Inaccurate Design

Enabling HTTPS because it's a Good Idea

Tuesday, 2 September 2014

Last night I finally enabled HTTPS on this site. Because why not? SSL is good (not foolproof, but good) and cheap. The hardest part was setting up Amazon CloudFront, since I host on S3, which doesn’t support HTTPS natively.

Things learnt:

  • You’ll probably need to convert all the certificates you get from your SSL provider to PEM format to work with CloudFront, depending on what format they’re supplied in. To upload them to Amazon IAM, you’ll need to use the AWS command-line tool. See the Amazon docs for more information.

  • Updating DNS records takes time. If you’re impatient like me, this will end in frustration with you smashing F5 until your domain resolves to your new CloudFront distribution.

  • Updating S3 bucket policies is almost instantaneous. Almost. Sometimes.

  • I still didn’t figure out a way to restrict access to the S3 bucket directly, but still allow CloudFront. All my attempts to restrict access blocked access through CloudFront also. This isn’t a big deal for me at the moment, but depending on your site it could be (you can still access it through the S3 domain name, which is non-HTTPS).

  • Make sure you have a way to invalidate files once you’re using CloudFront (I’m using jekyll-s3, which can do it automatically). Turn off all browser caching so you can make sure everything is working properly. Even so, I found it would take 10-15 minutes to invalidate a file, so make sure you’re aware of this when you plan updates (e.g. a new post). Even though the new page will be accessible straight away, your index page and other content pages might still need to wait to be updated.

  • I had to update the font import statements in my CSS files, as they were causing mixed-mode warnings. Your options here are either a) remove any non-HTTPS content totally, or b) update the content to be HTTPS.
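
A small checker for the mixed-content problem in the last item, added here as an example (it is not code from this site): it lists every `@import` and `url()` reference in a stylesheet that loads over plain `http://`, and can rewrite those references to `https://` (option b). The hostnames in the sample stylesheet are constructed, and the rewrite assumes the referenced hosts serve the same paths over HTTPS.

```python
import re

# url(...) tokens and @import strings: the two ways CSS pulls in a subresource.
CSS_REF = re.compile(
    r"""@import\s+(?:url\(\s*)?["']?(?P<imp>[^"')\s;]+)"""
    r"""|url\(\s*["']?(?P<url>[^"')\s]+)""",
    re.IGNORECASE,
)
COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

# Constructed sample stylesheet; hostnames are placeholders.
SAMPLE_CSS = """\
@import url(http://fonts.example.com/css?family=Lato);
/* @import url(http://old.example.com/unused.css); */
@font-face {
  font-family: "Body";
  src: url("//cdn.example.com/body.woff");
}
.logo { background: url(img/logo.png); }
.hero { background: url('HTTP://static.example.com/hero.jpg'); }
"""


def _blank_comments(css):
    # Replace each comment with only its newlines so line numbers stay correct.
    return COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), css)


def find_insecure(css):
    """Return [(line_number, url)] for each live reference loaded over http://."""
    body = _blank_comments(css)
    hits = []
    for m in CSS_REF.finditer(body):
        ref = m.group("imp") or m.group("url")
        if ref.lower().startswith("http://"):
            hits.append((body.count("\n", 0, m.start()) + 1, ref))
    return hits


def upgrade(css):
    """Rewrite http:// references (commented-out ones too) to https://."""
    def fix(m):
        ref = m.group("imp") or m.group("url")
        if not ref.lower().startswith("http://"):
            return m.group(0)  # relative, protocol-relative or already https
        return m.group(0).replace(ref, "https://" + ref[7:])
    return CSS_REF.sub(fix, css)
```

Protocol-relative (`//host/...`) and relative references are left alone because they inherit the page's scheme, so they load over HTTPS once the site does.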