
Show HN: How to Make an AWS S3 Static Website with SSL - greatamerican
https://www.josephecombs.com/2018/03/05/how-to-make-an-AWS-S3-static-website-with-ssl
======
subway
This works, but it leaves all traffic between the CloudFront edge node and S3
unencrypted. In theory, that shouldn't be an issue, but why risk it?

A better way is to completely leave the "website" bits of S3 off, and leave
that all up to CloudFront. You can create an Origin Access Identity, then
grant that OAI access to read your S3 bucket (all automated in the wizard when
you create a CF dist and specify an S3 origin). You then specify a default
object in your CF dist, and bam, CF is using the S3 REST API over SSL to
secure that CF-S3 hop.

~~~
fishdaemon
Another important aspect of using OAI is that you don't need to make the s3
bucket public. This matters even if the website is fully public. It has to do
with a simple governance rule. No public s3 buckets should be allowed.

That, if monitored and enforced, would stop many data breaches. With some public
buckets, enforcement will be difficult.
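
An added example, not part of the thread or of any commenter's post: a small offline check for the "no public S3 buckets" rule discussed above, contrasting a website-style public-read bucket policy with one that grants read access only to a CloudFront Origin Access Identity. The bucket name and OAI ID are placeholders, both policies are constructed samples, and the check covers bucket policies only (not ACLs).

```python
import json

# Principal ARN prefix that CloudFront Origin Access Identities use in policies.
OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    """Flatten a statement's Principal element into a list of strings."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):          # "Principal": "*"
        return [principal]
    return [p for v in principal.values() for p in _as_list(v)]

def _allows(policy_json):
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    return [s for s in statements if s.get("Effect") == "Allow"]

def public_statements(policy_json):
    """Sids of Allow statements open to any principal with no Condition.
    Simplification: any Condition at all is treated as a restriction."""
    return [s.get("Sid", "<no Sid>") for s in _allows(policy_json)
            if "*" in _principals(s) and not s.get("Condition")]

def oai_only(policy_json):
    """True if every Allow statement names only CloudFront OAI principals."""
    allows = _allows(policy_json)
    return bool(allows) and all(
        ps and all(p.startswith(OAI_PREFIX) for p in ps)
        for ps in map(_principals, allows))

def _policy(sid, principal):
    # Constructed sample policy; bucket name is a placeholder.
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": sid, "Effect": "Allow", "Principal": principal,
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Website-style public bucket vs. bucket readable only through CloudFront.
PUBLIC_POLICY = _policy("PublicReadGetObject", "*")
OAI_POLICY = _policy("CloudFrontOAIRead",
                     {"AWS": OAI_PREFIX + "EXAMPLEOAIID"})  # placeholder ID

if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("oai", OAI_POLICY)):
        print(name, public_statements(doc), oai_only(doc))
```
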

------
3stripe
Another way to host a Jekyll website for pennies (and with HTTPS) is
[https://www.netlify.com/](https://www.netlify.com/)

~~~
javajosh
Go to [https://www.netlify.com/features/#dev-tools](https://www.netlify.com/features/#dev-tools) and check out the
dependencies in the image there. I bet an exec said "hey we need a cool
looking screenshot of code" and the dev whipped up the most useless
package.json they could think of and screen-shotted it. Well, I _hope_ that's
the case.

~~~
paulgb
I think that's a jokey reference to the left-pad debacle.

------
greatamerican
This is my bill estimate for March - kinda high!

[https://imgur.com/a/kDmdE](https://imgur.com/a/kDmdE)

~~~
grepthisab
Looks like the majority of your bill -- $4.00/$4.39 -- is in hosted zones.
It's $0.50/hosted zone, and you only need one for a single static site. So
looks like with reasonable traffic, this jekyll setup is about $0.89/mo for
hosting, that's not bad!

------
mike503
Highly recommend using CloudFlare instead of Cloudfront.

a) it's totally free, which means once it's cached at CF, no charges from AWS
for bandwidth, also no charges for Route 53 since CF handles the DNS too.

b) it can be used to terminate SSL in front of the S3 bucket (with or without
the S3 bucket properly using SSL, depending on if you're using path-based or
host-based bucket access)

c) cache invalidations are stupid fast

d) any CDN changes are done nearly instant, vs. "however long" Cloudfront
takes

$.02

------
Mononokay
What's the benefit of hosting a static website on AWS instead of Github or
Gitlab Pages?

~~~
charlieegan3
No HTTPS for custom domains
[https://github.com/isaacs/github/issues/156#issuecomment-366...](https://github.com/isaacs/github/issues/156#issuecomment-366542067)
is the main one.

~~~
tambre
According to the latest comments and issues linked in that very issue, GitHub
Pages has started slowly enabling HTTPS support for sites that have custom
domains.

------
trevyn
[https://zeit.co/now](https://zeit.co/now) is pretty fantastic for this.

------
navaati
My question with this kind of setup is: what if a malicious person (or just an
unexpected success on HN) gets me a gazillion requests, do I end up with a $10k
liability?

I'd rather have the site go down than me go broke, so is it really a good idea?

~~~
StreamBright
This is why you can create budget limits in AWS. DDOS to your site is not
legitimate traffic and AWS will provide you protection against it. Cloudfront
is limited by default too. I can't remember the actual req/s but there is a
limit. You can also limit access to certain countries where your legitimate
users are.

------
logronoide
My favorite combination for a static website is AWS S3 for content and
Cloudflare for caching and SSL termination. I think Cloudflare offers more
capabilities as CDN.

------
praveenweb
How do you compare hosting static websites on Hasura (free SSL out of the box)
or Heroku vs AWS S3?

I think cloudflare gives more options as a CDN than cloudfront.

------
edem
Where can I read about the costs / month?

~~~
pfortuny
I’ve got the same setup at pfortuny.net/reflexiones plus amazon workmail and
it costs me around 6$/month. Very low traffic, though. Anyway, the cost is 5$
for the mail, so the blog is negligible.

Amazon’s pricing is easy for this simple setup.

------
forty
Probably nitpicking, but why not have www as an alias record as well?

------
IloveHN84
Does it work with the free tier?

------
greatamerican
OP here - thanks for all the votes! If you liked this post, check out my
latest post here: [https://www.josephecombs.com./2018/03/09/how-I-use-a-compute...](https://www.josephecombs.com./2018/03/09/how-I-use-a-computer-part-1)

~~~
dang
Some of the votes were fraudulent. That's not ok on HN and not a good way to
promote good work.

[https://news.ycombinator.com/newsfaq.html](https://news.ycombinator.com/newsfaq.html)

~~~
greatamerican
Can you tell me what votes were fraudulent? And what can I do to prevent it in
the future? God bless @dang

~~~
irl_zebra
Ugh, just admit it if you did it, or say nothing. This post I'm responding to
comes across badly. I'm sure no unaffiliated-with-you vote fraud bots were
swarming to upvote your particular random article, so common sense says
there's about a 99.9% chance if there was HN vote fraud, it was the person who
stands to gain from the fraud doing it.

I doubt dang is going to walk you through how they detected it either. No need
to make people's fraud easier in the future.

Just take your licks and move on.

