Introduction
AWS CloudFront returns 502 Bad Gateway when the edge location cannot get a valid response from the configured origin. The failure may come from TLS mismatch, DNS or network reachability, host header problems, or an origin server that closes the connection or returns an invalid response. The key is to determine whether CloudFront is failing before the request reaches the application or because the application responds in a way CloudFront cannot use.
Symptoms
- Viewers receive 502 Bad Gateway from CloudFront while the origin may still appear reachable directly.
- The problem affects one distribution behavior, one path, or one origin more than others.
- Requests start failing after changing the origin domain name, certificate, or cache behavior.
- CloudFront access logs show 502 while origin logs show little or no matching traffic.
- Direct requests to the load balancer, S3 website endpoint, or custom origin behave differently from the CloudFront URL.
Common Causes
- The origin certificate does not match the hostname CloudFront uses for TLS validation.
- CloudFront is connecting with the wrong host header for the backend server or load balancer.
- The origin only supports TLS versions or ciphers that do not match the CloudFront origin policy.
- The origin returns malformed headers, invalid chunked responses, or closes the connection unexpectedly.
- Firewall, security group, or origin allowlist rules do not allow CloudFront to reach the backend.
- The configured origin domain points to the wrong endpoint or a stale DNS target.
Step-by-Step Fix
- Confirm whether the 502 is generated by CloudFront and note the exact path, host, and time of failure from viewer requests or access logs.
- Check the configured origin domain name, protocol policy, and host header behavior in the distribution. Make sure CloudFront is targeting the intended backend endpoint.
- Validate the origin certificate and TLS configuration. The certificate presented by the origin must match the hostname CloudFront uses when connecting.
- Test the origin directly with curl using HTTPS and, if needed, the same Host header CloudFront forwards. This helps expose host-based routing or certificate mismatches quickly.
- Review origin logs and load balancer logs to see whether requests from CloudFront arrive at all. If they do not, focus on DNS, network path, firewall rules, or origin availability.
- If requests do reach the origin, inspect response headers and upstream behavior for malformed responses, connection resets, oversized headers, or application crashes.
- Verify that the origin supports the expected TLS version and does not require a client behavior CloudFront will not provide.
- If the origin is behind an ALB, Nginx, Apache, or another proxy, confirm the backend virtual host and listener configuration accept the hostname and path coming from CloudFront.
- After correcting the TLS, host header, or origin response issue, invalidate the affected paths if needed and re-test through the CloudFront distribution.
- Finish by comparing CloudFront results and origin logs again so you can confirm the viewer request now reaches the backend and returns a valid response end to end.
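The steps above can be scripted. The following shell helpers are an added example written for this guide, not AWS tooling or code from the original page: one function counts 502s per path and edge result type from CloudFront standard access log lines (constructed here, truncated to the first 16 tab-separated fields), one probes the origin over HTTPS with the Host header CloudFront would send and reports the HTTP status plus curl's certificate verification result, and one prints the certificate's subject alternative names so they can be compared with the origin domain name in the distribution. The hostnames, paths and log values are hypothetical.

```shell
#!/bin/sh
# Added example for CloudFront 502 triage. All hostnames, paths and log
# lines below are constructed; adjust them to the distribution being debugged.

# Build one constructed CloudFront standard access log line, truncated to the
# first 16 tab-separated fields:
#   date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem
#   sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie)
#   x-edge-result-type x-edge-request-id x-host-header
log_line() { # $1 uri-stem, $2 sc-status, $3 x-edge-result-type, $4 request id
  printf '2024-05-01\t12:00:00\tIAD89-C1\t512\t203.0.113.10\tGET\td111example.cloudfront.net\t%s\t%s\t-\tcurl/8.0\t-\t-\t%s\treq-%s\td111example.cloudfront.net\n' \
    "$1" "$2" "$3" "$4"
}

# Constructed sample: three 502s concentrated on /api/*, static content fine.
SAMPLE_LOG="$(
  log_line /api/users 502 Error 1
  log_line /api/users 502 Error 2
  log_line /static/app.js 200 Hit 3
  log_line /api/orders 502 Error 4
  log_line /api/users 200 Miss 5
)"

# Count how many log lines carry a given sc-status (field 9).
count_status() { # $1 log text, $2 status code
  printf '%s\n' "$1" | awk -F'\t' -v s="$2" '$9 == s { c++ } END { print c + 0 }'
}

# Group 502s by cs-uri-stem (field 8) and x-edge-result-type (field 14),
# highest count first, so the failing path or behavior stands out.
summarize_502s() { # $1 log text
  printf '%s\n' "$1" \
    | awk -F'\t' '$9 == 502 { n[$8 "\t" $14]++ } END { for (k in n) print n[k] "\t" k }' \
    | sort -rn
}

# Probe the origin the way CloudFront does: TLS to the origin domain name,
# with the Host header CloudFront forwards. Prints "<http_code> <ssl_verify_result>";
# a non-zero ssl_verify_result means curl rejected the origin certificate.
probe_origin() { # $1 origin domain name, $2 Host header value, $3 path
  curl -sS -o /dev/null --max-time 10 \
    -H "Host: $2" \
    -w '%{http_code} %{ssl_verify_result}\n' \
    "https://$1$3"
}

# Show the subject alternative names the origin presents for a given SNI name,
# to compare against the origin domain name configured in the distribution.
origin_cert_sans() { # $1 origin domain name
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName
}

# Offline part: summarize the constructed log.
echo "502 responses: $(count_status "$SAMPLE_LOG" 502)"
summarize_502s "$SAMPLE_LOG"

# Network part only runs when an origin, Host header and path are given, e.g.
#   sh cf502.sh origin-alb.example.com app.example.com /api/users
if [ "$#" -ge 3 ]; then
  probe_origin "$1" "$2" "$3"
  origin_cert_sans "$1"
fi
```

Run the probe against the origin domain name from the distribution, not the CloudFront hostname, and compare the status and verification result with what a request through CloudFront returns; a 200 from the probe next to a 502 from CloudFront points at the Host header or TLS settings in the origin configuration, while a failed probe points at the origin itself.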