How to configure origin Cloudflare SSL with Nginx


How to configure origin Cloudflare SSL with Nginx

Overview

In this article we’re going to go through the steps how to configure the Cloudflare SSL origin certificate with the Nginx web server. These steps are for web servers which run on Linux(CentOS, Debian etc…).  Cloudflare is a quite famous CDN and DDoS protection platform but they offer many other services – one of those services are the SSL certificates. If you are already using Cloudflare, you can also acquire an SSL certificate from them as well. The SSL certificates are free(even in the free plan) but the origin server certificates are that are free. Edge certificates are not. One downside of the origin certificates is that the generated certificate is a shared one(one ssl certificate by multiple users) but on the good side is that the provided certificate can last up to 15 years and it supports TLS v1.3, HSTS and Onion routing.

Generate the SSL certificate on Clouflare

So in order to acquire the SSL certificate from the Cloudflare, you need to already use their services and add your domain on Cloudflare. In your dashboard, navigate to the SSL/TLS menu and then go to the Origin server.

configure cloudflare ssl nginx

Click on the option to Create a certificate. You’ll then get a prompt on which you need to choose the key type(go with the RSA type). Also, select that you want the Cloudflare to generate the key for you.

configure cloudflare ssl nginx

After that, select how long you want they to be valid. Cloudflare offers keys to be valid from 7 days up to 15 years. Once you click on create button, you’ll get a window prompt on which are going to be public and private keys displayed.

configure cloudflare ssl nginx

Copy both of the keys. Those are needed for the next step.

Create the certificate file and private key file on the server

Once the SSL certificate is generated, next step is to install the certificate on the Linux server. For that, we need to create two files on our server and in those files paste the keys we copied from the Cloudflare. To create files, we can simply use a text editor and then in the new file we paste in the key codes.  Each certificate file needs to go to the specific directory. You can use these commands to create the files:

sudo nano /etc/ssl/certs/cert.pem

sudo nano /etc/ssl/private/key.pem

As you can see, we need two files, for each key we copied from Cloudflare. Also, you can tell by the command line where they need to go, in which directory. First the cert.pem file – in that one paste in the certificate code and in they key.pem file, paste in the private key code.  Once you pasted the code, save the files.

Configure your server and Nginx with the Cloudflare SSL

After the certificate files are created, now we need to configure our Nginx web server to use those files so that the Cloudflare SSL could work. Again with the text editor open the Nginx server configuration for your website. It’s usually located at:

etc/nginx/sites-available/default

or if you don’t use the default config file and have a specific configuration file for your site, then edit that file instead. In the file, right after the – listen 80 lines: add these lines as well:

listen 443 ssl http2;
listen [::]:443 ssl http2;

ssl on;
ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;

Save the file and exit. In the end, the new configuration should look like this:

server {
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;

ssl on;
ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;

root /var/www/html/;
index index.php index.html index.htm;

server_name somesite.com www.somesite.com;

location / {
try_files $uri $uri/ /index.php?$args;
}

location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
## include fastcgi_params;
}

}

Note – the server name line should reflect your domain name. The entry in configuration above is just used as an example.

Once the configuration is saved, exit the editor and restart the Nginx server:

sudo systemctl restart nginx.service

And that is it.

Summary

We covered the steps how to configure the origin Cloudflare SSL with Nginx. Again, I must state the origin certificates are the only ones that are free in the Cloudflare free plan. They are not the perfect SSL solution but they do job quite alright and they support many SSL protocols. Considering that they offer free certificates up to 15 years, that’s not even bad at all.

I thank you for your time and hope that the information was useful.


You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

Secured By miniOrange