cdn token
November 22, 2016
Restrict access only to the CDN (CloudFront)
To handle requests only from the CDN, you can have the CDN add a custom header carrying a token and check on your backend (nginx/haproxy) that it matches; otherwise return a 401.
If you are using AWS CloudFront, edit your origins like this:
The token can be any UUID, hash, or common secret shared between the CDN and the backend.
If your backends are using nginx, you can verify the token like this:
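server {
    listen 80;
    server_name _;

    # $http_x_cf_token holds the value of the X-CF-Token request header
    if ($http_x_cf_token != '4147E877-7C6D-4B4E-96CE-B173B6F0B755') {
        return 401;
    }
    # ... rest of the server block ...
}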
In this case the token is a UUID, and requests that arrive without the token get a 401.
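
A way to check the lock-down from the outside, as an added example that is not part of the original post: probe_origin sends the three requests that matter (no token, wrong token, valid token) straight to an origin URL. The header name X-CF-Token is inferred from $http_x_cf_token, and StubOrigin is a constructed Python stand-in for the nginx backend so the script runs offline.

```python
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

HEADER = "X-CF-Token"  # assumed header name, implied by $http_x_cf_token
TOKEN = "4147E877-7C6D-4B4E-96CE-B173B6F0B755"  # sample token from the page
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no env proxy

class StubOrigin(BaseHTTPRequestHandler):
    """Constructed stand-in for the nginx origin: 401 unless the token matches."""
    def do_GET(self):
        supplied = self.headers.get(HEADER, "")
        # Constant-time comparison of the supplied and expected token.
        ok = hmac.compare_digest(supplied.encode(), TOKEN.encode())
        self.send_response(200 if ok else 401)
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def status(url, headers=None):
    """Return the HTTP status of a GET; 4xx/5xx are results, not errors."""
    request = urllib.request.Request(url, headers=headers or {})
    try:
        with OPENER.open(request, timeout=5) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code

def probe_origin(url, token=TOKEN):
    """Hit the origin directly: only the request carrying the token may pass."""
    return {
        "no_token": status(url),
        "wrong_token": status(url, {HEADER: "not-the-token"}),
        "valid_token": status(url, {HEADER: token}),
    }

def run_against_stub():
    server = HTTPServer(("127.0.0.1", 0), StubOrigin)  # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_origin(f"http://127.0.0.1:{server.server_port}/")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_against_stub())
```

Point probe_origin at the real origin address instead of the stub; anything other than 401 for the first two requests means the origin still answers clients that bypass the CDN.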