Secure GitHub pages with SSL/TLS
At the time of writing, this blog is hosted on GitHub, which does not support serving https on custom domains. Because there are many reasons why every website should be served over https, this guide shows how I got https for this blog on GitHub.
First you’ll need a couple of things:
- A website hosted on GitHub Pages with a custom domain.
- An account with Cloudflare.
Then follow these steps:
- After signing up with Cloudflare you’ll be prompted to add your domain, at which point it’ll scan your DNS records automatically. You’ll want to make sure that it has all of them and that they are correct by cross referencing them with your current DNS provider.
- Switch to the Crypto tab and change the SSL type to Flexible.
- Update the Nameservers at your domain registrar to point to the ones provided by Cloudflare in your setup steps.
- Redirect all of your http traffic to https traffic using Cloudflare by adding a Page Rule. You’ll want to add a rule which looks like http://*example.com/* and then add a setting for Always Use HTTPS. After clicking Save and Deploy all requests to the http version of your site will be 301 redirected to the https version of your site. (Cloudflare knowledge base)
- Set up a canonical URL on each page so that web crawlers know that, whichever path brings a user to the page, the canonical URL is the primary path that should be stored. To do that add <link rel="canonical" href="http://example.com/path/to/post"/> to the head of each page.
- Update the paths for your assets so that they are requested from the https path or browsers won’t load them.
Once the DNS records propagate you’ll be able to visit your website at https://example.com. You might notice that you’ll still be using the github.com certificate for a bit; I found that it took a few hours for a new certificate to be issued from Cloudflare.
The one caveat here is that the connection between Cloudflare and GitHub is not under https. However, these steps will still protect your users from an unscrupulous ISP and users at coffee shops. But as GitHub themselves say, “GitHub Pages sites shouldn’t be used for sensitive transactions like sending passwords or credit card numbers” anyways.
I hope you enjoyed this post, if you have any questions or comments let me know on Twitter @fromanegg or comment below. Thanks for reading!