugins (if applicable)
  2. Themes (if applicable)
  3. Site/server cache at Kinsta (from either MyKinsta or the Kinsta MU plugin)
  4. Cache at CloudFront (Do this by invalidating objects. Using /* for the object path to invalidate will clear all cache.)
  5. Browser cache

IP Address Blocked by False Positive

If you have DDoS mitigation or bot detection enabled at CloudFront and you or a site visitor are being incorrectly blocked from viewing your site, this may be due to a false positive. If this happens, you’ll need to work with both AWS support and Kinsta Support to pinpoint where the block is occurring.

HTTP-HTTPS Redirect Loops

If any HTTP to HTTPS redirect loops occur, make sure the Protocol is set to HTTPS Only in your CloudFront Origin settings for your domain.

IP Geolocation Redirects Not Working Properly

Page Cache, which is enabled by default at CloudFront, may interfere with any IP Geolocation redirections you set at Kinsta. If this occurs, you’ll need to disable caching at CloudFront or configure your cache policy to only cache the files that aren’t specific to a location. If you run into issues setting that up, we recommend working with a developer to configure your custom cache policy.

Unable To Log In to the WordPress Dashboard

Login won’t work without POST support. Other functionality on the website may also be affected. Make sure the Allowed HTTP methods under Default cache behavior are set to: GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE.

Advanced Settings and Compatibility

Restrict Viewer Access With Signed URLs and Signed Cookies

Some options, such as Restricting access to files on custom origins, may not work because Cloudflare will always cache static requests.