Fronting your S3 buckets with Cloudflare is a great way to reduce your AWS bandwidth bills.
Constraints
Cloudflare only allows you to configure SSL globally for a domain. S3 does not support custom certificates, so we need to rely on the default S3 SSL certificate, which is issued for Amazon's own hostnames and not for cdn.yourdomain.com. Full (strict) mode requires the origin to present a certificate that is valid for your hostname, so we cannot achieve Full (strict) mode.
Full mode is the best we can achieve.
Full mode means browsers connect to Cloudflare over HTTPS and Cloudflare connects to your web servers over HTTPS. The connection between Cloudflare and your servers can use any certificate: Cloudflare does not validate it in this mode, so that hop is encrypted but the origin's identity is not verified.
Flexible mode is where client browsers connect to Cloudflare over HTTPS and Cloudflare in turn connects to your web servers over plain HTTP.
Wryttr is built on Rails and we use Fargate behind an ALB. Full mode was the least intrusive option for us.
Steps
1. Create a bucket that matches your fully qualified domain name
If you want your resources accessible at https://cdn.yourdomain.com, create a bucket named cdn.yourdomain.com. Cloudflare forwards the original Host header to the origin, and S3 uses that Host header to select the bucket, so the bucket name must be exactly the hostname.
2. Disable static web hosting for your S3 bucket
3. Add a CNAME entry in Cloudflare:
Name: cdn
Target: cdn.yourdomain.com.s3.us-east-1.amazonaws.com