Druid project website is not secure

[leerho]

Attempting to reference pages of the website using https:// will fail. Example:

datasketches-aggregators

Many corporations are now requiring browsers automatically block non-secure sites.

I suggest the Druid team place a priority on getting this fixed.

[gianm]

This is because it is hosted on github pages, which doesn't support https for custom domains: https://help.github.com/articles/securing-your-github-pages-site-with-https/. Fwiw http://static.druid.io/ (where we release artifacts) doesn't support https either, since it's hosted on S3 which also doesn't support https for custom domains. CloudFront does though.

At Imply we moved https://imply.io/ from github pages to self hosting on EC2, and https://static.imply.io/ from S3 to CloudFront so we could support https on both. We'd happy to help out with migrating druid.io and static.druid.io as well. That could just mean sharing what we did to migrate our domains, but we would also be happy to do the work ourselves and donate the servers and bandwidth for hosting.

[gianm]

Some notes on what should work for the two druid.io domains, based on what worked for us:

static.druid.io

• S3 bucket can stay static.druid.io
• Set up an SSL cert using AWS Certificate Manager
• Set up a CloudFront distribution using that cert, with CNAME static.druid.io, and HTTP and HTTPS behaviors
• Set up an ALIAS record in Route 53 from static.druid.io to the CloudFront distribution

This procedure is pretty straightforward, so we might as well do it first. This domain hosts our release artifacts, so that'll at least give people confidence that the distribution is being downloaded securely.

druid.io

• Set up an S3 bucket that will hold the static content for the site
• Write a script that does bundle exec jekyll build and uploads the generated content to the S3 bucket, & run it either manually or automatically
• For hosting there are a couple options: either CloudFront (similar to static.druid.io) or self-hosting with nginx on EC2. We can use AWS Certificate Manager certs either way, since with self-hosting we can still use ELB to terminate SSL.

Some reasons we might want to not choose CloudFront for druid.io:

• redirecting www.druid.io -> druid.io gets a bit wonky: http://stackoverflow.com/questions/28675620/cloudfront-redirect-www-to-naked-domain-with-ssl, http://stackoverflow.com/questions/22740084/amazon-s3-redirect-and-cloudfront
• redirects and file extension handling doesn't work exactly the same way as GitHub Pages, so some links may break (or they may not, it depends whether the cases get hit)

The reason in favor of CloudFront is obvious, it's simpler than setting up EC2 instances.

[yuppie-flu]

Github now supports SSL for github pages with custom domains: https://blog.github.com/2018-05-01-github-pages-custom-domains-https/