Check Balances On-Chain

Try a free widget from

This first example is styled a little bit to match the colors in our theme. Copy this address value and paste it into the input:


HTML fragment for the example above:

style="border: 1px solid #272F38;
border-radius: 4px; width: 100%; height: 100%;
min-width:300px; min-height:600px;"

Of course, it is possible to use almost any colors like this vibrant combination. Note how you can add the example address value and enable access to historical data by date-and-hour:

HTML fragment for the example above:

style="border: 1px solid #FF006D;
border-radius: 4px; min-height: 680px;
width: 100%; height:100%; min-width:200px;"

CoinsForOffice is an Add-in for MS Excel, OpenOffice and LibreOffice Calc


Do you already use a private spreadsheet to manage your crypto coins portfolio?

CoinsForOffice is a free and premium add-in for MS Excel, OpenOffice and LibreOffice Calc.

We have built our add-in using Java and C#. Moreover, we are using both RESTful and WebSocket protocols to achieve the best performance.

Real-time prices: Binance, Bitfinex, Gemini, GDAX…

Install CoinsForOffice on your private Windows, OS X or Linux machine and the add-in will deliver real-time prices directly into cells in your spreadsheet.

Since you can compare current prices from multiple exchanges you will be able to make more profitable decisions for your portfolio.

See the full list of supported exchanges.

Editions: Basic, Advanced, Professional & Institutional

Basic edition is free and suited for smaller portfolios.

Advanced, Professional and Institutional editions offer additional features for day-traders and fund managers.

Enable and configure read-only API keys in your exchange account(s) to get automated updates for positions and trades.

Professional and Institutional edition users can send orders to exchanges directly from their spreadsheets.


Use this comparison: features & prices to select an edition and subscribe to notifications about upcoming releases.

Subscribe to monthly email about crypto exchanges, data feeds, APIs for automated bots, algos and trading tools:

Are ICO Teams Secretly Buying Their Coins to Exaggerate Funding Progress?


The Satis Group provides end-to-end ICO advisory services including offering structuring, legal, tax and accounting advice coordination, smart contract creation and investor outreach & marketing community management. According to their analysis of ICO quality:

…approximately 81% of ICO’s were scams, ~6% failed, ~5% had “gone dead”, and ~8% went on to trade on an exchange…

Is it possible that 81% of ICOs are exit scams:

…practice by unethical cryptocurrency promoters who vanish with investors’ money during or after an ICO…

Or, is any project with unrealistic goals really a type of an “honest” scam?

What if the team does want to “do good” and they are better marketers than they are able to formulate and then build solutions which are suited for implementation on the blockchain?

How would we even know if the ICO team is just too optimistic or even slightly delusional about their project?

Short Answer:

No way to know for sure.

Actual Answer: It’s All In Our Heads Anyway

Luckily, we do know the psychology behind marketing techniques utilized by some ICO teams to get more financial backing than their project is worth.

Are you susceptible to social proof: a psychological and social phenomenon where people assume the actions of others in an attempt to reflect correct behavior in a given situation (wiki)?

How about your resistance to the bandwagon effect: a psychological phenomenon in which people do something primarily because other people are doing it, regardless of their own beliefs, which they may ignore or override (wiki)?

Of course, let’s not forget that the real “enemy” is FOMO: a pervasive apprehension that others might be having rewarding experiences from which one is absent (wiki).

All They Can Gain is Your Money

What would prevent an ICO team from pursuing the following course of action:

  1. Come up with an “ok” idea and product to use the blockchain
  2. Get 100 wallets that are controlled by the team
  3. Do KYC for the members of the team
  4. Buy into the ICO from the 100 wallets
  5. “Scream” everywhere: OMG people look our ICO is blowing up and we have 100 backers already… social proof, get on the bandwagon, to the moon, FOMO
  6. Hope that others will FOMO the hell and then do the KYC and buy into the ICO…

Worst case scenario is that their only backers are their own wallets and they lose their $$ for the website and gas. But the team can keep the ETH from the 100 wallets that were theirs anyway.

Best case is that many new people “fall” for their “ok” project and fund their work because they fell under the influence of the “psycinfo warfare”.

As far as the authorities and lack of regulations: they would have KYC docs for each participant at all times.

In today’s ICO ecosystem, there are no filing & prospectus regulations akin to the SEC’s requirements for IPOs. Moreover, small anonymous investors are not in a position to get insight into an ICO team’s finances the way VC investors do with startups.

If some ICO teams are exaggerating funding, then the last “line” of defense are the exchanges. They could demand to see the KYC docs before listing a new coin. This review would confirm that the team is NOT “pumping” their own ICO and would justify exchange listing fees.

Before It Is Too Late for Your Money

Check the ICO pages on, and on their blog: no comments means no real interest and claims of participation could be “fake”.


Crypto Algo & Trading Jobs at Top Trading Firms


Updated on October 14, 2018.

Do you work at a prop trading firm and want to know what is your competition doing in the crypto trading markets?

Or perhaps you made your own crypto trading bot in Python or Java and want to find out if your skills are a match for a job in the “big-leagues”?

Consider These Open Positions

Akuna Capital: has multiple crypto related positions

Belvedere Trading: NO crypto jobs found on careers pages

Chimera Securities: NO crypto jobs found on careers pages

CTC (Chicago Trading Company): NO crypto jobs found on careers pages

D.E. Shaw: NO crypto jobs found on careers pages

DRW (incl. subsidiary Vigilant): has a crypto trading / OTC subsidiary Cumberland Mining and numerous crypto related positions

DV Trading: has a crypto trading division DV Chain with a few crypto related jobs

Five Rings: NO crypto jobs found on careers pages

Flow Traders: NO crypto jobs found on careers pages

Gelber Group: NO crypto jobs found on careers pages

Geneva Trading: NO crypto jobs found on careers pages

GTS Securities: NO crypto jobs found on careers pages but is mentioned in articles about trading firms in cryptos (see below)

HC Technologies: NO crypto jobs found on careers pages but is mentioned in articles about trading firms in cryptos (see below)

Hudson River Trading: NO crypto jobs found on careers pages but is mentioned in articles about HFT firms in cryptos (see below)

IMC: NO crypto jobs found on careers pages

Jane Street: NO crypto jobs found on careers pages but has been mentioned in articles about trading in the crypto markets

Jump Trading: NO crypto jobs found on careers pages but has been mentioned in articles about investments in the crypto companies and is also named in articles about HFT firms in cryptos (see below)

Optiver: NO crypto jobs found on careers pages but the former head of ETF expansion founded the crypto trading firm Wintermute which has open position(s)

PEAK6: NO crypto jobs found on careers pages

Point72: NO crypto jobs found on careers pages but a former manager launched a crypto fund

SALT Lending: has a few crypto algo / trading jobs
FYI: not strictly a “prop trading firm” but I have included them for their postings

Simplex Investments: NO crypto jobs found on careers pages

Susquehanna International Group: NO crypto jobs found on careers pages but is mentioned in articles about HFT firms in cryptos (see below). Recently, SIG expanded services for their clients by allowing access to their prop crypto-trading facilities.

Teza: NO crypto jobs found on careers pages

3Red Trading: NO crypto jobs found on careers pages

Tower Research: NO crypto jobs found on careers pages but is mentioned in articles about HFT firms in cryptos (see below)

TwoSigma: NO crypto jobs found on careers pages

Vatic Labs: NO crypto jobs found on careers pages

Virtu Financial (incl. KCG): NO crypto jobs found on careers pages

Volant Trading: NO crypto jobs found on careers pages

Wolverine: NO crypto jobs found on careers pages

XR Trading: NO crypto jobs found on careers pages but is mentioned in this article to be hiring crypto positions

Major Investors

Also of note is that Goldman Sachs hired the head of its new digital assets division. Moreover they are invested in Circle Trade, which acquired Poloniex, the #4 of the top US exchanges (GDAX, Bittrex, Kraken, Poloniex, Gemini).

Similarly, ICE (Intercontinental Exchange) is invested in GDAX (Coinbase) via ICE’s subsidiary NYSE.

Relevant “Rumors”

Jump Trading, Tower Research, Hudson River Trading and Susquehanna International are said to be trading bitcoin, while “GTS Securities, Virtu Financial, and HC Technologies are among the electronic traders sizing up opportunities”.


API Key+secret vs. Name+password: Which is More Secure?



At least 40 top crypto exchanges provide API access to their trading systems. For these exchanges, users can choose to access their accounts in two ways:

Manually log in to the exchange website with their username+password each time they want to access their account.

Or, users can configure their account to permit access from external applications using a set of 2 values specific to their account and defined by the exchange for use with the exchange API: a.k.a. API key+secret.

On March 8th, 2018, we learned that Binance was able to thwart a phishing+API attack by an unidentified individual or group.

According to reports, the attacker(s) phished out regular user credentials (name+password); then created API keys in those cracked accounts (key+secret); and finally attempted to use these API keys to execute their attack.

Binance did not detect the compromised accounts nor the unauthorized creation of API keys. Instead, Binance detected unusual trading activity in its market for the target coin and then suspended all withdrawals until it was able to neutralize the attack.

The crux of the attack was that real users GAVE AWAY their own usernames & passwords to a site running on a very similar domain name. Their credentials were later used by the attackers to manually log in to the accounts and configure them to be accessible via Binance’s API.

API Key+secret Is More Secure

Theoretically speaking, this attack would have been much less likely if the users were accessing their accounts exclusively via the API key+secret protocol:

  • API keys are used with an endpoint domain which is almost always hardcoded in the client application. Therefore, the API domain is much less susceptible to domain-name phishing than the exchange website’s “home” domain, where users might mistype the domain name and end up on a phishing site by their own error, or click on a malicious link in a spam email.
  • Even if the API endpoint is compromised, the attacker cannot use the API information to hijack the actual user account on the exchange server. API-based communication uses the key’s secret to sign each message cryptographically, but the secret value itself is never sent in the message in any form. Therefore, an attacker inspecting the messages between the user and the exchange is not able to reconstruct the secret it would need to generate “impostor” messages to make bad trades or transfer assets. On the other hand, username+password protocols do send the password value itself, which can be copied and stored by an attacker in the middle for later malicious use.
  • Assuming that exchanges’ own iOS and Android apps use API key+secret protocols, it is safe to say that they are more secure than accessing the accounts via exchanges’ websites.
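To make the difference concrete, here is an added example (not Binance’s or any exchange’s code) of the request-signing scheme the bullets describe, in the style most exchange REST APIs use: the client signs the query string with HMAC-SHA256 and sends only the key, the parameters and the signature; the server recomputes the signature with its stored copy of the secret. The key and secret values, the header name and the 5-second timestamp window are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample credentials (placeholders, not real exchange keys).
API_KEY = "demo-api-key-0001"
API_SECRET = "demo-api-secret-never-sent"

# Server side: the exchange stores the secret it issued, looked up by API key.
SERVER_KEYS = {API_KEY: API_SECRET}


def sign_request(api_key, api_secret, params, timestamp_ms):
    """Client side: HMAC-SHA256 over the URL-encoded parameters plus a timestamp.
    Only the key (an identifier), the parameters and the signature go on the wire."""
    query = urlencode(dict(params, timestamp=timestamp_ms))
    signature = hmac.new(api_secret.encode(), query.encode(), hashlib.sha256).hexdigest()
    return {"headers": {"X-API-KEY": api_key}, "query": query + "&signature=" + signature}


def _parse_query(query):
    try:
        return dict(part.split("=", 1) for part in query.split("&"))
    except ValueError:  # a part without '=' means a malformed request
        return None


def verify_request(request, now_ms, max_skew_ms=5000):
    """Server side: recompute the HMAC with the stored secret and compare in constant time.
    The timestamp window limits replay of a captured, still-valid signature."""
    api_secret = SERVER_KEYS.get(request["headers"].get("X-API-KEY"))
    if api_secret is None:
        return False
    query, sep, presented = request["query"].rpartition("&signature=")
    params = _parse_query(query) if sep else None
    if params is None or not params.get("timestamp", "").isdigit():
        return False
    if abs(now_ms - int(params["timestamp"])) > max_skew_ms:
        return False
    expected = hmac.new(api_secret.encode(), query.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)


def request_leaks_secret(request):
    """True if the secret appears anywhere in what is transmitted (it must not)."""
    wire = request["query"] + " ".join(request["headers"].values())
    return API_SECRET in wire


def tamper(request, field, new_value):
    """Simulate an on-path attacker rewriting one parameter of a captured request
    while reusing its original signature; verification must then fail."""
    query, _, signature = request["query"].rpartition("&signature=")
    params = _parse_query(query)
    params[field] = new_value
    return {"headers": dict(request["headers"]),
            "query": urlencode(params) + "&signature=" + signature}


if __name__ == "__main__":
    order = {"symbol": "BTCUSDT", "side": "BUY", "quantity": "0.1"}
    req = sign_request(API_KEY, API_SECRET, order, 1_700_000_000_000)
    print("valid:", verify_request(req, 1_700_000_000_000 + 100))            # True
    print("secret on wire:", request_leaks_secret(req))                       # False
    print("tampered:", verify_request(tamper(req, "quantity", "100"),
                                      1_700_000_000_000 + 100))               # False
```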


AWS vs. Crypto Exchanges

Amazon AWS > My MacBook at Home

I enjoy using AWS and intend to run my bot for automated crypto trading from one of the AWS’ locations. Since my home machine depends on my “civilian” internet bandwidth and latency I will be using a data center to reduce this risk. Another benefit is that I can rent as many CPUs as necessary for data capture, analysis and trading.

Can’t Trade Alone…

All trading requires at least two sides: one buyer and one seller. My “chances” for trading opportunities are greater when I am also participating on exchanges that have already attracted many other traders. Earlier I mapped the geographical locations of the 40+ biggest crypto exchanges ranked based on their trading volume. I am adding AWS’ coordinates to get a ball-park idea which data center is “closest” to each crypto exchange. In theory, shorter distance between my bot and the order-matching “engine” should result in faster, more profitable trades. Since some trading strategies exploit differences in prices between exchanges I should be also able to guesstimate the “best” data centers for combinations of crypto exchanges.

Included and Excluded Exchanges

A few top exchanges have chosen to conceal information about their location. I was able to find clues about their corporate registration in places like Samoa or the Seychelles. Since they are probably not hosting their servers in such exotic locations, these exchanges are excluded from the map:

This list in alphabetic order represents the top crypto exchanges on the map with the locations of the AWS data centers:


It’s Simple?

Assuming that my coordinates are reasonably precise and that order-matching engines are located in the vicinity of the exchange offices, I can see that AWS Seoul should be an excellent host to bots for trading on bithumb, Upbit, KORBIT, GOPAX, COINNEST and coinone.

Likewise, AWS Tokyo is relatively near and equidistant to Zaif, bitbank, FISCO, bitFlyer, BTCBOX and QUOINEX.

AWS London is probably a decent choice for BTCC, CEX.IO and EXMO. If COINEGG is indeed in Manchester, it might be better served by AWS Dublin.

Now, Wait a Millisecond!

Everything looks straightforward until I “poke” around Hong Kong. It is assumed to be home to several prominent crypto exchanges, but all AWS data centers are quite far away. AWS locations in Seoul, Tokyo, and Singapore might work well. One way to find out what’s going on is to spin up a nano server in AWS Seoul and ping API endpoints for a few exchanges in Seoul and in Hong Kong. I hope that pings from AWS Seoul to exchanges in Hong Kong will be almost the same as pings to exchanges in Seoul.

Assumed to be in Hong Kong & pinged from AWS Seoul:
PING ( ...
rtt min/avg/max/mdev = 244.844/244.904/245.024/0.545 ms
PING ( ...
rtt min/avg/max/mdev = 84.023/84.123/84.177/0.192 ms
PING ( ...
rtt min/avg/max/mdev = 32.080/32.148/32.263/0.236 ms

Assumed to be in Seoul & pinged from AWS Seoul:
PING ( ...
rtt min/avg/max/mdev = 32.072/32.131/32.217/0.063 ms
PING ( ...
rtt min/avg/max/mdev = 32.135/32.185/32.223/0.229 ms
PING ( ...
rtt min/avg/max/mdev = 32.144/32.201/32.280/0.167 ms

Btw, crypto exchange powerhouse Binance is also assumed to be in Hong Kong and Bithumb should be in Seoul but their end-points did not respond to my pings.

Looking at the results, it appears that AwsSeoul-to-Seoul is ~32 milliseconds. Meanwhile, AwsSeoul-to-HongKong was much “slower” at 244 millis and 84 millis, but also a very competitive 32 millis for Bitfinex. Perhaps my assumptions are incomplete or even flat-out wrong? I found a useful hint in COINNEST’s ping: its endpoint domain was resolved to a CNAME with the word “cloudflare” and the IP address “104.16…” looks very similar to Bitfinex’s “104.16…”. A quick IP/Geo lookup indicated that both IPs belong to the same CDN provider. In other words, the Bitfinex ping was ~32 millis because it was returned by the nearest CloudFlare edge server, probably located in the vicinity of AWS Seoul.

Another unexpected discovery was this fragment from BitMEX:
64 bytes from

“eu-west-1” is in Dublin and I am sure that AWS Dublin would be a much faster and better location for bots intending to trade on BitMEX.

Considering the above findings, the next step in my data center selection process is to measure the network latency between all AWS regions and all exchange API endpoints. I will write a Java program and use AWS’ Lambda service to ping all the endpoints for a total of ~550 measurements. Stay tuned…
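An added example, not the author’s Java/Lambda program, that automates the reading done by hand above: it parses concatenated ping summaries, extracts the AWS region from a reply hostname (as in the BitMEX fragment), and flags measurements that were answered by a CDN edge rather than the exchange’s origin, so that a ~32 ms reply to a supposedly far-away endpoint is not mistaken for origin latency. The hostnames, IPs and CNAME chain below are constructed.

```python
import re

# Provider names that may show up in a CNAME chain; a reply from such an edge
# measures distance to the edge, not to the exchange's order-matching engine.
CDN_MARKERS = ("cloudflare", "cloudfront", "akamai", "fastly")

PING_RE = re.compile(r"^PING (\S+) \(([\d.]+)\)")
REPLY_RE = re.compile(r"^\d+ bytes from (\S+?)(?: \([\d.]+\))?:")
RTT_RE = re.compile(r"rtt min/avg/max/mdev = [\d.]+/([\d.]+)/")
AWS_REGION_RE = re.compile(r"\.([a-z]{2}-[a-z]+-\d)\.compute\.amazonaws\.com$")

# Constructed sample: three ping runs from one AWS region, Linux iputils format.
SAMPLE_PINGS = """\
PING api.exchange-a.example (203.0.113.10) 56(84) bytes of data.
64 bytes from 203.0.113.10 (203.0.113.10): icmp_seq=1 ttl=50 time=244 ms
--- api.exchange-a.example ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 244.844/244.904/245.024/0.545 ms
PING api.exchange-b.example (192.0.2.5) 56(84) bytes of data.
64 bytes from 192.0.2.5 (192.0.2.5): icmp_seq=1 ttl=57 time=32.1 ms
--- api.exchange-b.example ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 32.080/32.148/32.263/0.236 ms
PING api.exchange-c.example (198.51.100.7) 56(84) bytes of data.
64 bytes from ec2-198-51-100-7.eu-west-1.compute.amazonaws.com (198.51.100.7): icmp_seq=1 ttl=45 time=280 ms
--- api.exchange-c.example ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 279.900/280.100/280.300/0.150 ms
"""

# Constructed stand-in for what resolving each endpoint returned (its CNAME chain).
SAMPLE_CNAMES = {"api.exchange-b.example": ["edge.cloudflare.example"]}


def parse_ping_runs(text):
    """Return {target: {"ip", "reply_host", "avg_ms"}} for each PING block in text."""
    runs, current = {}, None
    for line in text.splitlines():
        m = PING_RE.match(line)
        if m:
            current = {"ip": m.group(2), "reply_host": None, "avg_ms": None}
            runs[m.group(1)] = current
        elif current is not None:
            m = REPLY_RE.match(line)
            if m and current["reply_host"] is None:
                current["reply_host"] = m.group(1)  # reverse DNS of the replying host
            m = RTT_RE.search(line)
            if m:
                current["avg_ms"] = float(m.group(1))
    return runs


def aws_region_from_reply(reply_host):
    """Extract e.g. 'eu-west-1' from an EC2 public DNS name, else None."""
    m = AWS_REGION_RE.search(reply_host or "")
    return m.group(1) if m else None


def classify(run, cname_chain, local_baseline_ms, assumed_far, tolerance_ms=5.0):
    """Label a measurement by how far it can be trusted as latency to the origin."""
    chain = " ".join(cname_chain).lower()
    if any(marker in chain for marker in CDN_MARKERS):
        return "cdn-edge"                # RTT is to the nearest edge server
    region = aws_region_from_reply(run["reply_host"])
    if region:
        return "aws:" + region           # origin region revealed by reverse DNS
    if run["avg_ms"] is None:
        return "no-reply"
    if assumed_far and abs(run["avg_ms"] - local_baseline_ms) <= tolerance_ms:
        return "suspiciously-local"      # too fast for the assumed location; check for a CDN
    return "origin"


def report(text, cnames, local_baseline_ms, far_targets):
    """Classify every run; far_targets are endpoints assumed to lie outside the AWS region."""
    runs = parse_ping_runs(text)
    return {t: (r["avg_ms"], classify(r, cnames.get(t, []), local_baseline_ms, t in far_targets))
            for t, r in runs.items()}


if __name__ == "__main__":
    far = {"api.exchange-a.example", "api.exchange-b.example", "api.exchange-c.example"}
    for target, (avg, label) in report(SAMPLE_PINGS, SAMPLE_CNAMES, 32.1, far).items():
        print(f"{target:26} {avg:8.3f} ms  {label}")
```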


Review: Modern Stock Markets

Originally published in AlgosForCryptos on

I have some earlier experience with trading and stock exchanges. This review of stock markets is intended to provide background information to my comparison between markets for cryptos and today’s stock markets.

It’s a Network

Today’s stock trading takes place in a vast network of computers, communicating over the public internet and via private dedicated high-performance networks. The regulations, processes, and systems in use have been built over many years and are based on contributions of many individuals.

A so-called “order-matching” engine is located in the center of the trading network. It is an instance of specialized software tasked to “exchange” money for stocks and vice versa. Each such engine is owned and maintained by a company providing stock exchange services a.k.a. “The Stock Exchange”.

Services Provided by a Stock Exchange Company

  • Maintenance and operation of the order-matching engine software — e.g. market participants pay trading fees to send order messages and receive the results of the work performed by the matching engine.
  • Sale and distribution of market data necessary for all other interested parties to “see” what is going on “inside” the order-matching engine.
  • Initial acceptance and ongoing review of companies whose stocks can be traded — e.g. a reputable stock exchange would reject an application by your local doughnut shop because the exchange sets various conditions such as minimum yearly revenue etc.
  • Initial acceptance and ongoing review of companies which are allowed to trade — e.g. a reputable stock exchange would reject your trading application because they have minimum available capital requirements, certifications etc.

In other words, each stock exchange company has a department of people responsible to collect information about the companies whose stocks are traded in order to reduce the likelihood of financial fraud like another Enron or WorldCom.

Moreover, other companies submit to a rigorous review of their finances and capabilities for the privilege to become trading members and to connect their internal trading systems to the stock exchange’s order-matching engine. This group is called “Exchange Members” and the stock exchange company is confident that its members do have both money and stocks that they claim to have when they send orders to the matching engine.

Each exchange member is allowed to use their access privileges to make money as long as they adhere to applicable laws as well as regulations set by the exchange. These members may decide to buy and/or sell specific stocks using their own money and profit on the difference in price. The members can also re-sell access to the trading facilities and act as trading “brokers” on anyone’s behalf, including mine or yours.

Process: Steps to Trade Stocks

  1. We must first find a company already a member of an exchange and also in the business of providing stock brokering services.
  2. Once we create an account at our broker of choice and establish our identity, we have to transfer cash from the bank before the broker’s trading systems will allow us to create orders (and/or transfer our stocks from our previous broker).
  3. Upon deposit, we use the public internet to log in and type buy/sell/short, limit/market order(s). This information is transmitted from the browser to the broker’s order & account management system(s). So far, the overall system performance is mostly subject to the personal computer and the ISP.
  4. Broker’s account management system validates the funds necessary to fulfill the order and their order management system (OMS) validates its adherence to rules set forth by the destination matching engine.
  5. Next, the OMS will “rename” the order and transmit it to the exchange for processing by their order matching engine and do so over a high-performance network dedicated to each individual exchange member. The order message will be formulated in a way to identify the broker but will not have any information about its original “instigator”. In other words, the stock exchange company computers only know their members. Nowadays, the broker’s OMS is most often located in the same data center supporting the stock exchange.
  6. Meanwhile, another broker has received a similar but opposite order, in the sense that I wanted to Buy 100 shares of AAPL for $50 whereas “they” are looking to Sell 100 shares of AAPL (for best price).
  7. The order matching engine will match orders from two of its brokers and notify the brokers what happened. Since the stock exchange membership department has already certified both brokers, the engine trusts that my broker will pay $$ and also trusts that the other broker does have 100 shares of AAPL.
  8. In real time or at least at the end of the day, the exchange and all the brokers will net all trades, net all accounts, transfer all money and all shares between brokers and do the reporting to various regulatory bodies (e.g. prevention of insider trading).
  9. Brokers will also collect fees from clients in order to pay for their own services and for services rendered indirectly by other participants in the marketplace — e.g. the stock exchange trading fees, stock ownership registration fees etc.
  10. The trade is finalized when my broker becomes the owner-representative of record for a quantity of +100 shares of AAPL as recorded by a depository records corporation maintaining custody of all shares (DTCC in the US). Should AAPL decide to pay a dividend to AAPL shareholders, they will contact the custodian to begin the process of transferring the dividend amounts to brokers and their clients.

In case of problems, we can call our broker(s) and their client services team will undertake the necessary actions to convince us that we are mistaken and everything is fine indeed, or they will investigate the state of their account and order management systems and might even get in touch with the exchange since the exchange is not even aware that I exist (as it was intended).

The stock trading ecosystem is a hub-and-spoke network with 3 layers:

client <-> broker <-> exchange <-> other broker <-> other client

Centralized vs. Decentralized

The stock exchange company manages data, connections, and trust-relationships with a relatively small number of brokers and can do so very efficiently for a great number of fast transactions. Likewise, each broker supports only their own clients and not the whole “universe” of individuals interested/participating in stock trading. Lastly, the DTCC records current quantities of shares represented by brokers who are then responsible to maintain records of ownership by their specific clients.

The alternative to this tiered-centralized approach would be to maintain one record of ownership for each specific share — e.g. 5.13 billion records for all of AAPL + another 606 million records for GOOG + 482 million records for AMZN and so on for about 4,333 publicly traded companies in the US alone.

Or, we could encode something similar in a public ledger “file” stored in a “network” and whose maintenance is distributed amongst voluntary participants who choose to perform a utility “bookkeeping” role in exchange for a (relatively small & well deserved) fee: eureka — I say we call this a blockchain!

Getting back to the stock trading ecosystem, it is important to cover additional characteristics, especially for readers with experience in trading on N.American or European markets.

In most countries/economies and for most companies, there is one (regional) stock exchange company as the only venue available for trading of stocks issued by companies incorporated (registered) in that specific jurisdiction — e.g. all Brazilian companies with publicly available shares are traded on the B3 exchange, only (in São Paulo). In such cases, any broker you choose will always send your (renamed) order to the same exchange order matching engine and your trading will be subject to fees set by one such company only.

Regulations in N.America and The EU

Trading ecosystems in N.America and the EU are more competitive and therefore both more complicated and more flexible: shares issued by (almost) all companies can be traded on multiple exchanges simultaneously. You could buy 100 shares of AAPL on BATS exchange and immediately sell them on NASDAQ or NYSE. This means that your broker must undertake costs for network integration with multiple exchanges if the broker wants to enable their clients’ maximum access to liquidity and best pricing fees as each exchange collects slightly different trading fees for different trading scenarios.

Since each order matching engine establishes prices based on the equilibrium of buy and sell orders available to that engine only, it is possible that the best prices might be different on each of the 11 main stock exchanges trading in the US. In order to protect the trading public, US regulators have initiated the creation of price protection mechanisms: the result is that all US exchanges are networked to see each other’s best prices and will forward their orders to the matching engine currently “hosting” the best price, better than their own price. Moreover, several professional trading companies specialize in price arbitration by monitoring market data feeds from multiple exchanges in order to buy/sell directly across exchanges and profit while “forcing” the price equilibrium across the entire ecosystem.

The net result is that all best prices are (almost) always identical on all US stock exchanges and brokers don’t have to incur integration costs with all 11 trading venues.

In Europe, the situation is similar in the sense that one can trade most of the big stocks on 2 or 3 main exchanges, but these trading venues are not networked to forward orders to each other. Since the brokers compete for clients’ business, the brokers are incentivized to connect to each venue and utilize Smart Order Routing (SOR) applications to achieve the best prices for their trades.

In the US and in Europe, the stock custodian services and banks are able to settle stocks and cash from all trades across multiple exchanges (and borders) and the best prices for all stocks are (almost) always identical on all trading venues.

Stock Markets: Structure & Organization

  • Your bank might have a division providing brokerage services or you have to transfer money to another company specializing in such services.
  • Your brokerage company holds your trading cash and stocks.
  • The broker represents & “vouches” for you at the stock exchange.
  • The stock exchange is run by another company which has no idea who you are: they only know & trust their registered brokers.
  • Your broker may offer additional services to help you get more out of your trading activity, such as advanced order types implemented in the broker’s computers, lending of capital for (margin) trading, investment advice, and research materials etc.
  • In case of issues, your broker will investigate broker’s own systems.
  • If necessary, your broker will also speak with the exchange to investigate any possible issues there.
  • All best prices for individual stocks are (almost) always identical on all stock exchanges that trade respective stocks.
  • Cash & stock settlement (transfer) for all trades runs through a central provider / third party which is utilized by all brokers and stock exchanges.
  • Brokers, exchanges and settlement services act together to make cash transfers, stock ownership transfers and to eliminate fluctuations of best prices across multiple trading venues.
  • When you trade from your computer, you are communicating with your broker over the public internet and the broker is communicating with the stock exchange over a dedicated high-performance network.
  • Brokers, stock exchanges, and custodian companies are regulated by each other and by governments in their jurisdictions.

Genesis Post: Low Cost WordPress on AWS with SSL and CloudFront



  • Setup a modern blog about my work in the crypto / trading domain.
  • Learn (more about) the WordPress platform & ecosystem.
  • Leverage my experience with Amazon / AWS while making use of all the relevant free-tier services.
  • Achieve the lowest total cost.

A “recipe” for these goals:

  1. Use because they sell .com domains for USD 8.53.

    HOST records management for A, CNAME, MX etc. types, is included as well as a free first-year of domain privacy.

    Alternative to free HOST records management would be to use AWS/Route53 for USD 6/year (minimum) since Route53 does not have a free-tier.

  2. Use (affiliate) for email/inbox-only hosting with unlimited domains & emails plans starting at ~USD 25/ year: much cheaper than Google.Apps at USD 5/inbox-month.
  3. Amazon / AWS hosting & free-tier services: Bitnami’s WordPress AMI on EC2; CloudFront CDN to improve performance for visitors around the globe; S3 storage for WordPress caching & backup; free SSL cert issued by Amazon, to get the cute green lock in the address bar.
  4. I like Medium’s style so I selected a free WordPress theme Wilson which I thought would let me deliver my content in a similar way: thank you Anders Norén.

Valuable “cooking” lessons I learned:

  • AWS’ SSL certs require domain ownership validation. You can choose to do so via a CNAME entry or by a confirmation email sent to the WHOIS contacts. My first attempt using the CNAME timed out after 72h and I never understood what went awry. Luckily, the confirmation email showed up immediately and I was validated in mere minutes.
  • RTFM: AWS certs for use with CloudFront MUST be requested/issued in the AWS/Virginia region.
  • When browsers ask for https sites or are redirected (“forced”) from http-to-https, the browsers “expect” all links/content from the respective site/domain to be also delivered via “https”. Otherwise, we will get a security warning and the browser will “refuse” to display the page due to its mixed security content.
  • WordPress serves all its content with fully qualified absolute URLs. Therefore, all content is http only or https only, depending on the protocol defined in the site name configuration.
  • I setup CloudFront with the SSL cert and configured it to force http-to-https for all visitors irrespective of the protocol they might have requested. Therefore, CloudFront passes all requests to my EC2/WordPress “origin” also using https. In order for the WordPress to return all pages and their links with https only, I had to setup WordPress to also use https only and respond to CloudFront with the WordPress https & cert. Allowing WordPress to still use http results in mixed security content issues when pages are processed by the clients’ browsers.
  • Since CloudFront does not accept https from “self-signed” certs, I had to install a legitimate “Let’s Encrypt” SSL cert specific to my domain, on the EC2/WordPress server. Originally, I hoped to avoid this as I mistakenly assumed that the AWS’ cert on CloudFront would suffice.
  • I wanted the AWS’ cert for the entire site. Therefore, I had to configure CloudFront to use my own domain name in the “alternative domains” setting. When I attempted to use CF’s default domain in the WordPress CDN/cache settings I got “could not contact origin” errors.
    Btw, CF’s default domain name goes into host/CNAME records (“@” and “*”).

Conclusions & unresolved “mysteries”:

  • I was somewhat wrong about https and caching. When I had to setup https on the EC2, I thought that the CDN would not cache any assets. Page performance by GTmetrix and Response/HEADERS indicate that content is being served by the CDN. I have configured an S3 “origin” to offload some assets for caching but I am not sure if CF is using S3 over http or EC2 over https and then caching after decryption.
  • My EC2 does have to do more processing than I originally hoped because it must encrypt/decrypt all its communication with CloudFront.
  • Domain host records use CNAME pointed at the CloudFront’s domain for my distribution. Without CF I would use A records and point them to the EC2’s ip address. If the dynamic content is always served by the EC2 and never cached by the CF due to https, does that mean that I am wasting an extra network hop between the CDN and EC2?
  • If I am “wasting” a hop perhaps the “speed” of the AWS’ network between CF and EC2 makes up for the slowness of the “wild” internet between the browser and EC2?
  • I used BackWPup plugin to setup WordPress backup to S3. It seems that the free version has a bug which prevents the plugin from working with S3 buckets in US-Ohio region. Instead, I set it to use the “US-Standard” setting which corresponds to the US-N.Virginia region.
  • W3 Total Cache plugin does not “play” well with CloudFront backed by S3. It was pushing all wp-includes and wp-content files to S3 each time it was supposed to push just those that have changed. The consequence was that it quickly spent the entire free-tier provision for S3 operations. After a lot of trial-and-error I resolved the issue by switching off the setting that says:

    Force over-writing of existing files / If modified files are not always detected and replaced, use this option to over-write them
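An added check, not part of the original post, for two of the lessons above: it scans a page’s HTML for http:// sub-resources that would trigger the mixed-content warning described under the “cooking” lessons, and reads CloudFront’s Via / X-Cache response headers to tell whether a response was served from the CDN cache (the Response/HEADERS check in the conclusions). The sample page, hostnames and distribution name are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements whose sub-resources browsers fetch; http:// values on an https page are
# "active" mixed content (blocked) or "passive" (warned about) depending on the tag.
ACTIVE_SRC = {"script": "src", "iframe": "src", "link": "href"}
PASSIVE_SRC = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, url) for every sub-resource loaded over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_scheme = urlsplit(page_url).scheme
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = ACTIVE_SRC.get(tag) or PASSIVE_SRC.get(tag)
        if attr is None or not attrs.get(attr):
            return
        # <link> only fetches for stylesheet/preload; rel=canonical is never loaded.
        rel = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rel & {"stylesheet", "preload"}:
            return
        url = attrs[attr]
        # Protocol-relative (//host/path) and path-relative URLs inherit https: fine.
        if self.page_scheme == "https" and urlsplit(url).scheme == "http":
            self.findings.append(("active" if tag in ACTIVE_SRC else "passive", tag, url))


def scan_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def cdn_status(headers):
    """'hit' / 'miss' from CloudFront's X-Cache header, or 'not-cloudfront'."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    if "cloudfront" not in h.get("via", "") and "cloudfront" not in h.get("x-cache", ""):
        return "not-cloudfront"
    return "hit" if h.get("x-cache", "").startswith("hit") else "miss"


# Constructed WordPress page fragment as it would look with the site URL still on http.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://blog.example/wp-content/themes/wilson/style.css">
<link rel="canonical" href="http://blog.example/2018/genesis-post/">
<script src="https://blog.example/wp-includes/js/jquery/jquery.js"></script>
<script src="http://blog.example/wp-includes/js/wp-embed.min.js"></script>
</head><body>
<img src="//d111111abcdef8.cloudfront.net/wp-content/uploads/diagram.png">
<img src="http://blog.example/wp-content/uploads/photo.jpg">
</body></html>"""

# Constructed response headers, in the form CloudFront adds them.
SAMPLE_HEADERS = {"Via": "1.1 abc123.cloudfront.net (CloudFront)",
                  "X-Cache": "Hit from cloudfront"}


def audit_sample():
    """Run both checks on the constructed sample; returns (findings, cdn status)."""
    return (scan_mixed_content("https://blog.example/2018/genesis-post/", SAMPLE_PAGE),
            cdn_status(SAMPLE_HEADERS))


if __name__ == "__main__":
    findings, status = audit_sample()
    for kind, tag, url in findings:
        print(f"{kind:7} <{tag}> {url}")
    print("cdn:", status)
```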
