So, I’ll try to make it short, although I’ve just lost a lot of hours on this.
When using HTTPS behind a reverse proxy or load balancer, one must configure the “X-Forwarded-Proto” header, otherwise Drone will fail with redirect url mismatch errors (as Brad answered in a similar topic here).
However, Amazon CloudFront does not forward the X-Forwarded-Proto header, nor does it allow setting it (it’s not clear in the documentation, but I’ve tried setting it as a Custom Origin Header and used netcat on the origin to confirm it is being ignored). Instead, it uses its own custom CloudFront-Forwarded-Proto header.
[ edit: removed considerations on load balancers, since further testing confirmed that server-agent communication does not play nice with load balancers… ]
The solution I’ve found so far is to run an Nginx reverse proxy in front of the server just to manually update the correct header to https. Which I’d say is sub-optimal.
So, what about adding an extra “case” on httplutil.go for CloudFront-Forwarded-Proto? Or maybe some generic “*-Forwarded-Proto”? Of course there’s always the chance I’ve missed something, so if someone else is running a Drone Cluster on AWS using a combination of CloudFront and ECS I’d be glad to hear some input.
In any case I’d be happy to submit a PR.
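
As an added example (not part of the original post and not Drone's own code), here is one way a Go server could resolve the request scheme from either X-Forwarded-Proto or CloudFront-Forwarded-Proto while honouring them only from a trusted proxy range. The names `resolveScheme` and `sample`, the 10.0.0.0/8 range and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Headers consulted, in priority order. CloudFront-Forwarded-Proto is the
// header the post reports CloudFront sending instead of X-Forwarded-Proto.
var protoHeaders = []string{"X-Forwarded-Proto", "CloudFront-Forwarded-Proto"}

// resolveScheme (hypothetical name) returns "http" or "https" for r. Forwarded
// headers count only when the direct peer is inside a trusted proxy range,
// since any client can send these headers itself.
func resolveScheme(r *http.Request, trusted []*net.IPNet) string {
	if r.TLS != nil {
		return "https"
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	ip, fromProxy := net.ParseIP(host), false
	for _, n := range trusted {
		fromProxy = fromProxy || (ip != nil && n.Contains(ip))
	}
	for _, name := range protoHeaders {
		// Assumption: in a comma-separated list the client-facing hop is first.
		v := strings.ToLower(strings.TrimSpace(strings.Split(r.Header.Get(name), ",")[0]))
		if fromProxy && (v == "http" || v == "https") {
			return v
		}
	}
	return "http"
}

// sample builds a constructed request and trusted range for the demo.
func sample(remote, header, value string) (*http.Request, []*net.IPNet) {
	_, proxies, _ := net.ParseCIDR("10.0.0.0/8") // constructed proxy range
	r := &http.Request{RemoteAddr: remote, Header: http.Header{}}
	r.Header.Set(header, value)
	return r, []*net.IPNet{proxies}
}

func main() {
	fmt.Println(resolveScheme(sample("10.1.2.3:4000", "CloudFront-Forwarded-Proto", "https"))) // peer is a trusted proxy
	fmt.Println(resolveScheme(sample("203.0.113.9:4000", "X-Forwarded-Proto", "https")))       // peer is a direct client
}
```

A generic “*-Forwarded-Proto” match would accept any header name a client chooses to send, so an explicit list combined with the peer check keeps the accepted input narrow.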