
fix(router): remove originAccessControlConfig for HTTP origins to prevent 502 #6743

Open
turisanapo wants to merge 1 commit into anomalyco:dev from turisanapo:fix/router-http-origin-502
@turisanapo turisanapo commented Apr 15, 2026

Problem

router.route("/", "http://<alb-dns>") returns 502 "Failed to contact the origin" because CloudFront tries HTTPS:443 instead of HTTP:80.

Root cause

In setUrlOrigin, when override.protocol === "http", only customOriginConfig is deleted — the expectation being that cf.updateRequestOrigin inherits the placeholder origin's http-only config.

However:

  1. The remaining originAccessControlConfig: { enabled: false } prevents this inheritance
  2. Even deleting both properties still fails — cf.updateRequestOrigin does not reliably inherit customOriginConfig from the placeholder origin when the domainName changes dynamically

Fix

Explicitly set customOriginConfig to HTTP port 80 for HTTP origins, and remove the unused originAccessControlConfig:

  if (override.protocol === "http") {
-   delete origin.customOriginConfig;
+   origin.customOriginConfig = { port: 80, protocol: "http", sslProtocols: ["TLSv1.2"] };
+   delete origin.originAccessControlConfig;
  }
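
Review bot: `port: 80` on the added `customOriginConfig` line is hard-coded, so an HTTP origin URL that names a different port would still be contacted on 80; if `override` can carry a port, use it and fall back to 80. On the same line, `sslProtocols: ["TLSv1.2"]` has no effect while `protocol` is `"http"`. If it is only there to satisfy the config shape, say so in a short comment, and note that the CloudFront-to-origin hop is unencrypted on this branch.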

The override.originAccessControlConfig check below still allows OAC-enabled origins (protection: "oac") to re-add it explicitly, so existing behavior is preserved.

Validation

Tested by deploying a CloudFront Function that calls cf.updateRequestOrigin with explicit HTTP customOriginConfig — confirmed 200 responses through CloudFront to an HTTP-only ALB. Verified the cf module is completely frozen in CloudFront Functions runtime (writable: false, configurable: false), so runtime workarounds via injection are not possible.

Fixes #6742
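
The setup from the Validation note, as an added example that is not part of the PR or the project's code: a Node-runnable sketch in which `originParamsFor`, `makeCfStub`, `isLocked` and `routeTo` are hypothetical names, `cf` is a local stub for the `cloudfront` module, and the host name is a placeholder. It goes beyond the patch by also handling HTTPS origins and an explicit port.

```javascript
// Added example; runs under Node. All names here are hypothetical.

// Build the argument for cf.updateRequestOrigin from an origin URL.
function originParamsFor(originUrl) {
  const m = /^(https?):\/\/([^\/:?#]+)(?::(\d+))?/i.exec(originUrl);
  if (!m) throw new Error("unsupported origin URL: " + originUrl);
  const protocol = m[1].toLowerCase();
  const port = m[3] ? Number(m[3]) : protocol === "http" ? 80 : 443;
  return {
    domainName: m[2],
    // Always explicit: the page reports that inheriting the placeholder
    // origin's customOriginConfig is unreliable when domainName changes.
    customOriginConfig: { port: port, protocol: protocol, sslProtocols: ["TLSv1.2"] },
  };
}

// Stub standing in for the frozen `cloudfront` module; records each call.
function makeCfStub() {
  const calls = [];
  return Object.freeze({ calls, updateRequestOrigin(p) { calls.push(p); } });
}

// Mirrors the check in the Validation note: a member that is neither
// writable nor configurable cannot be replaced at runtime.
function isLocked(obj, name) {
  const d = Object.getOwnPropertyDescriptor(obj, name);
  return !!d && d.writable === false && d.configurable === false;
}

// Handler-shaped function: point the request at the given origin.
function routeTo(cf, request, originUrl) {
  cf.updateRequestOrigin(originParamsFor(originUrl));
  return request;
}

// Constructed sample input; the host name is a placeholder.
function demo() {
  const cf = makeCfStub();
  routeTo(cf, { uri: "/" }, "http://alb.example.internal");
  return cf.calls[0];
}
console.log(JSON.stringify(demo()));
```
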

@turisanapo
Author

This fix is insufficient — we validated that just deleting both customOriginConfig and originAccessControlConfig still results in 502. CloudFront doesn't reliably inherit customOriginConfig from the placeholder origin when the domain changes dynamically via cf.updateRequestOrigin.

The correct fix is to replace customOriginConfig with explicit HTTP settings:

  if (override.protocol === "http") {
-   delete origin.customOriginConfig;
+   origin.customOriginConfig = { port: 80, protocol: "http", sslProtocols: ["TLSv1.2"] };
+   delete origin.originAccessControlConfig;
  }
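
Review bot: `delete origin.originAccessControlConfig;` is only safe because the `override.originAccessControlConfig` check runs after this block, and that ordering is not visible in the hunk. Put a comment on the delete stating the dependency, and add a test for an origin with `override.originAccessControlConfig` set so a later reorder cannot silently drop OAC.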

See the updated analysis in #6742.

… prevent 502

When `override.protocol === "http"`, the CloudFront Function's `setUrlOrigin`
previously deleted `customOriginConfig` expecting `cf.updateRequestOrigin` to
inherit the placeholder origin's http-only settings. However, the remaining
`originAccessControlConfig: { enabled: false }` prevents this inheritance,
and simply deleting both properties also fails — CloudFront does not reliably
inherit `customOriginConfig` when dynamically switching origins.

The fix explicitly sets `customOriginConfig` to HTTP port 80 and removes the
unused `originAccessControlConfig`. The `override.originAccessControlConfig`
check below still allows OAC-enabled origins to re-add it when needed.

Fixes anomalyco#6742

Made-with: Cursor
@turisanapo turisanapo force-pushed the fix/router-http-origin-502 branch from 64eec9f to bd9e155 Compare April 15, 2026 12:33
Successfully merging this pull request may close these issues.

Router: router.route() with http:// URL origin returns 502 (Failed to contact the origin)
