# Both ports resolve to the same ECSPort: CloudFront only ever reaches the ECS
# cluster over one protocol, the one chosen by OriginProtocolPolicy below.
HTTPPort: !Ref ECSPort
HTTPSPort: !Ref ECSPort
# Governs the CloudFront-to-origin hop only, not the viewer's request.
# When IsLoadBalancerHTTPS is false this hop is plain HTTP, so whatever is
# forwarded to the origin crosses that hop unencrypted.
OriginProtocolPolicy: !If [IsLoadBalancerHTTPS, https-only, http-only]
# Both timeouts are given in seconds.
OriginKeepaliveTimeout: '60'
OriginReadTimeout: '60'
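# Protocols CloudFront may negotiate when it opens the HTTPS connection to the
# origin. SSLv3, TLSv1 and TLSv1.1 are deprecated and were removed from this
# list so the origin hop cannot be negotiated down to them; only TLSv1.2 stays.
# NOTE(review): assumes the origin (the load balancer referred to by
# IsLoadBalancerHTTPS) accepts TLS 1.2 - confirm before deploying.
OriginSSLProtocols:
  - TLSv1.2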
Enabled: true
HttpVersion: 'http2'
# The custom domain is added as an alias only when IncludeCustomDomain holds;
# otherwise the entry resolves to AWS::NoValue and is dropped.
Aliases:
  - !If [IncludeCustomDomain, !Ref DomainName, !Ref 'AWS::NoValue']
DefaultCacheBehavior:
  # Read and write methods alike are accepted and passed on to the origin.
  AllowedMethods: [GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE]
  Compress: true
  TargetOriginId: !Ref 'ECSALB'
  # Cache lifetimes, in seconds.
  DefaultTTL: 5
  MaxTTL: 30
  # Query strings, every cookie and the headers listed below are forwarded to
  # the origin. CloudFront also varies its cache on forwarded values, so
  # taking Authorization out of the list would let a cached response be
  # served to a different caller.
  ForwardedValues:
    QueryString: true
    Cookies:
      Forward: all
    Headers:
      - Authorization
      - Data-Partition-Id
      - Content-Type
      - Kind
      - Limit
      - Cursor
  # Viewers always end up on HTTPS, whatever protocol the origin uses.
  # NOTE(review): a first request sent over plain HTTP is redirected rather
  # than refused, so anything it carries (such as Authorization) has already
  # travelled in clear text; https-only refuses such requests instead.
  ViewerProtocolPolicy: redirect-to-https
- sni-only# sni-only is free; 'vip' is the only other option, which allows viewers without Server Name Indication (SNI) support by using dedicated IP addresses, but it costs $600/mo per SSL certificate
-Ref:AWS::NoValue
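# Lowest TLS version viewers may use on the custom domain. Raised from TLSv1,
# which still admitted the deprecated TLS 1.0 and 1.1, to the TLSv1.2_2021
# security policy. Viewers that cannot negotiate TLS 1.2 will no longer
# connect - check client requirements before rolling out.
MinimumProtocolVersion:
  Fn::If:
    - IncludeCustomDomain
    - TLSv1.2_2021
    # Left out without a custom domain: this setting is not used with the
    # default CloudFront certificate (which is always TLSv1).
    - Ref: AWS::NoValue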