https://tech.ldas.jp/en/tags/terraform/Recent content in Terraform on Digital Archive Systems Tech BlogHugoenThu, 16 Apr 2026 22:30:00 +0900https://tech.ldas.jp/en/posts/cloudfront-waf-add-to-existing-origin/Thu, 16 Apr 2026 22:30:00 +0900https://tech.ldas.jp/en/posts/cloudfront-waf-add-to-existing-origin/<p>I migrated a set of production web services from a configuration where <strong>DNS pointed directly at the origin</strong> (Docker + Traefik on a VPS) to one where <strong>CloudFront + AWS WAF sit in front of the origin</strong>. This article summarises the patterns I used and the pitfalls I did not expect, in a general form.</p> <p>The goal is to help anyone migrating a similar setup avoid the same mistakes.</p> <h2 id="before">Before</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">Browser ──► DNS ──► Origin IP (reverse proxy: Traefik on VPS) </span></span><span class="line"><span class="cl"> ├── service-a (equivalent to cultural.jp) </span></span><span class="line"><span class="cl"> ├── service-b (equivalent to api.cultural.jp) </span></span><span class="line"><span class="cl"> └── service-c (equivalent to webcatplus.jp) </span></span></code></pre></div><ul> <li>Each service is a Docker container.</li> <li>Traefik routes by the Host header and terminates TLS with Let&rsquo;s Encrypt (HTTP-01).</li> <li>The CrowdSec bouncer plugin handles attack detection.</li> </ul> <h2 id="after">After</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">Browser ──► DNS ──► CloudFront ──► origin domain ──► Traefik </span></span><span class="line"><span class="cl"> │ (origin.example.com) </span></span><span class="line"><span class="cl"> └── WAF (OWASP / known bad inputs / IP reputation / rate limit) </span></span></code></pre></div><p>Three key points:</p>