So I finally got off my arse and ditched S3. S3 works well enough for what it is (arguably better than anything else I tried) but it was pretty much overkill for this website, and if you don't couple it with CloudFront there are some serious limitations (such as not being able to set security headers, which kinda bothered me). I already had a small webhost box set up (a couple of them actually), so I figured I might as well use that and trash my AWS account completely.
Pointing Pelican at it was easy enough, I just used rsync instead of s3cmd. A bit of configuration later:
    gzip_static on;
    error_page 404 /404/index.html;
    error_page 403 /403/index.html;
    add_header x-frame-options "SAMEORIGIN";
    add_header Referrer-Policy "same-origin";
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Xss-Protection "1; mode=block" always;
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header Content-Security-Policy "default-src https: data: 'sha256-BHQ9y6QUlMkXhVGW7D/Jpqswc/+M9yamTE+1cfKdMcs='" always;
... and we're in business. The SHA-256 blob is necessary so that my use of timeago.js will fire without needing another external script, but I can probably do better than that at some point anyway.
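Two things worth checking in a setup like this are where that SHA-256 blob comes from and which headers actually reach the browser on every response. The script below is an added example (my own, not code from the post): it derives a CSP hash source from an inline script body, decides whether a given policy would let that inline script run, and scans an nginx fragment for add_header directives that omit "always". The inline script text is a constructed stand-in (the real timeago.js call isn't on the page), and the nginx text is the fragment above copied in as test input.

```python
import base64
import hashlib
import re

# Constructed inline script body (an assumption: the real timeago.js call on
# the page is not shown, so this stands in for it).
SAMPLE_INLINE_SCRIPT = "timeago().render(document.querySelectorAll('time'));"

# The post's nginx fragment, copied here as input for the 'always' check.
POST_NGINX_CONF = """
gzip_static on;
error_page 404 /404/index.html;
error_page 403 /403/index.html;
add_header x-frame-options "SAMEORIGIN";
add_header Referrer-Policy "same-origin";
add_header X-Content-Type-Options "nosniff" always;
add_header X-Xss-Protection "1; mode=block" always;
add_header Strict-Transport-Security "max-age=31536000" always;
add_header Content-Security-Policy "default-src https: data: 'sha256-BHQ9y6QUlMkXhVGW7D/Jpqswc/+M9yamTE+1cfKdMcs='" always;
"""


def csp_hash(script_body: str, algo: str = "sha256") -> str:
    """Return the CSP source expression (e.g. sha256-<base64>) for an inline script.

    The digest covers the exact bytes between <script> and </script>, so any
    change to whitespace or line endings in the template invalidates it.
    """
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive-name: [source tokens]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_permits_inline_script(policy: str, script_body: str) -> bool:
    """Would this policy let the browser execute script_body as an inline <script>?

    script-src governs if present, otherwise default-src.  CSP2+ browsers
    ignore 'unsafe-inline' as soon as any hash or nonce source is listed, so
    a hash mismatch then blocks the script even with 'unsafe-inline' present.
    """
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    has_hash_or_nonce = any(
        s.startswith(("'sha256-", "'sha384-", "'sha512-", "'nonce-")) for s in sources
    )
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:
        return True
    return f"'{csp_hash(script_body)}'" in sources


# add_header NAME VALUE [always];  VALUE may be quoted or a bare token.
ADD_HEADER_RE = re.compile(
    r"""add_header\s+(\S+)\s+("[^"]*"|'[^']*'|[^\s;]+)(\s+always)?\s*;"""
)


def headers_missing_always(nginx_conf: str) -> list:
    """Names of add_header directives that omit 'always'.

    Without 'always', nginx attaches the header only to 2xx/3xx responses,
    so the error_page 403/404 documents go out without it.
    """
    return [
        name for name, _value, always in ADD_HEADER_RE.findall(nginx_conf) if not always
    ]


if __name__ == "__main__":
    print(csp_hash(SAMPLE_INLINE_SCRIPT))
    print(headers_missing_always(POST_NGINX_CONF))
```

Run against the fragment above, the "always" scan flags x-frame-options and Referrer-Policy: those two are absent from the 403 and 404 pages, while the other four are sent regardless of status. Separately, because the policy's only script-governing directive is default-src https: data:, the hash only gates the inline snippet; any script loaded over HTTPS from any origin is already permitted, so a script-src directive would be the place to tighten it.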
Because the machine is hosted in Sydney, instead of a west-coast S3 bucket, performance for the only audience I actually give a shit about (myself) is greatly improved.
Update: So interestingly, the very hour I swapped Cloudflare over to point at the VPS, the number of SSH attacks on the server skyrocketed. It stayed that way for about 12 hours, before dropping back to the "usual rate". I wondered aloud on several different chats if there were a way to unmask the origin of a site that's behind Cloudflare. Apparently, in some situations there is, but none of those appear to apply to my site.
I've double and triple-checked that I've not screwed anything up. To combat the most obvious explanations: No, I did not point the site at the VPS absent the CF cloud for any length of time. No, there are no common hostnames on the same domain that resolve to the IP. Yes, I realize that cheap VPS providers are scanned all the time - the issue is a marked uptick in attacks quite quickly after the change. This is not a new VPS, and I've been tracking attacks on it and other hosts as part of my "penaltybox" project for quite some time now.
So as it stands, I'm just chalking this up to a creepy coincidence. Despite having had a healthy paranoia for decades now, I don't actually believe anyone's out to get me, but it did lead to some interesting reading.