
HTTPS for GitHub Pages - mastahyeti
https://github.com/blog/2186-https-for-github-pages
======
pfista
Does anyone know if github is planning to support https for custom domains?

~~~
bobfunk
Check out [https://www.netlify.com](https://www.netlify.com) (disclaimer, I'm
a co-founder).

It's like GitHub pages on steroids and includes free Let's Encrypt based SSL
for custom domains, can run builds from your GitHub repo with any static site
generator, supports rewrite/redirect rules/proxying/form processing/password
protection and much more...

~~~
jayrox
I agree with the others. You can host a dynamic site on digitalocean for half
the cost.

~~~
MichaelGG
DO isn't in the same market as this, at least going off their websites. DO
means doing all the work yourself. Netlify handles everything.

I don't think the pricing is too high. If anything, the high end is too low.
It's not like they're aiming at personal sites, are they? And for a company,
$39 is nothing -- plans should probably start there. (Seriously, who wants to
service a customer for $7 a month?)

FWIW I've never seen or heard of Netlify before in my life.

~~~
mryan
You raise an interesting point. The prices seem too high for some commenters.
They are presumably capable of doing this themselves on a DO box so they do
not think it is valuable enough to justify that price.

However, one of the features of their highest price ($39/month) plan is that
you can use 100 custom domains. If you have 100 domains hosted on Route 53 you
will be paying over $50/month for domains, at which point $39/month for the
service which actually hosts your static site is entirely negligible. I am
curious how many people fall into that bucket though - it seems more likely
that people will run multiple sites with few custom domains, rather than a
single site with 100 custom domains.

I am planning to offer some of Netlify's services in a product I am currently
building. I'm still working on the pricing model but it is likely to be based
on builds per month and bandwidth/storage, rather than the actual number of
sites. My cost driver is not 'how many domain names are configured in my
HTTP-routing layer', but rather 'how much pressure is each site putting on my build
and web servers'.

~~~
narrowrail
Netlify never misses an opportunity to self-promote in these SSG related
threads, but AWS S3/Cloudfront/route53 is so cheap and simple for the audience
that would even understand the point of Netlify, it's difficult to understand
their target market. Netlify is priced like Squarespace, Wix, Weebly, etc.
which are quite a bit simpler.

~~~
MichaelGG
The fact that I can click on their homepage and drag-n-drop a site folder and
have it just work is pretty damn slick. $39 is nothing if you don't have to
deal with stuff. The absolute cheapest guys I work with are at least $50/hr.
So if it saves an hour here and there it's worth it. And more likely, you'll
spend 3-4 figures in time if there's any sort of hiccup in your AWS setup.

I don't think people are thinking how nice it is to have someone take care of
stuff for you, totally. If there's any sort of issue, one email, and you're
done. And people aren't thinking how tiny $39 is.

Again, I've never heard of Netlify before, but the product sounds great. HN is
just messed up on pricing because they're looking at AWS costs instead of
customer value.

I think HN also devalues their own time: I've been running webservers since
the 90s, so I know it's "easy" to do, yet it's one more thing to have to think
about. Although I suppose some might enjoy it.

------
franciscop
So now github "sorta sorta" [1] supports https:

- You CAN force HTTPS for your *.github.io site.

- You CAN use an [https://yourname.github.io](https://yourname.github.io) URL.

- You CANNOT use a custom domain name with a fully secured HTTPS connection.

[1] [https://konklone.com/post/github-pages-now-sorta-supports-https-so-use-it](https://konklone.com/post/github-pages-now-sorta-supports-https-so-use-it)

------
tvanantwerp
Doesn't appear to work with custom domains.

~~~
travjones
Cloudflare's free plan includes one-click SSL for custom domains. That's what
I use for my github pages sites.

~~~
kevincox
Although it doesn't validate the backend certificate.

~~~
Artemis2
If that's what you are talking about, you can select "Full (strict)" in the
SSL options to enforce origin certificate validation.

[https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-](https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-)

~~~
kevincox
But this doesn't work because the backend certificate is invalid (it covers
*.github.io rather than example.com).

~~~
homero
But you'd give cf that cname I think

~~~
kevincox
Last time I tested this cloudflare validated using the domain name, not the
cname.
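
Added example (not from any commenter, and not Cloudflare's or GitHub's code): a simplified RFC 6125-style name match showing why a strict origin check rejects the shared `*.github.io` certificate when it is validated against the custom domain, and accepts it when validated against the CNAME target. The hostnames, the SAN list and the `validate_against` switch are assumptions made for illustration.

```python
def name_matches(pattern, hostname):
    """Return True if a certificate DNS name covers hostname.

    Simplified RFC 6125 rules: comparison is case-insensitive, a wildcard is
    honoured only as the entire leftmost label, and it stands for exactly one
    label (so *.github.io covers neither a.b.github.io nor github.io).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard (rejects "*.io").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(san_names, hostname):
    """True if any name on the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in san_names)


def strict_origin_check(san_names, visitor_host, origin_host, validate_against):
    """Model a proxy that validates the origin certificate.

    validate_against is "visitor" (the custom domain the browser asked for)
    or "origin" (the CNAME target the proxy connects to). Which of the two a
    given provider uses is an assumption here, not a documented behaviour.
    """
    name = visitor_host if validate_against == "visitor" else origin_host
    return cert_covers(san_names, name)


# Constructed sample values: one shared wildcard certificate, one custom domain.
SHARED_CERT_SANS = ["*.github.io"]
CUSTOM_DOMAIN = "www.example.com"
ORIGIN_HOST = "yourname.github.io"

if __name__ == "__main__":
    for mode in ("visitor", "origin"):
        ok = strict_origin_check(SHARED_CERT_SANS, CUSTOM_DOMAIN, ORIGIN_HOST, mode)
        print(f"validate against {mode} name: {'accepted' if ok else 'rejected'}")
```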

------
ddbennett
For those on Bitbucket, <username>.bitbucket.io is the HTTPS equivalent of
<username>.bitbucket.org.

~~~
jgowans
ICYI, you can also get free, self-renewing, wildcard SSL certs for custom
domains on Bitbucket by using the Aerobatic add-on for Bitbucket.
[[https://www.aerobatic.com](https://www.aerobatic.com)]

disclaimer: co-founder of Aerobatic

~~~
JBiserkov
Great service! For those wondering what are the limitations of the otherwise
_very_ generous free plan:

2 sites, 1 domain, 5 deployments in a 24 hour period

something something Amazon US East

------
theandrewbailey
I just noticed it this morning when trying to put up a demo file for a
project. I was confused by the docs saying 'don't do anything sensitive
because no HTTPS', but clearly seeing the https:// URLs.

------
fibo
Thank you GitHub for this gift, static web sites and now forced https

~~~
bnb
Forced? You can enable and disable it in every repo's settings.

~~~
kramerc
Not for "GitHub Pages sites created after June 15, 2016 and using a github.io
domain."[1]

[1] [https://help.github.com/articles/securing-your-github-pages-site-with-https/](https://help.github.com/articles/securing-your-github-pages-site-with-https/)

------
Wonnk13
What's the best way to get HTTPS for custom domains? Letsencrypt or
Cloudflare? I don't think those are encrypted end to end, no?

~~~
donut2d
Let's Encrypt is a certificate authority and provides certificates and so it
would be end-to-end. However, CloudFlare is not end-to-end unless the server
already supports HTTPS.

~~~
nothrabannosir
_> CloudFlare is not end-to-end unless the server already supports HTTPS._

That's literally what this article is about.

~~~
BHSPitMonkey
HTTPS isn't supported if you're using GH Pages with a custom domain.

------
bluetidepro
Nice work GitHub! That's huge! I think that means you could now use GitHub
pages for Slack services that required HTTPS? If so, that's really awesome!

------
r3bl
About damn time!

I "cheated" the system by having a script that will redirect you to the HTTPS
version if you click on anything from the HTTP protocol, which kind of
accomplishes forcing the HTTPS encryption, but not really.

Then I've decided to switch to my own domain and just use CloudFlare (+
whitelisting Tor).

Now I'm kind of thinking about switching to GitLab Pages since they pretty
much kick the hell out of GitHub Pages in every single way when you compare
their features (like, you can use _any_ static site generator and you can roll
your own Let's Encrypt SSL certificate on them).

~~~
sbruchmann
I’m not familiar with GitLab Pages but you can already use _any_ static site
generator with GitHub Pages as well.

~~~
r3bl
Huh, turns out you're right. Not sure if that was the case when I started
moving to GitHub (~15 months ago) or not, but looks like it's a thing now.

But still, you can do other things like selecting a different code highlighter
(which GitHub deprecated recently).

~~~
mawburn
It's always been the case. Github Pages has always been just a static file
host.

------
jsingleton
I've been running the HTTPS Everywhere add-on and hadn't realised that this
wasn't already a thing. As the post says, they have supported HTTPS for a
while and this is just adding a redirection option so you don't need to resort
to JS hacks. It doesn't say if they are using 301 redirects or HSTS headers,
I'm guessing the former.

------
Jeaye
You can enable HTTPS for custom domains using this approach:
[https://blog.jeaye.com/2016/03/01/github-pages-https/](https://blog.jeaye.com/2016/03/01/github-pages-https/)

Just be sure to delete your CNAME file, based on a recent Github behavior
change.

------
aorth
From the announcement (because I was confused):

You have been able to request Pages sites over HTTPS for some time, but we
refrained from officially supporting it because the traffic from our CDN to
our servers wasn't encrypted until now.

------
jsprogrammer
Sweet. Was just lamenting its absence.

------
calebm
If I understand it correctly, the same HTTPS certificate is used for all
GitHub pages websites. So hypothetically, I could do a MITM attack and
redirect a user from an HTTPS protected GitHub pages site to my malicious
GitHub Pages site right? (although the url would be different... but could be
similar)

~~~
pfg
You don't have access to their private key. The fact that it is the same
certificate is irrelevant. Anything you can do now, you could also do if
they'd use separate certificates per subdomain.

~~~
calebm
Ya, I guess it's not a big deal.

