Create a Custom Domain CDN with Google
The Google Cloud Platform introduced Google-managed certificates for load balancers. That means my previous post about setting up an HTTPS-only CDN with Let's Encrypt is obsolete. There is a new, better way to set up a custom-domain, HTTPS-only CDN backed by a Google Cloud Storage bucket.
EDIT: since April 27, 2020, Google-managed SSL certificates are out of beta and generally available (GA): https://cloud.google.com/load-balancing/docs/release-notes#April_27_2020 🎉
Disclaimer: Google-managed SSL certificates are a beta feature and will remain so until late 2019. So use with caution.
Objectives
- I want to serve the images on my website (a comparison site for contact lenses) from a cloud bucket.
- I want to serve them from my own domain, cdn.kontaktlinsen-preisvergleich.de
- I need HTTPS for that domain, because my website uses HTTPS everywhere and I don't want to mix that with plain HTTP.
Old Approach
- Create a Google Cloud Storage bucket
- Install Certbot
- Create a Let's Encrypt DNS challenge to prove that you own the domain
- Update your DNS with the TXT record
- Wait until the DNS change has propagated
- Create the HTTPS load balancer with the Google Cloud Storage bucket as backend
- Add a nameserver entry for the CDN
New Approach
- Create a Google Cloud Storage bucket
- Create the HTTPS load balancer with the Google Cloud Storage bucket as backend
- Add a nameserver entry for the CDN
Yes, it really is that easy, but let's get into the details.
Step 1: Create a Google Cloud Storage Bucket
You need a Google Cloud Storage bucket whose objects are reachable over HTTP, like mine under http://storage.googleapis.com/kontaktlinse-staging/air-optix-aqua-6-400x400.jpg
It is important that the bucket, or at least the objects that should be served, are publicly readable. In my case I simply gave "allUsers" the role Storage Object Viewer (read-only access to objects, nothing more).
Step 2: Create the HTTPS Loadbalancer with Google Cloud Storage Bucket as Backend
In the Cloud Console, go to Network Services / Load Balancing and click "Create Load Balancer", then click "Start Configuration" in the HTTP(S) Load Balancing section.
In the Backend section, select "Create a backend bucket".
Select the bucket and enable Cloud CDN!
The Host and Path rules can be ignored. In the Frontend section, reserve a new static IP address and select "Create a new certificate" in the certificate section.
And here is the magic point: select "Create Google-managed certificate" instead of uploading your own certificate! You only need to enter your domain name.
This should end up as expected: a running load balancer!
HINT: If you now have both an HTTP and an HTTPS frontend, you can simply delete the HTTP one. Then the content is only reachable via HTTPS.
Step 3: Add a nameserver entry for the CDN
Finally, we need to add an A record at the nameserver that points staging-cdn.kontaktlinsen-preisvergleich.de to our load balancer's IP address (35.201.64.95 in my case). Then wait again until the DNS change has propagated everywhere and we are ready to serve!
Attention: it takes some time for the load balancer to provision the new certificate. Even after the certificate's status is ACTIVE, you will still see TLS errors for a few minutes (the browser reports ERR_SSL_VERSION_OR_CIPHER_MISMATCH). It took 15 minutes for mine to have everything up and running.
You can check the resulting certificate and TLS configuration here: https://www.ssllabs.com/ssltest/
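The three console steps above can also be scripted. The following is an added example written for this post, not the author's own script or anything from Google's documentation: it uses gsutil and gcloud to create the public-read bucket, the CDN-enabled backend bucket, the Google-managed certificate, the HTTPS-only frontend (a forwarding rule on port 443 only, so no HTTP frontend has to be deleted afterwards) and then polls the certificate status. PROJECT, BUCKET, DOMAIN and the NAME prefix are placeholders you set in the environment; the resource names derived from NAME are assumptions, not names from the post.

```shell
#!/bin/sh
# Added example: gcloud/gsutil equivalent of the console steps in this post.
# All names below are placeholders (PROJECT, BUCKET, DOMAIN, NAME are assumptions).
set -eu

PROJECT="${PROJECT:-my-project}"      # placeholder GCP project id
BUCKET="${BUCKET:-my-cdn-bucket}"     # placeholder bucket name
DOMAIN="${DOMAIN:-cdn.example.com}"   # placeholder hostname served by the CDN
NAME="${NAME:-cdn}"                   # prefix for the load balancer resources

# Step 1: create the bucket and grant allUsers read-only access to objects.
# objectViewer is the only public grant needed; no bucket- or project-level role.
create_bucket() {
  gsutil mb -p "$PROJECT" "gs://$BUCKET"
  gsutil iam ch allUsers:objectViewer "gs://$BUCKET"
}

# Step 2: backend bucket with Cloud CDN, URL map, Google-managed certificate,
# HTTPS target proxy, reserved global IPv4 address and a 443-only forwarding rule.
# Prints the reserved address as its last line so the caller can create the A record.
create_https_lb() {
  gcloud compute backend-buckets create "$NAME-backend" \
    --gcs-bucket-name="$BUCKET" --enable-cdn
  gcloud compute url-maps create "$NAME-map" \
    --default-backend-bucket="$NAME-backend"
  gcloud compute ssl-certificates create "$NAME-cert" \
    --domains="$DOMAIN" --global
  gcloud compute target-https-proxies create "$NAME-proxy" \
    --url-map="$NAME-map" --ssl-certificates="$NAME-cert"
  gcloud compute addresses create "$NAME-ip" --ip-version=IPV4 --global
  gcloud compute forwarding-rules create "$NAME-https" \
    --address="$NAME-ip" --global \
    --target-https-proxy="$NAME-proxy" --ports=443
  gcloud compute addresses describe "$NAME-ip" --global --format='value(address)'
}

# Step 3: the managed certificate is only issued once the A record for DOMAIN
# resolves to the load balancer; until then its status stays PROVISIONING
# (or FAILED_NOT_VISIBLE) and clients get ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
cert_status() {
  gcloud compute ssl-certificates describe "$NAME-cert" --global \
    --format='value(managed.status)'
}

# Pure helper: exit 0 only for a certificate that is actually serving.
cert_ready() {
  case "$1" in
    ACTIVE) return 0 ;;
    *)      return 1 ;;
  esac
}

# Pure helper: does the address DNS resolved ($1) match the reserved LB address ($2)?
dns_matches() {
  [ "$1" = "$2" ]
}

# Poll once a minute; the post reports roughly 15 minutes until everything worked.
wait_for_cert() {
  until cert_ready "$(cert_status)"; do
    echo "certificate for $DOMAIN not ACTIVE yet, waiting..."
    sleep 60
  done
}

case "${1:-}" in
  deploy)
    create_bucket
    LB_IP="$(create_https_lb | tail -n 1)"
    echo "Now add a DNS A record: $DOMAIN -> $LB_IP, then run: $0 wait"
    ;;
  wait)
    wait_for_cert
    echo "certificate ACTIVE for $DOMAIN; test it at https://www.ssllabs.com/ssltest/"
    ;;
esac
```

Run it as `./cdn.sh deploy`, create the A record with the printed address, then `./cdn.sh wait`. Because only a port-443 forwarding rule is created, there is never a plain-HTTP frontend to remove, which is the HTTPS-only property the post wants; the public grant is limited to objectViewer, so visitors can read objects but not list or modify anything beyond what the bucket's object listing exposes.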
Summary
Google-managed certificates are a big improvement: less setup, and no renewal hassle.
If you have questions or problems, please write to me here or on Twitter.