blog

SEAN K.H. LIAO

https

Secure all the things! HTTPS everywhere. But how do you chain 2 not very compatible things together in an unbroken chain of HTTPS?

Google Cloud Storage

There are 3 ways to access things on GCS:

You'll notice there's no support for HTTPS with your custom domain, the supported way is with a load balancer.

With Cloudflare and page rules, you can have HTTPS on a custom domain without paying for a load balancer.

Note: you can't use a Resolve Override because it won't pass cloudflare validation

Google Cloud Run

Cloud run gives you a stable domain per app at your-app.a.run.app. You can map custom domains to it, and Google will tell you to map a CNAME to ghs.googlehosted.com. But if you have Cloudflare proxying turned on, it will forever be stuck provisioning the certificate, likely because Cloudflare hijacks /.well-known/. If you turn off proxying temporarily, it will succeed now, but fail silently in 90 days when the letsencrypt certificate expire, and if you have Cloudflare strict origin SSL on, you'll get HTTP 525.

Your best bet is to do the same (also recommended by a Google engineer for a no downtime switch):

Note: you can't use a Resolve Override because it won't pass cloudflare validation