Github Pages: Let's Encrypt!

Please petition Github to support HTTPS on github pages: https://github.com/contact

Here's what I wrote:

Obviously, a lot of people want HTTPS for github pages:

Until recently, that would be difficult to implement but, as it turns out, the implementation is pretty much complete:

I'm a freelancer, so I've got time and I'd love to help out in any way I can (I'd even come work for you at a substandard rate) if we could get this implemented by Let's Encrypt launch day.

You can also send a message to support@github.com

You're a freelancer that has spare time?

... I don't think you're doing it right.

+1 to https support for custom domains on github pages!

👍

This is a lot more complex than you seem to think. Obtaining a certificate is easy. Storing and handling hundreds of thousands or millions of them securely is decidedly not. Determining how that interacts with the CDN that fronts traffic to Pages, and dealing with securely distributing certificates is also far from trivial. And that's just a couple of factors that immediately come to mind.

Your best bet is to use a service like Cloudflare to front-end your free GitHub Pages site if you really require SSL.

+1 There must be a better way than spamming Github's inbox for contact & support?

@coolaj86 you can use @cloudflare with a custom domain in front of @github pages. It works. I do this for https://github.com/leighmcculloch/5tweets.com which you can see SSL'd at https://5tweets.com.

peckrob commented Nov 27, 2015

@lucas This is technically correct, but Server Name Identification has solved that problem for some time now, and is supported in the very large majority of browsers. Basically, anything IE7 and newer, although it is not supported by some spiders.

https://en.wikipedia.org/wiki/Server_Name_Indication

RHavar commented Nov 27, 2015

So this won't happen, if you understand how https works you'll understand.

@lucas: Thanks for the condescending and outdated explanation. For the last 10 years we've had: https://en.wikipedia.org/wiki/Server_Name_Indication

And supported by everything except IE8 on Windows XP: http://caniuse.com/#feat=sni

dheera commented Nov 27, 2015

@leighmcculloch @imbriaco Putting Cloudflare HTTPS in front of a HTTP URL isn't technically secure. The link between Cloudflare and Github will be unencrypted.

RHavar commented Nov 27, 2015

@dheera That's not quite right, you can (trivially) tell cloudflare to only fetch the data from github over https itself. The real security concern is that you probably would prefer if cloudflare wasn't in the middle.

dheera commented Nov 27, 2015

@RHavar Oh, I didn't realize GitHub already supported HTTPS on its .github.io URLs. In that case, yes. And yes, CloudFlare is a security concern of itself.

dtinth commented Nov 27, 2015

Well, @cloudflare does support Full SSL (Strict) mode, which means the connections between your users and CloudFlare, and between CloudFlare and GitHub pages, are all encrypted.

And it comes down to trust. I trust both CloudFlare and GitHub, so I’m comfortable with that setup already.

@dtinth: I have the exact same configuration and I am pretty happy with it.

lucas commented Nov 27, 2015

Thanks @peckrob, I wasn't familiar with SNI! That should make it much more feasible than I thought :)

Happy Thanksgiving guys

HTTPS on GitHub Pages is something I'd personally _love_ to see happen, and I've been keeping an eye on tech that will make this more viable than it might have been in the past - such as Let's Encrypt for certificate issuance and the ssl_certificate_by_lua feature of ngx_lua so we can dynamically serve up the right certificate based on the SNI hostname in the TLS handshake.

That said, there's still a bunch of really complex problems that mean this is still hard. We'd need to store a significant amount of highly sensitive key material as securely as possible while still allowing our Pages Frontends to look them up dynamically on every request. Currently we terminate TLS at our load balancer tier - we'd need to push that back into the Pages Frontend tier so that our router can do it dynamically. GitHub Pages is also currently fronted by a CDN which further complicates this problem.

I cannot promise anything or give any timeframe right now, but HTTPS on Pages is something that we've been thinking hard about for a while. We know how important HTTPS is - it's just one of those problems that's quite complex and requires a lot of time and great care to solve.

I thought github.io used cloudflare as it stands... even then, if there is a peering connection directly https from cloudflare to github it is probably less of a concern.

"A freelancer with spare time" - I always wanted to be one! 😅

as1ndu commented Nov 27, 2015

it already supports it!!! 😄 check out my blog https://as1ndu.github.io

wnda commented Nov 27, 2015

DigitalOcean is not that expensive.

sneak commented Nov 27, 2015

if you CNAME your domain on cloudflare to GitHub pages using a username.github.io domain, it sends the Host header of the custom domain and github doesn't serve it. the TLS on the username.github.io pages resultantly only works when you are using the *.github.io URL, not if you have cloudflare fronting different TLS.

the only way rn to make it work is to create a CNAME file and have GitHub serve unencrypted to cloudflare, which I don't find to be a problem as it's a static site.

