jessebuchanan.ca has run on AWS CloudFront for the past year. Today I renewed the certificate, and while I waited for the manual approval, I wondered whether I could get CloudFlare running in "5 minutes" as advertised.
I signed up for an account, and entered the jessebuchanan.ca domain.
It grabbed all of my DNS records and loaded it into their wizard.
For a while, I was a bit stumped. What do I do? It seems horribly overengineered and fraught with peril to do a CloudFlare -> CloudFront -> AWS S3 setup.
I thought about it for a bit and decided to only replace the CloudFront piece, e.g. CloudFlare -> AWS S3.
This is not the most secure solution, since (AFAICT) S3 does not support HTTPS. So the connection between CloudFlare and the S3 bucket is "flexible" (read: not encrypted). Fine, that doesn't bother me in this case.
NOTE: According to this ServerFault answer, it is possible to get HTTPS access to an S3 bucket by simply disabling "website hosting". But this complicates matters, as the root no longer serves up index.html; you'd have to add a Page Rule on CloudFlare for the root. Seems like this use case makes more sense for asset CDNs where there's no concept of a "default page".
I want Cloudflare to act as a proxy to my site, so I found it a little strange that I had to use a CNAME to my S3 bucket.
I added a CNAME for @ and www to jessebuchanan.ca.s3-website-us-east-1.amazonaws.com. (Nifty fact: CloudFlare supports a "virtual" CNAME at the apex/root. It will perform the resolution itself and return an A record. This is not standard DNS behaviour (read: proprietary, also known as an ANAME on DNSMadeSimple).)
It's a little counterintuitive at this point.
I clicked the "cloud icon", turning it from "grey cloud" to "orange cloud". This activates the proxying of traffic, which lets Page Rules work their magic.
Page Rules is where everything comes together. You get 3 on the free tier. We only need 2.
For www.jessebuchanan.ca/*, I enabled Forwarding (301), and set it to forward to https://jessebuchanan.ca/$1.
For http://jessebuchanan.ca/*, I enabled Always use HTTPS.
Aside: Originally I had set a rule for jessebuchanan.ca/*
that set SSL to "Flexible", but that's not the same thing as "Always use HTTPS". I could still access the http:// site.
$ curl --head http://jessebuchanan.ca
HTTP/1.1 301 Moved Permanently
Date: Tue, 05 May 2015 22:31:53 GMT
Connection: keep-alive
Set-Cookie: __cfduid=d211c5cc2f224f23648cad7cf30e2a5391430865113; expires=Wed, 04-May-16 22:31:53 GMT; path=/; domain=.jessebuchanan.ca; HttpOnly
Location: https://jessebuchanan.ca/
Server: cloudflare-nginx
CF-RAY: 1e1fe5eff6ee1870-EWR
$ curl --head http://jessebuchanan.ca/foo/bar/baz/qux
HTTP/1.1 301 Moved Permanently
Date: Tue, 05 May 2015 22:40:32 GMT
Connection: keep-alive
Set-Cookie: __cfduid=d5ffa859e11694f1b42843a4e99e3c0801430865632; expires=Wed, 04-May-16 22:40:32 GMT; path=/; domain=.jessebuchanan.ca; HttpOnly
Location: https://jessebuchanan.ca/foo/bar/baz/qux
Server: cloudflare-nginx
CF-RAY: 1e1ff29c6e670773-EWR
$ curl --head http://www.jessebuchanan.ca/foo/bar/baz/qux
HTTP/1.1 301 Moved Permanently
x-amz-id-2: fCvJFyKuXcaqIj17zmB78L0MwRX1cmz11nKxCcER49lA5V+av85IDI6H40CF1Jo/
x-amz-request-id: FCC674DD29E3B61E
Date: Tue, 05 May 2015 22:41:20 GMT
Location: http://jessebuchanan.ca/foo/bar/baz/qux
Content-Length: 0
Server: AmazonS3
# okay, so it redirects to HTTP, which does...
$ curl --head http://jessebuchanan.ca/foo/bar/baz/qux
HTTP/1.1 301 Moved Permanently
Date: Tue, 05 May 2015 22:41:36 GMT
Connection: keep-alive
Set-Cookie: __cfduid=d400d4fe827388a76f853448b4431924f1430865696; expires=Wed, 04-May-16 22:41:36 GMT; path=/; domain=.jessebuchanan.ca; HttpOnly
Location: https://jessebuchanan.ca/foo/bar/baz/qux
Server: cloudflare-nginx
CF-RAY: 1e1ff42955e801ee-EWR
$ curl --head https://www.jessebuchanan.ca/foo/bar/baz/qux
HTTP/1.1 301 Moved Permanently
Server: cloudflare-nginx
Date: Tue, 05 May 2015 22:43:50 GMT
Connection: keep-alive
Set-Cookie: __cfduid=d2734b3a926a627b7664e753ddf6cc1301430865829; expires=Wed, 04-May-16 22:43:49 GMT; path=/; domain=.jessebuchanan.ca; HttpOnly
Location: https://jessebuchanan.ca/foo/bar/baz/qux
CF-RAY: 1e1ff76d793a0efd-EWR
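The curl transcript above checks each entry point by hand. The script below is an added example (not code from the original post) that automates the same audit: it follows a redirect chain hop by hop and flags any hop that lands on a plaintext http:// URL, which is exactly what happens for http://www above (S3 answers first and redirects to http://jessebuchanan.ca before CloudFlare upgrades it). The responses it replays are constructed from the transcript; the `live_fetch` helper and its use of urllib are my own and can be passed in to run the audit against a real host.

```python
"""Redirect-chain audit for an http->https / www->apex setup.

Added example, not the post's own code. `replay_fetch` answers from
constructed sample responses modelled on the curl output; `live_fetch`
does a real HEAD request (network) and can be swapped in via the `fetch`
argument of follow_chain().
"""
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

# Constructed sample responses keyed by (scheme, host): (status, Location).
# They mirror the transcript: CloudFlare fronts the apex and https://www,
# while S3 itself answers plain http://www and redirects to http://apex.
SAMPLE_RESPONSES = {
    ("http", "jessebuchanan.ca"): (301, "https://jessebuchanan.ca{path}"),
    ("http", "www.jessebuchanan.ca"): (301, "http://jessebuchanan.ca{path}"),
    ("https", "www.jessebuchanan.ca"): (301, "https://jessebuchanan.ca{path}"),
    ("https", "jessebuchanan.ca"): (200, None),
}


def replay_fetch(url):
    """Offline fetcher: return (status, location) from SAMPLE_RESPONSES."""
    parts = urlsplit(url)
    status, template = SAMPLE_RESPONSES[(parts.scheme, parts.netloc)]
    location = template.format(path=parts.path or "/") if template else None
    return status, location


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Stop urllib from following redirects so every hop is observed.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """Live fetcher (uses the network): HEAD a URL, return (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx are raised by urllib
        return err.code, err.headers.get("Location")


def follow_chain(url, fetch=replay_fetch, max_hops=5):
    """Return the list of URLs visited, starting at `url`, up to the first non-3xx."""
    chain = [url]
    while len(chain) <= max_hops:
        status, location = fetch(chain[-1])
        if not (300 <= status < 400) or not location:
            return chain
        # Location may be relative; resolve it against the current URL.
        chain.append(urljoin(chain[-1], location))
    raise RuntimeError(f"more than {max_hops} redirects starting at {url}")


def audit_chain(chain, canonical_host="jessebuchanan.ca"):
    """Return findings for a redirect chain; an empty list means it is clean."""
    findings = []
    for src, dst in zip(chain, chain[1:]):
        src_scheme, dst_scheme = urlsplit(src).scheme, urlsplit(dst).scheme
        if src_scheme == "https" and dst_scheme == "http":
            findings.append(f"downgrade: {src} -> {dst}")
        elif dst_scheme == "http":
            findings.append(f"redirect to plaintext URL: {src} -> {dst}")
    final = urlsplit(chain[-1])
    if final.scheme != "https":
        findings.append(f"final hop is not https: {chain[-1]}")
    if final.netloc != canonical_host:
        findings.append(f"final host is {final.netloc}, expected {canonical_host}")
    return findings


if __name__ == "__main__":
    for entry in ("http://jessebuchanan.ca/foo/bar/baz/qux",
                  "http://www.jessebuchanan.ca/foo/bar/baz/qux",
                  "https://www.jessebuchanan.ca/foo/bar/baz/qux"):
        chain = follow_chain(entry)
        print(" -> ".join(chain))
        for finding in audit_chain(chain) or ["clean"]:
            print("   ", finding)
```

Run it as-is to replay the transcript, or call `follow_chain(url, fetch=live_fetch)` to audit a live host. The one finding it raises on the sample data is the http://www entry point: S3 sends the visitor to http://jessebuchanan.ca before CloudFlare's "Always use HTTPS" rule takes over, so that path has one more plaintext hop than the others. Also adding www.jessebuchanan.ca to the "Always use HTTPS" rule (or pointing the www record's rule at https directly) would remove it.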