CloudFront redirect to

Mark Baltzegar

30 May, 2018 02:38 PM


After reading the public support discussion around "Custom SSL Certificate" (13299), we've implemented a CloudFront distribution for

In most cases it works as expected, but when logging in (using SSO), the site is redirected to rather than staying at Is this something you've encountered before? We are forwarding cookies and query strings (see attached image).

The CNAME does not yet point to the CloudFront distribution.

To test it, one can add the following lines to their /etc/hosts file.

# AWS Cloudfront test

Also, here is example output of curl following the redirect.

Marks-Mac-Pro:~ msbaltz$ curl -L --head
HTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Tue, 29 May 2018 16:48:16 GMT
Content-Type: text/html
Content-Length: 183
Connection: keep-alive
X-Cache: Redirect from cloudfront
Via: 1.1 (CloudFront)
X-Amz-Cf-Id: asR6Z3XkLIo8Yk72OySJ9Bj2BThRVDuVFrMrwzVS9Bh7izrsJqlcgg==

HTTP/2 302
content-type: text/html; charset=utf-8
server: nginx/1.8.1
date: Tue, 29 May 2018 16:48:16 GMT
x-ua-compatible: IE=Edge,chrome=1
cache-control: no-cache
set-cookie: _tender19_session=BAh7CEkiD3Nlc3Npb25faWQGOgZFVEkiJTk2ZjM4YjNmZjFmMGUwMTk3ODEwODZhMzIwYzRjYWQ1BjsAVEkiDHVzZXJfaWQGOwBGaQM8EkBJIg9jcm9zc19zaXRlBjsARlQ%3D--38690830d0a30a91e30f13a0ccac3374dcc60110; path=/; HttpOnly; SameSite=Lax
set-cookie: sso_multipass=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; HttpOnly; SameSite=Lax
x-request-id: b6fda71e9b0340ed7edad47879d9edd0
x-runtime: 0.063093
x-rack-cache: miss
content-security-policy: default-src https: http: 'unsafe-inline' 'unsafe-eval'; connect-src 'self' wss://* *; img-src 'self' http: https: data:; report-uri
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: allowall
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block
x-cache: Miss from cloudfront
via: 1.1 (CloudFront)
x-amz-cf-id: D52cCZ1maEWuJn2DkmaRzdmAKNegc5-PlusJLV3MImadZ5dQ-aqvcA==

HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Tue, 29 May 2018 16:48:17 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-UA-Compatible: IE=Edge,chrome=1
ETag: "bb6263334bafe6e2fb06ec8cbbbc511a"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: anon_token=0b22f3ba5; path=/; expires=Wed, 29-May-2019 16:48:17 GMT; HttpOnly; SameSite=Lax
Set-Cookie: _tender19_session=BAh7B0kiD3Nlc3Npb25faWQGOgZFVEkiJWQxMzNmMDM1OTRmNDhjYThlMjE1YjM4OWE2YjM0Y2NmBjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiRWI0YjFmMDA5NjdjOTBkZjhjNDgyYTYzZWYyMTVlYWVjZWFmOTJiOWQ3ZTlmZTg5ZmQ2ODUzOTRhZTc1MWYzZWUGOwBG--fe6e5d8e298361ff6ea00aa4e710ce61d2c703e5; path=/; HttpOnly; SameSite=Lax
X-Request-Id: a4ab31f08acb61d34144fd20e6d19e5c
X-Runtime: 0.118958
X-Rack-Cache: miss
Content-Security-Policy: default-src https: http: 'unsafe-inline' 'unsafe-eval'; connect-src 'self' wss://* *; img-src 'self' http: https: data:; report-uri
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: allowall
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block

Thank you for your assistance!

Mark Baltzegar
[email blocked]
(812) 361-3815
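As an added diagnostic example (not part of the original post), the script below walks a curl -L --head transcript like the one above hop by hop and reports who answered each hop: CloudFront at the edge (X-Cache "Redirect from cloudfront") or the origin behind it (X-Cache "Miss from cloudfront", or an nginx Server header), together with the Location target and the names of any cookies set. That is the evidence that separates a CloudFront-issued redirect from an origin-issued one; the transcript embedded here is constructed, with placeholder hostnames and cookie values.

```python
import re

# Constructed, abbreviated transcript shaped like the curl -L --head output
# above; hostnames and cookie values are placeholders, not the real ones.
SAMPLE = """\
HTTP/1.1 301 Moved Permanently
Server: CloudFront
Location: https://help.example.invalid/
X-Cache: Redirect from cloudfront

HTTP/2 302
server: nginx/1.8.1
location: https://help.example.invalid/login
set-cookie: _tender19_session=abc; path=/; HttpOnly; SameSite=Lax
set-cookie: sso_multipass=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; HttpOnly
x-cache: Miss from cloudfront

HTTP/1.1 200 OK
Server: nginx/1.8.1
Set-Cookie: anon_token=0b22f3ba5; path=/; HttpOnly; SameSite=Lax
"""

STATUS_RE = re.compile(r"^HTTP/\S+\s+(\d{3})")

def parse_hops(transcript):
    # Each blank-line-separated block is one hop: (status, {header: [values]})
    hops = []
    for block in re.split(r"\n\s*\n", transcript.strip()):
        lines = block.splitlines()
        m = STATUS_RE.match(lines[0])
        if not m:
            continue  # stray text rather than a status line
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        hops.append((int(m.group(1)), headers))
    return hops

def classify(headers):
    # Who produced the response: CloudFront at the edge, or the origin behind it
    x_cache = headers.get("x-cache", [""])[0].lower()
    if x_cache.startswith("redirect from cloudfront"):
        return "cloudfront"  # redirect issued by the distribution itself
    server = headers.get("server", [""])[0].lower()
    return "origin" if x_cache.startswith("miss") or "nginx" in server else "unknown"

def describe(transcript):
    # One summary per hop: status, responder, Location target, cookie names set
    return [{"status": status, "from": classify(h),
             "location": h.get("location", [None])[0],
             "cookies": [c.split("=", 1)[0] for c in h.get("set-cookie", [])]}
            for status, h in parse_hops(transcript)]
```

Running describe() on a real transcript shows at a glance which hop set the session cookie and whether that hop was answered by the origin, which is exactly the observation made in the first reply below.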

  1. Posted by Mark Baltzegar on 31 May, 2018 02:09 PM

    Notice in the second hop that the tender cookie has been set. This feels like the redirect is occurring on the Tender end and is a consequence of the SSO.

    Please acknowledge.

  2. Posted by Courtenay (Support Staff) on 31 May, 2018 10:10 PM

    do you have a redirect string encoded in the SSO?

  3. Posted by Mark Baltzegar on 01 Jun, 2018 04:05 PM

    Hi Courtenay,

    Thank you for investigating this.

    I have confirmed that we are *not* including the "to" field as outlined here:

    Here are two examples of the information encoded in the SSO:

    {"email":"[email blocked]","expires":"Fri, 01 Jun 2018 11:54:37 -0400","name":"Marc Guyer","product":"Unit Test Product (UNIT_TEST)"}

    {"email":"[email blocked]","expires":"Tue, 22 May 2018 18:38:56 -0400","name":"Mark Baltzegar"}

    I have also confirmed that the issue only occurs when the sso query string is present.

  4. Posted by Courtenay (Support Staff) on 01 Jun, 2018 05:45 PM

    I've made some changes, try now! :)

  5. Posted by Mark Baltzegar on 01 Jun, 2018 06:25 PM

    Hi Courtenay,

    I saw a new alert message that the Multipass token was expired. However, I'm still having the issue.

    While logged in (with a fresh browser), clicking the "View Knowledge Base" button here still exhibits the issue:

  6. Posted by Courtenay (Support Staff) on 01 Jun, 2018 09:36 PM

    the issue before was that tender wasn’t set to allow your site to use custom/arbitrary ssl; which is just a flag i set on your site. this should have fixed the issue. do you know what hostname cloudflare is sending? and when it redirects, is it the same url as before? i added an extra url parameter for some redirects that has extra debugging info in it.

  7. Posted by Courtenay (Support Staff) on 02 Jun, 2018 05:30 AM

    I was able to look at some logs and reproduce - it looks like cloudfront isn't sending the right host header, compared to what we normally expect and receive.

    Tender is receiving as the hostname, which will always retain and override for the request. What you want to do is send as the hostname. I know there are a few possible headers and ways to do this.. i THINK the way to do it is outlined here - - by adding 'host' to the forwarded headers whitelist

  8. Posted by Mark Baltzegar on 04 Jun, 2018 03:40 PM

    It looks like the CloudFront interface has changed since that article. I tried adding a custom host, but was unsuccessful. I've attached a screenshot of the message from AWS and the relevant section from their documentation.

    Is there another custom header that Tender could read from for this purpose?

    Thanks again for your help!

  9. Posted by Courtenay (Support Staff) on 04 Jun, 2018 06:28 PM

    I THINK this is the solution, but I'm setting up my own cloudfront distribution right now to try and figure it out: "whitelist headers" in the cache section

    if this doesn't work, you might also try X-Forwarded-Host header

  10. Posted by Mark Baltzegar on 04 Jun, 2018 06:41 PM

    Awesome! Whitelisting the cache headers appears to have worked. We'll continue to test on our end.

    Thank you!!

  11. Posted by Courtenay (Support Staff) on 04 Jun, 2018 06:48 PM

    OK great, I'll stop smashing my head on this awful aws UI :) Let me know if there's anything else I can help with.

  12. Courtenay closed this discussion on 04 Jun, 2018 06:48 PM.