@sneak, technically you could use a Page Rule to re-write the header (requires Enterprise plan, however): https://support.cloudflare.com/hc/en-us/articles/206652947-Using-Page-Rules-to-Re-Write-Host-Headers.

NetRat commented Dec 7, 2015

+1

merikan commented Dec 21, 2015

+1

quicoto commented Jan 7, 2016

+1

+1

manzato commented Jan 26, 2016

+1

reederz commented Jan 29, 2016

👍

+1

enjikaka commented Feb 1, 2016

👍

+1

willin commented Feb 5, 2016

+1

eligrey commented Feb 5, 2016

👍

cben commented Feb 9, 2016

@charliesome If HTTPS on custom domains is hard, perhaps start by officially supporting HTTPS on *.github.io?
That uses just one wildcard cert, avoiding most of the complexity, and in fact that already works;
IIUC the only missing piece is that it's currently insecure between GitHub and your CDN?

suvozit commented Feb 10, 2016

🍺

zixia commented Feb 20, 2016

👍

dpjanes commented Feb 21, 2016

+1

👍

+1

👍

👍

dalbelap commented Mar 3, 2016

👍

👍

nubela commented Mar 7, 2016

Full disclosure: I work at Kloudsec.

Kloudsec auto-provisions and auto-renews LetsEncrypt certs for Github Pages with custom domains. See Kloudsec for Github Pages.

Kloudsec is a minimal CDN (open) platform. As an open platform, we implemented LetsEncrypt CA to auto-provision/auto-renew SSL certs. Just enable the One-click Encryption plugin.

To use, you only need to update your custom domain DNS records to point to our CDN's IP address. (Unlike Cloudflare, you can keep your nameservers)


Simply, Kloudsec for Github Pages solves the 2 biggest issues with custom domains on Github pages:

  1. No CDN support for apex domains
  2. No HTTPS for custom domains

You also get all the other plugins for free:

  • Page Optimizer (Pagespeed optimisations)
  • Service Doctor (Performance Analytics)

We have a public Telegram chat group for Kloudsec if you need help

DerfOh commented Mar 8, 2016

👍

mozey commented Mar 8, 2016

+1

stefek99 commented Mar 8, 2016

Internet is a small place.

Literally today I've received an email from @nubela

Anyways, I found that Github Page at stefek99/htmlshell has a custom domain, and I was wondering if I can help you get it to HTTPS with a LetsEncrypt cert? (for free, of course!)

I work at Kloudsec (a free and minimal CDN for programmers) and I just built this tool to provision LetsEncrypt certs for github pages.

I wasn't sold on the CDN offering as GitHub pages are already using CDN but now... Searching for let's encrypt github pages leads me here and I see the Kloudsec again :)

Yep, internet is a small place.

DerfOh commented Mar 9, 2016

@stefek99 Same here but I plus one'd the page too, I'm thinking there is some sort of bot watching this page or something...

vukor commented Mar 10, 2016

+1

Well, I got the email too from Kloudsec and found this link. It does work really well. Got https://metaskills.net all setup in a few minutes. Two easy DNS records and it worked like a champ. I did get SSL warnings for the first half hour or so, but smoothed out eventually.

👍

holys commented Mar 12, 2016

@nubela thank you !

👍

hacdias commented Mar 16, 2016

+1

itzo commented Mar 19, 2016

+1

PG2000 commented Mar 20, 2016

+1

+1
PLEASE.

luxifer commented Mar 29, 2016

👍

👍

begriffs commented Apr 3, 2016

👍

azizur commented Apr 3, 2016

👍

azizur commented Apr 3, 2016

Everyone who has put a 👍 on here should visit isaacs/github#156 and cast your vote on that issue.

👍

👍

shea256 commented Apr 18, 2016

👍

We need this! GitLab Pages supports it: https://gitlab.com/gitlab-org/gitlab-ee/issues/134

Now that GitLab has it, I guess it's time to say goodbye to GitHub pages. They even have free private repos.

