This blog is served from Amazon S3 through a global CloudFront distribution. It costs me about 2 cents a month to operate, and updating is as simple as pushing files to S3 and invalidating the CloudFront cache. It's relatively easy to set up, but you need to know the little caveats.

Benefits

  • No server to manage and monitor.
  • True global edge distribution for fast content delivery.
  • Cost of ~2 cents/month, unless you have some super baller traffic, in which case, congratulations!
  • Custom-domain SSL certificate, issued and renewed by AWS (ACM), and free!
  • Easy to update.

Easy as 1,2,3,4,5

1) create an S3 bucket and upload your content.
2) create an SSL certificate with ACM.
3) create a CloudFront distribution.
4) update DNS.
5) invalidate the CloudFront cache (for future deployments).

1) Create the S3 bucket.

While there are ways to serve CloudFront content from a private S3 bucket (an origin access identity or origin access control, so that only CloudFront can read it), for a basic blog where everything is public that is a bit overkill.

  • The objects must be publicly readable.
  • Be careful not to make the bucket publicly writable, or publicly listable if you can avoid it. CloudFront only needs s3:GetObject on the objects.

The console turns Block Public Access on for new buckets. Since this bucket is meant to be public, uncheck the two ACL-related boxes that would otherwise undo the grant below (the two boxes about public bucket policies only matter if you use a bucket policy instead of ACLs):

  • "Remove public access granted through public ACLs (Recommended)"
  • "Block new public ACLs and uploading public objects (Recommended)"

After the bucket is created, make it publicly readable through the bucket ACL:

  • Click Permissions -> Access Control List
  • Scroll down to "Public access"
  • Click the circle next to Everyone
  • Add a checkmark to permit "List objects"

Two caveats here. "List objects" is the bucket READ permission: it lets anyone enumerate every key in the bucket, and it does not by itself make the objects readable; each object also needs a public-read object ACL (for example, upload with aws s3 cp --acl public-read). The tighter alternative is a bucket policy that allows s3:GetObject on arn:aws:s3:::your-bucket/* for everyone and grants no listing at all; it covers every object at once and nobody can walk the bucket. Without a listing grant S3 answers requests for missing keys with 403 instead of 404, so add a custom error response in CloudFront if you want a real 404 page.
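The least-privilege way to do this step is a bucket policy rather than ACLs. Below is an added example (my own, not code from the original post) that generates a public-read policy for the bucket named in this post, scoped to the production/ origin path used in step 3, and audits any policy document for the mistake the post warns about, public write access, plus public listing. The bucket name and prefix follow the post; the list of write actions and the policies checked in the test are constructed for the example.

```python
"""Added example, not code from the original post: a least-privilege public-read
bucket policy for the blog bucket, plus an audit that flags the mistake the post
warns about (a publicly writable bucket) and public listing. Bucket name and
prefix follow the post; everything else here is an assumption for the example."""
import json

BUCKET = "nelsonenzo.com"   # bucket name used in the post
PREFIX = "production/"      # origin path used in step 3

# S3 actions that change or delete content or loosen access. Any of these granted to
# an anonymous principal makes the bucket publicly writable. (Constructed list; not exhaustive.)
WRITE_ACTIONS = {
    "s3:putobject", "s3:putobjectacl", "s3:deleteobject", "s3:deleteobjectversion",
    "s3:putbucketacl", "s3:putbucketpolicy", "s3:deletebucketpolicy",
    "s3:deletebucket", "s3:putbucketpublicaccessblock",
}


def public_read_policy(bucket: str, prefix: str = "") -> dict:
    """Allow anyone to GET objects under `prefix`, nothing more.
    s3:ListBucket is deliberately left out, so nobody can enumerate the bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicReadBlogObjects",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. everyone on the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _grants_write(action: str) -> bool:
    a = action.lower()
    if a in ("*", "s3:*"):
        return True
    if a.endswith("*"):                      # wildcards such as s3:Put* or s3:Delete*
        return any(w.startswith(a[:-1]) for w in WRITE_ACTIONS)
    return a in WRITE_ACTIONS


def audit_policy(policy: dict) -> list[str]:
    """One finding per Allow statement that gives an anonymous principal write
    access or bucket listing. An empty list means the policy is read-only."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if _grants_write(action):
                findings.append(f"{sid}: public WRITE via {action}")
            elif action.lower() in ("s3:listbucket", "s3:list*"):
                findings.append(f"{sid}: anyone can enumerate the bucket via {action}")
    return findings


if __name__ == "__main__":
    policy = public_read_policy(BUCKET, PREFIX)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_policy(policy) or "none")
```

Attach the generated document with aws s3api put-bucket-policy after unchecking the two Block Public Access boxes that refer to bucket policies, and run audit_policy over the output of aws s3api get-bucket-policy whenever the policy changes; the Principal check also catches the {"AWS": "*"} spelling of "everyone" that is easy to miss in a review.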

2) Create your SSL Certificate using ACM

Critical info: your certificate must be requested in the US East (N. Virginia) region, us-east-1.

You may never have realized it, but ACM certificates are regional resources. CloudFront is a global service whose configuration lives in us-east-1, and its Custom SSL Certificate dropdown only offers certificates from that region; CloudFront then distributes the certificate to every edge location for you, so TLS handshakes terminate close to the viewer. A certificate requested in any other region will simply not appear as an option.

  • Be sure to include your primary domain and subdomains as alternate names: yourdomain.com, www.yourdomain.com.
  • If you opt for a wildcard certificate, *.yourdomain.com, you still need to add the primary domain as an alternate name if you intend to reach the site at https://yourdomain.com; a wildcard does not match the bare apex.

3) Create the CloudFront distribution

Select Web Distribution.
Use the following values:

  • Origin domain name: nelsonenzo.com
    The bucket you created, picked from the dropdown (the console expands it to the bucket's S3 endpoint). Bucket name only, no www prefix.

  • Origin path: production
    Path within the S3 bucket, s3://your-domain.com/production. A request for /foo is fetched from the key production/foo.

  • Origin id: www.nelsonenzo.com
    Domain name with the primary prefix, to tell origins apart (we will add a staging origin later).

  • Viewer Protocol Policy: Redirect HTTP to HTTPS
    Plain-HTTP requests get a 301 to the HTTPS URL, so nobody reads the blog, or gets content injected into it, over a cleartext connection.

  • Query String Forwarding and Caching: None, unless your asset URLs carry cache-busting parameters
    S3 ignores query strings on static objects, so forwarding them only matters if your build appends something like style.css?v=3 to force fresh fetches; in that case choose Forward All, Cache based on all. Otherwise choose None: with Forward All every distinct query string is a separate cache entry, so any client can fill the cache with variants of the same file and your hit ratio suffers.

  • Default Root Object: index.html
    Makes https://yourdomain.com/ serve index.html. It applies to the root URL only (see the caveat at the end).

  • Alternate Domain Names (CNAMEs): www.yourdomain.com yourdomain.com
    Every hostname you will point at the distribution. A request whose Host header is not listed here is rejected by CloudFront with a 403.

  • Custom SSL Certificate: select the certificate created earlier.
    It must cover every alternate domain name. Without it CloudFront presents the shared *.cloudfront.net certificate and browsers flag a name mismatch for your domain.

  • Use the default values for the other options.

4) Update DNS records for yourdomain.com

Create or update the DNS record for "www.yourdomain.com":

It should be a CNAME record whose value is the distribution's domain name (the *.cloudfront.net name shown on the distribution's page in the console).

For your site to be accessible at yourdomain.com (no www prefix) you cannot use a CNAME: the zone apex must carry SOA and NS records, and a CNAME cannot coexist with other records at the same name. Most modern DNS hosts therefore provide CNAME-like behaviour at the apex through a custom record type (ALIAS, ANAME or CNAME flattening).

In Route 53, create an A record for the apex with "Alias" enabled and point it at the CloudFront distribution (or at the www record in the same hosted zone); Route 53 resolves the alias to the current edge IPs at query time. Whichever hostname you add here must also appear in the distribution's Alternate Domain Names and on the certificate, or CloudFront will refuse the request.

This makes your site accessible at https://yourdomain.com as well as https://www.yourdomain.com.

5) Deploy & Invalidate Cache

For a small blog like this, I just push and expire the entire site each time, forcing any new request to fully re-cache. If you have a large corporate site, you may choose to be more strategic with your cache expiry. Be careful though: not invalidating old assets is bound to be noticed by the CEO directly; it's Murphy's Law.

# upload the built site; sync only sends new or changed files (add --delete to also remove objects that no longer exist locally)
aws s3 sync ./public/ s3://nelsonenzo.com/production/

# "/*" expires every cached object; a bare "/" would only expire the root object
aws cloudfront create-invalidation --distribution-id <distribution id> --paths "/*"
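The post wipes the whole cache on every push. For the "more strategic" approach it mentions, here is an added example (my own, not code from the original post) that diffs the freshly built site against what S3 already holds and derives the smallest invalidation batch, including the root-object and deleted-file cases. The local files and the S3 listing are constructed sample data; the bucket prefix follows the post; the 15-path threshold after which a single /* is used is a choice made for the example.

```python
"""Added example, not code from the original post: work out the smallest set of
CloudFront paths to invalidate after a deploy by comparing the freshly built site
with what S3 already holds. LOCAL_SITE and REMOTE_MANIFEST are constructed sample
data; PREFIX follows the post; the 15-path threshold is a choice for the example."""
import hashlib

PREFIX = "production/"   # origin path from step 3


def _etag(body: bytes) -> str:
    # For single-part uploads (anything the CLI sends in one piece) S3's ETag is the
    # quoted MD5 of the body, which is what makes a local/remote comparison possible.
    return '"' + hashlib.md5(body).hexdigest() + '"'


# Constructed: what `aws s3api list-objects-v2 --bucket nelsonenzo.com --prefix production/`
# would report, reduced to Key -> ETag.
REMOTE_MANIFEST = {
    "production/index.html":         _etag(b"<h1>old home</h1>"),
    "production/archive/index.html": _etag(b"<h1>archive</h1>"),
    "production/css/site.css":       _etag(b"body{}"),
    "production/old-post.html":      _etag(b"retired"),
}

# Constructed: the freshly built ./public directory, relative path -> bytes.
LOCAL_SITE = {
    "index.html":         b"<h1>new home</h1>",   # changed -> stale at the edge
    "archive/index.html": b"<h1>archive</h1>",    # unchanged
    "css/site.css":       b"body{}",              # unchanged
    "new-post.html":      b"<p>fresh</p>",        # new: never cached, nothing to expire
    # old-post.html no longer exists locally but is still cached at the edge
}


def changed_paths(local: dict, remote: dict, prefix: str) -> list[str]:
    """Viewer-facing paths whose cached copy is now wrong: modified files and
    files removed from the build. Brand-new files need no invalidation."""
    stale = []
    for rel, body in local.items():
        remote_etag = remote.get(prefix + rel)
        if remote_etag is not None and remote_etag != _etag(body):
            stale.append("/" + rel)
    for key in remote:
        if key.startswith(prefix) and key[len(prefix):] not in local:
            stale.append("/" + key[len(prefix):])
    return sorted(stale)


def invalidation_paths(stale: list[str], max_paths: int = 15) -> list[str]:
    """Turn stale paths into the --paths argument for create-invalidation.
    '/' (served via the Default Root Object) and '/index.html' are cached under
    separate keys, so a changed home page needs both. Each listed path counts
    toward the 1,000 free invalidation paths per month, while '/*' counts as one,
    so past max_paths a full wipe is the cheaper choice."""
    paths = set(stale)
    if "/index.html" in paths:
        paths.add("/")
    if len(paths) > max_paths:
        return ["/*"]
    return sorted(paths)


if __name__ == "__main__":
    batch = invalidation_paths(changed_paths(LOCAL_SITE, REMOTE_MANIFEST, PREFIX))
    quoted = " ".join(f'"{p}"' for p in batch)
    print(f"aws cloudfront create-invalidation --distribution-id <distribution id> --paths {quoted}")
```

Run the comparison after aws s3 sync has finished and feed the result to aws cloudfront create-invalidation. In a real run the manifest comes from aws s3api list-objects-v2 on the bucket, and the ETag comparison only holds for single-part uploads; multipart ETags are not plain MD5s, so treat any key with a "-" in its ETag as changed to be safe.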

Things to watch out for

Only the root of your origin will serve index.html as a default: the Default Root Object applies to https://yourdomain.com/ and to nothing else.
A link such as https://yourdomain.com/archive/ will NOT work. CloudFront asks S3 for the key production/archive/, which does not exist, and S3 answers 403 (or 404 if you granted listing), which CloudFront then caches for its error TTL.
You need to ensure links point to the actual HTML file, https://yourdomain.com/archive/index.html. The alternatives are to enable static website hosting on the bucket and use the website endpoint shown there as a custom origin, which does serve index.html in subfolders but only speaks plain HTTP between CloudFront and S3, or to rewrite "/archive/" to "/archive/index.html" at the edge with a CloudFront Function.
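An added example (my own, not code from the original post) that scans rendered HTML for links relying on directory index documents and rewrites them to the explicit file, as the caveat above requires. The HTML snippet is constructed sample input, and only trailing-slash links are handled: a bare /archive without the slash fails on the S3 REST origin too, but a scanner cannot tell it apart from a file that has no extension.

```python
"""Added example, not code from the original post: find and fix site-internal links
that end in '/', which the S3 REST origin behind CloudFront cannot serve below the
root. SAMPLE_HTML is constructed input for the example."""
import re
from urllib.parse import urlsplit, urlunsplit

SAMPLE_HTML = """<nav>
  <a href="/">Home</a>
  <a href="/archive/">Archive</a>
  <a href="../about/#team">About</a>
  <a href="https://example.org/docs/">External docs</a>
  <img src="/img/logo.png">
  <a href="/archive/index.html">Already explicit</a>
</nav>"""

# href="..." / src='...' attributes; the backreference keeps the original quote style.
_ATTR = re.compile(r'''(?P<attr>href|src)=(?P<q>["'])(?P<url>[^"']*)(?P=q)''', re.I)


def needs_index(url: str) -> bool:
    """True for site-internal links that end in '/' but are not the root itself.
    CloudFront applies the Default Root Object only to '/', so '/archive/' is sent
    to S3 as the key 'archive/', which does not exist."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:       # external or protocol-relative link
        return False
    return parts.path.endswith("/") and parts.path != "/"


def directory_links(html: str) -> list[str]:
    """Every offending URL in document order, for reporting."""
    return [m.group("url") for m in _ATTR.finditer(html) if needs_index(m.group("url"))]


def add_index(url: str, index: str = "index.html") -> str:
    """Append the index file to the path while keeping any query or fragment."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=parts.path + index))


def fix_directory_links(html: str, index: str = "index.html") -> str:
    """Rewrite offending href/src values in place; everything else is untouched."""
    def repl(m: re.Match) -> str:
        url = m.group("url")
        if needs_index(url):
            url = add_index(url, index)
        return f'{m.group("attr")}={m.group("q")}{url}{m.group("q")}'
    return _ATTR.sub(repl, html)


if __name__ == "__main__":
    for link in directory_links(SAMPLE_HTML):
        print(f"would 403/404 on the REST origin: {link} -> {add_index(link)}")
```

Run directory_links over the generated HTML as a build check, or fix_directory_links as a post-processing step before the upload; external links, the root link and files with extensions pass through unchanged.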