More HTTPS, Much Awesome with Aerobatic and AWS ACM

Reading time ~2 minutes

Ahoy!

A couple of ShipIt’s ago I noticed a snazzy looking Atlassian Connect plugin for Bitbucket called Aerobatic. On the tin it said;

Smart hosting for static web sites. Ideal for Jekyll sites, JavaScript
single page apps, and any HTML / CSS / JavaScript web site. Link your
Bitbucket repo, push your code, and your site is updated automatically. CDN,
SSL, custom domains, API proxy, and more.

A few months later and having read (only a few) pages complaining about Github pages lack of certain features I thought it was time to take a look at what this add-on can do. Turns out I migrated last weekend and this blog is now coming at you from Aerobatic. Woo!

Peeking under the hood

Installing Aerobatic is about as painful as logging into a new SaaS service using Oauth. The Getting Started page has literally two steps. Not very exciting - But the really exciting stuff is a little bit deeper.

Real HTTPS

In one of the articles I linked earlier, Eric Mill pointed out the issues with Github pages HTTPS support at the time - Have a read https://konklone.com/post/github-pages-now-sorta-supports-https-so-use-it.

So what is the problem?

  • Github only support HTTPS on *.github.io domains
  • Github doesn’t support custom domains with HTTPS
  • A hack for custom domains using Cloudflare’s “Flexible SSL” doesn’t provide end-to-end encryption

How does Aerobatic help us here? By leveraging the Amazon Certificate Manager (ACM) to issue free TLS certificates for any domain that is validated by ACM they can configure a AWS Cloudfront distribution with end-to-end encryption and delegating cipher suite hardening to AWS (which they update regularly - just have a look at your ELB policies).

The process for ACM domain validation is no different to that of other email based certificate validation. So yes, your still getting certificates from vending machines. At least now you know the value of them.

After that configuring Aerobatic to use the CNAME is trivial. It will take a fair while for the Cloudfront distribution to be configured.

Jekyll Plugins

Aerobatic’s docs on automated builds is quite a cool read and gives you a good idea what is going on. By passing your Jekyll payload to AWS Lambda they can provide more support for plugins than the current Github pages solution.

The really exciting part is that this architecture affords Aerobatic a path to support more static site generators like Hexo, Pelican and Hugo.

Private git repository

Don’t get me wrong - I am a open source advocate and am quite happy to contribute interesting projects. But pushing commits that say things like “fix typo” makes me feel bad for polluting your inbox. So Bitbucket makes a really great choice there where the HTML and user facing content (like this post) are available for all to see. Meanwhile my shameless typo’s and spelling issues can be fixed quietly.

The bad parts

None that I am aware of but if any of the below concerns you, well - good luck with that.

That is all for now folks!

Configuring dual stack IPv6 without DHCPv6-PD

Configuring dual stack IPv6 without DHCPv6-PD Continue reading

Mount Cloudmaker VK2/CT-015

Published on September 21, 2019

Tackling Mount Warrigal VK2/CT-057

Published on September 27, 2018