Show HN: How to Make an AWS S3 Static Website with SSL (josephecombs.com)
96 points by greatamerican 9 months ago | hide | past | web | favorite | 38 comments

This works, but it leaves all traffic between the CloudFront edge node and S3 unencrypted. In theory, that shouldn't be an issue, but why risk it?

A better way is to completely leave the "website" bits of S3 off, and leave that all up to CloudFront. You can create an Origin Access Identity, then grant that OAI access to read your S3 bucket (all automated in the wizard when you create a CF dist and specify an S3 origin). You then specify a default object in your CF dist, and bam, CF is using the S3 REST API over SSL to secure that CF-S3 hop.

Another important aspect of using an OAI is that you don't need to make the S3 bucket public. This matters even if the website is fully public. It has to do with a simple governance rule. No public S3 buckets should be allowed.

That, if monitored and enforced, would stop many data breaches. With some public buckets, enforcement will be difficult.
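As an added illustration of the two comments above (example code, not from any commenter): the public-read website bucket policy next to the OAI-only policy, plus a small check that flags any Allow statement with a wildcard principal. The bucket name and OAI id are placeholders; the OAI principal ARN form is the one CloudFront documents.

```python
import json


def public_website_policy(bucket: str) -> dict:
    """The weak setting: S3 'static website' style policy, readable by anyone."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """The corrected setting: only the CloudFront Origin Access Identity may read.

    oai_id is a placeholder such as E1EXAMPLE; the bucket itself stays private.
    """
    principal = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def public_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant access to everyone."""
    found = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        aws_list = aws if isinstance(aws, list) else [aws]
        if "*" in aws_list:
            found.append(st.get("Sid", "<no Sid>"))
    return found


if __name__ == "__main__":
    for pol in (public_website_policy("example-bucket"), oai_bucket_policy("example-bucket", "E1EXAMPLE")):
        print(json.dumps(pol, indent=2), "public:", public_statements(pol))
```

The checker is deliberately conservative: a wildcard principal is flagged even when a Condition block narrows it.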

Default object only works at the root of the site. Making it work everywhere is quite a bit more complicated
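One way to make the default object work below the root, as an added example that is not from the comment author: a Lambda@Edge origin-request handler (Python runtime) that rewrites directory-style URIs to the index object before the request reaches the S3 REST origin. The choice to map an extension-less path like /posts/2018 straight to /posts/2018/index.html rather than redirecting is an assumption; the sample event below is constructed.

```python
DEFAULT_OBJECT = "index.html"


def rewrite_uri(uri: str) -> str:
    """Map a directory-style URI to the default object inside it.

    /            -> /index.html
    /posts/      -> /posts/index.html
    /posts/2018  -> /posts/2018/index.html  (no extension, treated as a directory)
    /css/a.css   -> unchanged
    """
    if uri.endswith("/"):
        return uri + DEFAULT_OBJECT
    last_segment = uri.rsplit("/", 1)[-1]
    if "." not in last_segment:
        return uri + "/" + DEFAULT_OBJECT
    return uri


def handler(event, context):
    """Lambda@Edge origin-request entry point: rewrite the URI, return the request."""
    request = event["Records"][0]["cf"]["request"]
    request["uri"] = rewrite_uri(request["uri"])
    return request


def sample_event(uri: str) -> dict:
    """Constructed origin-request event, trimmed to the fields the handler uses."""
    return {"Records": [{"cf": {"request": {"method": "GET", "uri": uri, "querystring": ""}}}]}


if __name__ == "__main__":
    for path in ("/", "/blog/", "/blog/2018/03", "/css/site.css"):
        print(path, "->", handler(sample_event(path), None)["uri"])
```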


Very interesting. I'll check this out.

Another way to host a Jekyll website for pennies (and with HTTPS) is https://www.netlify.com/

Go to https://www.netlify.com/features/#dev-tools and check out the dependencies in the image there. I bet an exec said "hey we need a cool looking screenshot of code" and the dev whipped up the most useless package.json they could think of and screen-shotted it. Well, I hope that's the case.

I think that's a jokey reference to the left-pad debacle.

The “executives” at Netlify are engineers themselves, so I doubt that’s the story.

I also love Netlify, but I am interested in this result from google search console:


I switched from gh-pages/cloudflare to netlify, and it looks as though page crawl performance has worsened significantly...

Based on what my own tests have shown, it seems that Netlify serves content from EC2 instances in the AWS region that's closest to the visitor (presumably using NS1's Geo Routing). That definitely results in better performance compared to a site served from a single data center or S3 bucket, but it can't quite keep up with CDNs with hundreds of PoPs like Cloudflare or Fastly (which is what GitHub pages runs on). For me, the convenience of Netlify won out over the still relatively minor performance impact.

(IIRC Netlify also has an option you can enable to serve some assets via CloudFront, so that should speed things up for subresources.)

Well, Netlify has no IPv6 support, so it's as good as useless.

This is my bill estimate for March - kinda high!


Looks like the majority of your bill -- $4.00/$4.39 -- is in hosted zones. It's $0.50/hosted zone, and you only need one for a single static site. So looks like with reasonable traffic, this jekyll setup is about $0.89/mo for hosting, that's not bad!

Highly recommend using CloudFlare instead of Cloudfront.

a) it's totally free, which means once it's cached at CF, no charges from AWS for bandwidth, also no charges for Route 53 since CF handles the DNS too.

b) it can be used to terminate SSL in front of the S3 bucket (with or without the S3 bucket properly using SSL, depending on if you're using path-based or host-based bucket access)

c) cache invalidations are stupid fast

d) any CDN changes are done nearly instant, vs. "however long" Cloudfront takes


What's the benefit of hosting a static website on AWS instead of Github or Gitlab Pages?

No HTTPS for custom domains https://github.com/isaacs/github/issues/156#issuecomment-366... is the main one.

According to the latest comments and issues linked in that very issue, GitHub Pages has started slowly enabling HTTPS support for sites that have custom domains.

Firebase Static Hosting can do that and it's very easy, fast (Google's CDN) and free for up to 10 GB/month transfer.

You can use cloudflare to get SSL with a custom domain for your GitHub pages


GitHub Pages is one of the highest causes for seeing TLS alerts for me.

IPv6 support, it would seem.

GitLab Pages offers no IPv6 support. GitHub doesn't support IPv6 for custom domains officially, but you can easily work around that by adding 2a04:4e42::403 as the AAAA record.

less dependence on GitHub, IMO - I'm open to arguments in their favor though, for sure

You just depend on Amazon instead

Unless you're hosting out of your basement you have to depend on someone. I'd rather depend on someone who makes their revenue from hosting websites.

Granted I pay for S3 hosting and Github...

https://zeit.co/now is pretty fantastic for this.

My question with this kind of setup is: what if a malicious person (or just an unexpected success on HN) gets me a gazillion request, do I end up with a $10k liability ?

I'd rather have the site go down than me go broke, so is it really a good idea ?

This is why you can create budget limits in AWS. DDOS to your site is not legitimate traffic and AWS will provide you protection against it. Cloudfront is limited by default too. I can't remember the actual req/s but there is a limit. You can also limit access to certain countries where your legitimate users are.

My favorite combination for a static website is AWS S3 for content and Cloudflare for caching and SSL termination. I think Cloudflare offers more capabilities as CDN.

How do you compare hosting static websites on Hasura (free SSL out of the box) or Heroku vs AWS S3?

I think cloudflare gives more options as a CDN than cloudfront.

Where can I read about the costs / month?

I’ve got the same setup at pfortuny.net/reflexiones plus amazon workmail and it costs me around $6/month. Very low traffic, though. Anyway, the cost is $5 for the mail, so the blog is negligible.

Amazon’s pricing is easy for this simple setup.

I run the same setup. Probably don't get any traffic because I don't write blog posts anymore. My monthly costs are around $0.70.

Probably nitpicking, but why not have www as an alias record as well?

Does it work with the free tier?

OP here - thanks for all the votes! If you liked this post, check out my latest post here: https://www.josephecombs.com./2018/03/09/how-I-use-a-compute...

Some of the votes were fraudulent. That's not ok on HN and not a good way to promote good work.


Can you tell me what votes were fraudulent? And what can I do to prevent it in the future? God bless @dang

Ugh, just admit it if you did it, or say nothing. This post I'm responding to comes across badly. I'm sure no unaffiliated-with-you vote fraud bots were swarming to upvote your particular random article, so common sense says there's about a 99.9% chance if there was HN vote fraud, it was the person who stands to gain from the fraud doing it.

I doubt dang is going to walk you through how they detected it either. No need to make people's fraud easier in the future.

Just take your licks and move on.
