Retrofitting CloudFront + WAF onto an Existing Reverse-Proxy Origin: Practical Patterns
I migrated a set of production web services from a configuration where DNS pointed directly at the origin (Docker + Traefik on a VPS) to one where CloudFront + AWS WAF sit in front of the origin. This article summarises, in a general form, the patterns I used and the pitfalls I did not expect. The goal is to help anyone migrating a similar setup avoid the same mistakes.

Before

    Browser ──► DNS ──► Origin IP (reverse proxy: Traefik on VPS)
                         ├── service-a (equivalent to cultural.jp)
                         ├── service-b (equivalent to api.cultural.jp)
                         └── service-c (equivalent to webcatplus.jp)

Each service is a Docker container. Traefik routes by the Host header and terminates TLS with Let's Encrypt (HTTP-01). The CrowdSec bouncer plugin handles attack detection.

After

    Browser ──► DNS ──► CloudFront ──► origin domain ──► Traefik
                            │          (origin.example.com)
                            └── WAF (OWASP / known bad inputs / IP reputation / rate limit)

Three key points: ...
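The WAF box in the After diagram, written out as an added Terraform example (not the author's configuration): a CloudFront-scoped AWS WAFv2 web ACL carrying the four rule categories listed there, with one managed-group rule generated per entry in the order core rules, known bad inputs, IP reputation, followed by a rate-based rule. Assumptions: "OWASP" is taken to mean AWS's Core rule set (`AWSManagedRulesCommonRuleSet`), the ACL name, rule priorities and the 2000-requests-per-5-minutes limit are illustrative, and the resource must be created through a provider configured for us-east-1, where CLOUDFRONT-scoped ACLs live.

```hcl
resource "aws_wafv2_web_acl" "edge" {
  name  = "edge-acl"   # assumed name
  scope = "CLOUDFRONT" # create with a us-east-1 provider; CloudFront-scoped ACLs live there
  default_action {
    allow {}
  }
  dynamic "rule" {
    for_each = { for i, g in ["AWSManagedRulesCommonRuleSet", "AWSManagedRulesKnownBadInputsRuleSet", "AWSManagedRulesAmazonIpReputationList"] : g => i }
    content {
      name     = rule.key
      priority = rule.value + 1 # 1, 2, 3; the rate limit below is evaluated after them
      override_action {
        none {} # keep each group's own block actions (count {} would make it log-only)
      }
      statement {
        managed_rule_group_statement {
          name        = rule.key
          vendor_name = "AWS"
        }
      }
      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = rule.key
        sampled_requests_enabled   = true
      }
    }
  }
  rule {
    name     = "rate-limit"
    priority = 10
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit = 2000 # assumed: requests per source IP in the default 5-minute window (aggregate_key_type defaults to IP)
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "edge-acl"
    sampled_requests_enabled   = true
  }
}
```

Attach the ACL by setting `web_acl_id = aws_wafv2_web_acl.edge.arn` on the `aws_cloudfront_distribution`. Running the managed groups with `override_action { count {} }` for a while first shows in the sampled requests what they would have blocked on legitimate traffic before they are enforced.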