@jbinto
Last active July 27, 2018 10:29
Cloudflare migration

Migrating an SSL site to CloudFlare

Overview

jessebuchanan.ca has run on AWS CloudFront for the past year. Today I renewed the certificate, and while I waited for the manual approval, I wondered whether I could get CloudFlare running in "5 minutes" as advertised.

Signing up

I signed up for an account, and entered the jessebuchanan.ca domain.

It grabbed all of my DNS records and loaded it into their wizard.

For a while, I was a bit stumped. What do I do? It seems horribly overengineered and fraught with peril to do a CloudFlare -> CloudFront -> AWS S3 setup.

I thought about it for a bit and decided to only replace the CloudFront piece, e.g. CloudFlare -> AWS S3.

This is not the most secure solution, since (AFAICT) S3 does not support HTTPS. So the connection between CloudFlare and the S3 bucket is "Flexible" (read: not encrypted). Fine, that doesn't bother me in this case.

NOTE: According to this ServerFault answer, it is possible to get HTTPS access to an S3 bucket simply by disabling "website hosting". But this complicates matters: the root no longer serves up index.html, so you'd have to add a Page Rule on CloudFlare for the root. This use case seems to make more sense for asset CDNs, where there's no concept of a "default page".

DNS

I want Cloudflare to act as a proxy to my site, so I found it a little strange that I had to use a CNAME to my S3 bucket.

I added a CNAME for @ and www to jessebuchanan.ca.s3-website-us-east-1.amazonaws.com. (Nifty fact: CloudFlare supports a "virtual" CNAME at the apex/root. It will perform resolution and return an A record. This is not standard DNS behaviour (read: proprietary; also known as an ANAME on DNSMadeSimple).)

It's a little counterintuitive at this point.

I clicked the "cloud icon", turning it from "grey cloud" to "orange cloud". This activates the proxying of traffic, which lets Page Rules work their magic.

Page Rules

Page Rules is where everything comes together. You get 3 on the free tier. We only need 2.

For www.jessebuchanan.ca/*, I enabled Forwarding (301), and set it to forward to https://jessebuchanan.ca/$1.

For http://jessebuchanan.ca/*, I enabled Always use HTTPS.

Aside: Originally I had set a rule for jessebuchanan.ca/* that set SSL to "Flexible", but that's not the same thing as "Always use HTTPS". I could still access the http:// site.

Testing

HTTP root redirects to HTTPS

$ curl --head http://jessebuchanan.ca

HTTP/1.1 301 Moved Permanently
Date: Tue, 05 May 2015 22:31:53 GMT
Connection: keep-alive
Set-Cookie: __cfduid=d211c5cc2f224f23648cad7cf30e2a5391430865113; expires=Wed, 04-May-16 22:31:53 GMT; path=/; domain=.jessebuchanan.ca; HttpOnly
Location: https://jessebuchanan.ca/
Server: cloudflare-nginx
CF-RAY: 1e1fe5eff6ee1870-EWR

HTTP URL redirects to HTTPS URL

$ curl --head http://jessebuchanan.ca/foo/bar/baz/qux

HTTP/1.1 301 Moved Permanently
Date: Tue, 05 May 2015 22:40:32 GMT
Connection: keep-alive
Set-Cookie: __cfduid=d5ffa859e11694f1b42843a4e99e3c0801430865632; expires=Wed, 04-May-16 22:40:32 GMT; path=/; domain=.jessebuchanan.ca; HttpOnly
Location: https://jessebuchanan.ca/foo/bar/baz/qux
Server: cloudflare-nginx
CF-RAY: 1e1ff29c6e670773-EWR

HTTP WWW URL redirects

$ curl --head http://www.jessebuchanan.ca/foo/bar/baz/qux

HTTP/1.1 301 Moved Permanently
x-amz-id-2: fCvJFyKuXcaqIj17zmB78L0MwRX1cmz11nKxCcER49lA5V+av85IDI6H40CF1Jo/
x-amz-request-id: FCC674DD29E3B61E
Date: Tue, 05 May 2015 22:41:20 GMT
Location: http://jessebuchanan.ca/foo/bar/baz/qux
Content-Length: 0
Server: AmazonS3

# okay, so it redirects to HTTP, which does...

$ curl --head http://jessebuchanan.ca/foo/bar/baz/qux

HTTP/1.1 301 Moved Permanently
Date: Tue, 05 May 2015 22:41:36 GMT
Connection: keep-alive
Set-Cookie: __cfduid=d400d4fe827388a76f853448b4431924f1430865696; expires=Wed, 04-May-16 22:41:36 GMT; path=/; domain=.jessebuchanan.ca; HttpOnly
Location: https://jessebuchanan.ca/foo/bar/baz/qux
Server: cloudflare-nginx
CF-RAY: 1e1ff42955e801ee-EWR
HTTPS WWW URL redirects

$ curl --head https://www.jessebuchanan.ca/foo/bar/baz/qux

HTTP/1.1 301 Moved Permanently
Server: cloudflare-nginx
Date: Tue, 05 May 2015 22:43:50 GMT
Connection: keep-alive
Set-Cookie: __cfduid=d2734b3a926a627b7664e753ddf6cc1301430865829; expires=Wed, 04-May-16 22:43:49 GMT; path=/; domain=.jessebuchanan.ca; HttpOnly
Location: https://jessebuchanan.ca/foo/bar/baz/qux
CF-RAY: 1e1ff76d793a0efd-EWR
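The curl transcripts above are easy to read by hand for four URLs, but the interesting finding is buried in the third one: the http://www request is answered by S3, whose Location header points at http:// (not https://), so a visitor who types the www address makes two plaintext requests before CloudFlare finally upgrades them. The script below is an added example (not part of the original gist) that walks a redirect chain hop by hop and reports exactly that kind of exposure: every redirect target fetched over http://, any https -> http downgrade, loops, and whether the chain ends on HTTPS. The constructed_fetch table is built from the gist's own curl output (the 200 at the final URL is assumed); live_fetch is a hypothetical helper, built on urllib with redirects disabled, for running the same audit against a real host.

```python
"""Audit an HTTP redirect chain for plaintext hops.

Added example, not code from the original gist. The CONSTRUCTED table
mirrors the gist's curl transcripts (hostnames taken from it); the final
200 response is assumed. live_fetch() is a hypothetical helper for running
the same audit against a real host.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop is observed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """HEAD one URL; return (status, lower-cased headers) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as e:  # with redirects disabled, 3xx lands here too
        return e.code, {k.lower(): v for k, v in e.headers.items()}


# Constructed responses mirroring the gist's curl output (not live data).
CONSTRUCTED = {
    "http://www.jessebuchanan.ca/foo/bar/baz/qux":
        (301, {"server": "AmazonS3",
               "location": "http://jessebuchanan.ca/foo/bar/baz/qux"}),
    "http://jessebuchanan.ca/foo/bar/baz/qux":
        (301, {"server": "cloudflare-nginx",
               "location": "https://jessebuchanan.ca/foo/bar/baz/qux"}),
    "https://www.jessebuchanan.ca/foo/bar/baz/qux":
        (301, {"server": "cloudflare-nginx",
               "location": "https://jessebuchanan.ca/foo/bar/baz/qux"}),
    # Assumed: the final HTTPS URL answers 200 (the gist never fetches it).
    "https://jessebuchanan.ca/foo/bar/baz/qux":
        (200, {"server": "cloudflare-nginx"}),
}


def constructed_fetch(url):
    """Offline stand-in for live_fetch, backed by the constructed table."""
    return CONSTRUCTED[url]


def audit_redirect_chain(start_url, fetch=live_fetch, max_hops=10):
    """Follow redirects one hop at a time and summarise the chain's plaintext exposure."""
    hops = []             # (url, status, server) for every request made
    plaintext_hops = []   # redirect targets that were then fetched over http://
    downgrade = False     # did any hop go https:// -> http://?
    loop = False
    final_url = None
    url = start_url
    seen = set()
    while len(hops) < max_hops:
        if url in seen:
            loop = True
            break
        seen.add(url)
        status, headers = fetch(url)
        hops.append((url, status, headers.get("server", "")))
        if status not in REDIRECT_STATUSES or "location" not in headers:
            final_url = url  # terminal response: not a redirect (or a broken one)
            break
        nxt = urljoin(url, headers["location"])  # Location may be relative
        if urlparse(nxt).scheme == "http":
            plaintext_hops.append(nxt)
            if urlparse(url).scheme == "https":
                downgrade = True
        url = nxt
    return {
        "hops": hops,
        "final_url": final_url,
        "ends_on_https": final_url is not None and urlparse(final_url).scheme == "https",
        "plaintext_hops": plaintext_hops,
        "downgrade": downgrade,
        "loop": loop,
    }


if __name__ == "__main__":
    for start in ("http://www.jessebuchanan.ca/foo/bar/baz/qux",
                  "https://www.jessebuchanan.ca/foo/bar/baz/qux"):
        report = audit_redirect_chain(start, fetch=constructed_fetch)
        print(start, "->", report["final_url"])
        print("  plaintext redirect hops:", report["plaintext_hops"])
        print("  ends on https:", report["ends_on_https"])
```

Run against the constructed table, the http://www chain reports one plaintext redirect hop (the S3-issued Location to http://jessebuchanan.ca/...) while still ending on HTTPS; the https://www chain reports none. Pass fetch=live_fetch (the default) to audit a real host after changing Page Rules, and treat a non-empty plaintext_hops or downgrade=True as a regression.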