

SSL + CNAME + static files hosting on GAE: almost free - julien
http://blog.superfeedr.com/asset-hosting-ssl-domain/

======
bsimpson
StartSSL is free?! Has anyone used them before? Are their certs widely
accepted/trusted?

~~~
pfg
Yes, their domain-verified certs are free. I've been using them for a while
now and haven't had any problems.

See this post for browser support:
[https://forum.startcom.org/viewtopic.php?f=15&t=1802](https://forum.startcom.org/viewtopic.php?f=15&t=1802)

~~~
bsimpson
Very nice, thanks.

According to that page, Windows XP+, Mac OS 10.5+, iOS 2+, and Android 2.2+
are supported.

I'll have to try them.

~~~
mmastrac
Note that these free certificates are considered non-commercial-use only.

"The "StartCom Certificate Policy & Practice Statements" document §3.1.2.1 is
explicit that the Class 1 (free) certificates are for non-commercial uses
only.[3] The previous version of the CPS did not include this restriction.[4]"

You can, however, pay $60 for a personal validation (and potentially an extra
$60 for company validation) to use the certs commercially. Actually, this
validation lets you generate _any number_ of SSL certificates for sites you
own, for two years. This also includes _wildcard_ certs, which you pay through
the nose for from everyone else.

These guys are so much cheaper than the rest of the SSL vendors it's not
funny. I've got my wildcard StartSSL certificate up on codano.com, and I've
generated a few more for internal use. The validation literally took about two
hours from start to finish, and most of that was just waiting for an email
response/validation phone call and me scanning my passport and business
documentation.

Can't recommend them enough.

~~~
bsimpson
Is a wildcard cert for subdomains, e.g. <https://*.example.com>? And it's $60
altogether for any domain I control?

Good info. Thanks!

~~~
mmastrac
Yep. And you can put multiple DNS entries on a single cert - check out my
certificate on codano.com: it has "codano.com, "* .codano.com,
"angrywizard.com" and "* .angrywizard.com", all on the same cert. The cert was
free after paying $120 for personal/corporate verification.

Note that they _will_ confirm that you are the owner of domains you try to
request certs for.

------
lancefisher
This seems too good to be true. I have a need to store dozens of GBs of
photos, and I can put them on GAE for free?

According to GAE's quotas page [1], free hosting of code and static files is
only for the first 1GB. After that it is $0.13 per GB per month.

[1] <https://developers.google.com/appengine/docs/quotas#Code>

~~~
Benferhat
You'd want to store them in the blobstore (5GB free storage) [0]. Note that
you are not allowed to create multiple GAE apps to stack free quotas (n apps =
n * 5GB free blobstore storage) [1].

[0]
[https://developers.google.com/appengine/docs/quotas#Blobstor...](https://developers.google.com/appengine/docs/quotas#Blobstore)

[1] _"4.3 Restrictions. Customer will not, and will not allow third parties
under its control to: "_ ... _"(e) create multiple Applications or Accounts to
simulate or act as a single Application or Account (respectively) or otherwise
access the Service in a manner intended to avoid incurring Fees;"_
<https://developers.google.com/appengine/terms> _scroll down to 4.3(e)_

------
jschlesser
Try s3 + cloudflare. You will have to pay for ssl but barring that s3 +
cloudflare will let you host a naked domain for almost free. Suppose you want
some cheap static publishing, set up a dev heroku instance (free) and have it
publish to your s3 bucket.

~~~
julien
So, <http://www.cloudflare.com/plans> shows that to get your custom SSL, you
need a "Business" plan at $200/month... so about 20x more expensive than GAE
in this case.

~~~
taf2
are you certain about needing a business plan, it looks to me that pro for
$20/month also supports SSL? perhaps I'm missing an important bullet?

[update]: i am guessing from the language on the "SSL encryption type" bullet:

"CloudFlare-issued" vs "CloudFlare-issued or custom"

or custom must be what's required to host your own domain ssl cert?

~~~
julien
I think, yes, that the "CloudFlare-issued" means you have to use a CloudFlare
subdomain... But again I did not test. Even if it works, it's still twice as
expensive as GAE, doesn't seem to cache the HTML files (as per above
comment)...

~~~
jschlesser
It is a cloudflare subdomain but it doesn't show that way in the URL, I dont
know how that works though. Can anybody explain why this works? I dont have a
naked domain with ssl with them but you can check this one out to see what it
looks like <https://www.luckybolt.com> (also thats my brothers startup, if you
are in SF, check it out). As you point out though, GAE is $10 / Mo. cheaper.
I'll check that out for new projects.

~~~
giovannibajo1
They basically generate the SSL certificate for your domain for you. Their SSL
CA partner (GlobalSign IIRC) is basically trusting them with it since they
manage their certificate and the domain owner is trusting Cloudflare (this can
also be checked in Whois). So you just activate SSL in the options and bam,
your site works with SSL within a couple of minutes.

BTW: they use certificates with multiple SANs, so many different domains in
the same certificate (and without SNI). This allows to terminate SSL on a
single box for many different domains/customers. If you look at certificates
details, you will see many unrelated domains in the SAN list.

------
mappu
SNI is a curious choice for a 'Universal' widget, especially when GAE offers
dedicated(?) IP addresses. Carriers are still selling Android 2.x phones which
will give a certificate error with the widget, and IE on XP isn't exactly a
small target. Although i guess it depends on your market.

EDIT: Wow, GAE charges $39/mo[1] for an IP? I know IPv4 is scarce, but i
charge my customers $10/mo for SSL, and even that is a big markup on the $1/mo
Linode charge me. I would honestly suggest going the VPS route to improve
browser compatibility.

1\. <https://cloud.google.com/pricing/>

------
ck2
If you just need a few small things hosted on SSL for page inclusion, use
dropbox.

Wouldn't do it for heavy access though.

------
papsosouid
We have a bunch of sites that are almost entirely static, but have a php
"contact us" email form. Right now they are some bloated PHP CMS thing, and I
would really like to switch them over to being static. Does anyone know of a
cheap service that provides a form to send email we could have our contact
form POST to?

~~~
jeremyjh
Uhm, do you know you can do a post to a mailto: action with your form
contents? The browser will open your email client the same as a mailto link.

[http://www.w3schools.com/html/tryit.asp?filename=tryhtml_for...](http://www.w3schools.com/html/tryit.asp?filename=tryhtml_form_mail)

~~~
papsosouid
Yes, but since half the people who contact us have no smtp server, that
doesn't work out too well.

~~~
criley
Not sure about operating system's other than Windows, but gmail (opens a
compose window in a new window) is my "default" handler for mailto: links.

