When AWS CloudFront Breaks WordPress

A while ago I moved this blog to an AWS EC2 instance and, to try and reduce load on the instance, put the blog behind Amazon CloudFront, since CloudFront makes a decent front-side cache and has a free tier.

All seemed well until one day I went to update an old blog post, and upon saving the post was met with this response:

Updating failed. The response is not a valid JSON response.

Uhhh… what?

So I did some digging, and I immediately saw HTTP 403 (Forbidden) errors in my web browser’s console from an endpoint called autosaves. I then checked my webserver logs, but saw no sign of the URL there, nor any errors. Turns out that CloudFront was blocking the request, but why?

Even stranger was when I tried doing a simple post to the autosaves endpoint, I had no issues. But if I went into the Network tab in Chrome, clicked Copy as cURL command on the offending request in question, and ran that on the command line, I was able to reproduce the issue. So CloudFront was only blocking some requests… but why?

It turns out that, by default, the web ACLs that CloudFront installs on new distributions will prevent you from making a POST or PUT request where the body is larger than 8 K. Reasonable for most websites, but sadly not WordPress.

I’ll show you how to fix that.

The Fix

From the CloudFront dashboard, click on your Distribution, click on the “Security” tab, click on the arrow next to “Manage protections”, and finally click on “Manage Rules”:

Yeah, FOUR things to click on there. But we are nowhere near done yet. 💀

Now, there’s a sidebar on the right called “Manage rules”. Click on the middle rule labelled AWS-AWSManagedRulesCommonRuleSet. Nope, we can’t yet edit the rule, we are instead told we need to go over to the WAF console, and are given a link to click on. So click on that link:

Now that you’re in the web ACLs for your CloudFront Distribution, click “Manage rules”:

We’re almost there. Now that you’re managing rules, click AWS-AWSManagedRulesCommonRuleSet but for real this time:

You finally made it. You will have a list of individual rules in this ruleset. You will want to scroll down until you find the rule labelled SizeRestrictions_BODY and change the dropdown to Count. Then scroll to the bottom of the page and click “Save”.

That’s it, you’re done!
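The same change expressed as data for the WAFv2 API, as an added example that is not from the original post: it sets SizeRestrictions_BODY to Count, and goes one step further than the console steps by adding a rule that still blocks oversized bodies on every path outside the WordPress REST API. The /wp-json/ prefix, the guard rule's name and the sample rule list are assumptions made for the example.

```python
import copy

GROUP = "AWSManagedRulesCommonRuleSet"
RULE = "SizeRestrictions_BODY"
# Label AWS documents for this rule; it is still attached when the rule only counts.
LABEL = "awswaf:managed:aws:core-rule-set:SizeRestrictions_Body"
GUARD = "BlockLargeBodyOutsideWpApi"  # hypothetical name for the added rule

# Constructed sample: the "Rules" list of a web ACL as wafv2 get_web_acl returns it.
SAMPLE_RULES = [{
    "Name": "AWS-AWSManagedRulesCommonRuleSet", "Priority": 1,
    "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": GROUP}},
    "OverrideAction": {"None": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": True,
                         "CloudWatchMetricsEnabled": True, "MetricName": "crs"},
}]


def relax_body_size_rule(rules, allow_prefix="/wp-json/"):
    """Return a new Rules list: the size rule counts, the guard rule re-blocks
    oversized bodies everywhere except under allow_prefix (assumed REST path)."""
    rules = [r for r in copy.deepcopy(rules) if r["Name"] != GUARD]
    stmt = next((r["Statement"]["ManagedRuleGroupStatement"] for r in rules
                 if r["Statement"].get("ManagedRuleGroupStatement", {}).get("Name") == GROUP),
                None)
    if stmt is None:
        raise ValueError(f"{GROUP} is not attached to this web ACL")
    # Idempotent: drop any earlier override for this rule before adding Count.
    kept = [o for o in stmt.get("RuleActionOverrides", []) if o["Name"] != RULE]
    stmt["RuleActionOverrides"] = kept + [{"Name": RULE, "ActionToUse": {"Count": {}}}]
    under_prefix = {"ByteMatchStatement": {
        "SearchString": allow_prefix.encode(), "FieldToMatch": {"UriPath": {}},
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        "PositionalConstraint": "STARTS_WITH"}}
    rules.append({
        "Name": GUARD,
        # Must run after the managed group, or the label is not set yet.
        "Priority": max(r["Priority"] for r in rules) + 1,
        "Statement": {"AndStatement": {"Statements": [
            {"LabelMatchStatement": {"Scope": "LABEL", "Key": LABEL}},
            {"NotStatement": {"Statement": under_prefix}}]}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": GUARD}})
    return rules


if __name__ == "__main__":
    print(relax_body_size_rule(SAMPLE_RULES))
```

The returned list is what you would pass as Rules to boto3's wafv2 update_web_acl, with Scope set to CLOUDFRONT and the LockToken from get_web_acl.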

I wrote this blog post because I spent around 2 hours today troubleshooting this particular issue. And if I can save anyone else from having to go through what I did, great!