👍

tinchou commented Apr 26, 2016

You can use CloudFlare, they provide free DNS and free SSL. This guy has a good tutorial.

https://github.com/samuelcolvin/nginx-pages

Very cheap, open source alternative to github pages.

gitlab supports pages with ssl certificate out of private repos

👍 🐱

👍

willin commented Jun 2, 2016

+1

+1

nhatbui commented Jun 4, 2016

+1000

Yes, please!

👍

👍 would be awesome

sebasjm commented Jun 21, 2016

👍

+1
neocitiesbackend

rajsite commented Jun 23, 2016

👍 ✨ ✨

👍

vuolter commented Jun 26, 2016

😍

tcasey commented Jun 27, 2016

+1

👍

👍

👍

👍

For those reading about Kloudsec - it's shutting down in Aug 2016 :(

hemache commented Jul 11, 2016

👍

👍

+1

👍

+1, I am also waiting on Let's Encrypt @letsencrypt for IDN support

tdurand commented Jul 20, 2016

👍

mayanez commented Jul 24, 2016

+1

+1

Ybrin commented Jul 31, 2016

+1

bash commented Aug 3, 2016

+1

+1

leog commented Aug 15, 2016

+1

+1

h0tbird commented Aug 27, 2016

+1

+1

+1

+1

Github Pages now support HTTPS out of the box: https://github.com/blog/2186-https-for-github-pages

@brettwise this is about custom domains

nhantdn commented Sep 14, 2016

👍

leksak commented Sep 14, 2016

+1

+1

+1

aud commented Sep 16, 2016

+1

+1

👍

dwavid commented Sep 24, 2016

+1

👍

👍

👍

koppor commented Oct 8, 2016

Here is the information on kloudsec's shutdown: https://www.reddit.com/r/webdev/comments/4s3kmf/got_an_email_saying_that_kloudsec_will_be/

As I feel unsecure about CloudFlare, I'm currently thinking of buying a 3$/month box at scaleway, use let's encrypt and nginx as proxy (http://serverfault.com/q/583374/107832 seems to be a good start for the configuration). Should be enough for low-traffic sites.

👍

ngunner commented Oct 21, 2016

+1

👍

+1 for https on custom domains

morugu commented Nov 9, 2016

+1

+1

+1

👍 HTTPS / SSL for a custom domain on GitHub Pages is really needed!

hobson commented Nov 20, 2016

+1

eppfel commented Nov 28, 2016

👍

+1

👍

+1

Github needs an API for managing certificates used with Github Pages!

👍

lockie commented Dec 16, 2016

👍

tim-hub commented Dec 21, 2016

Github support

dstroot commented Dec 25, 2016

👍

tjespe commented Jan 1, 2017

+1

proweb commented Jan 3, 2017

+1

rflmyk commented Jan 4, 2017

+1

Natim commented Jan 6, 2017

In the meantime I did use https://netlify.com/ to do so.

+1 @github, why not?

As stated earlier in the thread, there's overhead involved with handling certs for millions of sites.

For all the folks saying +1 to this, I wonder if you are paying users or using the free services as most of us are?

If you are using the service for free, would you be willing to pay github, say $1/month, to have your custom domain use HTTPS? Or even $5/yr to have custom domain on HTTPS?

I ask because I wonder if github did offer the service but charged for it, how many people would complain that they had to pay?

For the record, I use the services freely, I would appreciate having HTTPS on my custom domain, and yes, I would pay to have it.

@managedkaos — Yes I pay for Github. Yes I would pay additional for SSL. Selling my clients on $1 a month (or $20 a year for that matter) would be painless.

Proper HTTPS for GitHub pages is something worth paying for.

@managedkaos > I'm convinced that a growing number of users want private repositories for their GitHub pages with TLS for their custom domains and therefore adding that to the 'Personal plan' for US$ 7 per month could make sense. However as others already have mentioned, there are alternatives where either functionality is meanwhile provided cost-free.

I really enjoyed using GitHub (since 2011). It was super useful to me and I probably wouldn't mind paying. Students could make use of such functionality cost-free with the 'Student Developer Pack' because that already includes a one year SSL certificate.

+1

I would be willing to pay! I'm a free user right now, but I would pay upfront for the year and have it automatically renew.

smaury commented Feb 6, 2017

+1

+1 :)

mattes commented Feb 12, 2017

Not willing to pay for HTTPS in 2017. But def a +1.

If Squarespace can. Github can too!

