Previously, bobuhiro11.net and blog.bobuhiro11.net were served from a server I managed myself. However, since both are static sites, I don’t necessarily need to manage the infrastructure myself, so to make things easier, I decided to serve them using GitHub Pages from now on. After investigating, I found that GitHub Pages allows custom domains but cannot serve via HTTPS. Therefore, I placed a CDN capable of SSL termination in front of GitHub Pages. There are several CDNs that can handle SSL termination, but this time I chose Cloudflare, which can be used for free. Cloudflare also has DNS functionality, so I migrated bobuhiro11.net registered with Onamae.com and its subdomains to Cloudflare. In summary, the setup is as follows:

  • Onamae.com: Domain registry
  • Cloudflare: DNS and CDN (SSL termination)
  • GitHub Pages: Static site build and HTTP delivery

GitHub Configuration

  • Created two private repositories and pushed Jekyll code
  • Even if the repository visibility is private, the gh-pages branch content is automatically published
  • Placed a CNAME file containing the domain name at the repository root
  • Confirmed in the GitHub Pages section of the Settings tab
  • Jekyll code is automatically built

Cloudflare Configuration

Normally you can’t map a CNAME record to a zone apex, but Cloudflare allows this exceptionally through CNAME Flattening. Since it’s easier to manage than A records, I assigned a CNAME to the zone apex as well. I created an account and went through the settings. SSL cannot be used between Cloudflare and GitHub Pages, so I set the SSL setting in the Crypto tab to Flexible. In this mode only the browser-to-Cloudflare leg is encrypted, and Cloudflare fetches the content from GitHub Pages over plain HTTP. Also, to force browsers to connect over HTTPS, I configured HSTS (HTTP Strict Transport Security).

  • DNS tab
    • Type: CNAME, Name: blog, Value: bobuhiro11.github.io, TTL: Automatic, Status: DNS and HTTP proxy (CDN)
    • Type: CNAME, Name: bobuhiro11.net, Value: bobuhiro11.github.io, TTL: Automatic, Status: DNS and HTTP proxy (CDN)
    • Type: MX, Name: bobuhiro11.net, Value: xxxx, TTL: Automatic
    • Type: TXT, Name: bobuhiro11.net, Value: xxxx, TTL: Automatic
    • Two NS records are assigned, so note them down (for use in Onamae.com settings)
  • Crypto tab
    • SSL: Flexible
    • Always use HTTPS: On
    • HSTS: Status: On, Max-Age: 6 months, Include subdomains: On, Preload: On, No-sniff: On
    • Automatic HTTPS Rewrites: On

Onamae.com Configuration

  • Change DNS server to *.ns.cloudflare.com noted from Cloudflare
  • Delete DNS records of the DNS server *.dnsv.jp managed by Onamae.com

Verify Configuration

After waiting a while, verify that the settings have been applied correctly:

$ (dig bobuhiro11.net A @8.8.4.4; dig blog.bobuhiro11.net A @8.8.4.4; dig bobuhiro11.net NS @8.8.4.4; dig bobuhiro11.net SOA @8.8.4.4;) | grep IN | grep -v "^;"
bobuhiro11.net.         299     IN      A       104.27.171.197
bobuhiro11.net.         299     IN      A       104.27.170.197
blog.bobuhiro11.net.    299     IN      A       104.27.171.197
blog.bobuhiro11.net.    299     IN      A       104.27.170.197
bobuhiro11.net.         86399   IN      NS      mark.ns.cloudflare.com.
bobuhiro11.net.         86399   IN      NS      sima.ns.cloudflare.com.
bobuhiro11.net.         3599    IN      SOA     mark.ns.cloudflare.com. dns.cloudflare.com. 2025896629 10000 2400 604800 3600
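
The dig output above only confirms the DNS side; the HSTS and No-sniff settings from the Crypto tab show up in the HTTPS response headers. The following is an added example, not part of the original post: a shell function that audits those headers, run here against constructed sample responses. The function name `check_hsts` and the figure of 15552000 seconds for "6 months" are assumptions.

```shell
#!/bin/sh
# Added example. Live use (needs network, not run here):
#   curl -sI https://bobuhiro11.net | check_hsts 15552000
# 15552000 s = 180 days, assumed as the value behind "Max-Age: 6 months".

# check_hsts MIN_AGE: reads response headers on stdin, prints one line per
# finding, returns 0 only if every HSTS setting from the Crypto tab is visible.
check_hsts() {
    min_age=$1
    headers=$(tr -d '\r')                  # curl -I output uses CRLF line ends
    value=$(printf '%s\n' "$headers" | grep -i '^strict-transport-security:' |
        head -n 1 | cut -d: -f2- | tr 'A-Z' 'a-z' | tr -d ' \t')
    if [ -z "$value" ]; then
        echo "FAIL: no Strict-Transport-Security header"; return 1
    fi
    rc=0
    age=$(printf '%s' "$value" | sed -n 's/.*max-age="\{0,1\}\([0-9]\{1,\}\).*/\1/p')
    if [ -z "$age" ] || [ "$age" -lt "$min_age" ]; then
        echo "FAIL: max-age '${age:-missing}' is below $min_age"; rc=1
    fi
    for directive in includesubdomains preload; do
        case ";$value;" in                 # match whole directives only
            *";$directive;"*) ;;
            *) echo "FAIL: $directive directive missing"; rc=1 ;;
        esac
    done
    if ! printf '%s\n' "$headers" | grep -iq '^x-content-type-options:[[:space:]]*nosniff'; then
        echo "FAIL: X-Content-Type-Options: nosniff missing"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: headers match the configured HSTS settings"
    return "$rc"
}

# Constructed sample responses (not captured from the real site).
GOOD_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
X-Content-Type-Options: nosniff'
WEAK_HEADERS='HTTP/1.1 200 OK
strict-transport-security: max-age=3600'

printf '%s\n' "$GOOD_HEADERS" | check_hsts 15552000
printf '%s\n' "$WEAK_HEADERS" | check_hsts 15552000 || true
```

Header names are matched case-insensitively because HTTP/2 responses print them in lowercase.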