WordPress + CloudFront

It took a bit of wrangling, but I was able to get up and running with Amazon’s CloudFront today. It’s pretty sweet.

Why Bother?

My first goal was to enable TLS for this site. Let’s Encrypt is a great way to go, but there’s some setup involved, and there are costs despite them offering it for free.

CloudFront also supports HTTP/2, and is super fast and very configurable.

Requests Map

I’ve long loved not having www tacked on to the front of my URL. I get it’s the standard, it just still feels a bit goofy. With this CDN world, though, there’s not much way around it.

As it stands now, http://rlaskey.org serves WordPress. Requests for rlaskey.org, though, get sent along to https://www.rlaskey.org: www is now a CNAME for CloudFront, which is set up to get everything from http://origin.rlaskey.org. Requests for origin.rlaskey.org do not redirect.


To test all of this out, curl -I <URL> is your best friend. It is worth experimenting a lot to make sure everything is going to the right place before flipping any switches. Look for a Location header, which will tell you if you have redirects firing. Otherwise, requests can get cached by the browser fairly easily, so it’s a mess to figure out what’s actually active or not.

No Plugins: Just Config

I don’t particularly want to be editing my site through a CDN, so I connect to my instance directly, via a self-signed SSL certificate. With that, though, there are some tricks. Here’s where I landed, by editing my wp-config.php:

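// Port 443: a direct connection to the instance (self-signed certificate), used for admin.
if (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] === '443') {
    define('WP_HOME', 'https://rlaskey.org/words');
    define('WP_SITEURL', WP_HOME);
} else {
    // Plain-HTTP request, which is what CloudFront fetches from the origin:
    // tell WordPress it is on TLS so that generated links use https.
    $_SERVER['HTTPS'] = 'on';
    define('WP_HOME', 'https://www.rlaskey.org/words');
    define('WP_SITEURL', WP_HOME);
}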

The magic here is that regardless of your general home and site URL settings, when you’re in the admin interface over HTTPS, WordPress will always override those two settings.


The silly part in the above snippet is where I set $_SERVER['HTTPS'] to be on exactly when it’s off. That sadly was not a typo. Why do we need it? Well, try it out, before hooking up your CDN: despite having an https URL for the home and site URL, links will point to an http version instead when you’re in your origin, which is what the CDN will ingest. The net result is that your CSS and everything else will point to http versions of the world, which nobody wants. Tell WordPress that you’re on TLS, though, and the links will line up.

Tweak CloudFront Settings

With the above setup, and some patience, you can walk through the setup of CloudFront as their docs instruct. You can make your own SSL certificate in their Certificate Manager. You’ll also need to specify your domain in the Alternate Domain Names section, or you’ll get some weird failures.

Under Behaviors, you’ll need to allow POST, and make sure you enable forwarding of Query Strings. Infinite Scroll and Search will break otherwise, respectively.

At least until you are comfortable, bring the Max and Default TTLs way, way down. WordPress won’t send the cache control headers for PHP requests, meaning it will get the default, which starts off at 24 hours. You can invalidate everything, but that part is not free after a point.
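
The curl -I check from the Requests Map section, extended to also report Cache-Control so that responses falling back to the default TTL stand out. This is an added example, not part of the original post; the function names are hypothetical and the sample responses are constructed.

```shell
#!/bin/sh
# Added example: summarise one `curl -I` response per URL.
# summarize_headers reads raw response headers on stdin and prints
# "STATUS LOCATION CACHE-CONTROL", with "-" for a header that is absent.
summarize_headers() {
    awk '
        BEGIN { status = "-"; loc = "-"; cc = "-" }
        { sub(/\r$/, "") }                                   # strip CRLF line endings
        /^HTTP\// { status = $2; loc = "-"; cc = "-"; next } # new response: reset
        {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0; sub(/^[^:]*:[ \t]*/, "", value)
            if (name == "location") loc = value
            if (name == "cache-control") { gsub(/ /, "", value); cc = value }
        }
        END { print status, loc, cc }
    '
}

# Constructed sample responses (not captured from the real site).
sample_redirect()   { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.rlaskey.org/\r\n\r\n'; }
sample_origin_php() { printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n'; }
sample_cached()     { printf 'HTTP/2 200\r\ncache-control: max-age=300, public\r\n\r\n'; }

# Walk the request map one hop at a time (no -L), so every redirect is visible.
check_map() {
    for url in "$@"; do
        printf '%s -> ' "$url"
        curl -sI --max-time 10 "$url" | summarize_headers
    done
}

# With URLs as arguments, query them; with none, show the constructed samples.
if [ "$#" -gt 0 ]; then
    check_map "$@"
else
    for s in sample_redirect sample_origin_php sample_cached; do
        printf '%-18s ' "$s"; "$s" | summarize_headers
    done
fi
```

A 200 with "-" in the last column is a response with no Cache-Control header, which is the case that picks up the distribution's default TTL.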

Finally, your DNS will need to change, such that www or whatever you pick then heads to the CloudFront Domain Name.

Home Free

CloudFront can take a little while as you tweak everything. Saving the settings doesn’t mean it’ll instantly be there, so check General: Distribution Status. If you don’t see “Deployed”, keep waiting. DNS also is slower than dirt, generally, so any updates may take longer than you expect.

This path is also a complete one, in that PHP + everything else is going to be handled by the CDN. I personally like that, though it might not be for everyone. Unless you set headers for your PHP requests, your site updates will get delayed by up to whatever you have as the default TTL.

Feedback, PLS

Hopefully this all helps some people, though with that said I do understand that even all of this is far from complete. If anyone has questions, please do write in a comment; I’m happy to dig in a little deeper, or to write more about any particular aspect.
