- \n
- A Lightsail Linux instance running Apache<\/li>\n\n\n\n
- The main site is mostly PHP pages plus CSS\/JS\/images<\/li>\n\n\n\n
- The blog lives at
antpace.com\/blog<\/code> (WordPress)<\/li>\n\n\n\n- DNS already in Route 53<\/li>\n\n\n\n
- HTTPS already working on the instance using Certbot<\/li>\n<\/ul>\n\n\n\n
The mental model<\/h3>\n\n\n\n
CloudFront is the front door. Lightsail becomes the origin behind it.<\/p>\n\n\n\n
That means two separate HTTPS concerns:<\/p>\n\n\n\n
- \n
- Visitors hitting
antpace.com<\/code> need a certificate attached to CloudFront (ACM)<\/li>\n\n\n\n- CloudFront talking to the origin also needs HTTPS on an origin hostname<\/li>\n<\/ul>\n\n\n\n
Setting up the origin hostname<\/h3>\n\n\n\n
CloudFront won\u2019t accept an IP address as an origin. It needs a domain name. So the first move was creating:<\/p>\n\n\n\n
- \n
backdoor.antpace.com<\/code> \u2192 Lightsail static IP (Route 53 A record)<\/li>\n<\/ul>\n\n\n\nThen I made sure the origin worked over HTTPS using the same mechanism I already had on the instance.<\/p>\n\n\n\n
To confirm what I was actually using:<\/p>\n\n\n\n
sudo certbot certificates\nsudo sed -n '1,200p' \/etc\/letsencrypt\/renewal\/antpace.com.conf\n<\/code><\/pre>\n\n\n\nThat confirmed Certbot and showed the exact webroot path being used for renewals.<\/p>\n\n\n\n
- \n
- Route 53 record for
backdoor.antpace.com<\/code><\/li>\n\n\n\ncertbot certificates<\/code> output<\/li>\n<\/ul>\n\n\n\nGetting the CloudFront certificate (ACM)<\/h3>\n\n\n\n
CloudFront requires an ACM certificate in
us-east-1<\/code>, even if your origin is in a different region.<\/p>\n\n\n\nSo I requested a cert in ACM for:<\/p>\n\n\n\n
- \n
antpace.com<\/code><\/li>\n\n\n\nwww.antpace.com<\/code><\/li>\n<\/ul>\n\n\n\nThen validated it through Route 53.<\/p>\n\n\n\n
- \n
- ACM certificate request page showing the domains and DNS validation records<\/li>\n<\/ul>\n\n\n\n
Creating the distribution and choosing policies<\/h3>\n\n\n\n
This is where the setup becomes worth it, but it\u2019s also where you need to treat the main site and WordPress differently.<\/p>\n\n\n\n
My main site is basically \u201cstatic-ish\u201d content, but
\/blog<\/code> is WordPress. So I split behaviors and used different policies.<\/p>\n\n\n\nDefault behavior (
*<\/code>) for the main site<\/h4>\n\n\n\n- \n
- Viewer protocol policy: Redirect HTTP to HTTPS<\/li>\n\n\n\n
- Allowed methods: GET, HEAD<\/li>\n\n\n\n
- Cache policy:
CachingOptimized<\/code> (managed)<\/li>\n<\/ul>\n\n\n\nI verified caching was working with:<\/p>\n\n\n\n
curl -I https:\/\/antpace.com | egrep -i 'x-cache|age|via'\ncurl -I https:\/\/antpace.com | egrep -i 'x-cache|age|via'\n<\/code><\/pre>\n\n\n\nFirst request was a Miss, second request was a Hit with an
age<\/code> header.<\/p>\n\n\n\n- \n
- CloudFront distribution details page<\/li>\n\n\n\n
- Behaviors tab showing Default (*)<\/li>\n<\/ul>\n\n\n\n
Blog behaviors for WordPress (
\/blog\/*<\/code>)<\/h4>\n\n\n\nI kept WordPress safe by disabling caching on the blog paths and forwarding what WordPress needs.<\/p>\n\n\n\n
Behaviors I added:<\/p>\n\n\n\n
- \n
\/blog\/wp-admin\/*<\/code><\/li>\n\n\n\n\/blog\/wp-login.php<\/code><\/li>\n\n\n\n\/blog\/*<\/code><\/li>\n<\/ul>\n\n\n\nI know the above is redundant, but in the future I may allow some cacheing on the blog post pages, but always keep the other two routes disabled.<\/p>\n\n\n\n
For all three:<\/p>\n\n\n\n
- \n
- Viewer protocol policy: Redirect HTTP to HTTPS<\/li>\n\n\n\n
- Allowed methods: All<\/li>\n\n\n\n
- Cache policy:
