I had trouble getting AWS CloudFront to work with SquareSpace. Issues with forms not submitting and the site saying website expired. What are the settings that are needed to get CloudFront working with a Squarespace site?
This is definitely doable, considering I just set this up. Let me share the settings I used on Cloudfront, Squarespace, and Route53 to make it work. If you want to use a different DNS provide than AWS Route53, you should be able to adapt these settings. Keep in mind that this is not an e-commerce site, but a standard site with a blog, static pages, and forms. You can likely adapt these instructions for other issues as/if they come up.
Cloudfront (CDN)
To make this work, you need to create a Cloudfront Distribution for Web.
Origin Settings
Origin Domain Name should be set to ext-cust.squarespace.com. This is Squarespace's entry point for external domain names.
Origin Path can be left blank.
Origin ID is just the unique ID for this distribution and should auto-populate if you're on the distribution creation screen, or be fixed if you're editing Origin Settings later.
Origin Custom Headers do not need to be set.
Default Cache Behavior Settings / Behaviors
Path Patterns should be left at Default.
I have Viewer Protocol Policy set to Redirect HTTP to HTTPS. This dictates whether your site can use one or both of HTTP or HTTPS. I prefer to have all traffic routed securely, so I redirect all HTTP traffic to HTTPS. Note that you cannot do the reverse and redirect HTTPS to HTTP, as this will cause authentication issues (your browser doesn't want to expose what you thought was a secure connection).
Allowed HTTP Methods needs to be GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE. This is because forms (and other things such as comments, probably) use the POST HTTP method to work.
Cached HTTP Methods I left to just GET, HEAD. No need for anything else here.
Forward Headers needs to be set to All or Whitelist. Squarespace's entry point we mentioned earlier needs to know where what domain you're coming from to serve your site, so the Host header must be whitelisted, or allowed with everything else if set to All.
Object Caching, Minimum TTL, Maximum TTL, and Default TTL can all be left at their defaults.
Forward Cookies cookies is the missing component to get forms working. Either you can set this to All, or Whitelist. There are certain session variables that Squarespace uses for validation, security, and other utilities. I have added the following values to Whitelist Cookies: JSESSIONID, SS_MID, crumb, ss_cid, ss_cpvisit, ss_cvisit, test. Make sure to put each value on a separate line, without commas.
Forward Query Strings is set to True, as some Squarespace API calls use query strings so these must be passed along.
Smooth Streaming, Restrict Viewer Access, and Compress Objects Automatically can all be left at their default values, or chosen as required if you know you need them to be set differently.
Distribution Settings / General
Price Class and AWS WAF Web ACL can be left alone.
Alternate Domain Names should list your domain, and your domain with the www subdomain attached, e.g. example.com, www.example.com.
For SSL Certificate, please follow the tutorial here to upload your certificate to IAM if you haven't already, then refresh your certificates (there is a control next to the dropdown for this), select Custom SSL Certificate and select the one you've provisioned. This ensures that browsers recognize your SSL over HTTPS as valid. This is not necessary if you're not using HTTPS at all.
All following settings can be left at default, or chosen to meet your own specific requirements.
Route 53 (DNS)
You need to have a Hosted Zone set up for your domain (this is specific to Route 53 setup).
You need to set an A record to point to your Cloudfront distribution.
You should set a CNAME record for the www subdomain name pointing to your Cloudfront distribution, even if you don't plan on using it (later we'll go through setting Squarespace to only use the root domain by redirecting the www subdomain)
Squarespace
On your Squarespace site, you simply need to go to Settings->Domains->Connect a Third-Party Domain. Once there, enter your domain and continue. Under the domain's settings, you can uncheck Use WWW Prefix if you'd like people accessing your site from www.example.com to redirect to the root, example.com. I prefer this, but it's up to you. Under DNS Settings, the only value you need is CNAME that points to verify.squarespace.com. Add this CNAME record to your DNS settings on Route 53, or other DNS provider. It won't ever say that your connection has been fully completed since we're using a custom way of deploying, but that won't matter.
Your site should now be operating through Cloudfront pointing to your Squarespace deployment! Please note that DNS propogation takes time, so if you're unable to access the site, give it some time (up to several hours) to propogate.
Notes
I can't say exactly whether each and every one of the values set under Whitelist Cookies is necessary, but these are taken from using the Chrome Inspector to determine what cookies were present under the Cookie header in the request. Initially I tried to tell Cloudfront to whitelist the Cookie header itself, but it does not allow that (presumably because it wants you to use the cookie-specific whitelist). If your deployment is not working, see if there are more cookies being transmitted in your requests (under the Cookie header, the values you're looking for should look like my_cookie=somevalue;other_cookie=othervalue—my_cookie and other_cookie in my example are what you'd add to the whitelist).
