Skip to content

[Rules] Cloud Connector: clarify SSL to AWS S3 #18066

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Nov 8, 2024
Merged

[Rules] Cloud Connector: clarify SSL to AWS S3 #18066

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
bc06d71
[Rules] Cloud Connector: clarify SSL to AWS S3
nikitacano Nov 8, 2024
ea14259
Apply suggestions from PCX review
pedrosousa Nov 8, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/content/docs/rules/cloud-connector/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ Cloud Connector rules are evaluated last in the request evaluation workflow. Whe
Cloud Connector will perform the following configurations automatically, depending on the cloud provider:

- Modify the `Host` header.
- Adjust SSL/TLS for bucket-related traffic (AWS S3 only).
- Adjust SSL/TLS for bucket-related traffic ([Amazon S3 website endpoints](/rules/cloud-connector/providers/#ssl-connections-for-aws-s3-endpoints) only).

## Availability

Expand Down
9 changes: 8 additions & 1 deletion src/content/docs/rules/cloud-connector/providers.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,15 +22,22 @@ Support for Cloudflare R2 will be added soon.
The hostname of your S3 bucket URL must have one of the following formats (where `*` is a wildcard character):

- `*s3.amazonaws.com`
- `*s3-website.<REGION>.amazonaws.com`
- `*s3.<REGION>.amazonaws.com`
- `*s3-website.<REGION>.amazonaws.com`
- `*s3-website-<REGION>.amazonaws.com`

Cloud Connector supports both subdomain and URI path-style URLs:

- **Subdomain-style URLs**: Set the hostname to `<BUCKET_NAME>.s3.amazonaws.com`. In this case, your files are accessible directly under the root of the bucket. For example, `https://example.com/index.html` will map to `https://<BUCKET_NAME>.s3.amazonaws.com/index.html`.
- **URI path-style URLs**: Set the hostname to `s3.amazonaws.com`. Here, your bucket name must be part of the URI path in your requests. For example, if your bucket name is `<BUCKET_NAME>`, files will be available on paths like `https://example.com/<BUCKET_NAME>/index.html`, and your Cloud Connector rule should filter traffic based on the URI path starting with `/<BUCKET_NAME>`.

### SSL connections to AWS S3 endpoints

The SSL setting applied to requests between Cloud Connector and AWS S3 depends on the type of S3 endpoint you use:

- **HTTPS-supported endpoints**: For hostnames like `*s3.<REGION>.amazonaws.com` and `*s3.amazonaws.com`, Cloudflare will connect to AWS S3 over HTTPS if you set your zone's SSL/TLS mode to **Full** or **Full (Strict)**.
- **Non-HTTPS endpoints**: For website-style hostnames such as `*s3-website.<REGION>.amazonaws.com` or `*s3-website-<REGION>.amazonaws.com`, which do not support HTTPS, Cloudflare will default to **Flexible SSL**.

### Get the bucket URL

1. Go to the [Amazon S3 console](https://console.aws.amazon.com/s3/) and select **Buckets** in the navigation pane.
Expand Down
Loading