CachingDisabled<\/code><\/li>\n\n\n\n- Origin request policy:
AllViewer<\/code><\/li>\n<\/ul>\n\n\n\nThis is the \u201cdon\u2019t get fancy yet\u201d setup. It keeps logins\/admin sane and avoids CloudFront caching anything dynamic.<\/p>\n\n\n\n
Behaviors list showing the
\/blog\/*<\/code> paths and policies<\/p>\n\n\n\nBot defense at the edge<\/h3>\n\n\n\n
One of the underrated reasons to do this is that CloudFront gives you an edge layer for basic bot defense. Even on the free plan, you can enable rate limiting\/monitoring so random traffic is handled earlier, instead of everything slamming your Apache box directly.<\/p>\n\n\n\n
I turned on the recommended rate limiting settings (it starts in monitor mode), then I can tighten it later if I need to.<\/p>\n\n\n\n
- \n
- Security \/ rate limiting settings screen<\/li>\n<\/ul>\n\n\n\n
The redirect loop issue (and why it happened)<\/h3>\n\n\n\n
After switching DNS, browsers started throwing \u201ctoo many redirects.\u201d<\/p>\n\n\n\n
The fastest way to see what was happening:<\/p>\n\n\n\n
curl -IL https:\/\/www.antpace.com | head -n 40\n<\/code><\/pre>\n\n\n\nIt was an endless chain of 301s. The cause was not CloudFront. It was my origin.<\/p>\n\n\n\n
I had unconditional Apache redirects living in two configs:<\/p>\n\n\n\n
- \n
\/opt\/bitnami\/apache\/conf\/bitnami\/bitnami.conf<\/code><\/li>\n\n\n\n\/opt\/bitnami\/apache\/conf\/bitnami\/bitnami-ssl.conf<\/code><\/li>\n<\/ul>\n\n\n\nAnd the line was:<\/p>\n\n\n\n
Redirect permanent \/ https:\/\/www.antpace.com\/\n<\/code><\/pre>\n\n\n\nThat redirect is too blunt once CloudFront is in front. CloudFront can cache the redirect and then you\u2019ve got a fast global redirect loop.<\/p>\n\n\n\n
This command found it immediately:<\/p>\n\n\n\n
sudo grep -R --line-number -E \"RewriteEngine|RewriteCond|RewriteRule|Redirect\" \\\n\/opt\/bitnami\/apache\/conf\/bitnami \/opt\/bitnami\/apache\/conf\/vhosts 2>\/dev\/null\n<\/code><\/pre>\n\n\n\nFix was removing those redirects from both files.<\/p>\n\n\n\n
- \n
- grep output showing the redirect line in both files<\/li>\n\n\n\n
- browser redirect error page<\/li>\n<\/ul>\n\n\n\n
Canonical redirect at the edge (CloudFront Function)<\/h3>\n\n\n\n
I still wanted apex \u2192 www, but I didn\u2019t want Apache doing it anymore.<\/p>\n\n\n\n
So I created a CloudFront Function and attached it to the Default behavior on Viewer request:<\/p>\n\n\n\n
function handler(event) {\n var request = event.request;\n var host = request.headers.host.value;\n\n if (host === 'antpace.com') {\n var qs = request.querystring;\n var loc = 'https:\/\/www.antpace.com' + request.uri + (qs && qs.length ? ('?' + qs) : '');\n return {\n statusCode: 301,\n statusDescription: 'Moved Permanently',\n headers: {\n location: { value: loc }\n }\n };\n }\n\n return request;\n}\n<\/code><\/pre>\n\n\n\nThis makes the redirect logic obvious and centralized, and it keeps the origin hostname out of the equation.<\/p>\n\n\n\n
- \n
- CloudFront Function code + association on the behavior<\/li>\n<\/ul>\n\n\n\n
Invalidate CloudFront cache on deploy (GitHub Actions)<\/h3>\n\n\n\n
My deploy process is GitHub Actions. It SSHes into Lightsail and runs my deploy script. With caching enabled, I wanted updates to show up immediately after a push.<\/p>\n\n\n\n
So I added a CloudFront invalidation step after deploy:<\/p>\n\n\n\n
- name: Configure AWS credentials (OIDC)\n uses: aws-actions\/configure-aws-credentials@v4\n with:\n role-to-assume: ${{ secrets.AWS_ROLE_ARN }}\n aws-region: us-east-1\n\n- name: Invalidate CloudFront\n run: |\n aws cloudfront create-invalidation \\\n --distribution-id \"${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }}\" \\\n --paths \"\/*\"\n<\/code><\/pre>\n\n\n\nThat\u2019s the simple version. I can narrow it later, but
