grantmakers/grantmakers.github.io

Infrastructure - GitHub Pages now supports HTTPS

Closed this issue · 1 comments

Already using Cloudflare to encrypt the user <=> Cloudflare connection, but GitHub Pages now offers an encrypted connection from the GP origin.

https://blog.github.com/2018-05-01-github-pages-custom-domains-https/

  • Update A records - remove old two and enter new four (docs)
  • Cloudflare > Crypto > Set SSL - Select Full SSL (not strict)
  • Remove existing custom domain in GitHub repo settings - be sure to click "Save" (docs)
  • Re-add custom domain in settings to trigger the HTTPS setup process on GitHub's end
  • Ensure CNAME automatically updated
  • Check Enforce HTTPS (when available)
  • In profiles repo, check Enforce HTTPS

Note: Had to turn off HTTP proxy at Cloudflare to trigger SSL cert provisioning at GitHub (otherwise never gets past initial "domain not properly configured" stage)

GitHub Pages IP Addresses (for A records)

185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153

Tests

Note: It appears GitHub is unable to update the certificate when the Cloudflare HTTP/DNS proxy setting is ON (e.g. shows the orange "proxied" icon in the DNS dashboard). The fix was to switch back to DNS Only, then go to the repo settings on GitHub. The Enforce HTTPS option was indeed available. Checking this resulted in the green message correctly stating "Your site is published at https://www.customdomain.com".

Then went back to Cloudflare settings and switched the proxy back on.

The connection is now secure b/w visitors <=> Cloudflare, and now Cloudflare <=> GH Pages when Cloudflare needs to hit the origin servers.

Clarification: Using a Cloudflare Page Rule to force https on the visitor <=> Cloudflare side, and SSL is set to Full (not Full Strict)
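
A pre-flight check for the DNS state described in the notes above, as an added example that is not part of the original issue: it classifies the A records a public resolver returns for the custom domain, so you can confirm the domain is DNS-only and on the four new addresses before re-adding it in the repo settings. The function names, status labels and the 203.0.113.x sample addresses are constructed for illustration.

```python
import socket

# The four GitHub Pages A-record addresses listed in the issue above.
GITHUB_PAGES_A = frozenset({
    "185.199.108.153", "185.199.109.153",
    "185.199.110.153", "185.199.111.153",
})

def classify_a_records(answers):
    """Classify the A records publicly visible for the custom domain."""
    answers = {a.strip() for a in answers}
    if not answers:
        return "no-records"
    missing = GITHUB_PAGES_A - answers   # new addresses not yet published
    extra = answers - GITHUB_PAGES_A     # anything that is not GitHub Pages
    if not missing and not extra:
        return "ready"             # DNS only, all four records: cert can provision
    if not extra:
        return "incomplete"        # only some of the four new records entered
    if missing != GITHUB_PAGES_A:
        return "stale-mixed"       # old records still published beside new ones
    return "proxied-or-other"      # no GitHub address visible, e.g. proxy is ON

def resolve_a(hostname):
    """Live lookup through the system resolver (needs network access)."""
    infos = socket.getaddrinfo(hostname, 443, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

# Constructed sample answers; 203.0.113.0/24 is a documentation range standing
# in for proxy edge addresses and for leftover old records.
SAMPLES = {
    "dns-only, four new records": sorted(GITHUB_PAGES_A),
    "proxy switched on": ["203.0.113.10", "203.0.113.11"],
    "two of four entered": ["185.199.108.153", "185.199.109.153"],
    "old record not removed": sorted(GITHUB_PAGES_A) + ["203.0.113.50"],
}

def check_samples():
    return {name: classify_a_records(ips) for name, ips in SAMPLES.items()}

if __name__ == "__main__":
    for name, status in check_samples().items():
        print(f"{name:28s} -> {status}")
    # For a live check: print(classify_a_records(resolve_a("example.org")))
```

Only the "ready" state matches the condition under which the Enforce HTTPS option became available in the notes above; run the live check from outside the network so the answer reflects public DNS.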