At Squarespace, we believe we are responsible for providing a platform on which customers and their visitors can be assured a secure browsing experience.

https://engineering.squarespace.com/blog/2016/implementing-ssl-tls-for-all-squarespace-sites Let's encrypt all the way.

nelyj commented Feb 12, 2017

+1

gtzilla commented Feb 14, 2017

I dunno if github reads this post and laughs or actually considers it when working on their product roadmap, but I would agree with all +1s and also say I would happily pay $5-12 a year to have SSL with a custom CNAME for a given domain.

vittau commented Feb 14, 2017

+1!

+1

+1!
:)

+1

+1 :)

+1. I am currently using CloudFlare to provide my GitHub Pages site over HTTPS on a custom domain - at least it looks secure as far as the user's browser is concerned. It would be great if GitHub Pages itself would support HTTPS on custom domains though.

aykut78 commented Feb 24, 2017

+1 :)

+1

jans23 commented Feb 27, 2017

+1

xqus commented Mar 1, 2017

+1

+1

+1

exeleon commented Mar 8, 2017

+1

+1

+1

Areso commented Mar 12, 2017

C'mon, GitHub, do it already!

👍 +1

enreeco commented Mar 17, 2017

++

dev4223 commented Mar 22, 2017

+1

+1

👍

tarpey commented Mar 27, 2017

+1

Please, please, please! 👍

jvke commented Mar 28, 2017

👍

mutley commented Mar 29, 2017

+1

morgan commented Mar 30, 2017

👍

FYI: Offered to implement it for them, they just replied with:

Hello Samuel,

We are very interested in adding HTTPS for custom pages, right now we are mostly waiting on our CDN provider to finish their end before we can move forward.

Regards,
Daniel
@danayel
GitHub Support

bithavoc commented Apr 2, 2017

👍

+1

gatezh commented Apr 3, 2017

+1

inka commented Apr 3, 2017

+1

+1

+1

entipe commented Apr 14, 2017

+1

+1

kwaxi commented Apr 17, 2017

+1

gsidhu commented Apr 18, 2017

+1

FooSoft commented Apr 23, 2017

+1

+1

Sasoon commented May 1, 2017

+1

ligi commented May 5, 2017

+1

May we get an update? Thanks in advance!

+1

👍

👍

ckerr commented May 11, 2017

+1

👍

clarketm commented Jun 1, 2017

+1

maximko commented Jun 2, 2017

+1

kerim commented Jun 7, 2017

+1

👍

linuxsec commented Jun 9, 2017

really need this

+1

dhowe commented Jun 23, 2017

+1

und3rc commented Jun 27, 2017

+1

uglow commented Jun 29, 2017

+1

lukas-h commented Jul 2, 2017

+1

niryariv commented Jul 3, 2017

+1

👍

+1

+1

ayghor commented Jul 21, 2017

+1

+99999999999999999999999999999999999999

akyag commented Jul 28, 2017

+1

linuxtm commented Aug 3, 2017

+1

berglh commented Aug 6, 2017

👍

ArtursO commented Aug 6, 2017

+1

+1

nmhnmh commented Aug 21, 2017

+1, It would be great if github pages could provide easy-to-use custom domain ssl like google firebase hosting. This really involves a lot, first they need to verify the domain ownership, then they need to issue the certificate (firebase hosting issues certificate on their own) or get it from partners (maybe let's encrypt), then they need to securely rotate/store/backup/serve these certificates for so many custom domains.

thecb4 commented Aug 21, 2017

GitLab does it. Surprised that Github still doesn't.

https://about.gitlab.com/2016/04/07/gitlab-pages-setup/

+1

+1

edap commented Aug 24, 2017

+1

kion-dgl commented Sep 3, 2017

+1

liuyigh commented Sep 4, 2017

+1

👍

dkugappi commented Sep 13, 2017

Ok this thread goes back to Nov 2015... they still haven't done this. So I'm pretty sure they aren't planning on it, no matter how much users want it. But +1. Obviously.

+1

crivotz commented Sep 20, 2017

+1

Omosofe commented Sep 22, 2017

I'd pay for such a feature if Github was to charge.
Anyways, here's my +1

stifoon commented Sep 22, 2017

+1

+1

👍

@thecb4 👍, I think I'm going to move my site there - then I can have SSL!!!

afocke commented Oct 14, 2017

+1

dc402 commented Oct 21, 2017

+1

+1

+1

+1

ploth commented Oct 31, 2017

+1

robruma commented Nov 3, 2017

+1

dhowe commented Nov 5, 2017

+1

+1

abagayev commented Nov 9, 2017

+1