The same procedure can be used to forward other headers entirely that may be needed via the Forward Headers whitelist. Simply inspect and see if there's something that looks like it might need to go through.
Remember, if you're not whitelisting a header or cookie, it's not getting to Squarespace. If you don't want to bother, or everything is effed (pardon my language), you can always set to allow all headers/cookies, although this adversely affects caching performance. So be conservative if you can.
Hope this helps!
Here are the settings to get CloudFront working with Squarespace!
Behaviours:
Allowed HTTP Methods Ensure that you select: GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE. Otherwise forms will not work:
Forward Headers: Select whitelist and choose 'Host'. Otherwise squarespace will not know which website they need to load up and you get the message 'Website has expired' or similar.
Origins:
Origin Domain Name set as: ext-cust.squarespace.com
Origin Protocol Policy Select HTTPS so that traffic between the CDN and the origin is secure too
General
Alternate Domain Names (CNAMEs) put both your www and none www addresses here and let Squarespace decide on if to direct www to root or vice-versa (.e.g example.com www.example.com)
You can now configure SSL on CloudFront
HTTPS You can now enforce HTTPS using a certificate for your site here rather than in Squarespace
Setting I'm unsure about still:
Forward Query Strings: recommended not for caching reasons but I think this could break things...
Route53
Create A records for www and root (e.g. example.com www.example.com) and set as an alias to your CloudFront distribution
Related
I have a HPKP pinned domain at sub.domain.tld with a 2 month expiry and includeSubdomains flag present.
I noticed now that sub2.domain.tld, using a different certificate that is not pinned, still works.
Does this mean that includeSubdomains is relative to the domain sending the header, and does not cover all subdomains of domain.tld?
I.e. I would assume subsub.sub.domain.tld to fail HPKP validation with a different certificate with above configuration, but sub2.domain.tld to work.
Is this correct?
Yes that is all correct. It should not be assumed that those with access to a subdomain have access to a top level domain - though the reverse can be assumed.
If it worked as you originally thought then anyone on user1.example.com could directly break user2.example.com site.
If you want to pin all subdomains then you should set your HPKP policy at the top level domain as well as at the subdomains. As most users don't typically visit the top level domain, they won't pick up this policy, so to get around this you are best to load a resource from your top level domain in your subdomain so they effectively visit your top level domain. I think this works even if that resource is redirected to your subdomain.
For example if visiting https://www.example.com you should load something like https://example.com/icon.jpg to pick up this policy from top level, even if that attempting to load that causes a redirect to https://www.example.com/icon.jpg.
I have a SaaS app where every user has a personal subdomain: username.domain.com. Every user has a personal blog at username.domain.com/blog.
Now I want to accept custom domains, e.g. www.mycustomblog.com would be an alias for username.domain.com/blog.
If someone browses to www.mycustomblog.com/123, the page username.domain.com/blog/123 should be served.
However, I do NOT want a redirect. The user should still see www.mycustomblog.com/123in their address bar.
How can I achieve this behaviour? I have looked into Nginx reverse proxies, DNS CNAME records... but nothing seems to suit my needs. I can access both the custom domain DNS settings and all of the server's config files.
I think what you're looking for is a rewrite. However your described logic doesn't work:
www.mycustomblog.com -> username.domain.com/blog
appears to be missing a piece of identifying information on the left side. Perhaps www.mycustomblog.com/username? After that, it's just a matter of writing out the match/map statements to change the request to match what you've got on the server.
This question is specifically about page rules in Cloudflare, which allow you to specify wildcard patterns on your site using rules - and handle each pattern differently.
One of the patterns is "Force SSL" - in effect, any request that matches that pattern will be forced down the path of https:// - whether that's Flexible SSL or otherwise.
The problem with choosing this option is that all other options over the CDN/cache time, etc. disappear.
This raises some obvious issues to which I've found no clear answer:
If Cloudflare serves a https:// resource, does it still cache static resources?
How do I control the nature of the resources cached? In other words, the settings equivalent to "Simple" caching, and "Aggressive" caching.
Is there any ability to set options such as cache expiry, time that they reside on edge servers before expiration, etc?
Is it possible to set "Cache Everything" when serving requests over https://? It certainly exists on the http:// equivalent.
I would like Cloudflare to re-direct my visitors from http:// to https:// automatically as opposed to do it on my app, because the various apps on my domain (Wordpress included) have various quirks that make configuring each one both tedious and error-prone.
you can add another rule for caching for https - the first rule would be to divert all http to https with another rule right after that to handle the https traffic.
"If Cloudflare serves a https:// resource, does it still cache static resources?"
Yes. It doesn't matter if it is http or https://
What CloudFlare caches by default
"How do I control the nature of the resources cached? In other words, the settings equivalent to "Simple" caching, and "Aggressive" caching."
By using those settings in your performance settings.
"Is it possible to set "Cache Everything" when serving requests over https://? It certainly exists on the http:// equivalent."
