Show HN: How to Make an AWS S3 Static Website with SSL (opens in new tab)

(josephecombs.com)

96 pointsgreatamerican8y ago38 comments

38 comments

36 comments · 13 top-level

Mononokay8y ago· 8 in thread

What's the benefit of hosting a static website on AWS instead of Github or Gitlab Pages?

charlieegan38y ago

No HTTPS for custom domains https://github.com/isaacs/github/issues/156#issuecomment-366... is the main one.

tambre8y ago

According to the latest comments and issues linked in that very issue, GitHub Pages has started slowly enabling HTTPS support for sites that have custom domains.

IshKebab8y ago

Firebase Static Hosting can do that and it's very easy, fast (Google's CDN) and free for up to 10 GB/month transfer.

drivebyops8y ago

You can use cloudflare to get SSL with a custom domain for your GitHub pages

https://gist.github.com/cvan/8630f847f579f90e0c014dc5199c337...

beefhash8y ago

GitHub Pages is one of the highest causes for seeing TLS alerts for me.

tambre8y ago

IPv6 support, it would seem.

GitLab Pages offers no IPv6 support. GitHub doesn't support IPv6 for custom domains officially, but you can easily work around that by adding 2a04:4e42::403 as the AAAA record.

greatamericanOP8y ago

less dependence on GitHub, IMO - I'm open to arguments in their favor though, for sure

oooomm8y ago

You just depend on Amazon instead

1 more reply

3stripe8y ago· 6 in thread

Another way to host a Jekyll website for pennies (and with HTTPS) is https://www.netlify.com/

javajosh8y ago

Go to https://www.netlify.com/features/#dev-tools and check out the dependencies in the image there. I bet an exec said "hey we need a cool looking screenshot of code" and the dev whipped up the most useless package.json they could think of and screen-shotted it. Well, I hope that's the case.

paulgb8y ago

I think that's a jokey reference to the left-pad debacle.

gk18y ago

The “executives” at Netlify are engineers themselves, so I doubt that’s the story.

davewasthere8y ago

I also love Netlify, but I am interested in this result from google search console:

https://i.imgur.com/ji1z6oz.png

I switched from gh-pages/cloudflare to netlify, and it looks as though page crawl performance has worsened significantly...

pfg8y ago

Based on what my own tests have shown, it seems that Netlify serves content from EC2 instances in the AWS region that's closest to the visitor (presumably using NS1's Geo Routing). That definitely results in better performance compared to a site served from a single data center or S3 bucket, but it can't quite keep up with CDNs with hundreds of PoPs like Cloudflare or Fastly (which is what GitHub pages runs on). For me, the convenience of Netlify won out over the still relatively minor performance impact.

(IIRC Netlify also has an option you can enable to serve some assets via CloudFront, so that should speed things up for subresources.)

tambre8y ago

Well, Netlify has no IPv6 support, so it's as good as useless.

subway8y ago· 3 in thread

This works, but it leaves all traffic between the CloudFront edge node and S3 unencrypted. In theory, that shouldn't be an issue, by why risk it?

A better way is to completely leave the "website" bits of S3 off, and leave that all up to CloudFront. You can create an Origin Access Identity, then grant that OAI access to read your S3 bucket (all automated in the wizard when you create a CF dist and specify an S3 origin). You then specify a default object in your CF dist, and bam, CF is using the S3 REST API over SSL to secure that CF-S3 hop.

fishdaemon8y ago

Another important aspect of using AOI is that you don't need to make the s3 bucket public. This matters even if the website is fully public. It has to do with a simple governance rule. No public s3 buckets should be allowed.

That if monitored and enforced would stop many data breaches. With some public bucketd enforcement will be difficult

justinsaccount8y ago

Default object only works at the root of the site. Making it work everywhere is quite a bit more complicated

https://aws.amazon.com/blogs/compute/implementing-default-di...

greatamericanOP8y ago

Very interesting. I'll check this out.

edem8y ago· 2 in thread

Where can I read about the costs / month?

pfortuny8y ago

I’ve got the same setup at pfortuny.net/reflexiones plus amazon workmail and it costs me around 6$/month. Very low traffic, though. Anyway, the cost is 5$ for the mail, so the blog is negligible.

