Configure S3 + Cloudflare + SSL

March 31, 2022
Fronting your S3 buckets with Cloudflare is a great way to reduce your AWS bandwidth bills.

Constraints

Cloudflare's SSL mode is configured once for the whole domain, not per hostname. S3 does not support custom certificates, so the origin can only present the default S3 certificate, which is issued for AWS names rather than your own; Cloudflare therefore cannot validate it and Full (strict) mode is out of reach.
Full mode is the best we can achieve.
What you will achieve
Full mode means browsers connect to Cloudflare over HTTPS and Cloudflare connects to your web servers over HTTPS. Cloudflare encrypts the connection to your origin but does not validate the origin's certificate, so any certificate (self-signed, expired, or issued for a different name) is accepted.
Flexible mode is where client browsers connect to Cloudflare over HTTPS and Cloudflare in turn connects to your web servers over plain HTTP, so the Cloudflare-to-origin leg is unencrypted.
Wryttr is built on Rails and we use Fargate behind an ALB. Full mode was the least intrusive option for us.

Steps

1. Create a bucket that matches your fully qualified domain name

If you want your resources accessible at https://cdn.yourdomain.com, create a bucket named cdn.yourdomain.com

2. Disable static web hosting for your S3 bucket

3. Add a CNAME entry in Cloudflare:

Name: cdn
Target: cdn.yourdomain.com.s3.us-east-1.amazonaws.com

Note: Replace us-east-1 with your bucket's region.
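As an added example (not code from the original post), the script below turns the three steps into a checked plan for a given hostname: it derives the bucket name, the Cloudflare CNAME record and the AWS CLI commands, and it shows why the default S3 certificate leaves Full (strict) unavailable by applying standard single-label wildcard matching to the names involved. The Cloudflare record shape and the proxied=True setting, the representative S3 certificate names in S3_DEFAULT_CERT_SANS, and the helper names are assumptions of this example, not values taken from the post.

```python
"""Plan an S3 + Cloudflare (Full mode) setup and check its certificate constraint.

Added example, not part of the original post. Assumptions:
- the Cloudflare record is proxied (orange cloud) so Cloudflare fronts S3;
- S3_DEFAULT_CERT_SANS lists representative AWS wildcard names of the kind
  the default S3 certificate carries; it is not a dump of the live certificate.
"""
from dataclasses import dataclass, field

S3_DEFAULT_CERT_SANS = (
    "*.s3.amazonaws.com",
    "*.s3.us-east-1.amazonaws.com",
    "s3.us-east-1.amazonaws.com",
)


@dataclass(frozen=True)
class Plan:
    bucket: str           # step 1: bucket name == fully qualified hostname
    region: str
    cname_name: str       # step 3: relative label inside the Cloudflare zone
    cname_target: str     # step 3: virtual-hosted-style S3 endpoint
    dns_record: dict = field(default_factory=dict)


def plan(fqdn: str, region: str, zone: str) -> Plan:
    """Build the bucket name, CNAME and Cloudflare API record body for fqdn."""
    fqdn, zone = fqdn.lower().rstrip("."), zone.lower().rstrip(".")
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside the Cloudflare zone {zone}")
    label = fqdn[: -len(zone) - 1]
    target = f"{fqdn}.s3.{region}.amazonaws.com"
    # Body for POST /zones/{zone_id}/dns_records; proxied=True is the assumed setting.
    record = {"type": "CNAME", "name": label, "content": target, "proxied": True, "ttl": 1}
    return Plan(bucket=fqdn, region=region, cname_name=label, cname_target=target, dns_record=record)


def aws_cli_commands(p: Plan) -> list:
    """Steps 1 and 2 as AWS CLI commands (the create-bucket gotcha: us-east-1
    must not receive a LocationConstraint, every other region must)."""
    create = f"aws s3api create-bucket --bucket {p.bucket} --region {p.region}"
    if p.region != "us-east-1":
        create += f" --create-bucket-configuration LocationConstraint={p.region}"
    disable_website = f"aws s3api delete-bucket-website --bucket {p.bucket}"
    return [create, disable_website]


def name_matches(pattern: str, hostname: str) -> bool:
    """Certificate name matching as browsers and proxies do it:
    a leading '*' covers exactly one label, never 'a.b'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".s3.amazonaws.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_covers(hostname: str, sans=S3_DEFAULT_CERT_SANS) -> bool:
    return any(name_matches(san, hostname) for san in sans)


def strict_mode_possible(p: Plan) -> bool:
    """Full (strict) needs an origin certificate valid for your own hostname.
    The S3 certificate only names AWS hosts, so this is False for any bucket."""
    return cert_covers(p.bucket)


if __name__ == "__main__":
    p = plan("cdn.yourdomain.com", "us-east-1", "yourdomain.com")
    for cmd in aws_cli_commands(p):
        print(cmd)
    print("CNAME", p.cname_name, "->", p.cname_target)
    print("S3 cert valid for", p.bucket, ":", cert_covers(p.bucket))
    print("S3 cert valid for", p.cname_target, ":", cert_covers(p.cname_target))
    print("Full (strict) possible:", strict_mode_possible(p))
```

Two results are worth noting. cert_covers(p.bucket) is False, which is the constraint the post describes: no certificate for your name exists on the origin, so only Full mode works. cert_covers(p.cname_target) is also False, because a bucket named with dots produces an endpoint with several labels in front of the wildcard; Cloudflare's Full mode does not check the certificate, so that does not break the setup, but it does mean a browser hitting the S3 endpoint directly over HTTPS will see a certificate error, which is a useful check to run before pointing DNS at it.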


Principal Engineer @ Amazon Ads | Ex Bloomberg. Opinions are my own and not the views of my employer