Stack Overflow’s Journey to HTTPS: Challenges, Architecture, and Lessons Learned

Operator HTTP hijacking (non‑DNS) that injects ads and even steals passwords has become a persistent problem in China, prompting many companies, including Hujiang, to adopt HTTPS to protect traffic.

Nick Craver, Chief Architect of Stack Overflow, published a blog post titled “HTTPS on Stack Overflow: The End of a Long Road,” describing the four‑year effort to enable HTTPS across the entire Stack Exchange network.

The migration required supporting hundreds of domains (including second‑level, third‑level, and meta sub‑domains), handling user‑generated content, advertising networks, a single data center, massive WebSocket connections, and DDoS protection, all while maintaining strict performance requirements.

Key challenges included:

Ensuring TLS support for TLS 1.0, 1.1, 1.2 (with plans for TLS 1.3) and disabling insecure SSL v2/v3.

Choosing cipher suites: Fastly’s default suites for the CDN and Mozilla’s modern compatibility suites for internal load balancers.

Managing certificates: using DigiCert SAN certificates to cover hundreds of domains, dealing with wildcard limitations (RFC 6125), and handling meta sub‑domains that cannot be covered by a simple wildcard.

Implementing HSTS, but not HPKP, and using SNI‑compatible certificates.

Because Let’s Encrypt does not support wildcard certificates for the scale required, Stack Overflow opted for custom SAN certificates and a global login system to consolidate sub‑domains under *.meta.stackexchange.com.

Performance considerations led to the adoption of HTTP/2, which, while not requiring encryption, is effectively mandatory for modern browsers; HTTP/2’s multiplexing, server push, header compression, and connection reduction improve latency when combined with HTTPS.

HAProxy was the chosen load balancer, upgraded to version 1.5+ with OpenSSL support, running multiple processes to handle HTTP and HTTPS traffic, using socket abstraction for efficient hand‑off to backend services.

The CDN/proxy layer leverages Cloudflare and Fastly to provide TLS termination, DDoS protection, and low‑latency edge delivery. DNS queries for stackoverflow.com and cdn.sstatic.net resolve to the same IPs, enabling shared certificates and potential HTTP/2 server push across domains.

Extensive client‑side performance testing is performed using the browser’s window.performance API, with results stored in SQL Server columnstore tables and aggregated via BosunReporter.NET, providing real‑time metrics from billions of requests.

For the full translated article, readers can follow the Hujiang Technical Academy public account and request the “HTTPS” keyword, or view the original translation on Juejin.