TLS/SSL Configuration for Medulla Labs

Current Setup

Domain: medullalabs.io
Hosting: GitHub Pages
DNS/CDN: Cloudflare
Certificate: GitHub Pages (Let's Encrypt, auto-provisioned)

Configuration Steps

1. Repository CNAME File (✅ COMPLETED)

The CNAME file in the repository root tells GitHub Pages which custom domain to serve.

File: /CNAME
Content: medullalabs.io

This file is critical: without it, GitHub Pages will not provision a TLS certificate for the custom domain.

2. Cloudflare DNS Configuration

You need to configure DNS records in Cloudflare:

A Records for Apex Domain (medullalabs.io)

Point to GitHub Pages IP addresses:

Type: A
Name: @
Value: 185.199.108.153
Proxy status: DNS only (grey cloud) or Proxied (orange cloud); see Step 3 for the trade-off

Type: A
Name: @
Value: 185.199.109.153
Proxy status: Same as above

Type: A
Name: @
Value: 185.199.110.153
Proxy status: Same as above

Type: A
Name: @
Value: 185.199.111.153
Proxy status: Same as above

CNAME Record for WWW Subdomain (✅ ALREADY CONFIGURED)

Type: CNAME
Name: www
Value: medullalabs.github.io
Proxy status: Same as apex domain

Current Status: ✅ This is already correctly configured

3. Cloudflare SSL/TLS Settings

CRITICAL: Choose the right SSL/TLS encryption mode in Cloudflare.

Option A: Cloudflare Proxy (Orange Cloud)

If using Cloudflare proxy (orange cloud on DNS records):

  1. Go to Cloudflare dashboard → SSL/TLS
  2. Set encryption mode: Full or Full (strict)
    • Full: Cloudflare ↔ GitHub Pages is encrypted, but the origin certificate is not validated (a self-signed certificate is accepted)
    • Full (strict): Cloudflare validates the origin certificate; switch to this once the GitHub certificate has provisioned
  3. Enable Always Use HTTPS
  4. Enable Automatic HTTPS Rewrites
  5. Set Minimum TLS Version: TLS 1.2

Benefits: CDN caching, DDoS protection, faster global delivery

Important: If using Cloudflare proxy, browsers see Cloudflare's certificate, and Cloudflare connects to GitHub Pages over TLS.

Option B: DNS Only (Grey Cloud)

If NOT using Cloudflare proxy (grey cloud on DNS records):

  1. DNS records point directly to GitHub Pages
  2. GitHub Pages serves Let’s Encrypt certificate directly
  3. No Cloudflare SSL/TLS settings needed (GitHub handles it)
  4. Less complexity, but no CDN benefits

Current Setup: Your DNS appears to be in DNS-only mode (pointing directly to GitHub IPs)

4. GitHub Pages HTTPS Enforcement

After DNS propagates and certificate provisions:

  1. Go to GitHub repository settings
  2. Navigate to Pages section
  3. Check Enforce HTTPS checkbox

This redirects plain-HTTP requests to HTTPS, so all traffic to the site is encrypted.

5. Certificate Provisioning Timeline

After creating the CNAME file and pushing to GitHub:

  1. Immediate: GitHub Pages recognizes custom domain
  2. 1-5 minutes: DNS propagates (if records already correct)
  3. 10-60 minutes: GitHub provisions Let’s Encrypt certificate
  4. Up to 24 hours: Full DNS propagation worldwide

Check status: Repository Settings → Pages → Custom domain section

Current Status & Next Steps

Completed ✅

To Complete

  1. Push CNAME file to GitHub:
    git add CNAME
    git commit -m "Add CNAME file for custom domain TLS"
    git push origin main
    
  2. Verify GitHub recognizes domain:
    • Go to: https://github.com/medullalabs/medullalabs.github.io/settings/pages
    • Should show “medullalabs.io” as custom domain
    • Wait for “DNS check successful” message
    • Wait for “HTTPS certificate provisioning” to complete
  3. Choose Cloudflare configuration:

    Option A - With Cloudflare Proxy (Recommended):

    • In Cloudflare DNS, set all records to “Proxied” (orange cloud)
    • In Cloudflare SSL/TLS, set mode to "Full" (move to "Full (strict)" once the GitHub certificate has provisioned)
    • Enable “Always Use HTTPS”
    • Benefits: CDN, DDoS protection, faster global delivery

    Option B - Direct to GitHub Pages:

    • In Cloudflare DNS, set all records to “DNS only” (grey cloud)
    • Simpler setup, GitHub handles all TLS
    • Benefits: Fewer moving parts, simpler troubleshooting
  4. Enable HTTPS enforcement in GitHub:
    • After certificate provisions (10-60 min)
    • Check “Enforce HTTPS” in repository Pages settings
  5. Test:
    # Test apex domain
    curl -I https://medullalabs.io
    
    # Test www subdomain
    curl -I https://www.medullalabs.io
    
    # Both should return 200 OK with valid TLS
    

Troubleshooting

Certificate Not Provisioning

Check:

  1. CNAME file exists and contains only the domain
  2. DNS records are correct (A records for apex, CNAME for www)
  3. No CAA records on the domain (or on a parent zone, since CAA is inherited) that exclude letsencrypt.org
  4. Wait up to 24 hours for provisioning

Fix:

Mixed Content Warnings

Symptom: Page loads but shows “Not Secure” with warnings

Cause: Loading HTTP resources (images, CSS, JS) on HTTPS page

Fix: Ensure all asset references use HTTPS (or protocol-relative URLs). Cloudflare's Automatic HTTPS Rewrites (Step 3) patches this at the edge when proxied, but fix the source too.

Cloudflare SSL Mode Errors

Error: “Too many redirects” or “Redirect loop”

Cause: Wrong SSL/TLS mode in Cloudflare

Fix: Set the Cloudflare SSL/TLS encryption mode to Full or Full (strict), as in Step 3; other modes cause a redirect loop with GitHub's HTTPS enforcement.

DNS Propagation Issues

Check propagation:

# Check from different locations
dig @8.8.8.8 medullalabs.io
dig @1.1.1.1 medullalabs.io

# Check globally
# Visit: https://dnschecker.org

Fix: Wait for TTL to expire, flush local DNS cache

Recommended Configuration

For optimal performance and security:

  1. DNS: Cloudflare proxied (orange cloud)
  2. SSL/TLS Mode: Full (strict)
  3. Minimum TLS: 1.2
  4. HSTS: Enabled (after confirming HTTPS works)
  5. Always Use HTTPS: Enabled
  6. Automatic HTTPS Rewrites: Enabled
  7. GitHub Pages: HTTPS enforced

Security Headers

Cloudflare can add security headers automatically:

  1. Go to Cloudflare → Security → Settings
  2. Enable:
    • HTTP Strict Transport Security (HSTS)
    • X-Content-Type-Options: nosniff
    • X-Frame-Options: DENY
    • X-XSS-Protection: 1; mode=block

Note: X-XSS-Protection is deprecated and ignored by current browsers; a Content-Security-Policy header is the modern replacement.

Monitoring

Check certificate expiry:

echo | openssl s_client -servername medullalabs.io -connect medullalabs.io:443 2>/dev/null | openssl x509 -noout -dates
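The checks from the Troubleshooting section (apex A records, CAA) and the expiry check above can be scripted against the command output. The following is an added example, not part of the original runbook; the DNS answers and openssl output in it are constructed samples, and the `ca.example` CAA value is a placeholder.

```python
"""Offline checks for the DNS and certificate state this runbook walks through.
Added example, not part of the original runbook; the DNS answers and openssl
output below are constructed samples. Feed in real `dig +short` / openssl output."""
from datetime import datetime, timezone

# GitHub Pages apex A records from Step 2.
GITHUB_PAGES_A = frozenset(
    {"185.199.108.153", "185.199.109.153", "185.199.110.153", "185.199.111.153"})


def classify_apex(a_records):
    """'dns-only': exactly GitHub's four IPs (Option B). 'proxied': no GitHub IP
    visible, Cloudflare answers itself (Option A). 'partial': a mix or a stale
    record, which GitHub's DNS check will reject."""
    records = set(a_records)
    if records == GITHUB_PAGES_A:
        return "dns-only"
    if not records & GITHUB_PAGES_A:
        return "proxied"
    return "partial"


def caa_allows_letsencrypt(caa_records):
    """CAA check for a non-wildcard name (RFC 8659): allowed when there are no
    'issue' properties, or one names letsencrypt.org. Records are (flags, tag,
    value) tuples, e.g. (0, "issue", "letsencrypt.org"). CAA is inherited, so
    if the apex has none, check the parent zone's records too."""
    issue = [v for _flags, tag, v in caa_records if tag == "issue"]
    return not issue or any(v.split(";")[0].strip() == "letsencrypt.org" for v in issue)


def days_until_expiry(dates_output, now):
    """Whole days left before notAfter, from `openssl x509 -noout -dates` output."""
    fields = dict(line.split("=", 1) for line in dates_output.strip().splitlines())
    not_after = datetime.strptime(fields["notAfter"], "%b %d %H:%M:%S %Y %Z")
    return (not_after.replace(tzinfo=timezone.utc) - now).days


# Constructed sample inputs (not real lookups); ca.example is a placeholder CA.
SAMPLE_APEX = ["185.199.108.153", "185.199.109.153", "185.199.110.153", "185.199.111.153"]
SAMPLE_CAA = [(0, "issue", "ca.example")]  # a record like this blocks Let's Encrypt
SAMPLE_DATES = "notBefore=Mar  1 00:00:00 2025 GMT\nnotAfter=May 30 23:59:59 2025 GMT\n"

if __name__ == "__main__":
    print("apex:", classify_apex(SAMPLE_APEX))
    print("CAA allows Let's Encrypt:", caa_allows_letsencrypt(SAMPLE_CAA))
    print("days left:", days_until_expiry(SAMPLE_DATES, datetime(2025, 5, 1, tzinfo=timezone.utc)))
```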

Monitor uptime:

Support

GitHub Pages:

Cloudflare:

Let’s Encrypt:

Certificate Details

Once provisioned, your certificate will be:

GitHub handles all certificate renewal automatically.