Delivering files with Amazon S3 & CloudFront to Cloudflare

Hi So, I host my WooCommerce site on SiteGround.
my site is a multivendor shop where people can sign up and sell their sound effects.
now by nature of such site it requires a scalable storage solution that can deliver this downloadable files to the customers upon purchase. while ensuring that the download link is only valid for the relevant user and no one else can access those files.

So I came across a plugin called S3 Offload Media. Which allows me to upload files to an S3 Bucket and securely deliver them as stated above with expiring private links through a CloudFront distribution, after configuring everything it worked just fine and I deliver all the private downloads through a subdomain of my site called media.

Now here is where the questions start. As a seller I’m interested in maximum security for my users & vendors, therefore its important for me to get the best solutions, the problem is that I’m not even sure what questions to ask in that case.

Cloudflare is a great tool and I wouldn’t like to lose its benefits, what can I do from the Cloudflare side to ensure I let the S3 & CloudFront do their thing? Can i furtherly mask it with Cloudflare to add an extra layer of security? how could this work?
Does Cloudflare have a similar service that I can use instead of CloudFront to deliever those private downloads securly?

Do just enabling Cloudflare on my site like normaly would work?
Could I enable Cloudflare for my entire site except the Subdomain that is made specially to deliever the downloadable files?

What needs to be done in my case?

Thank you for your time.

I think you’ve just said the solution. I also use Cloudfront for serving some downloads to my users, and what I do is to protect with Cloudflare all of the subdomains, except the one that is used by Cloudfront.

1 Like

The only thing you need to be mindful of is the ToS, which normally prohibit downloading content that is not “web” content. This is only when those are a disproportionate amount compared to normal traffic (don’t do a WeTransfer service basically nor YouTube).

You can also use Cloudflare’s S3 alternative, which is R2. It’s in beta and it doesn’t have direct public access, but with a very simple Cloudflare Worker that would work and it would bypass the ToS issue while also costing you most likely less (no egress costs).

Alternatively you can just leave the specific subdomain not proxied, but you lose some of the benefits.

3 Likes

Ah nice idea, thank you!
How do I exclude Cloudflare only from the Downloads subdomain tho?

Great idea, R2 is very promising, sadly theres no R2 offload media plugin available at the moment, and I dont know how to code something that will offload my necessary website media files to R2.

R2 is S3 compatible, so as long as the plug-in allows you to specify the endpoint/URL like many do, it should work just like S3.

2 Likes

Go to Cloudflare’s DNS settings, find the CNAME record for your subdomain and unproxy it (:orange::grey:).

2 Likes

Thank you!

1 Like

Yo, I’ve recently read a post saying hackers can find my server origin IP and basically go there directly and bypass the entire Cloudflare system.

I’ve unproxied the Cname.
I’ve read the following blog posts from ClusteredNetworks about securing the connection between My origin server and Cloudflare, and ensuring all communication to the server must go through Cloudflare so no one can find my IP address and simply launch an attack on my server (I’m hosting on SiteGround)
By unproxying that Cname record to the media delivery subdomain do I expose my server?
Do I create any security holes here? what do I need to do to check for security holes here and close them?

Also I’ve understood people can find the IP address of my Origin server and simply launch an attack on the server completely bypassing Cloudflare protection.

So I’m looking for ways to fix that and to ensure all communication goes through Cloudflare and you can’t reach the site without it

I came across an article by a guy named ron from “ClusteredNetworks” and he gives you a .htaccess code with a bunch of require IP rules which I than need to put all Cloudflare IPs at, than my site wont accept communication that isn’t coming from this IPs, how ever it didnt work for some reason and I couldnt access my admin area or the site anymore even tho I allowed my own IP addresses.

I also see and I’m trying to understand the purpose of “Cloudflare Tunnel”
I also see an option in “Origin Server” under “SSL/TLS” section on Cloudflare dashboard, where I can create a SSL certificate to encrypt the data between the Server & Cloudflare, how ever I already have a free LetsEncrypt SSL installed & provided by my SiteGround, so do I need to create this new certificate and install it on my site? does it replace my original certificate by doing so?

Is this the way to properly ensure all traffic to my site goes through Cloudflare first and no one can launch an attack on my server without going through Cloudflare?
Also how does this connect to the previous question with my Offloaded media to the S3 bucket, I’d also need to whitelist the IP address of the CloudFront distribution or?

I’m sorry I have a huge mess in my head and I’m trying my best to explain it properly, the goal is to ensrure maximum security for my users. thank you for your time its great help.

You do expose the IP, but it’s CloudFront. It shouldn’t be terribly insecure especially if you use HTTPS only. The issue is cost of delivery, they could rack your bills up a lot with little effort.

I’d very much consider the R2 option.

1 Like

Thank you, R2 does seem like a great option, how ever I dont seem to find any plugin that allows me to offload specific media files to R2.
and I dont know how to custom code this, so I have to count on S3.

As I said above, check if the plug-in you use allows custom S3 endpoints. Then you will be able to make it work easily. It’s just a copy-paste more.

1 Like

Sorry but what are custom end points and how can they help me?

R2 supports the S3 API, so if you can tell the plug-in to point to a custom endpoint (=server) it will be for all intents and purposes S3 for the plug-in itself.

1 Like

Oh nice, I’ll check with the plugin developer.
How would I than approach to delievering this files through Cloudflare, so I dont have to use CloudFront?
This files would be Downloadable purchasable products so, when a user purchase they will need to be delievered. but they must be secured and expired quickly so users can’t share the download link

How you handle that is up to you. I presume you have a way to do that with CloudFront… it should work easily, I’d assume with Cloudflare, too. Workers are usable, too.

I would also say that if you have short download links, I would dismiss most of the concerns for the bill, assuming you actually make them unusable.

Ah I’m so weak on the technical side, I don’t know what are workers or how to use them, it seems like I need coding knowledge.

Yeah, I feel like you should get started on a course or hire a developer :slight_smile:

1 Like

Thank you very much for your time, you were great help I wish you a great day.

1 Like