
How to cache a CloudFront response sometimes with a specific header and sometimes without taking the headers into account?

I'm using API Gateway with a CloudFront distribution. I've set up a custom authorizer. The distribution is configured to forward the whitelisted header Authorization.

As an example, I've got 2 URLs:

  • http://domain.tld/me (the logged-in user's information)
  • http://domain.tld/products (the products collection)

The goal is to cache /products but not based on the Authorization header. On the other hand, I would like /me to be cached with the Authorization header (because I don't want user B to get cached information from user A). Both URLs are protected with the authorizer.

How can I do that?

If you need to authenticate a request based on the Authorization header before allowing them to see /products yet you don't want the object to be cached based on the Authorization header, then you can't use CloudFront with an API Gateway custom authorizer, because there is no way for CloudFront to pass a header through without caching on it -- such a configuration doesn't make sense, because CloudFront wouldn't know whether the request should be authorized at all.

One workaround is to use a Lambda@Edge Viewer Request trigger instead of a custom authorizer, to allow/disallow access to CloudFront on the /products path based on Authorization. If a Viewer Request trigger returns control to CloudFront (rather than emitting its own internally-generated response) then the cache is checked and the response served from the cache (hit) or fetched from the origin (miss). The header doesn't need to be whitelisted in order to be accessible to a viewer request trigger.

If the backend requires a generic authentication token for a path that doesn't vary based on user, then CloudFront can inject that using Custom Origin Headers.
