How to shoot yourself in the foot while setting up Bunny CDN
For andreas-jaggi.ch I wanted to try out Bunny CDN.
Everything went very smoothly, and I used Terraform to configure Edge Rules that block all unwanted access.
As andreas-jaggi.ch does not have much content, this resulted in an allowlist of files similar to this:
resource "bunnynet_pullzone_edgerule" "andreas_jaggi_4" {
  pullzone    = bunnynet_pullzone.andreas_jaggi.id
  description = "block not(known good) http://www.andreas-jaggi.ch"
  enabled     = true
  match_type  = "MatchNone"
  actions = [{
    type       = "BlockRequest",
    parameter1 = null,
    parameter2 = null,
    parameter3 = null
  }]
  triggers = [
    {
      match_type = "MatchAny",
      patterns = [
        "http://www.andreas-jaggi.ch/",
        "http://www.andreas-jaggi.ch/favicon.ico",
        "http://www.andreas-jaggi.ch/robots.txt",
        "http://www.andreas-jaggi.ch/security.txt",
      ],
      type       = "Url",
      parameter1 = null,
      parameter2 = null
    },
  ]
}
After this I set up the www subdomain as a CNAME and added it as an additional hostname to the CDN Pullzone.
But the process to get a Let's Encrypt certificate for the www subdomain kept failing with an error.
This is where I messed up.
It turns out that my Edge Rules blocking all unwanted access also blocked the Let's Encrypt validation requests. 🤦
Once I realized this (which took a shamefully long time), I added an entry to the Edge Rules for the .well-known/acme-challenge/ subpath:
resource "bunnynet_pullzone_edgerule" "andreas_jaggi_4" {
  pullzone    = bunnynet_pullzone.andreas_jaggi.id
  description = "block not(known good) https://www.andreas-jaggi.ch"
  enabled     = true
  match_type  = "MatchNone"
  actions = [{
    type       = "BlockRequest",
    parameter1 = null,
    parameter2 = null,
    parameter3 = null
  }]
  triggers = [
    {
      match_type = "MatchAny",
      patterns = [
        "http://www.andreas-jaggi.ch/",
        "http://www.andreas-jaggi.ch/favicon.ico",
        "http://www.andreas-jaggi.ch/robots.txt",
        "http://www.andreas-jaggi.ch/security.txt",
        "http://www.andreas-jaggi.ch/.well-known/acme-challenge/*",
      ],
      type       = "Url",
      parameter1 = null,
      parameter2 = null
    },
  ]
}
With this in place, the process worked immediately and the www subdomain now also serves encrypted traffic. 🔐
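As an added example that is not part of the original post, the following Python simulates how the two allowlists above are evaluated (assuming Bunny's Url trigger treats `*` as a wildcard for any run of characters and the rest of the pattern literally) and checks, before the rule goes live, whether an ACME HTTP-01 challenge URL would be caught by the MatchNone/BlockRequest rule:

```python
import re

# Allowlist patterns copied from the two edge rules in the post: the original
# rule set, and the corrected one that adds the ACME challenge subpath.
ALLOWLIST_BEFORE = [
    "http://www.andreas-jaggi.ch/",
    "http://www.andreas-jaggi.ch/favicon.ico",
    "http://www.andreas-jaggi.ch/robots.txt",
    "http://www.andreas-jaggi.ch/security.txt",
]
ALLOWLIST_AFTER = ALLOWLIST_BEFORE + [
    "http://www.andreas-jaggi.ch/.well-known/acme-challenge/*",
]

# Constructed sample: a Let's Encrypt HTTP-01 validation request. The token is
# a placeholder; real tokens are random strings chosen by the CA per order.
ACME_SAMPLE_URL = "http://www.andreas-jaggi.ch/.well-known/acme-challenge/EXAMPLE_TOKEN"


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Assumption: '*' matches any run of characters, everything else is literal."""
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(parts))


def url_allowed(url: str, patterns: list[str]) -> bool:
    """MatchAny over the trigger patterns: true if at least one pattern fits."""
    return any(pattern_to_regex(p).fullmatch(url) for p in patterns)


def rule_blocks(url: str, patterns: list[str]) -> bool:
    """The rule's match_type is MatchNone: BlockRequest fires when no pattern matched."""
    return not url_allowed(url, patterns)


def acme_challenge_blocked(patterns: list[str]) -> bool:
    """Pre-deployment check: would this allowlist block an HTTP-01 challenge URL?"""
    return rule_blocks(ACME_SAMPLE_URL, patterns)


if __name__ == "__main__":
    for name, patterns in (("before", ALLOWLIST_BEFORE), ("after", ALLOWLIST_AFTER)):
        print(f"{name}: ACME challenge blocked = {acme_challenge_blocked(patterns)}")
```

The trailing `*` matters: a pattern ending at `/acme-challenge/` with no wildcard would only admit the bare directory URL, not the per-order token path the CA actually fetches.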