Using CloudFront

Amazon CloudFront is a web service for content delivery. It integrates with other Amazon Web Services to give developers and businesses an easy way to distribute content to end users with low latency, high data transfer speeds, and no commitments.


For background information, please refer to the AWS CloudFront developer guide. You can use your own origin: an EC2 instance or S3 bucket is not needed for HTTP ABR streaming (but can also be used).

The tutorial for 'creating a download distribution' is straightforward and can be done from the AWS console, as described here.

Basically there are three steps:

  • Create a (download) distribution

  • Enter the origin name

  • Set cache behaviour

When this has been done, an entry similar to the following will appear in your CloudFront Management Console:


To use the distribution, all that is needed is to replace the URLs that reference the origin with URLs that reference CloudFront.


The following URL references the stream on the origin:

With CloudFront as (CDN) cache in front:

Please note that 'DOMAINNAME' in the above example is defined by AWS CloudFront when creating a distribution.


For more advanced topics not listed here, please refer to the AWS CloudFront documentation.

It is possible, for instance, to do the following:

Also, please check the pricing plans carefully so there are no surprises afterwards.

Using CloudFront with content in S3

When the (VOD) content is placed in S3 and authentication is required on S3 requests, care must be taken when CloudFront is used as the CDN.

Schematically the setup looks like the following:

viewers --> cloudfront --> ec2 --> s3

Typically, this is the setup described in Cloud Storage Proxy, using subrequests, with requests signed as described in Using S3 with Authentication.

CloudFront adds query parameters and/or headers to requests. Some of these do not work well with S3 and will break S3 authenticated access, because:

  • Signature= is reserved by S3 itself for v2 signatures

  • X-Amz-Cf-Id interacts with the S3 v4 (header) signatures

The following sections outline how to address these limitations in a CF/S3 setup.


The following Apache snippet uses a rewrite rule to drop the Signature= parameter from any upstream propagation:

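RewriteEngine on
# Match request lines whose query string starts with Signature= ([NC]: case-insensitive)
RewriteCond %{THE_REQUEST} \?Signature=(.*)\sHTTP [NC]
# Proxy the request path ([P]) and discard the whole query string ([QSD])
RewriteRule ^ %{REQUEST_URI} [P,QSD]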
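
The behaviour of the rule above on a few request lines, as an added example that is not part of the original documentation. The condition is modelled with Python's re module, the request lines are constructed, and strip_signature_only is a hypothetical alternative that removes only the Signature parameter wherever it appears.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# The RewriteCond pattern from the snippet above; [NC] maps to re.IGNORECASE.
COND = re.compile(r"\?Signature=(.*)\sHTTP", re.IGNORECASE)


def apply_rule(request_line):
    """Model the rule: return the URI that would be sent upstream.

    If the condition matches, [QSD] discards the whole query string;
    otherwise the request passes through with its query string intact.
    """
    _, uri, _ = request_line.split(" ", 2)
    if COND.search(request_line):
        return urlsplit(uri).path  # REQUEST_URI carries no query string
    return uri


def strip_signature_only(uri):
    """Hypothetical alternative: drop only Signature, in any position."""
    parts = urlsplit(uri)
    kept = [(k, v)
            for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() != "signature"]
    return urlunsplit(parts._replace(query=urlencode(kept)))


# Constructed request lines (not taken from real traffic).
SAMPLES = [
    "GET /video/test.ism/test.m3u8?Signature=abc123 HTTP/1.1",
    "GET /video/test.ism/test.m3u8?Signature=abc123&start=10 HTTP/1.1",
    "GET /video/test.ism/test.m3u8?Expires=1700000000&Signature=abc123 HTTP/1.1",
    "GET /video/test.ism/test.m3u8?signature=abc123 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        uri = line.split(" ")[1]
        print(uri)
        print("  rule  ->", apply_rule(line))
        print("  strip ->", strip_signature_only(uri))
```

The third sample does not match the condition because Signature= is not the first query parameter, so that request is passed upstream with the parameter still present; the second sample shows that a match also discards unrelated parameters such as start.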