The first thing to do is to create your certificate on Cloudflare:
- On your website dashboard, go to SSL/TLS > Origin Server
- On the Hostnames section, change the hostnames to your domains or subdomain, e.g. tobako.bidipeppercrap.com
- On the Origin Certificates section, press the Create Certificate button
- Leave the default settings and press Next
- Copy the PEM certificate to your server: /etc/ssl/certs/your.domain.com.pem
- Copy the PEM private key to your server: /etc/ssl/certs/your.domain.com.key (restrict its permissions so that only root can read it)
Now that you have successfully created the certificate, it's time to register it in your Nginx configuration.
Create a new Nginx .conf file for your website:
sudo vim /etc/nginx/conf.d/your.website.com.conf
Now write this to the conf file:
server {
    listen 80;
    listen [::]:80;
    server_name your.domain.com www.your.domain.com;
    location / {
        return 301 https://$server_name$request_uri;
    }
}
server {
    listen 443;
    listen [::]:443;
    ssl on;
    ssl_certificate /etc/ssl/certs/your.domain.com.pem;
    ssl_certificate_key /etc/ssl/certs/your.domain.com.key;
    server_name your.domain.com www.your.domain.com;
    location / {
        proxy_pass http://127.0.0.1:8000;
    }
}
The first server block redirects plain HTTP requests: it returns a 301 to https://$server_name (your domain) with the original path and query string appended via $request_uri, e.g. https://your.domain.com/the/request/uri
ssl on;
ssl_certificate /etc/ssl/certs/your.domain.com.pem;
ssl_certificate_key /etc/ssl/certs/your.domain.com.key;
The second server block is the SSL definition for your website: ssl on tells Nginx to enable SSL for this block, and ssl_certificate and ssl_certificate_key tell it where the certificate and private key for your domain are stored in the file system. Note that the ssl on; directive is deprecated since Nginx 1.15.0 and no longer accepted from 1.25.1 on; on current versions use listen 443 ssl; instead.
location / {
    proxy_pass http://127.0.0.1:8000;
}
Then proxy_pass forwards every request under / to the web application already running on your server's localhost (127.0.0.1:8000).
Don't forget to verify the syntax of your .conf file by calling sudo nginx -t. Also don't forget to reload the Nginx service to apply the changes: sudo nginx -s reload
Now you can try accessing your domain in the browser, you should see the HTTPS is now activated.
If you want to add extra security to your domain, now it is the time to do it.
The Origin CA certificate will help Cloudflare verify that it is talking to the correct origin server. But how can your Nginx verify that it is actually talking to Cloudflare? Enter TLS Client Authentication.
- First you have to download the Client Certificate.
- Move the certificate to /etc/ssl/certs/authenticated_origin_pull_ca.pem
- Add the ssl_client_certificate and ssl_verify_client directives to your conf file:
server {
    listen 443;
    listen [::]:443;
    ssl on;
    ssl_certificate /etc/ssl/certs/your.domain.com.pem;
    ssl_certificate_key /etc/ssl/certs/your.domain.com.key;
    ssl_client_certificate /etc/ssl/certs/authenticated_origin_pull_ca.pem;
    ssl_verify_client on;
    . . .
sudo nginx -t
sudo nginx -s reload
- Enable Authenticated Origin Pulls on your Cloudflare SSL/TLS Overview menu
Now everything should be working properly without any error.
If you see an error, you can just skip this third step. The Origin certificate alone is enough for protecting your website; without the third step, however, Nginx will accept a TLS connection from any client that reaches the origin directly, not only from Cloudflare.
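As an added check that is not part of the original tutorial, the following POSIX shell script verifies the setup from the origin server itself: that the Origin CA certificate and private key belong together, that the certificate covers your hostname, that the Nginx configuration parses, and that a client presenting no certificate is refused once Authenticated Origin Pulls is enforced. It assumes openssl and curl are installed on the server and takes the tutorial's placeholder paths and hostname as arguments.

```shell
#!/bin/sh
# Post-deployment checks for the Cloudflare Origin CA + Nginx setup above.
# Added example, not from the original tutorial. Assumes openssl and curl
# are installed; run it with sudo so that "nginx -t" can read the config.

# 1. Certificate and private key must belong together: the public key
#    embedded in the certificate has to equal the one derived from the key.
certs_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# 2. The certificate must cover the hostname Cloudflare connects with
#    (SAN or wildcard); openssl prints "does match" or "does NOT match".
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# 3. With Authenticated Origin Pulls enforced, a TLS client that sends no
#    client certificate must be rejected: Nginx answers HTTP 400 when
#    ssl_verify_client is on and no certificate was presented. --resolve
#    pins the name to the origin itself so the request does not go through
#    Cloudflare; -k is needed because the Origin CA is not publicly trusted.
origin_pull_enforced() {
    code=$(curl -sk -o /dev/null -w '%{http_code}' \
               --resolve "$1:443:127.0.0.1" "https://$1/")
    [ "$code" = "400" ]
}

run_checks() {
    cert=$1; key=$2; host=$3; rc=0
    certs_match "$cert" "$key"       && echo "ok: cert and key match" \
        || { echo "FAIL: cert and key do not match"; rc=1; }
    cert_covers_host "$cert" "$host" && echo "ok: cert covers $host" \
        || { echo "FAIL: cert does not cover $host"; rc=1; }
    nginx -t >/dev/null 2>&1         && echo "ok: nginx -t" \
        || { echo "FAIL: nginx -t reports an error"; rc=1; }
    origin_pull_enforced "$host"     && echo "ok: client without cert gets 400" \
        || echo "WARN: origin still accepts clients without a certificate"
    return $rc
}

# Usage: sudo sh check_origin.sh /etc/ssl/certs/your.domain.com.pem \
#            /etc/ssl/certs/your.domain.com.key your.domain.com
if [ $# -ge 3 ]; then run_checks "$@"; fi
```

The last check can only confirm that unauthenticated clients are refused; a positive test with a valid client certificate is not possible from the origin, because only Cloudflare holds the matching private key.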