\/*<\/code> makes \u201cdeploy means live\u201d true.<\/p>\n\n\n\n- \n
- GitHub Actions run showing the invalidation step<\/li>\n\n\n\n
- CloudFront invalidations tab<\/li>\n<\/ul>\n\n\n\n
What I got out of this<\/h3>\n\n\n\n
- \n
- Faster global delivery of the main site via edge caching<\/li>\n\n\n\n
- Less load on Lightsail<\/li>\n\n\n\n
- WordPress stays safe because
\/blog\/*<\/code> is not cached and forwards the right stuff<\/li>\n\n\n\n- Better options for bot defense at the edge<\/li>\n\n\n\n
- Canonical redirects handled at CloudFront instead of server config files<\/li>\n\n\n\n
- Automated deploy invalidation so changes show up right away<\/li>\n<\/ul>\n\n\n\n
If you\u2019re doing this on a mixed site (static-ish pages plus WordPress), the split behaviors are the whole thing. Treating everything the same is how you end up caching logins or debugging redirects at 2am.<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.antpace.com\/blog\/wp-content\/uploads\/2026\/02\/Screen-Shot-2026-02-14-at-11.52.14-AM-1024x465.png\")
<\/figure>\n\n\n\n
When I went to save this post in WordPress, it kept failing with the classic editor error: \u201cUpdating failed. The response is not a valid JSON response.\u201d At first it looked like a WordPress problem, but the actual response coming back was a CloudFront-generated 403 \u201cRequest blocked\u201d HTML page, which meant the request never made it to WordPress at all. The weird part was it only happened with certain content. Normal edits saved fine, but as soon as I pasted in code-heavy sections (Apache config blocks, rewrite rules, YAML, JS), CloudFront\u2019s built-in WAF protections flagged the request body as suspicious and blocked it. The fix was simple once we knew what was happening: I enabled WAF \u201cmonitor mode\u201d on the CloudFront distribution so it would log potential blocks instead of enforcing them, and after the change finished deploying across CloudFront, saves started working again. I kept rate limiting on for bot defense, but left the common-threat protection in monitor mode until I eventually switch to a full WAF Web ACL where I can add exceptions for WordPress editor endpoints.<\/p>\n\n\n\nOne extra thing I did on the WordPress side was add a tiny mu-plugin as a guardrail. I like mu-plugins for infrastructure-style fixes because they always load and they cannot be accidentally disabled in the admin UI. I did not put anything \u201cin wp-admin\u201d because the block editor issue is really about REST requests and editor endpoints, and WordPress updates can overwrite admin code anyway. Also, I don’t track that file in version control.The mu-plugin lives in
wp-content\/mu-plugins\/<\/code> and keeps the behavior consistent no matter what theme or normal plugins are doing.<\/p>\n","protected":false},"excerpt":{"rendered":"I put CloudFront in front of my Lightsail site for a few reasons: faster load times globally, less load on my instance, and better options for defending against bot traffic at the edge. I also wanted a setup where Lightsail is just the origin and CloudFront is the public front door, which makes future changes … <\/p>\n
- CloudFront Function code + association on the behavior<\/li>\n<\/ul>\n\n\n\n
- Origin request policy:
- Route 53 record for
- CloudFront talking to the origin also needs HTTPS on an origin hostname<\/li>\n<\/ul>\n\n\n\n