
S3 static site with SSL and automatic deploys using Travis - andrelaszlo
http://laszlo.nu/2016/11/25/s3-static-site.html
======
throwaway2016a
Why is it using Let's Encrypt when AWS offers its own certificates that are
free, auto-renew, take seconds to set up in CloudFront, and as far as I know
are just as widely recognized?

~~~
andrelaszlo
Just for fun actually, it will probably turn out to be a PITA :)

~~~
throwaway2016a
I can appreciate that.

------
bobfunk
Have a look at Netlify, [https://www.netlify.com](https://www.netlify.com),
(disclaimer I'm a cofounder).

You can get all of this in 30 seconds on our free plan + instant cache
invalidation, deploy previews (we'll give you a unique preview url for every
pull request), atomic deploys and no issues with deleting files :)

~~~
tf2manu994
Yep, they're great. One major problem for me is that their build logs are in
pure black, and don't have any colour output. Also, afaik you can't set up a
multi-stage build step, like Travis.

~~~
bobfunk
You can set up multi-stage builds like:

    npm run build && npm run test

------
moodysalem
Most of the time it's fine to just use GitHub Pages though.

I do something like this for my site
[https://oauth2cloud.com](https://oauth2cloud.com) though.

------
fancy_pantser
Note you'll have to manually create and deploy those Let's Encrypt
certificates every 90 days because you didn't automate it (which is what they
want/prefer).

[https://letsencrypt.org/2015/11/09/why-90-days.html](https://letsencrypt.org/2015/11/09/why-90-days.html)

~~~
andrelaszlo
Yes I should add that to the notes (author here). Thanks for pointing it out.
I have been thinking about ways to automate it but haven't come up with
anything I like yet. Any ideas? Might switch to ACM otherwise.

~~~
colinbartlett
If you happen to use DNSimple for DNS, they recently released a Let's Encrypt
integration that verifies via DNS record. They have web hooks and also make
the certs and private keys available via API, so I imagine you could set
something up with Lambda.

But in my experience, Amazon's certs are so easy to setup and use there is no
reason not to.

------
martiuk
Now just to set up the redirect so your visitors can only view in https.

~~~
willglynn
CloudFront makes adding redirects easy -- set "Viewer Protocol Policy:
Redirect HTTP to HTTPS" and it'll return 301s as appropriate. Done.

[http://docs.aws.amazon.com/AmazonCloudFront/latest/Developer...](http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html)

Now let's say you want to use HSTS so that browsers automatically rewrite HTTP
to HTTPS. HSTS can protect users from agents that manipulate HTTP traffic, and
it is therefore complementary to any redirection strategy.

S3 lets you specify headers with your objects, like Cache-Control and
Content-Type and such, but it doesn't support Strict-Transport-Security. (You can get
S3 to use custom headers, but they must start with x-amz-meta-, which doesn't
help here.) If the S3 origin can't return Strict-Transport-Security, that
leaves CloudFront -- but CloudFront has no specific mechanism for HSTS nor any
general mechanism for adding a response header.

So... it's trivial to set a policy to redirect HTTP to HTTPS, but it's
_impossible_ to get S3->CloudFront to articulate that policy with
Strict-Transport-Security headers. Sigh.
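An added offline check, not from the thread, for the two behaviours willglynn describes: a permanent HTTP-to-HTTPS redirect from CloudFront and a usable Strict-Transport-Security header on the HTTPS response. The request URL, the sample responses and the one-year max-age threshold are constructed assumptions, not values from the thread.

```python
from urllib.parse import urlsplit

# Constructed sample responses, standing in for what a CloudFront distribution
# returns to a plain-HTTP request and to an HTTPS request for the same object.
HTTP_REDIRECT = (301, {"Location": "https://example.com/index.html"})
HTTPS_NO_HSTS = (200, {"Content-Type": "text/html"})
HTTPS_WITH_HSTS = (200, {"Content-Type": "text/html",
                         "Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
MIN_MAX_AGE = 31536000  # one year; an assumed threshold, not from the thread

def parse_hsts(value):
    """Parse an HSTS value; None when max-age is missing or non-numeric."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def get_header(headers, name):
    """Case-insensitive lookup of a single header value."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def audit(request_url, http_response, https_response):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    status, headers = http_response
    target = urlsplit(get_header(headers, "Location") or "")
    if (status not in (301, 308) or target.scheme != "https"
            or target.netloc != urlsplit(request_url).netloc):
        findings.append("http: no permanent redirect to https on the same host")
    status, headers = https_response
    hsts = get_header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("https: Strict-Transport-Security header missing")
    else:
        policy = parse_hsts(hsts)
        if policy is None:
            findings.append("https: Strict-Transport-Security header malformed")
        elif policy["max_age"] < MIN_MAX_AGE:
            findings.append("https: HSTS max-age below one year")
    return findings
```

Against the S3-plus-CloudFront setup in the thread the second check is expected to fail, which is exactly the gap the comment above describes.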

