I always loved GitHub Pages, thanks to open-source and free hosting. The last thing that made me feel too old-school was the plain "http://" protocol. That is usually the main argument why people move from GitHub Pages elsewhere, i.e. to their own VPS. What a pity.
Fortunately, thanks to Michal Špaček's ability to explain complex stuff in a simple way, we solved this over a single weekend.
WARNING: This post is now DEPRECATED. Custom domains on GitHub Pages have supported HTTPS directly since May 2018. Check this GitHub blog for more information.
I thought setting up HTTPS was a very difficult process that requires at least owning a VPS, extensive work via SSH, and buying, paying for and setting up the certificate. This is practically impossible to do with just GitHub Pages.
But is it really?
Cloudflare will pre-fill the DNS records by scanning your current records. Continue.
Pick free plan.
Go to your domain administration (look for "change DNS servers" or similar) and change current name servers to those provided by Cloudflare. You can either create a new NSSET or change the current one, if your registry supports NSSETs.
Keep in mind that the servers may be different for each domain you add to Cloudflare.
The site will be served via Cloudflare once browsers notice the change, that is, when the DNS changes have propagated worldwide. That can take some time, from minutes to even days, depending on the expiration of these records in the DNS. Don't worry though, there's no downtime: the site stays accessible whether or not a request goes via Cloudflare, because the change we made doesn't affect the origin servers (GitHub's in this case), which are still up and running.
The changes can be verified in the browser or using the command-line interface. Look for the Server response header; it should contain cloudflare-nginx:

curl -I http://pehapkari.cz | grep Server
Server: cloudflare-nginx
Now try https://pehapkari.cz, if there's no error, we have HTTPS enabled!
Note that it can take up to 24 hours for HTTPS to be enabled.
Not quite there yet
Now we have a website running over HTTPS. But it is also accessible without HTTPS, through http://pehapkari.cz, so we need to redirect all HTTP requests to their HTTPS equivalents. This is especially important for security, but also to avoid duplicate content (that would hurt SEO).
Scroll down a bit, roughly to the middle of the page.
This will redirect both
If you need more or different redirections you can use Page Rules.
Now run these diagnostics using your command-line interface:

curl -I http://pehapkari.cz | grep -i Location
curl -I http://www.pehapkari.cz | grep -i Location
curl -I https://www.pehapkari.cz | grep -i Location

These commands should show:

Location: https://pehapkari.cz/
Location: https://www.pehapkari.cz/
Location: https://pehapkari.cz/
If they do, you're done! If not, leave us a comment below and we'll try to help you and also improve this tutorial.
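The redirect check above as a reusable script, added here as an example (not code from the original post). The function names and the sample responses are constructed for illustration, and it goes slightly beyond the grep by also requiring a permanent redirect status and an https:// target.

```shell
#!/bin/sh
# Added example: check an HTTP->HTTPS redirect from raw response headers.

# Print the Location value. Header names are matched case-insensitively
# (HTTP/2 sends them lowercase) and the CR of each CRLF ending is stripped,
# so string comparisons on the result are exact.
location_of() {
    tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }'
}

# Print the numeric status code from the status line.
status_of() {
    tr -d '\r' | awk 'NR == 1 { print $2 }'
}

# check_redirect HEADERS EXPECTED_URL
# Passes only for a permanent redirect (301/308) to exactly EXPECTED_URL,
# which must itself be an https:// URL.
check_redirect() {
    status=$(printf '%s\n' "$1" | status_of)
    target=$(printf '%s\n' "$1" | location_of)
    case $status in
        301|308) ;;
        *) echo "FAIL: status '$status' is not a permanent redirect"; return 1 ;;
    esac
    case $target in
        https://*) ;;
        *) echo "FAIL: target '$target' is not HTTPS"; return 1 ;;
    esac
    [ "$target" = "$2" ] || { echo "FAIL: got '$target', want '$2'"; return 1; }
    echo "OK: $status -> $target"
}

# Live check, needs network: check_url http://pehapkari.cz https://pehapkari.cz/
check_url() {
    check_redirect "$(curl -sI "$1")" "$2"
}

# Constructed sample responses (not captured from the real site).
SAMPLE_OK=$(printf 'HTTP/1.1 301 Moved Permanently\r\nServer: cloudflare-nginx\r\nLocation: https://pehapkari.cz/\r\n\r\n')
SAMPLE_H2=$(printf 'HTTP/2 301 \r\nserver: cloudflare-nginx\r\nlocation: https://www.pehapkari.cz/\r\n\r\n')
SAMPLE_PLAIN=$(printf 'HTTP/1.1 200 OK\r\nServer: cloudflare-nginx\r\n\r\n')

check_redirect "$SAMPLE_OK" "https://pehapkari.cz/"
check_redirect "$SAMPLE_H2" "https://www.pehapkari.cz/"
check_redirect "$SAMPLE_PLAIN" "https://pehapkari.cz/" || true
```

The third sample fails on purpose: a 200 response with no Location header means the plain-HTTP site is still being served without a redirect.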
If you ever get into any security trouble, call Michal to the rescue. Thank you!