After a CloudFront distribution is deleted, Full (Strict) SSL encryption at CloudFlare is no longer working

0

After a failed attempt at setting up a CloudFront distribution, I ended up disabling and deleting it. But afterwards, the SSL encryption mode set at CloudFlare is no longer working at Full (Strict) - it has been more than 12 hours since the distribution created was deleted. I have to change it to Flexible now in order to access the S3 bucket using the CNAME domain.

FYI, during setting up the CloudFront distribution, I tried a couple of things including using the imported certificate from CloudFlare, and using an ACM issued certificate, which was deleted at the end given the long pending validation status.

It is likely something was messed up during the CloudFront setup. But I thought its deletion would clean up and put everything back to where it started. Apparently that is not the case. Please advise. Thank you.

3 Answers
0

Hello.

I'm sorry if my understanding is wrong.
Does this mean that you have set up the following configuration?

CloudFlare -> S3
CloudFlare -> CloudFront -> S3

"I have to change it to Flexible now in order to access the S3 bucket using the CNAME domain."

CloudFlare Flexible mode is a setting where communication between the origin server and CloudFlare is performed using HTTP.
In other words, if you directly specify S3 with static website hosting enabled as the CloudFlare origin, it is correct to be able to access it normally.
https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/flexible/

On the other hand, if the SSL mode is Full, the communication between CloudFlare and S3 is performed using HTTPS, so I think access fails.
https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full/

https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteHosting.html

"Amazon S3 website endpoints do not support HTTPS or access points. If you want to use HTTPS, you can use Amazon CloudFront to serve a static website hosted on Amazon S3. For more information, see How do I use CloudFront to serve HTTPS requests for my Amazon S3 bucket? To use HTTPS with a custom domain, see Configuring a static website using a custom domain registered with Route 53."

EXPERT
answered 3 months ago
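The difference between the SSL modes described in the answer above can be checked against an origin directly. The following is an added example, not part of the original answer or of Cloudflare's or AWS's tooling: it probes ports 80 and 443 on an origin hostname and maps the result to the modes that origin can serve. The function names and the sample tuple are constructed for illustration.

```python
import socket
import ssl
import sys


def _tls_handshake(host, verify, timeout):
    """Try a TLS handshake on port 443; optionally verify chain and hostname."""
    ctx = ssl.create_default_context()  # system trust store (public CAs)
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # covers refused connections, timeouts and ssl.SSLError
        return False


def probe_origin(host, timeout=5.0):
    """Return (http_open, tls_open, cert_valid) for an origin hostname."""
    try:
        with socket.create_connection((host, 80), timeout=timeout):
            http_open = True
    except OSError:
        http_open = False
    tls_open = _tls_handshake(host, verify=False, timeout=timeout)
    # Caveat: a Cloudflare Origin CA certificate is not in the system trust
    # store, so it shows as invalid here even though Full (strict) accepts it.
    cert_valid = tls_open and _tls_handshake(host, verify=True, timeout=timeout)
    return http_open, tls_open, cert_valid


def usable_modes(http_open, tls_open, cert_valid):
    """Map probe results to the Cloudflare SSL modes the origin can serve."""
    modes = []
    if http_open:
        modes.append("Flexible")  # Cloudflare -> origin over HTTP
    if tls_open:
        modes.append("Full")  # HTTPS to origin, certificate not validated
        if cert_valid:
            modes.append("Full (strict)")  # HTTPS with a validated certificate
    return modes


# Constructed result for an HTTP-only origin such as an S3 website endpoint.
S3_WEBSITE_SAMPLE = (True, False, False)

if __name__ == "__main__":
    result = probe_origin(sys.argv[1]) if len(sys.argv) > 1 else S3_WEBSITE_SAMPLE
    print(result, "->", usable_modes(*result))
```

Run it with the origin hostname configured behind the proxied CNAME as the only argument; with no argument it prints the constructed HTTP-only sample.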
0

Thank you for the response, Riku.

My configuration is S3 -> CloudFlare -> Client. It was working fine before I experimented with a CloudFront layer between S3 and CloudFlare.

It is true the S3 website endpoint doesn't support HTTPS. But I was using the CloudFlare proxy with its SSL certificate. So from the client end, I was able to view S3 shown as HTTPS. But after the failed CloudFront distribution (it was running with a green status, but my site did not show up; the SSL certificate I requested via ACM never came through, so I had to cancel it) was disabled and deleted last night, my setup with CloudFlare has stopped working since - it appears to me that the universal SSL certificate issued by CloudFlare somehow is not being recognized now.

answered 3 months ago
0

My apologies if you have seen this. https://www.cloudflare.com/developer-platform/solutions/s3-compatible-object-storage/

You may want to cross-post on the CloudFlare forums. Yes, S3 doesn't support HTTPS, but I believe S3 supports SSL. From a best practice standpoint, all data on the internet should be encrypted by SSL or HTTPS.

I would question the CloudFlare experts on how to connect securely to an S3 website. CloudFront seems excessive for this, but I don't have all your facts and I wouldn't want to mislead you.

answered 3 months ago
