
Khalid Rasool

How to Serve HTTPS on Your Root Domain Using AWS S3 and Cloudflare – by Khalid Rasool


If you’re hosting a static website on AWS S3 and using Cloudflare for DNS and SSL, you might have noticed a common issue:

Your website works perfectly at https://www.yourdomain.com but fails or shows SSL errors at https://yourdomain.com (root domain).

Why does this happen? And how do you fix it?

The Root Cause

AWS S3 static website hosting provides HTTP-only endpoints. You can point a www CNAME to the S3 website endpoint and use Cloudflare’s SSL proxy to get HTTPS working smoothly on the www subdomain.

However, when using the root domain (apex domain) like yourdomain.com, you can’t create a CNAME record due to DNS restrictions, so you typically create an A record pointing to a dummy IP like 192.0.2.1 and enable Cloudflare proxy.

Here’s the catch:

  • The dummy IP doesn’t serve your website content.
  • Cloudflare can serve HTTPS on the root domain but cannot fetch your actual content from S3 via that dummy IP.
  • This results in connection timeouts or SSL handshake errors (Cloudflare Error 522 or 525).

Why You Need www

By using the www subdomain pointing directly to the S3 website endpoint via a CNAME, Cloudflare proxies your content and provides HTTPS.

This setup is simple, stable, and commonly used.

How to Serve HTTPS on Root Domain Without www

To get HTTPS on yourdomain.com itself without www, you need:

  1. An AWS CloudFront distribution configured in front of your S3 bucket.
  2. An SSL certificate issued via AWS Certificate Manager (ACM) for your root domain.
  3. DNS records pointing your root domain to the CloudFront distribution.

CloudFront acts as a secure CDN layer, handling HTTPS connections properly on the root domain and fetching content from S3 behind the scenes.
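
The three requirements above written as a CloudFormation template (an added example, not from the original post; the domain, the bucket website endpoint and the us-east-1 region are assumptions). It makes explicit that the S3 website origin is reached over plain HTTP while viewers are forced onto HTTPS with the ACM certificate.

```yaml
# Added example. Deploy the stack in us-east-1: CloudFront only accepts
# ACM certificates issued in that region.
AWSTemplateFormatVersion: "2010-09-09"
Description: HTTPS on the root domain via CloudFront in front of an S3 website endpoint

Parameters:
  DomainName:
    Type: String
    Default: yourdomain.com            # placeholder used in the article
  S3WebsiteEndpoint:
    Type: String
    # Assumed bucket name and region; use your bucket's website endpoint.
    Default: yourdomain.com.s3-website-us-east-1.amazonaws.com

Resources:
  # Requirement 2: certificate for the root domain, validated through DNS.
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS

  # Requirement 1: distribution in front of the S3 website endpoint.
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases:
          - !Ref DomainName
        Origins:
          - Id: s3-website
            DomainName: !Ref S3WebsiteEndpoint
            CustomOriginConfig:
              OriginProtocolPolicy: http-only     # S3 website endpoints do not speak HTTPS
        DefaultCacheBehavior:
          TargetOriginId: s3-website
          ViewerProtocolPolicy: redirect-to-https # plain-HTTP viewers are redirected to HTTPS
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6  # AWS managed CachingOptimized
        ViewerCertificate:
          AcmCertificateArn: !Ref Certificate
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021

Outputs:
  # Requirement 3: the root-domain DNS record points at this name.
  DistributionDomainName:
    Value: !GetAtt Distribution.DomainName
```

With DNS validation, stack creation waits until the validation CNAME that ACM displays has been added to your DNS zone.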

Summary

Setup                         | HTTPS on Root Domain? | Complexity
S3 + Cloudflare + www         | Yes                   | Easy
S3 + Cloudflare + root domain | No                    | -
S3 + CloudFront + root domain | Yes                   | Moderate (AWS config)

If you’re okay with www, stick to the simple Cloudflare + S3 CNAME setup.

If you want your root domain with HTTPS, invest some time setting up CloudFront in front of S3 — it’s worth it for a professional, seamless experience.


Hope this helps fellow developers understand why HTTPS on root domains with S3 can be tricky, and how to fix it!

