Migrating an SSL site to CloudFlare
jessebuchanan.ca has run on AWS CloudFront for the past year. Today I renewed the certificate, and while I waited for the manual approval, I wondered whether I could get CloudFlare running in "5 minutes" as advertised.
I signed up for an account, and entered the
It grabbed all of my DNS records and loaded them into its wizard.
For a while, I was a bit stumped. What do I do? It seems horribly overengineered and fraught with peril to do a CloudFlare -> CloudFront -> AWS S3 setup.
I thought about it for a bit and decided to only replace the CloudFront piece, i.e. CloudFlare -> AWS S3.
This is not the most secure solution, since (AFAICT) S3 does not support HTTPS. So the connection between CloudFlare and the S3 bucket is "Flexible" (read: not encrypted). Fine, that doesn't bother me in this case.
NOTE: According to this ServerFault answer, it is possible to get HTTPS access to an S3 bucket by simply disabling "website hosting". But this complicates matters: the root no longer serves up index.html, so you'd have to add a Page Rule on CloudFlare for the root. This use case seems to make more sense for asset CDNs, where there's no concept of a "default page".
I want Cloudflare to act as a proxy to my site, so I found it a little strange that I had to use a CNAME to my S3 bucket.
I added a CNAME to jessebuchanan.ca.s3-website-us-east-1.amazonaws.com. (Nifty fact: CloudFlare supports a "virtual" CNAME at the apex/root. It performs the resolution itself and returns an A record. This is not standard DNS behaviour (read: proprietary); the same thing is known as an ANAME on DNSMadeSimple.)
It's a little counterintuitive at this point.
I clicked the "cloud icon", turning it from "grey cloud" to "orange cloud". This activates the proxying of traffic, which lets Page Rules work their magic.
Page Rules is where everything comes together. You get 3 on the free tier; we only need 2.
For www.jessebuchanan.ca/*, I enabled Forwarding (301), and set it to forward to
For http://jessebuchanan.ca/*, I enabled Always use HTTPS.
Aside: Originally I had set a rule for jessebuchanan.ca/* that set SSL to "Flexible", but that's not the same thing as "Always use HTTPS": I could still access the http:// site.
HTTP root redirects to HTTPS
$ curl --head http://jessebuchanan.ca
HTTP/1.1 301 Moved Permanently
Date: Tue, 05 May 2015 22:31:53 GMT
Connection: keep-alive
Set-Cookie: __cfduid=d211c5cc2f224f23648cad7cf30e2a5391430865113; expires=Wed, 04-May-16 22:31:53 GMT; path=/; domain=.jessebuchanan.ca; HttpOnly
Location: https://jessebuchanan.ca/
Server: cloudflare-nginx
CF-RAY: 1e1fe5eff6ee1870-EWR
HTTP URL redirects to HTTPS URL
$ curl --head http://jessebuchanan.ca/foo/bar/baz/qux
HTTP/1.1 301 Moved Permanently
Date: Tue, 05 May 2015 22:40:32 GMT
Connection: keep-alive
Set-Cookie: __cfduid=d5ffa859e11694f1b42843a4e99e3c0801430865632; expires=Wed, 04-May-16 22:40:32 GMT; path=/; domain=.jessebuchanan.ca; HttpOnly
Location: https://jessebuchanan.ca/foo/bar/baz/qux
Server: cloudflare-nginx
CF-RAY: 1e1ff29c6e670773-EWR
HTTP WWW URL redirects
$ curl --head http://www.jessebuchanan.ca/foo/bar/baz/qux
HTTP/1.1 301 Moved Permanently
x-amz-id-2: fCvJFyKuXcaqIj17zmB78L0MwRX1cmz11nKxCcER49lA5V+av85IDI6H40CF1Jo/
x-amz-request-id: FCC674DD29E3B61E
Date: Tue, 05 May 2015 22:41:20 GMT
Location: http://jessebuchanan.ca/foo/bar/baz/qux
Content-Length: 0
Server: AmazonS3

# okay, so it redirects to HTTP, which does...
$ curl --head http://jessebuchanan.ca/foo/bar/baz/qux
HTTP/1.1 301 Moved Permanently
Date: Tue, 05 May 2015 22:41:36 GMT
Connection: keep-alive
Set-Cookie: __cfduid=d400d4fe827388a76f853448b4431924f1430865696; expires=Wed, 04-May-16 22:41:36 GMT; path=/; domain=.jessebuchanan.ca; HttpOnly
Location: https://jessebuchanan.ca/foo/bar/baz/qux
Server: cloudflare-nginx
CF-RAY: 1e1ff42955e801ee-EWR
HTTPS WWW URL redirects
$ curl --head https://www.jessebuchanan.ca/foo/bar/baz/qux
HTTP/1.1 301 Moved Permanently
Server: cloudflare-nginx
Date: Tue, 05 May 2015 22:43:50 GMT
Connection: keep-alive
Set-Cookie: __cfduid=d2734b3a926a627b7664e753ddf6cc1301430865829; expires=Wed, 04-May-16 22:43:49 GMT; path=/; domain=.jessebuchanan.ca; HttpOnly
Location: https://jessebuchanan.ca/foo/bar/baz/qux
CF-RAY: 1e1ff76d793a0efd-EWR
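The curl checks above are the right idea, but reading the headers by eye makes it easy to miss the one weak spot they reveal: in the "HTTP WWW" case the first 301 comes from S3 (Server: AmazonS3) and points at http://jessebuchanan.ca/..., so the browser takes one more cleartext hop before CloudFlare's "Always use HTTPS" rule upgrades it. The script below is an added example, not code from the original post or from CloudFlare or AWS. It parses raw `curl --head` output and audits a redirect chain, flagging any redirect target that uses plain http:// and checking that the chain ends on https:// at the canonical host. The embedded responses are copied from the captures above; CANONICAL_HOST, REDIRECT_CODES, parse_head, audit_chain and audit_post_captures are names chosen for this example.

```python
"""Audit an HTTP redirect chain captured with `curl --head`.

Added example, not code from the original post. Given the raw response for
each hop, it reports whether the chain ever redirects through a cleartext
http:// URL and whether it ends on https:// at the canonical host.
"""
from urllib.parse import urljoin, urlsplit

CANONICAL_HOST = "jessebuchanan.ca"          # assumption: the host we expect to end on
REDIRECT_CODES = {301, 302, 303, 307, 308}   # statuses that carry a Location to follow


def parse_head(raw):
    """Parse `curl --head` text into (status_code, {lower-cased name: value}).

    Only the first colon splits a header line, so a value such as
    'Tue, 05 May 2015 22:41:36 GMT' keeps its own colons intact.
    """
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    version, code, *_ = lines[0].split()
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers


def audit_chain(start_url, raw_responses):
    """Walk the hops in order; the i-th response answers the i-th URL.

    The initial request is never counted as a cleartext hop (the client chose
    that URL); only redirect targets are. A non-redirect response ends the chain.
    """
    url = start_url
    cleartext_hops = []
    for raw in raw_responses:
        code, headers = parse_head(raw)
        if code not in REDIRECT_CODES or "location" not in headers:
            break
        target = urljoin(url, headers["location"])   # resolve relative Locations
        if urlsplit(target).scheme == "http":
            cleartext_hops.append(target)
        url = target
    parts = urlsplit(url)
    final_is_https = parts.scheme == "https"
    final_host_canonical = parts.hostname == CANONICAL_HOST
    return {
        "final_url": url,
        "cleartext_hops": cleartext_hops,
        "final_is_https": final_is_https,
        "final_host_canonical": final_host_canonical,
        "ok": final_is_https and final_host_canonical and not cleartext_hops,
    }


# Sample input: the responses captured in the post, hop by hop.
WWW_HTTP_HOP1 = """\
HTTP/1.1 301 Moved Permanently
x-amz-id-2: fCvJFyKuXcaqIj17zmB78L0MwRX1cmz11nKxCcER49lA5V+av85IDI6H40CF1Jo/
x-amz-request-id: FCC674DD29E3B61E
Date: Tue, 05 May 2015 22:41:20 GMT
Location: http://jessebuchanan.ca/foo/bar/baz/qux
Content-Length: 0
Server: AmazonS3
"""

WWW_HTTP_HOP2 = """\
HTTP/1.1 301 Moved Permanently
Date: Tue, 05 May 2015 22:41:36 GMT
Connection: keep-alive
Set-Cookie: __cfduid=d400d4fe827388a76f853448b4431924f1430865696; expires=Wed, 04-May-16 22:41:36 GMT; path=/; domain=.jessebuchanan.ca; HttpOnly
Location: https://jessebuchanan.ca/foo/bar/baz/qux
Server: cloudflare-nginx
CF-RAY: 1e1ff42955e801ee-EWR
"""

WWW_HTTPS_HOP1 = """\
HTTP/1.1 301 Moved Permanently
Server: cloudflare-nginx
Date: Tue, 05 May 2015 22:43:50 GMT
Connection: keep-alive
Set-Cookie: __cfduid=d2734b3a926a627b7664e753ddf6cc1301430865829; expires=Wed, 04-May-16 22:43:49 GMT; path=/; domain=.jessebuchanan.ca; HttpOnly
Location: https://jessebuchanan.ca/foo/bar/baz/qux
CF-RAY: 1e1ff76d793a0efd-EWR
"""


def audit_post_captures():
    """Audit the two www chains from the post; the HTTP one has a cleartext hop."""
    return {
        "http_www": audit_chain("http://www.jessebuchanan.ca/foo/bar/baz/qux",
                                [WWW_HTTP_HOP1, WWW_HTTP_HOP2]),
        "https_www": audit_chain("https://www.jessebuchanan.ca/foo/bar/baz/qux",
                                 [WWW_HTTPS_HOP1]),
    }


if __name__ == "__main__":
    for name, result in audit_post_captures().items():
        verdict = "ok" if result["ok"] else "cleartext hop(s): %s" % result["cleartext_hops"]
        print("%-9s -> %s (%s)" % (name, result["final_url"], verdict))
```

Running it reports the http_www chain as not OK because of the intermediate http://jessebuchanan.ca/... target, while the https_www chain passes. Both chains still land on https:// at the canonical host, which is what the Page Rules were set up to guarantee; the audit simply makes the extra unencrypted hop visible so you can decide whether the www bucket's own redirect should point at https:// instead.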