Amazon’s pricing is easy for this simple setup.

prayerslayer8y ago

I run the same setup. Probably don't get any traffic because I don't write blog posts anymore. My monthly costs are around $ 0.70.

greatamericanOP8y ago· 2 in thread

OP here - thanks for all the votes! If you liked this post, check out my latest post here: https://www.josephecombs.com./2018/03/09/how-I-use-a-compute...

dang8y ago

Some of the votes were fraudulent. That's not ok on HN and not a good way to promote good work.

https://news.ycombinator.com/newsfaq.html

greatamericanOP8y ago

can you tell me what votes were fraudulent? And what can I do to prevent it in the future? God bless @dang

1 more reply

greatamericanOP8y ago· 1 in thread

This is my bill estimate for March - kinda high!

https://imgur.com/a/kDmdE

grepthisab8y ago

Looks like the majority of your bill -- $4.00/$4.39 -- is in hosted zones. It's $0.50/hosted zone, and you only need one for a single static site. So looks like with reasonable traffic, this jekyll setup is about $0.89/mo for hosting, that's not bad!

navaati8y ago· 1 in thread

My question with this kind of setup is: what if a malicious person (or just an unexpected success on HN) gets me a gazillion request, do I end up with a $10k liability ?

I'd rather have the site go down than me go broke, so is it really a good idea ?

StreamBright8y ago

This is ehy you can create budget limits in AWS. DDOS to your site is not legitimate traffic and AWS will provide you protection against it. Cloudfront is limited by default too. I cant remember the actual req/s but there is a limit. You can also limit access to certain countries where your legitimate users are.

mike5038y ago

Highly recommend using CloudFlare instead of Cloudfront.

a) it's totally free, which means once it's cached at CF, no charges from AWS for bandwidth, also no charges for Route 53 since CF handles the DNS too.

b) it can be used to terminate SSL in front of the S3 bucket (with or without the S3 bucket properly using SSL, depending on if you're using path-based or host-based bucket access)

c) cache invalidations are stupid fast

d) any CDN changes are done nearly instant, vs. "however long" Cloudfront takes

$.02

trevyn8y ago

https://zeit.co/now is pretty fantastic for this.

logronoide8y ago

My favorite combination for a static website is AWS S3 for content and Cloudflare for caching and SSL termination. I think Cloudflare offers more capabilities as CDN.

praveenweb8y ago

How do you compare hosting static websites on Hasura (free SSL out of the box) or Heroku vs AWS S3?

I think cloudflare gives more options as a CDN than cloudfront.

forty8y ago

Probably nitpicking, but why not having www as an alias record as well?

IloveHN848y ago

Does It work with the free tier?

j / k navigate · click thread line to collapse

38 comments

36 comments · 13 top-level

Mononokay8y ago· 8 in thread

What's the benefit of hosting a static website on AWS instead of Github or Gitlab Pages?

charlieegan38y ago

No HTTPS for custom domains https://github.com/isaacs/github/issues/156#issuecomment-366... is the main one.

tambre8y ago

According to the latest comments and issues linked in that very issue, GitHub Pages has started slowly enabling HTTPS support for sites that have custom domains.

IshKebab8y ago

Firebase Static Hosting can do that and it's very easy, fast (Google's CDN) and free for up to 10 GB/month transfer.

drivebyops8y ago

You can use cloudflare to get SSL with a custom domain for your GitHub pages

https://gist.github.com/cvan/8630f847f579f90e0c014dc5199c337...

beefhash8y ago

GitHub Pages is one of the highest causes for seeing TLS alerts for me.

tambre8y ago

IPv6 support, it would seem.

