archive about

I enabled SSL for my S3-hosted static blog

How I used CloudFlare's (free) Universal SSL to enable HTTPS for my S3-hosted static-HTML blog, and a few extra notes.

My blog (blog.vrypan.net) is a static HTML blog hosted on AWS S3. Last weekend I decided to enable traffic over HTTPS using CloudFlare’s Universal SSL.

A few words about CloudFlare’s Universal SSL:

  1. It’s free. (good)
  2. The endpoint is not your server, but CloudFlare. (not so good)

Of course, free is good. And when it comes to a static website open to anyone, like my blog, there’s little value in encrypting communication between the browser and the server. On the other hand, increasing the number of encrypted traffic that goes around is a good thing in principle. And if it’s free, why not?

So I created a CloudFlare account and signed up for the free plan. Then, I enabled Universal SSL for vrypan.net.

In order to do this, I had to replicate all my DNS records from Amazon’s Route53 (that’s what I used for DNS hosting) to CloudFlare. Route53 does not allow you to export the zone file, and if you have a complicated one, it’s a drag to manually edit each record. I installed cli53 and used it to export my DNS entries as a zone file which I then uploaded to CloudFlare.

cli53 export vrypan.net >vrypan.net.zone

Once I went through the process, I was able to access https://blog.vrypan.net/. However, it took some hours for the system to enable an SSL Certificate for my domain, and until then, my browser complained that the SSL Certificate is not valid, or something like this. (If you do the same, keep in mind that you have to leave some time for the DNS changes to propagate too.)

Some hours later, I got an email from CloudFlare that SSL was enabled for vrypan.net, I checked and https://blog.vrypan.net/ worked as expected.

Next, I wanted to automatically forward all http traffic to https. So, I added a "page rule", that forwards http://blog.vrypan.net/* to https://blog.vrypan.net/$1. So now, if you followed a link to http://blog.vrypan.net/2014/10/02/my-daughters-first-secret/ you would be redirected to https://blog.vrypan.net/2014/10/02/my-daughters-first-secret/

The last thing I did was to regenerate my blog (remember, it's a static blog) and replace http://blog.vrypan.net/ with https://blog.vrypan.net/ as my blog prefix. This made sure that internal links, share buttons, etc, link to the https pages, not http (and spare visitors an HTTP redirect).

Tip. If you want to purge one or more files or pages from CloudFlare's cache, here is how to do it.

Alternative. If you don't want to use CloudFlare's Universal SSL, an alternative could be a free SSL certificate from StartCom and AWS CloudFront with custom SSL. Using CloudFront would slightly increase the hosting costs for my blog, and as I mentioned above, encrypting traffic to and from it is of little value to my visitors, so CloudFlare looks like a great solution for now —but it's always good to have alternatives.