Environment:
- CloudFront Functions JavaScript Runtime: cloudfront-js-2.0
- Feature used: createRequestOriginGroup() with originOverrides.hostHeader
- Origin setup: Primary = S3, Secondary = ALB (HTTP only, custom port, no TLS)
Background / Intent:
I have a CloudFront distribution with a default behavior (*) using an Origin Group:
- Primary origin: S3 bucket
- Secondary origin (failover): ALB → EC2 backend
The problem is with the Origin Request Policy:
- If I set it to All Viewers: S3 receives the CloudFront domain (e.g. dxxxxxxxx.cloudfront.net) as the Host header, which causes S3 to return 403, triggering failover to ALB on every request. Primary origin is effectively broken.
- If I set it to All Viewers Except Host: S3 works correctly. But now ALB receives its own domain (e.g. my-alb.us-east-2.elb.amazonaws.com) as the Host header instead of the CloudFront domain. My backend application requires the CloudFront domain as the Host header for routing logic.
So I tried using originOverrides.hostHeader in createRequestOriginGroup() to override the Host header sent to the ALB origin specifically, while keeping All Viewers Except Host as the Origin Request Policy so that S3 continues to work.
Problem:
Any use of originOverrides.hostHeader causes a 502 error immediately. This happens with any value I set for hostHeader — including the CloudFront domain, the ALB domain, or a completely unrelated domain like www.example.com.
Full 502 error:
502 ERROR
The request could not be satisfied.
The CloudFront function returned an invalid value for origin rewrite.
We can't connect to the server for this app or website at this time.
There might be too much traffic or a configuration error. Try again later,
or contact the app or website owner.
If you provide content to customers through CloudFront, you can find steps
to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
Generated by cloudfront (CloudFront)
Request ID: SpJcenq_Fo26gNnGxXn534p-3u6zAgiE_tGOuroJJN7sIvTTNSTnzw==
Minimal reproduction:
import cf from 'cloudfront';

async function handler(event) {
    cf.createRequestOriginGroup({
        "originIds": [
            { "originId": "my-s3-origin" },
            {
                "originId": "my-alb-origin",
                "originOverrides": {
                    "hostHeader": "dxxxxxxxx.cloudfront.net" // my CloudFront domain — but any value causes the same 502
                }
            }
        ],
        "failoverCriteria": {
            "statusCodes": [403, 404, 500, 502, 503]
        }
    });
    return event.request;
}
I've tried multiple values for hostHeader: my CloudFront domain, the ALB domain, and unrelated domains like www.example.com. All of them cause the same 502.
What I've confirmed:
- Removing originOverrides entirely → no 502, works fine
- Any hostHeader value → always 502
- ALB origin protocol is HTTP only — no TLS/certificate involved, so SSL mismatch is not the cause
- Both originId values exactly match the Origin names in the distribution
- Runtime is cloudfront-js-2.0
- createRequestOriginGroup() without originOverrides works fine
It appears that simply having originOverrides with hostHeader is enough to trigger the 502, regardless of the value.
Question:
Is originOverrides.hostHeader in createRequestOriginGroup() currently supported and working? If not, what is the recommended workaround to make the ALB backend receive a specific Host header (e.g. the CloudFront domain) while keeping All Viewers Except Host as the Origin Request Policy so that the S3 primary origin continues to function correctly?
Thanks in advance for any help or insight!
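An added example, not part of the original post: an offline harness that stands in for the `cloudfront` module so the origin-group config the handler hands to createRequestOriginGroup() can be captured and sanity-checked before deploying. The checks (known originId values, a well-formed hostHeader, 4xx/5xx failover codes) are assumptions drawn from the post, not CloudFront's documented validation rules, so a clean result here only rules out the function's own input, not the service-side "invalid value for origin rewrite" rejection.

```javascript
// Added example (not the original post's code). Stubs `import cf from 'cloudfront'`
// so the handler can run under plain Node and the config it builds can be inspected.
const KNOWN_ORIGIN_IDS = new Set(['my-s3-origin', 'my-alb-origin']); // origin names from the post
// RFC 1123-style hostname: labels of 1-63 chars, no leading/trailing hyphen, max 253 total.
const HOSTNAME_RE = /^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/;

// Stub for the runtime's `cf` object: records the last argument instead of rewriting the origin.
function makeStubCloudfront() {
  const stub = { lastOriginGroup: null };
  stub.createRequestOriginGroup = (cfg) => { stub.lastOriginGroup = cfg; };
  return stub;
}

// Same origin group as the post's handler, with the ALB Host override made optional.
function buildOriginGroup(hostHeader) {
  const alb = { originId: 'my-alb-origin' };
  if (hostHeader !== undefined) alb.originOverrides = { hostHeader };
  return {
    originIds: [{ originId: 'my-s3-origin' }, alb],
    failoverCriteria: { statusCodes: [403, 404, 500, 502, 503] },
  };
}

// Handler with the `cf` dependency injected so the stub above can replace the real module.
function handler(event, cf, hostHeader) {
  cf.createRequestOriginGroup(buildOriginGroup(hostHeader));
  return event.request;
}

// Returns a list of problems found in the config; an empty list means it passed these (assumed) checks.
function checkOriginGroup(cfg) {
  const problems = [];
  for (const o of cfg.originIds) {
    if (!KNOWN_ORIGIN_IDS.has(o.originId)) problems.push(`unknown originId: ${o.originId}`);
    const h = o.originOverrides && o.originOverrides.hostHeader;
    if (h !== undefined && !HOSTNAME_RE.test(h)) problems.push(`malformed hostHeader: ${h}`);
  }
  for (const s of cfg.failoverCriteria.statusCodes) {
    if (!Number.isInteger(s) || s < 400 || s > 599) problems.push(`status ${s} is not a 4xx/5xx code`);
  }
  return problems;
}

// Constructed viewer request, as the runtime would pass it in event.request.
const cfStub = makeStubCloudfront();
handler({ request: { method: 'GET', uri: '/index.html', headers: {} } }, cfStub, 'dxxxxxxxx.cloudfront.net');
console.log(checkOriginGroup(cfStub.lastOriginGroup)); // [] for the post's own config
```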