With the push to go back to static sites, I found myself looking for static hosting again, this time with some specific requirements:
- DNS on Cloudflare
- SSL support for 4th-level subdomains (sub.sub.domain.com). This means SSL termination can't happen on Cloudflare: the certificate on their free plan only covers 3rd-level subdomains, so deeper names can't be proxied, and the Business plan is too expensive.
- Not necessarily free, but inexpensive at least.
And here’s what I came up with:
- First idea: AWS S3. Looks good at first sight, but the problem is that it doesn't serve HTTPS on its own; you need CloudFront in front of it. So you have to create a CloudFront distribution for each site, then invalidate its cache every time the site is updated. Too complicated for a simple static website.
- Second: GitHub Pages. Very good, except that it doesn't allow publishing sites from private repos unless you pay for your account. Pass.
- GitLab Pages, on the other hand, does allow that. Sadly, it has no automatic SSL renewal; the docs actually recommend: "When you finish setting up, just put in your calendar to remember to renew the certificate in time". That seems ridiculous for a service that is all about DevOps and IaC.
- And finally I found the holy grail: Netlify. It has everything on the list, plus automatic builds for Jekyll (and other site generators), and its own CDN. So all you have to do to deploy is push to the website repo.
So for now, Netlify is my static hosting platform of choice. Still, there are some gotchas and things that could be improved:
- It's a lot of clicking to create a website: create the site, pick the repo, receive Netlify's default subdomain, add a CNAME for your domain in DNS, enable SSL in the settings, and add a redirect from the default subdomain to the main domain in netlify.toml. All of this is manual. That is fine while you have one or two sites, but with a dozen you really need infrastructure as code. An Ansible role where you could just specify a list of domains and corresponding repos and have them all created automatically would be perfect.
- Netlify gets full access to your GitLab (GitHub, etc.) account. In some cases that might be acceptable; in others you might want to create a dedicated account for it instead and grant access only to the website repos.
- Make no mistake: if you're not paying for the product, you are the product. (Which is why S3 was my first go-to option: I'd rather pay a little than nothing at all. Alas, S3 just didn't cut it.)
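To make the per-site setup above less click-heavy, here is a small infrastructure-as-code sketch in Python. It is an added example written for this page, not code from the original post, from Netlify or from Cloudflare. For a list of sites it renders the netlify.toml redirect from the default Netlify subdomain to the custom domain and builds the Cloudflare DNS record that points the custom domain at Netlify with `proxied` set to false, which is what keeps SSL termination off Cloudflare so a 4th-level name still works on the free plan. The domains, repos and `*.netlify.app` hostnames are made up, the depth check assumes a two-label registrable domain such as example.com, and the only network call (`apply_dns`) is opt-in and expects a Cloudflare API token scoped to DNS edits on that single zone, in the same least-privilege spirit as the dedicated Git account suggested above.

```python
import json
import os
import urllib.request
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Site:
    """One static site: custom domain, Netlify default subdomain, Git repo."""
    domain: str        # e.g. "docs.eu.example.com" (a 4th-level name)
    netlify_host: str  # Netlify's default subdomain for the site
    repo: str          # repository Netlify builds from (informational here)


# Constructed sample inventory; every name and repo here is hypothetical.
SITES = [
    Site("docs.eu.example.com", "docs-eu-example.netlify.app",
         "git@gitlab.com:acme/docs-eu.git"),
    Site("www.example.com", "acme-www.netlify.app",
         "git@gitlab.com:acme/www.git"),
]


def subdomain_depth(domain: str) -> int:
    """Labels below the registrable domain, assuming a two-label registrable
    domain such as example.com (not .co.uk): 'a.b.example.com' -> 2."""
    return len(domain.rstrip(".").split(".")) - 2


def needs_origin_tls(domain: str) -> bool:
    """True when Cloudflare's free Universal SSL (example.com and *.example.com
    only) would not cover the name, so the record could not be proxied even if
    you wanted it to be and TLS has to terminate at Netlify."""
    return subdomain_depth(domain) > 1


def netlify_toml(site: Site) -> str:
    """netlify.toml redirect from the default Netlify subdomain to the custom
    domain. force=true applies it even when the path exists on the Netlify host."""
    return (
        "[[redirects]]\n"
        f'  from = "https://{site.netlify_host}/*"\n'
        f'  to = "https://{site.domain}/:splat"\n'
        "  status = 301\n"
        "  force = true\n"
    )


def cloudflare_cname(site: Site) -> dict:
    """Body for Cloudflare's create-DNS-record API. proxied=False (grey cloud)
    keeps Cloudflare as DNS only for every site: a proxied record would
    terminate TLS at Cloudflare, which cannot serve a certificate for
    sub.sub.example.com on the free plan."""
    return {
        "type": "CNAME",
        "name": site.domain,
        "content": site.netlify_host,
        "ttl": 1,            # 1 means "automatic" in Cloudflare's API
        "proxied": False,
    }


def plan(sites) -> dict:
    """Render everything for a list of sites without touching any API."""
    return {
        s.domain: {
            "repo": s.repo,
            "origin_tls": needs_origin_tls(s.domain),
            "netlify_toml": netlify_toml(s),
            "dns": cloudflare_cname(s),
        }
        for s in sites
    }


def apply_dns(zone_id: str, site: Site, token: Optional[str] = None) -> dict:
    """Create the record through the Cloudflare v4 API. Use a token scoped to
    Zone:DNS:Edit on this one zone, never the global API key. This performs a
    network call and is not exercised by the sample run below."""
    token = token or os.environ["CF_API_TOKEN"]
    req = urllib.request.Request(
        f"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records",
        data=json.dumps(cloudflare_cname(site)).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for domain, cfg in plan(SITES).items():
        print(f"# {domain} <- {cfg['repo']} (Cloudflare could not proxy: {cfg['origin_tls']})")
        print(cfg["netlify_toml"])
        print(json.dumps(cfg["dns"]))
```

Running it prints a netlify.toml snippet and a DNS record body per site; the Netlify side (site creation, repo link, SSL toggle) would still need Netlify's own API or UI, which this sketch deliberately leaves out. The important check is that every record comes out with `"proxied": false`; flipping a record to the orange cloud by hand later silently moves SSL termination back to Cloudflare and breaks the 4th-level names.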