Enforce HTTPS to your site by Cloudflare
06 May 2016
- DNS switch
- SSL settings
- Cache all the things
- Last but trivial
- GitHub CDN vs Cloudflare CDN
By default, GitHub serves user/project pages, i.e. username.github.io, over HTTPS. However, for a customized domain, HTTPS is unsupported. This post shows how to enforce HTTPS on a GitHub page through the free Cloudflare services. Mainly, we just need to tune a few settings on Cloudflare and at your domain registrar.
To be honest, Cloudflare's free CDN caching may slow down instead of accelerating your sites.
Cloudflare offers free DNS and CDN services while concentrating on customer security. Those who would like to enforce HTTPS on their sites can take advantage of those services. For instance, Cloudflare will protect your site's email addresses from web crawlers.
The free services are listed below. To achieve HTTPS, only the first three are a must.
- Free automatic HTTPS for your domain - no need to buy a certificate;
- Page Rules - custom settings and redirects for URL patterns;
- HTTP Strict Transport Security (HSTS) - protection from MITM attacks;
- DNSSEC - protection from DNS poisoning attacks;
- HTTP/2 - optimised connections for browsers that support it;
- CNAME flattening - so you can use a DNS CNAME at the domain apex;
- "Always online" protection - Your cached website will stay up even if the host goes down;
- Firewall - intelligent protection against DDOS attacks.
- Require Modern TLS on Crypto tab.
Register a Cloudflare account and then add your site. Following the add-site procedure is enough to finish the HTTPS enforcement. Before going into the details, a few points to clarify:
- First, write down your custom GitHub Pages domain or sub-domain, e.g. example.com or blog.example.com. Adding the top-level domain is recommended even if you are using a sub-domain.
- Find your domain registrar's management interface, e.g. www.freenom.com.
- In the domain management interface, find the settings for DNS servers and DNS records.
We will basically do two things:
- Let Cloudflare import the DNS records, then switch the DNS servers to Cloudflare's. Afterwards you may delete the imported DNS records from freenom, namecheap, etc.
- Turn on a few security settings on Cloudflare. That's all!
DNS switch
After filling in your site URL in the add-site procedure, Cloudflare will analyze and import the site's DNS records (from your previous platform).
We can add or delete DNS records, and even toggle Cloudflare (the proxy) per record.
- Continue, and Cloudflare will give us two new Cloudflare DNS servers.
Go to your domain registrar's management interface and replace all the original DNS servers with the new ones.
To make use of Cloudflare's service, all other platforms' DNS servers must be removed; only Cloudflare's are permitted.
- From now on, Cloudflare manages both the DNS servers and the DNS records.
Cache and Security
Cloudflare as a man in the middle (MITM)
By default, Cloudflare accelerates and protects (i.e. caches files for) your sites; such DNS records show an orange cloud symbol at the end of the record.
You may want to disable that functionality for specific sub-domains like irc.example.com, for example when a local ISP blocks Cloudflare's CDN servers. On the other hand, you then lose the free services mentioned above for that record.
As a side effect, proxying hides the web site's original location (i.e. its IP). Refer to the V2ray post for details. You can check this by running dig against your domain: the returned IP will have changed to that of Cloudflare's CDN servers.
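The dig check above, as an added Python example that is not part of the post: it parses dig's answer section and reports whether every published address belongs to Cloudflare, i.e. whether the origin IP is hidden. The dig output is constructed, and the address ranges are a snapshot of the list Cloudflare publishes at https://www.cloudflare.com/ips (assumed current here; refresh it from that page before relying on it).

```python
"""Is my domain's origin hidden behind Cloudflare? (added example)

Parses the answer section of `dig example.com A` / `dig example.com AAAA`
and checks each address against Cloudflare's published ranges.
"""
import ipaddress

# Snapshot of https://www.cloudflare.com/ips (assumption: still current;
# refresh from that page before use).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "141.101.64.0/18", "108.162.192.0/18", "198.41.128.0/17",
    "162.158.0.0/15", "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13",
    "2606:4700::/32",
)]

# Constructed dig output for a proxied (orange cloud) record ...
PROXIED = """
;; ANSWER SECTION:
example.com.        300     IN      A       104.16.1.2
example.com.        300     IN      A       104.16.2.2
example.com.        300     IN      AAAA    2606:4700:10::1
"""

# ... and for a DNS-only (grey cloud) record pointing straight at GitHub Pages.
DNS_ONLY = """
;; ANSWER SECTION:
example.com.        3600    IN      A       185.199.108.153
"""


def parse_dig_answers(dig_output):
    """Pull the A/AAAA addresses out of dig's answer section."""
    addresses = []
    for line in dig_output.splitlines():
        if line.startswith(";") or not line.strip():
            continue  # comment or blank line
        fields = line.split()
        # name  ttl  class  type  rdata
        if len(fields) >= 5 and fields[3] in ("A", "AAAA"):
            addresses.append(ipaddress.ip_address(fields[4]))
    return addresses


def is_cloudflare(address):
    """True when the address falls inside one of Cloudflare's ranges."""
    return any(address in net for net in CLOUDFLARE_RANGES)


def origin_hidden(dig_output):
    """True only when every published address belongs to Cloudflare.

    A single non-Cloudflare address (a grey-cloud record, or a record that
    was never imported) is enough to expose the origin.
    """
    addresses = parse_dig_answers(dig_output)
    return bool(addresses) and all(is_cloudflare(a) for a in addresses)


if __name__ == "__main__":
    print("proxied  ->", origin_hidden(PROXIED))   # True
    print("dns-only ->", origin_hidden(DNS_ONLY))  # False
```

Run it against real output by piping `dig +noall +answer example.com A` into `parse_dig_answers`; the function deliberately returns False for an empty answer section, so a typo in the domain does not read as "hidden".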
ATTENTION: Cloudflare decrypts all traffic from the browser and negotiates a new TLS session with the destination server. It is common that a CDN platform just uses HTTP towards the origin. Hence, cache only static web pages or public multimedia. For confidential communication like password logins, avoid the CDN.
Unfortunately GitHub doesn't yet support SSL for custom domains, which would ordinarily rule out using HTTP/2. Whilst the HTTP/2 specification (RFC 7540) allows HTTP/2 over plain-text connections, all popular browsers require HTTP/2 to run on top of Transport Layer Security, meaning that HTTP/2 only running over HTTPS is the de facto standard.
- In the Crypto tab of your CloudFlare site you should ensure your SSL mode is set to Full, not Full (strict): since GitHub does not serve a valid certificate for your custom domain, Full (strict) would fail to validate the origin.
We can now add a Page Rule to enforce HTTPS; as you add other Page Rules, make sure this one stays the primary Page Rule:
http://*example.com/* Always Use HTTPS
Page rule happens before DNS record resolving.
We can also create a Page Rule to ensure that apex is redirected to www securely when using HTTPS:
example.com/* Forwarding URL (Status Code: 301 - Permanent Redirect) https://www.example.com/$1
This rule should sit before the previous one since it's more specific.
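The ordering argument above, as an added Python example that is not part of the post or of Cloudflare's code. It simulates Page Rule matching for the three rules the post recommends and counts the redirect hops a visitor pays, so the cost of putting the "Always Use HTTPS" rule above the apex-to-www rule becomes visible. Assumptions (labelled in the code): a Page Rule pattern is a glob in which `*` matches any run of characters, a pattern without a scheme matches both http:// and https://, the first matching rule from the top wins, and actions are modelled as plain strings.

```python
"""Simulate Cloudflare Page Rule ordering (added example, not Cloudflare's code).

Assumptions: '*' in a pattern matches any run of characters; a pattern with
no scheme matches both http:// and https://; the first matching rule wins;
only the two redirect-type actions the post uses are simulated.
"""
import re


def pattern_to_regex(pattern):
    """Turn a Page Rule glob into an anchored regex with one group per '*'."""
    body = "(.*)".join(re.escape(part) for part in pattern.split("*"))
    prefix = "" if "://" in pattern else r"(?:https?://)?"   # assumption
    return re.compile("^" + prefix + body + "$")


def first_match(rules, url):
    """Return (action, regex match) for the first rule whose pattern matches."""
    for pattern, action in rules:
        m = pattern_to_regex(pattern).match(url)
        if m:
            return action, m
    return None, None


def resolve(rules, url, max_hops=5):
    """Follow redirect-type actions until a non-redirect action (or none) applies.

    Returns (final_url, final_action, redirect_hops); a bad rule order shows
    up as an extra hop for the same final URL.
    """
    hops = 0
    while hops <= max_hops:
        action, m = first_match(rules, url)
        if action == "Always Use HTTPS" and url.startswith("http://"):
            url = "https://" + url[len("http://"):]
            hops += 1
        elif action is not None and action.startswith("Forwarding URL"):
            target = action.split(" -> ", 1)[1]
            for i, captured in enumerate(m.groups(), start=1):
                target = target.replace("$%d" % i, captured)   # $1, $2, ...
            url = target
            hops += 1
        else:
            return url, action, hops
    raise RuntimeError("redirect loop in page rules")


# The three rules from the post, in the order the post recommends.
RECOMMENDED_ORDER = [
    ("example.com/*", "Forwarding URL 301 -> https://www.example.com/$1"),
    ("http://*example.com/*", "Always Use HTTPS"),
    ("https://*example.com/*", "Cache Level: Cache Everything"),
]
# Same rules with the HTTPS rule moved to the top, to show the extra hop.
HTTPS_RULE_FIRST = [RECOMMENDED_ORDER[1], RECOMMENDED_ORDER[0], RECOMMENDED_ORDER[2]]

if __name__ == "__main__":
    for name, rules in (("recommended", RECOMMENDED_ORDER), ("https-first", HTTPS_RULE_FIRST)):
        print(name, resolve(rules, "http://example.com/post/"))
```

With the recommended order a plain-HTTP request for the apex reaches https://www.example.com/post/ in one redirect; with the HTTPS rule on top the same request is first bounced to https://example.com/post/ and only then to www, two round trips for the visitor.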
Back to the Crypto tab, enable and set HTTP Strict Transport Security (HSTS) service. HSTS (RFC 6797) is a header which allows a website to specify and enforce security policy in client web browsers.
The recommended settings are:
- Status: On
- Max-Age: 6 months (recommended)
- Include subdomains: On
- Preload: On
- No-sniff: On
Though we may have to wait a while (hours, maybe) before we can access the GitHub page over HTTPS, we can test the security settings with
curl -I example.com:
HTTP/1.1 301 Moved Permanently
Date: Mon, 12 Sep 2016 11:14:57 GMT
Connection: keep-alive
Set-Cookie: __cfduid=afj4n38eahdglvmneuptoq84h; expires=Tue, 12-Sep-17 11:14:57 GMT; path=/; domain=.example.com; HttpOnly
Location: https://example.com/
X-Content-Type-Options: nosniff
Server: cloudflare-nginx
CF-RAY: 3fien1q9ehpen-HKG
Attention: if you decide to disable SSL for whatever reason, disable HSTS before disabling HTTPS; otherwise browsers that have cached the HSTS policy will keep refusing plain HTTP until the max-age expires.
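The curl check and the HSTS caveat above, as an added Python example that is not part of the post or of Cloudflare's code. It audits a `curl -I` response for the three things the post configures (redirect to https, nosniff, and the Strict-Transport-Security header) and then models a browser's HSTS cache per RFC 6797 to show why HSTS must be switched off, and allowed to expire or be reset with max-age=0, before HTTPS is. The two responses are constructed to mirror the post's output; the HSTS value for "6 months" is assumed to be max-age=15552000 (180 days).

```python
"""Audit curl -I output and model the browser HSTS cache (added example)."""

# Constructed: the plain-HTTP redirect seen in the post.
REDIRECT_RESPONSE = """HTTP/1.1 301 Moved Permanently
Date: Mon, 12 Sep 2016 11:14:57 GMT
Connection: keep-alive
Location: https://example.com/
X-Content-Type-Options: nosniff
Server: cloudflare-nginx
"""

# Constructed: what the HTTPS response carries once HSTS is on
# (assumption: Cloudflare's "6 months" is max-age=15552000).
HTTPS_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare-nginx
"""


def parse_response(raw):
    """Split `curl -I` output into (status code, {lower-case header: value})."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None when the header is absent."""
    if not value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            policy["max_age"] = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def audit(raw):
    """The checks a defender wants to see after the Cloudflare setup."""
    status, h = parse_response(raw)
    return {
        "redirects_to_https": status in (301, 302, 307, 308)
        and h.get("location", "").startswith("https://"),
        "nosniff": h.get("x-content-type-options", "").lower() == "nosniff",
        "hsts": parse_hsts(h.get("strict-transport-security")),
    }


class HstsStore:
    """Minimal model of a browser's HSTS cache (RFC 6797 section 8.1)."""

    def __init__(self):
        self._hosts = {}  # host -> (expiry time, include_subdomains)

    def observe(self, host, header_value, now):
        """Record the policy sent over HTTPS; max-age=0 makes the browser forget it."""
        policy = parse_hsts(header_value)
        if policy is None or policy["max_age"] is None:
            return
        if policy["max_age"] == 0:
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (now + policy["max_age"], policy["include_subdomains"])

    def must_upgrade(self, host, now):
        """True when the browser would rewrite http:// to https:// for host."""
        for known, (expires, subdomains) in self._hosts.items():
            if now >= expires:
                continue
            if host == known or (subdomains and host.endswith("." + known)):
                return True
        return False


if __name__ == "__main__":
    print(audit(REDIRECT_RESPONSE))
    store = HstsStore()
    store.observe("example.com", "max-age=15552000; includeSubDomains; preload", now=0)
    # HTTPS switched off one day later while the policy is still cached:
    print("browser still forces https:", store.must_upgrade("blog.example.com", now=86400))
```

The redirect response in the post carries no HSTS header, and that is expected: browsers only honour Strict-Transport-Security when it arrives over HTTPS, so the audit of the plain-HTTP hop reports `hsts: None` while the HTTPS response is what populates the cache.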
Cache all the things
CloudFlare has a “Cache Everything” option in Page Rules. For static sites, it allows your HTML to be cached and served directly from CloudFlare's CDN, which will significantly reduce your site's access time.
Add a last rule as:
https://*example.com/* Cache Level: Cache Everything
When deploying your site you can use the Purge Cache option in the Cache tab on CloudFlare to remove the cached version of the static pages.
If DNS is the phone book of the Internet, DNSSEC is the protocol that ensures that a number in the phone book actually belongs to the contact listed. DNSSEC uses cryptographic signatures to verify that the DNS records returned for a domain are untampered.
If your domain registrar supports DNSSEC, turn on DNSSEC in the Cloudflare DNS tab.
Last but trivial
As shown above, to turn on HTTPS, we just tune a few settings, leaving the GitHub page sources untouched.
But we should at least change the url variable in _config.yml to its HTTPS version.
GitHub CDN vs Cloudflare CDN
Without Cloudflare, GitHub serves pages through a CDN as well, and the default GitHub Pages access time is already small. However, Cloudflare offers the extra HTTPS service.