@gerrowadat
Last active December 5, 2023 07:57
Moving an existing static website to gcloud

Steps for moving an existing static website to gcloud (GCS bucket with an LB in front of it)

Some of this is covered in the gcloud docs here - I add in the part about safely migrating your SSL cert.

This assumes you have an SSL cert chain and private key, similar to those issued by letsencrypt. In my case I'm moving from a VM running nginx and letsencrypt certs.

First, set up the bucket as described in the above docs, or do the auto update from hugo thing I describe in this gist

Make sure access is open: gcloud storage buckets add-iam-policy-binding gs://my-static-assets --member=allUsers --role=roles/storage.objectViewer

Assign specialty pages: gcloud storage buckets update gs://my-static-assets --web-main-page-suffix=index.html --web-error-page=404.html

There doesn't appear to be a straightforward way of creating your loadbalancer setup from the command line, so follow that part of the gcloud guide using clicky buttons: https://cloud.google.com/storage/docs/hosting-static-website#lb-ssl

  • Make sure to set up the frontend and backend parts, including creating a backend bucket pointing at your content bucket.
  • You can host multiple websites on a single lb! You'll need to set up routing rules, see the 'Routing rules for doing multiple websites' section below.

Once you have your loadbalancer set up, the usual way to get an SSL cert if you're starting from scratch is to point your DNS to the IP your loadbalancer got, and then wait anywhere from 30 minutes to forever for a magical SSL cert to be generated. Obviously for an existing website you don't want to do this.

The basic steps we're taking here are:

  1. Upload the SSL certs we have already so things will work right away.
  2. Re-point our DNS to the gcloud loadbalancer.
  3. Wait anywhere from a couple of minutes to forever for everyone's DNS to catch up.
  4. Request an automagical gcloud SSL cert, and wait for it to actually get generated.
  5. Switch to it, and remove your old ssl cert.

Uploading your ssl certs is pretty easy. Make sure they're not about to expire :-)

Assume you have your local cert and private key in fullchain.pem and privkey.pem

gcloud compute ssl-certificates create mydomain-ssl-letsencrypt --certificate=fullchain.pem --private-key=privkey.pem --global
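Before running the upload command above, it is worth confirming that the key belongs to the certificate, that the certificate is not about to expire, and that it covers the hostnames you are moving. The script below is an added example, not part of the original gist; the function names, return codes and the self-signed sample pair are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original gist): sanity-check a cert chain and key
# before handing them to `gcloud compute ssl-certificates create`.
# Function names, return codes and the sample domains are assumptions.

# check_cert_pair CHAIN KEY MIN_DAYS HOST...
#   1 = key does not belong to the leaf cert (or a file is unreadable)
#   2 = leaf cert expires within MIN_DAYS days
#   3 = a HOST is missing from the cert's DNS SANs (exact match, no wildcard logic)
check_cert_pair() {
  local chain=$1 key=$2 min_days=$3 cert_pub key_pub sans host
  shift 3
  # openssl x509 reads only the first PEM block, i.e. the leaf in fullchain.pem.
  cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match certificate" >&2; return 1
  fi
  if ! openssl x509 -in "$chain" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "certificate expires within $min_days days" >&2; return 2
  fi
  # Collect every DNS SAN entry, one per line.
  sans=$(openssl x509 -in "$chain" -noout -text | grep -o 'DNS:[^,[:space:]]*' || true)
  for host in "$@"; do
    if ! printf '%s\n' "$sans" | grep -Fxq "DNS:$host"; then
      echo "certificate has no SAN for $host" >&2; return 3
    fi
  done
}

# make_sample_pair DIR DAYS: constructed, self-signed test input (not a real cert).
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=mydomain.com" \
    -addext "subjectAltName=DNS:mydomain.com,DNS:www.mydomain.com" \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

# Usage: ./check.sh fullchain.pem privkey.pem 14 mydomain.com www.mydomain.com
if [ "$#" -ge 4 ]; then check_cert_pair "$@"; fi
```

A non-zero exit means the pair should not be uploaded as-is; the message on stderr says which of the three checks failed.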

Then, add it to your loadbalancer frontend config:

Run gcloud compute target-https-proxies list to find the list of https proxies. You'll see NAME and SSL_CERTIFICATES. When you update the proxy, make sure to also include the certificates already listed there, because --ssl-certificates replaces the whole list rather than adding to it. If this is your first site and cert, this will be blank.

gcloud compute target-https-proxies update blah-target-proxy --global --ssl-certificates=mydomain-ssl-letsencrypt --global-ssl-certificates

Maybe test if this looks OK by adding a hosts file entry locally and seeing if you get the right cert (and the right content!). If you're happy, update your DNS.

Wait! I suggest leaving it a day or so, because what's the rush?

Now that your DNS is updated, it's time to ask gcloud for a managed SSL cert.

gcloud compute ssl-certificates create mydomain-gen --domains=mydomain.com,www.mydomain.com --global

Google claims this should get generated in a few minutes, but I've seen it take hours. You can check back with:

gcloud compute ssl-certificates list

It should list the Certificate as 'ACTIVE' under the 'MANAGED_STATUS' heading. If it's not there yet, wait longer.

Once it's active, you should add it to your https proxy the same way you did your self-managed one. You should consider removing the self-managed one at the same time.

gcloud compute target-https-proxies update blah-target-proxy --global --ssl-certificates=mydomain-gen --global-ssl-certificates

gcloud compute ssl-certificates delete mydomain-ssl-letsencrypt

You're done! And with no pesky downtime.

Routing rules for doing multiple websites.

You can set up multiple buckets for different websites without having to have multiple LBs and IPs. If you do so, you'll need to set up 'routing rules' so that the lb knows what buckets service what domains and URLs. This is a separate configuration from SSL stuff/SNI.

There's a way of doing this with gcloud compute url-maps but it involves a serious amount of fuckology. The most straightforward way is clicky buttons (or I guess terraform will do it if you're a YAML savant).

First, add your new backend bucket, in the same way you did for your first one. Don't worry, traffic will default to the first one.

Now head to your loadbalancer config, click on 'Edit' on your https loadbalancer, then go to 'Routing Rules'. You want a 'Simple Host and Path Rule', and then enter your domain in 'Host' and '/*' in path (that might not be necessary, but it hasn't broken anything so shrug). Then assign what bucket you want to serve that domain in your rules. You can also set up some tests here if you feel like clicking around.

Once this is done, test and move on to uploading your SSL certs as above -- thankfully, you don't need to do too much fiddling with multiple certs on the one loadbalancer, it uses SNI to figure it out.