GitLab Pages offers no IPv6 support. GitHub doesn't support IPv6 for custom domains officially, but you can easily work around that by adding 2a04:4e42::403 as the AAAA record.

greatamericanOP8y ago

less dependence on GitHub, IMO - I'm open to arguments in their favor though, for sure

oooomm8y ago

You just depend on Amazon instead

1 more reply

3stripe8y ago· 6 in thread

Another way to host a Jekyll website for pennies (and with HTTPS) is https://www.netlify.com/

javajosh8y ago

paulgb8y ago

I think that's a jokey reference to the left-pad debacle.

gk18y ago

The “executives” at Netlify are engineers themselves, so I doubt that’s the story.

davewasthere8y ago

I also love Netlify, but I am interested in this result from google search console:

https://i.imgur.com/ji1z6oz.png

I switched from gh-pages/cloudflare to netlify, and it looks as though page crawl performance has worsened significantly...

pfg8y ago

(IIRC Netlify also has an option you can enable to serve some assets via CloudFront, so that should speed things up for subresources.)

tambre8y ago

Well, Netlify has no IPv6 support, so it's as good as useless.

subway8y ago· 3 in thread

This works, but it leaves all traffic between the CloudFront edge node and S3 unencrypted. In theory, that shouldn't be an issue, by why risk it?

fishdaemon8y ago

That if monitored and enforced would stop many data breaches. With some public bucketd enforcement will be difficult

justinsaccount8y ago

Default object only works at the root of the site. Making it work everywhere is quite a bit more complicated

https://aws.amazon.com/blogs/compute/implementing-default-di...

greatamericanOP8y ago

Very interesting. I'll check this out.

edem8y ago· 2 in thread

Where can I read about the costs / month?

pfortuny8y ago

I’ve got the same setup at pfortuny.net/reflexiones plus amazon workmail and it costs me around 6$/month. Very low traffic, though. Anyway, the cost is 5$ for the mail, so the blog is negligible.

Amazon’s pricing is easy for this simple setup.

prayerslayer8y ago

I run the same setup. Probably don't get any traffic because I don't write blog posts anymore. My monthly costs are around $ 0.70.

greatamericanOP8y ago· 2 in thread

OP here - thanks for all the votes! If you liked this post, check out my latest post here: https://www.josephecombs.com./2018/03/09/how-I-use-a-compute...

dang8y ago

Some of the votes were fraudulent. That's not ok on HN and not a good way to promote good work.

https://news.ycombinator.com/newsfaq.html

greatamericanOP8y ago

can you tell me what votes were fraudulent? And what can I do to prevent it in the future? God bless @dang

1 more reply

greatamericanOP8y ago· 1 in thread

This is my bill estimate for March - kinda high!

https://imgur.com/a/kDmdE

grepthisab8y ago

navaati8y ago· 1 in thread

My question with this kind of setup is: what if a malicious person (or just an unexpected success on HN) gets me a gazillion request, do I end up with a $10k liability ?

I'd rather have the site go down than me go broke, so is it really a good idea ?

StreamBright8y ago

mike5038y ago

Highly recommend using CloudFlare instead of Cloudfront.

a) it's totally free, which means once it's cached at CF, no charges from AWS for bandwidth, also no charges for Route 53 since CF handles the DNS too.

b) it can be used to terminate SSL in front of the S3 bucket (with or without the S3 bucket properly using SSL, depending on if you're using path-based or host-based bucket access)

c) cache invalidations are stupid fast

d) any CDN changes are done nearly instant, vs. "however long" Cloudfront takes

$.02

trevyn8y ago

https://zeit.co/now is pretty fantastic for this.

logronoide8y ago

My favorite combination for a static website is AWS S3 for content and Cloudflare for caching and SSL termination. I think Cloudflare offers more capabilities as CDN.

praveenweb8y ago

How do you compare hosting static websites on Hasura (free SSL out of the box) or Heroku vs AWS S3?

I think cloudflare gives more options as a CDN than cloudfront.

forty8y ago

Probably nitpicking, but why not having www as an alias record as well?

IloveHN848y ago

Does It work with the free tier?

j / k navigate · click thread line to collapse