GitHub Pages require disabling CF's HTTP Proxy

Using GitHub (GH) Pages with CloudFlare (CF) requires disabling CF’s HTTP Proxy, as I was told today by GH advisors.

What are the effects of disabling CF’s HTTP Proxy (for all A DNS records)? Which services of CF are disabled by this?

The quick answer? All of them except for DNS resolution obviously…

Does this mean that it doesn’t really make sense to use CF for GH Pages?

You can use it, you just have to set the SSL mode (preferably only for that subdomain) to Flexible. It’s not the safest option, you wouldn’t have full encryption on the traffic everywhere, but it’s the only solution GitHub supports as far as I know.

Do you propose that I can enable CF’s HTTP proxy if I set CF’s SSL mode to Flexible?

They were telling me:

Cloudflare enables their HTTP/DNS proxy feature by default, meaning GitHub isn’t able to see the DNS records required to generate an HTTPS certificate. You’ll need to disable this for any DNS records that point towards GitHub.

Exactly, that is the reason. They don’t issue certificates based on the content, but based on the record being there.

If you set it to flexible they receive HTTP requests. You could try Full, not strict, but I am not sure GitHub even serves a certificate (even self-signed or not for the correct domain) at all if they don’t see the records. Trying takes a couple of minutes though.

After setting SSL mode to Flexible and re-activating the proxy, my GitHub site was no longer available (first with ERR_TOO_MANY_REDIRECTS and then DNS_PROBE_FINISHED_NXDOMAIN).

So, my frustrating conclusion is that all the fine cloud services of CF cannot be used for GH Pages.

I’m wondering why CF doesn’t clearly tell this to users. Shouldn’t there be a (help) page warning CF users that they have to turn off CF’s proxy for their GH Pages?

Have you tried Full? The first error tells me that could work, the second is kinda strange and unrelated to all the issues we are seeing.

I am not sure it’s Cloudflare’s duty to say so, as it’s GitHub pages that doesn’t follow standard practices with regards to proxies. They also tell you that their service doesn’t need a CDN/proxy in front though…

I had tried setting the SSL mode to Full before, without success. It seems that CF’s proxy is simply not compatible with GH Pages.

I think both CF and GH should point this out to their users to save them from going through all the trouble of finding this out themselves. This is quite frustrating given the fact that, unlike Netlify, GH doesn’t provide a CDN and therefore it’s natural for users to try to combine it with CF.

Would you mind telling me the two domains? The GitHub pages and currently configured domain.

I have tried right now on my own repository, it works just fine as I expected. It needs to be Flexible SSL, but works just fine.

I’ve the CF domain “dpmn.info” and the GH repo “https://github.com/gwagner57/dpmn”. But I have rolled my changes back, deactivating the CF proxy again, as advised by a GitHub support staff member.

What is the CNAME you are pointing the domain at?

The GH CNAME file contains “dpmn.info”. The CF CNAME DNS record for www points to “dpmn.info”.

Understood, but in the DNS dashboard, what did you put in the CNAME name field for the root record?

I’ve created the following records:

Let’s try one more thing while I am on mobile and I can’t test certificates well.

I would suggest using the www version as the website and then CNAME the root to it (basically reverse the current set-up, but both with CNAMEs). Then set at least the www as Flexible (make sure to disable the Enforce HTTPS in GitHub’s settings, which unfortunately can’t be turned on) and try again.

Edit: if the Enforce HTTPS option is on, try disabling it and switch to Flexible with this setup. It may work!

I’ve changed the DNS records following your advice to

However, with CF’s SSL mode set to Flexible, it still does not allow activating the CF proxies, otherwise the GH Pages site becomes unavailable.

I’ll give up now. It’s disappointing that GH does not allow using CF’s proxy-based services.

The combination of GH+CF still makes sense, if the domain is bought (and registered) with CF for a fair price. But then, CF is only used as a DNS provider.

Have you actually set up the website in the repository settings in GitHub (it may be technically different than the CNAME file in the repository itself)? I can make it work just fine with the proxy enabled.

I’ve got the following settings:

Should I turn on “Enforce HTTPS”?

Not really, it would work now, but it wouldn’t once the cert expires since they seem to not be able to renew it.

And if now you set the SSL to Flexible and then enable the proxy it does not work? Can you try now for just one last time? I want to see the error…
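The reason GitHub support gave earlier in the thread (with the proxy on, GitHub cannot see the DNS records it needs to issue a certificate) can be checked from outside by looking at what a lookup returns. The following is an added example, not part of the thread: the address lists are a snapshot of the publicly documented GitHub Pages and Cloudflare ranges and should be verified against the current lists, and the `dig +short` outputs and the `exampleuser.github.io` name are constructed.

```python
import ipaddress

# GitHub Pages apex A records as publicly documented (snapshot, verify before use).
GITHUB_PAGES_IPS = {ipaddress.ip_address(a) for a in (
    "185.199.108.153", "185.199.109.153", "185.199.110.153", "185.199.111.153")}

# Subset of Cloudflare's published IPv4 ranges (snapshot, verify before use).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15",
    "173.245.48.0/20", "188.114.96.0/20", "198.41.128.0/17")]

def classify_address(addr):
    """Label one resolved address by who announces it."""
    ip = ipaddress.ip_address(addr)
    if ip in GITHUB_PAGES_IPS:
        return "github-pages"
    if any(ip in net for net in CLOUDFLARE_NETS):
        return "cloudflare-proxy"
    return "other"

def parse_dig_short(output):
    """Split `dig +short` output into (cname_targets, addresses)."""
    cnames, addrs = [], []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig comment lines
        try:
            ipaddress.ip_address(line)
            addrs.append(line)
        except ValueError:
            cnames.append(line.rstrip("."))  # not an IP, so a CNAME target
    return cnames, addrs

def record_visibility(output):
    """'dns-only' if GitHub's records are visible, 'proxied' if Cloudflare answers."""
    cnames, addrs = parse_dig_short(output)
    kinds = {classify_address(a) for a in addrs}
    if any(c.endswith(".github.io") for c in cnames) or kinds == {"github-pages"}:
        return "dns-only"
    if "cloudflare-proxy" in kinds:
        return "proxied"
    return "unknown"

# Constructed sample outputs of `dig +short <name>`.
DNS_ONLY_APEX = "185.199.108.153\n185.199.109.153\n185.199.110.153\n185.199.111.153\n"
DNS_ONLY_WWW = "exampleuser.github.io.\n185.199.108.153\n"
PROXIED = "104.21.10.20\n172.67.130.40\n"
```

A result of `proxied` corresponds to the state in which GitHub support asked for the proxy to be disabled; `unknown` means the answer points somewhere other than GitHub Pages or the listed Cloudflare ranges.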