Securing your GitHub Pages site with HTTPS

HTTPS adds a layer of encryption that prevents others from snooping on or tampering with traffic to your site. You can enforce HTTPS for your GitHub Pages site to transparently redirect all HTTP requests to HTTPS.

Who can use this feature?

GitHub Pages is available in public repositories with GitHub Free and GitHub Free for organizations, and in public and private repositories with GitHub Pro, GitHub Team, GitHub Enterprise Cloud, and GitHub Enterprise Server. For more information, see GitHub's plans.

People with admin permissions for a repository can enforce HTTPS for a GitHub Pages site.

About HTTPS and GitHub Pages

All GitHub Pages sites, including sites that are correctly configured with a custom domain, support HTTPS and HTTPS enforcement. For more information about custom domains, see About custom domains and GitHub Pages and Troubleshooting custom domains and GitHub Pages.

GitHub Pages sites created after June 15, 2016, and using github.io domains are served over HTTPS automatically.

GitHub Pages sites shouldn't be used for sensitive transactions like sending passwords or credit card numbers.

Warning

GitHub Pages sites are publicly available on the internet, even if the repository for the site is private (if your plan or organization allows it). If you have sensitive data in your site's repository, you may want to remove the data before publishing. For more information, see About repositories.

Note

RFC3280 states that the maximum length of the common name should be 64 characters. Therefore, the entire domain name of your GitHub Pages site must be less than 64 characters long for a certificate to be successfully created.

Enforcing HTTPS for your GitHub Pages site

  1. On GitHub, navigate to your site's repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Code and automation" section of the sidebar, click Pages.

  4. Under "GitHub Pages," select Enforce HTTPS.

Troubleshooting certificate provisioning ("Certificate not yet created" error)

When you set or change your custom domain in the Pages settings, an automatic DNS check begins. This check determines if your DNS settings are configured to allow GitHub to obtain a certificate automatically. If the check is successful, GitHub queues a job to request a TLS certificate from Let's Encrypt. On receiving a valid certificate, GitHub automatically uploads it to the servers that handle TLS termination for Pages. When this process completes successfully, a check mark is displayed beside your custom domain name.

The process may take some time. If the process has not completed several minutes after you clicked Save, try clicking Remove next to your custom domain name. Retype the domain name and click Save again. This will cancel and restart the provisioning process.

Resolving problems with mixed content

If you enable HTTPS for your GitHub Pages site but your site's HTML still references images, CSS, or JavaScript over HTTP, then your site is serving mixed content. Serving mixed content may make your site less secure and cause trouble loading assets.

To remove your site's mixed content, make sure all your assets are served over HTTPS by changing http:// to https:// in your site's HTML.

Assets are commonly found in the following locations:

  • If your site uses Jekyll, your HTML files will probably be found in the _layouts folder.
  • CSS is usually found in the <head> section of your HTML file.
  • JavaScript is usually found in the <head> section or just before the closing </body> tag.
  • Images are often found in the <body> section.

If you can't find your assets in your site's source files, try searching your site's source files for http:// in your text editor or on GitHub.

Examples of assets referenced in an HTML file

| Asset type | HTTP | HTTPS |
|---|---|---|
| CSS | <link rel="stylesheet" href="http://example.com/css/main.css"> | <link rel="stylesheet" href="https://example.com/css/main.css"> |
| JavaScript | <script type="text/javascript" src="http://example.com/js/main.js"></script> | <script type="text/javascript" src="https://example.com/js/main.js"></script> |
| Image | <a href="http://www.somesite.com"><img src="http://www.example.com/logo.jpg" alt="Logo"></a> | <a href="https://www.somesite.com"><img src="https://www.example.com/logo.jpg" alt="Logo"></a> |
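
As an added example (not GitHub's own tooling), the scanner below goes one step beyond a text search for http://: it reports only tags that make the browser load a subresource over HTTP, so a plain <a href> link or a canonical <link> is not flagged. The names find_mixed_content, SUBRESOURCE_TAGS and LOADING_RELS are hypothetical, the tag and rel lists are a chosen subset, and the sample page is constructed from the URLs in the table above.

```python
from html.parser import HTMLParser

# Tags whose src attribute makes the browser fetch a subresource (chosen subset).
# <a href> is navigation, not a subresource, so it is not mixed content.
SUBRESOURCE_TAGS = {"script", "img", "iframe", "audio", "video", "source"}
# <link href> loads a resource only for these rel values (chosen subset).
LOADING_RELS = {"stylesheet", "icon", "preload", "modulepreload"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        for name, value in attrs.items():
            url = value.strip()
            if not url.lower().startswith("http://"):
                continue
            if tag == "link" and name == "href":
                # Skip rel values such as "canonical" that load nothing.
                rels = set(attrs.get("rel", "").lower().split())
                if not rels & LOADING_RELS:
                    continue
            elif not (name == "src" and tag in SUBRESOURCE_TAGS):
                continue
            self.findings.append((self.getpos()[0], tag, url))


def find_mixed_content(html):
    """Return (line, tag, url) for every subresource loaded over HTTP."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; only the stylesheet and the image are mixed content.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://example.com/css/main.css">
<link rel="canonical" href="http://example.com/">
<script type="text/javascript" src="https://example.com/js/main.js"></script>
</head><body>
<a href="http://www.somesite.com"><img src="http://www.example.com/logo.jpg" alt="Logo"></a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag}> loads {url}")
```
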

Verifying the DNS configuration

In some cases, an HTTPS certificate cannot be generated because of the DNS configuration of your custom domain. This can be caused by extra DNS records, or by records that do not point to the IP addresses for GitHub Pages.

To ensure an HTTPS certificate generates correctly, we recommend the following configurations. Any additional A, AAAA, ALIAS, or ANAME records with the @ host, or CNAME records pointing to your www subdomain or other custom subdomain that you would like to use with GitHub Pages, may prevent the HTTPS certificate from generating.

| Scenario | DNS record type | DNS record name | DNS record value(s) |
|---|---|---|---|
| Apex domain (example.com) | A | @ | 185.199.108.153, 185.199.109.153, 185.199.110.153, 185.199.111.153 |
| Apex domain (example.com) | AAAA | @ | 2606:50c0:8000::153, 2606:50c0:8001::153, 2606:50c0:8002::153, 2606:50c0:8003::153 |
| Apex domain (example.com) | ALIAS or ANAME | @ | USERNAME.github.io or ORGANIZATION.github.io |
| Subdomain (www.example.com, blog.example.com) | CNAME | SUBDOMAIN.example.com. | USERNAME.github.io or ORGANIZATION.github.io |
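
The checks described above can be applied to the records configured for a name before retrying certificate provisioning. This is an added example, not GitHub's own DNS check: check_pages_dns and its pages_host parameter are hypothetical names, the record lists are constructed, and 203.0.113.10 is a documentation address standing in for a stray record. It also applies the less-than-64-character name limit from the note earlier on this page.

```python
import ipaddress

# Expected GitHub Pages record values, copied from the table above.
PAGES_A = {"185.199.108.153", "185.199.109.153",
           "185.199.110.153", "185.199.111.153"}
PAGES_AAAA = {"2606:50c0:8000::153", "2606:50c0:8001::153",
              "2606:50c0:8002::153", "2606:50c0:8003::153"}
EXPECTED = {"A": PAGES_A, "AAAA": PAGES_AAAA}


def check_pages_dns(domain, records, pages_host=None):
    """Return a list of problems that can block certificate provisioning.

    records: (type, value) tuples configured in the zone for `domain`.
    pages_host: USERNAME.github.io for a subdomain; None for an apex domain.
    """
    problems = []
    if len(domain) >= 64:
        problems.append(f"name is {len(domain)} characters; must be less than 64")
    cnames = [v.rstrip(".").lower() for t, v in records if t == "CNAME"]
    # Normalise addresses so differently written IPv6 forms compare equal.
    addrs = [(t, str(ipaddress.ip_address(v))) for t, v in records if t in EXPECTED]
    if pages_host is None:
        # Apex: every A/AAAA value must be a Pages address, with no extras.
        problems += [f"extra {t} record {v}" for t, v in addrs if v not in EXPECTED[t]]
        if not any(v in EXPECTED[t] for t, v in addrs):
            problems.append("no A/AAAA record points to GitHub Pages")
    elif cnames != [pages_host.lower()]:
        # Subdomain: exactly one CNAME, pointing at the Pages host.
        problems.append(f"CNAME must be {pages_host}, found {cnames}")
    return problems


# Constructed zone data: one correct A record plus a stray one.
SAMPLE_APEX = [("A", "185.199.108.153"), ("A", "203.0.113.10")]

if __name__ == "__main__":
    for problem in check_pages_dns("example.com", SAMPLE_APEX):
        print(problem)
```
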