Pointing a CNAME to a static website on S3 is not working

I have a static site hosted on AWS S3, the S3 domain is: emotify-website.s3-website-us-east-1.amazonaws.com

I am trying to point this to a subdomain, new.goemotify.com. I have added the CNAME record and pointed it to the S3 domain, but it shows the Cloudflare 522 error page.

I have followed this documentation: Configuring an Amazon Web Services static site to use Cloudflare – Cloudflare Help Center

Please guide me if I am missing anything.

You can look up the meaning of an Error 522 here:

I assume you have set up Cloudflare in SSL mode:

  1. Full
    or
  2. Full (Strict)

which means Cloudflare wants to connect to the target on port 443 (SSL/HTTPS), but your S3 target is not reachable over HTTPS, see:

https://emotify-website.s3-website-us-east-1.amazonaws.com

Hi @M4rt1n, thanks a ton. The issue seems to be the same indeed.
I am a little confused on how to set up HTTPS on the S3 target. Can’t find any straightforward method. I know it can be done through CloudFront and ACM. But I am looking to connect a Cloudflare CNAME to the S3 target and still serve it over HTTPS.

I am also open to any other method which can be helpful here. Any further help is appreciated.

Cloudflare always lets you CNAME that. But if S3 is not configured properly to map the domain you are CNAME-ing from Cloudflare to S3, it will redirect to the S3 domain.

So the problem actually is at AWS/S3 and not at Cloudflare. The configuration at Cloudflare is correct.

Another way to do it would be to use Flexible SSL for your sub-domain or that CNAME record, using a Page Rule to configure it as described here:

Which reminds me of Google Cloud Storage: when configuring it, I had to add a sub-domain within a CNAME record being :orange: and then create a Page Rule to have Flexible SSL for that hostname (sub-domain), while having Full SSL for the primary domain.

Not a great option, but worked for me.

But, keep in mind “from user to Cloudflare” would be HTTPS, but “from Cloudflare to S3” over HTTP.

Learn more about why Flexible SSL is not a recommended choice from this article:

Also, have you checked this one?:

Here is a way to have it with Full SSL:

Really?


Yes.

In case (OP did not mention whether his situation is the same as mine) you are actually “locked up” due to your “Cloudflare Partner/Provider”, where there are no other options available for you to select (by default for the free plan, not to mention the paid one, with that option being disabled by default).

Otherwise, the possibilities are already known, and hopefully OP’s origin has an SSL cert (which is also not an option here, as it currently cannot connect over HTTPS), regarding the mentioned link to the tutorial about “Why Flexible SSL mode is not the best choice”.

Not really. Flexible should never be an option and suggesting it is bad advice I am afraid.

You never are “locked up”. If your host is not able to provide something simple as SSL, changing host is a logical consequence. Flexible does not suddenly become secure because of your host’s incompetence (and Cloudflare’s eagerness to participate here).

Three steps to fix that: drop the Cloudflare integration, change host, and sign up for a proper account with full control.


Hi @M4rt1n, you are correct, the configuration on Cloudflare is correct, but S3 does not support HTTPS, as clearly mentioned on this page (AWS docs):

Considering this, I see only two options:

  1. Using Flexible SSL (which is definitely not recommended from a security POV)
  2. Using a service like CloudFront over S3, with SSL (I am trying to avoid using CloudFront)

Is there any other option that you see? I’m sure many other developers using Cloudflare may have come across this scenario.

Appreciate your help on this!

We had a long discussion about this previously:


Yes, thanks to @erictung I found a good solution for that problem. Actually I tried both variants:

  1. Use CloudFront as CDN
  2. Use Cloudflare Workers

Workers turned out to be more cost efficient. I forked the tutorial from Signalnerve on GitHub and added S3 support (instead of Google Cloud) and requests to the origin server instead of a bucket error. You can find it here: GitHub - nilo-byte/assets-on-workers

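To make the Workers variant concrete, here is an added example (not code from this thread or from the nilo-byte/assets-on-workers repository) of a small Cloudflare Worker that proxies the subdomain to the bucket over HTTPS, so the zone can stay on Full (Strict) instead of Flexible SSL. It assumes the bucket is reached through its REST endpoint (`emotify-website.s3.amazonaws.com` is assumed here; the website endpoint from the thread only listens on HTTP) and that objects are publicly readable. The Worker reproduces the website endpoint's index-document behaviour itself, because the REST endpoint does not, and only forwards GET/HEAD.

```javascript
// Added example: Cloudflare Worker (service-worker syntax) proxying a
// subdomain to an S3 bucket over HTTPS. Not the thread's or the
// assets-on-workers code; hostname, index document and header list are assumptions.

// ASSUMED: the bucket's REST endpoint, which serves TLS (the website endpoint does not).
const ORIGIN_HOST = "emotify-website.s3.amazonaws.com";
const INDEX_DOCUMENT = "index.html";

// Response headers worth passing to the visitor; x-amz-* and other
// origin-identifying headers are dropped on purpose.
const PASSTHROUGH_HEADERS = [
  "content-type", "content-length", "etag", "last-modified", "cache-control",
];

// Mimic the S3 website endpoint: "/" and "/dir/" resolve to the index document.
function toObjectPath(pathname) {
  return pathname.endsWith("/") ? pathname + INDEX_DOCUMENT : pathname;
}

// Rewrite the visitor's URL into the HTTPS origin URL for the same object.
function buildOriginUrl(requestUrl) {
  const url = new URL(requestUrl);
  return `https://${ORIGIN_HOST}${toObjectPath(url.pathname)}${url.search}`;
}

// Read-only proxy: anything but GET/HEAD is refused at the edge.
function isAllowedMethod(method) {
  return method === "GET" || method === "HEAD";
}

// The REST endpoint answers 403 for a missing object on a non-listable bucket;
// present that to visitors as a plain 404 so bucket layout is not leaked.
function mapStatus(originStatus) {
  return originStatus === 403 ? 404 : originStatus;
}

// Copy only the allow-listed headers from the origin response.
function filterHeaders(originHeaders) {
  const out = new Headers();
  for (const name of PASSTHROUGH_HEADERS) {
    const value = originHeaders.get(name);
    if (value !== null) out.set(name, value);
  }
  return out;
}

// fetchImpl is injectable so the handler can be exercised without network access.
async function handleRequest(request, fetchImpl = fetch) {
  if (!isAllowedMethod(request.method)) {
    return new Response("Method Not Allowed", {
      status: 405,
      headers: { allow: "GET, HEAD" },
    });
  }
  const originResponse = await fetchImpl(buildOriginUrl(request.url), {
    method: request.method,
  });
  return new Response(originResponse.body, {
    status: mapStatus(originResponse.status),
    headers: filterHeaders(originResponse.headers),
  });
}

// Registered only inside the Workers runtime; absent when run under Node.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => {
    event.respondWith(handleRequest(event.request));
  });
}
```

Deploy it on a route matching the subdomain (for example `new.goemotify.com/*`) with the record proxied (:orange:); the visitor's TLS terminates at Cloudflare and the Worker's `fetch` to the origin is HTTPS as well, which is what Flexible SSL cannot give you.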
