Securing github pages

How to add TLS security to your github pages site. These instructions should work for other free website hosting services too.

Securing github pages sites

Github have announced the availability of TLS (SSL) security for the numerous sites on Github pages that use custom domains. Whilst this is great news, and at no additional cost, it doesn’t work for ‘apex’ domains unless your domain’s DNS provider supports ANAME or ALIAS records. Neither of these is a standard DNS record type and almost no DNS providers support them, so I suspect the uptake of TLS on custom domains is going to be slow.

The Cloudflare alternative

Fortunately there is an alternative which can, potentially at zero cost, enable TLS and maintain that nice vanity domain on a github pages site. It should work for any provider of free hosting of ‘custom’ or ‘vanity’ domains. If you’d like the details, read on.

RTFM

A blog post from Cloudflare is the essential background reading, and this gist is handy. However, those instructions on enabling TLS assume you are not already operating a github pages site. The instructions below are for an existing site.

Instructions for existing site operators

You are going to have to use Cloudflare’s DNS. For single-site operations that’s fine, as it’s free, the DNS editor is good and it has an excellent track record of reliability. If you are used to babysitting your own authoritative server running a custom-modified version of DJBDNS then you’ll be looking for a new hobby if you follow these steps.

  1. Sign up for Cloudflare
  2. Click ‘add a site’
  3. Type the domain name (use the custom name not the github.io name, and omit ‘www’)
  4. Wait a second while Cloudflare tries to copy all your DNS records (not just the ones related to your website), then click ‘next’
  5. Select the FREE plan and click ‘Confirm Plan’ then ‘Purchase’
  6. Cloudflare will present you with the DNS records it has found
  7. Check these new DNS records against the ones your existing DNS provider has. If any are missing, add them back in (for example, if you use DKIM for your email, it will be missing from the list and you need to add it back). If there are a lot of absent records you could consider getting the zone file for your old domain and uploading the whole thing to Cloudflare. Click ‘Continue’ when you have added back any missing records.
  8. You should see the ‘Change your nameservers’ page. If not, click on DNS in the top navigation and you will see, towards the bottom of the page, the names of the Cloudflare Nameservers. Copy these, then click ‘Continue’.
  9. Go to your existing DNS Registrar or DNS provider and switch to using the Cloudflare nameservers instead. It is at this point that, if you have got anything wrong in the previous steps, your website, email etc. will be broken, so tread carefully and test thoroughly.
  10. Go back to Cloudflare. You will probably see Status: Website not active (DNS modification pending). DNS Nameserver changes can be quick to propagate or slow, depending on factors over which you have no control. So now take a moment to configure a few other things on Cloudflare.
  11. Click ‘Page rules’ at the top of the page then click ‘Create page rule’. In the first box put http://example.com/* (use your own domain name not ‘example’) and click ‘Add a setting’. From the dropdown select ‘Always use HTTPS’. Click ‘Save and deploy’.
  12. Click ‘Overview’, and ‘Recheck Nameservers’ if required. With a bit of luck the site is now up and running with TLS.
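
Step 7 is where records such as DKIM are easily lost, and step 9 is where that loss starts to bite. As an added example (not from the original post), the Python below compares a text export of the old zone with the records Cloudflare imported and lists what is missing. The zone contents, host names, addresses and key are constructed, and the one-record-per-line BIND-style export format is an assumption.

```python
import re

# Added example (not from the original post): list records the old zone has
# that Cloudflare's imported zone lacks. Assumes one record per line with an
# explicit owner name (name [ttl] [IN] TYPE rdata) and a lowercase origin.
TYPES = {"A", "AAAA", "CNAME", "MX", "TXT", "SRV", "CAA"}  # NS/SOA change anyway

def strip_comment(line):
    """Cut a ';' comment, but keep a ';' inside quotes (DKIM values use them)."""
    return re.sub(r'("[^"]*")|;.*', lambda m: m.group(1) or "", line)

def parse_zone(text, origin):
    """Return a set of (fqdn, type, rdata); TTL and class are ignored."""
    records = set()
    for raw in text.splitlines():
        tokens = strip_comment(raw).split()
        idx = next((i for i, t in enumerate(tokens) if i and t.upper() in TYPES), None)
        if idx is None:  # blank line, directive, NS/SOA, or a type we do not compare
            continue
        name, rtype = tokens[0].lower(), tokens[idx].upper()
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = f"{name}.{origin}"
        rdata = " ".join(tokens[idx + 1:])
        if rtype != "TXT":  # hostnames compare case-insensitively
            rdata = rdata.lower().rstrip(".")
        records.add((name.rstrip("."), rtype, rdata))
    return records

def missing_records(old_zone, new_zone, origin):
    """Records served by the old provider that the new zone lacks."""
    return sorted(parse_zone(old_zone, origin) - parse_zone(new_zone, origin))

# Constructed sample data: documentation addresses, placeholder names and key.
OLD_ZONE = """\
@ IN SOA ns1.oldhost.example. admin.example.com. 1 7200 900 1209600 300
@ 3600 IN A 192.0.2.10
www IN CNAME user.github.io.
@ IN MX 10 mail.example.com.
sel1._domainkey IN TXT "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY" ; DKIM record
"""
NEW_ZONE = """\
example.com. 1 IN A 192.0.2.10
www.example.com. 1 IN CNAME user.github.io.
example.com. 1 IN MX 10 mail.example.com.
"""
if __name__ == "__main__":
    print(missing_records(OLD_ZONE, NEW_ZONE, "example.com"))
```

An empty list means every compared record made it across; anything listed should be added in the Cloudflare DNS editor before the nameserver switch.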
Written on June 2, 2018