I would actually recommend not doing cache everything, really. While it is an option that is available, you could have issues with users that have to sign in, etc.
"Is there any ability to set options such as cache expiry, time that they reside on edge servers before expiration, etc?"
You can set a browser cache TTL in your performance settings; we should also honor the expire headers you have set on your server.
What I'd really like to do is set up an azure site called site.com. Then have hundreds of subdomains such as foo.site.com, bar.site.com, baz.site.com etc. My asp.net mvc application will pull out the subdomain as this will be used as an identifier.
Next I'd like to have other domains CNamed to the subdomains. Such as hello.othersite.com -> foo.site.com, so that the browser still shows hello.othersite.com but I'd be able to get the foo subdomain out of the request.
I don't want to have to configure any of this because there are going to be lots of subdomains, essentially one per account.
Is this actually possible?
I've tried a few tests but I'm not 100% sure how to proceed. Would I just:
Setup site.com to accept *.site.com
CNAME hello.othersite.com to foo.site.com (do I want masking, forwarding etc?)
Does the incoming http request contain any information about the subdomain (foo) that
it's CNAMED to?
I hope this isn't too vague and hand wavey but some confirmation of its plausibility would be a great help.
It is not just Azure, but the whole web.
I don't think it is possible to get out of the HTTP request for hello.othersite.com that it actually mapped in the DNS to foo.site.com. And this is because your actual HTTP request will look something like
GET /index.html HTTP/1.1
(other headers)
host: hello.othersite.com
Your web server, whatever it is, has no idea that hello.othersites.com is mapped via CNAME to foo.site.com. The request you receive is for hello.othersite.com.
If you do forwarding, the users will never stay on hello.othersite.com but will be redirected to foo.site.com. I guess this is not what you want.
Direct domain masking is usually done via iFrame, which would also not recommend.
I would do the following, as nothing else comes to mind at the moment:
Setup the site to accept *.site.com and *.othersite.com
Add Wildcard CNAME map to my Azure cloud service, i.e. *.site.com -> CNAME -> my.cloudapp.net. Same for both custom domains I want to have.
Perform necessary checks in my app to figure out domain mappings <-> user accounts.
How to respect "Serve static content from a cookieless domain" page speed rule in IIS6?
To create a cookieless site (or subdomain, which is a very common best-practice) in IIS6/IIS7/IIS7.5 is simple : you need to tell the website that you are not to use cookies :) Which means in IIS terms, not to use a session.
This can be achieved in IIS6/IIS7 via two ways.
Modifying the Web.config file (my personal recommendation)
Using the IIS Manager GUI to find the setting and changing it.
IMPORTANT
Before you do any testing, you must must must clear all cookies (or all cookies for the domain u are testing) otherwise, they will get passed along even if u have done all the steps.
1. Via Config File
You need to define the session state to off.
<system.web>
<sessionState cookieName="What_ever" mode="Off" />
</system.web>
NOTE: Please note that the attribute cookieless (true|false) does NOT mean 'send cookies/do not sent cookies). That's for using sessions with/without cookies ... and passes some cookie guid into the url instead (if set to true).
2. Via Gui
Hope this Helps (i assume u know how to test that no cookies are working/not working...)
What this means is that your content needs to come from a domain that has no cookies attached to it. StackOverflow.com is an example of a site that does this. You will notice that all SO's static content comes from a domain called sstatic.net.
http://sstatic.net/stackoverflow/all.css
http://sstatic.net/js/master.js
This is so that the client and the server don't have to waste resources on actually parsing and handling cookie data. The good news is, you can use a sub-domain, assuming that you set your cookie path correctly.
Yahoo Best Practices for Speeding Up
Your Web Site
Use Cookie-free Domains for Components
When the browser makes a request for a
static image and sends cookies
together with the request, the server
doesn't have any use for those
cookies. So they only create network
traffic for no good reason. You should
make sure static components are
requested with cookie-free requests.
Create a subdomain and host all your
static components there. If your
domain is www.example.org, you can
host your static components on
static.example.org. However, if you've
already set cookies on the top-level
domain example.org as opposed to
www.example.org, then all the requests
to static.example.org will include
those cookies. In this case, you can
buy a whole new domain, host your
static components there, and keep this
domain cookie-free. Yahoo! uses
yimg.com, YouTube uses ytimg.com,
Amazon uses images-amazon.com and so
on.
Another benefit of hosting static
components on a cookie-free domain is
that some proxies might refuse to
cache the components that are
requested with cookies. On a related
note, if you wonder if you should use
example.org or www.example.org for
your home page, consider the cookie
impact. Omitting www leaves you no
choice but to write cookies to
*.example.org, so for performance reasons it's best to use the www
subdomain and write the cookies to
that subdomain.
create subdomain ( for example static.example.com ) and store all static content(images, css, js) here