All of our traffic goes through CloudFront, and static content is fetched by CloudFront from one of several S3 buckets.
With uploads being sent to S3, Discourse embeds the content with a generic bucket URL despite our having
s3 cdn url set. Once submitted, posts appear to use the correct URL set in
s3 cdn url, although this may also be because we have
DISCOURSE_CDN_URL set as well (both are set to the same URL).
The post preview window references the standard S3 URL seen in the unbaked post, though. This is a problem because we use a private ACL on files uploaded to our Discourse uploads bucket, as content on this bucket should never be accessed outside of CloudFront. The result is a broken image in the preview window.