Self Hosting on your Home Server – Cloudflare + Nginx Proxy Manager – Easy SSL Setup

The author selected the Electronic Frontier Foundation to receive a donation as part of the Write for DOnations program.

Introduction

Cloudflare is a service that sits between the visitor and the website owner’s server, acting as a reverse proxy for websites. Cloudflare provides a Content Delivery Network (CDN), as well as DDoS mitigation and distributed domain name server services.

Nginx is a popular web server responsible for hosting some of the largest and highest-traffic sites on the internet. It’s common for organizations to serve websites with Nginx and use Cloudflare as a CDN and DNS provider.

In this tutorial, you will secure your website served by Nginx with an Origin CA certificate from Cloudflare and then configure Nginx to use authenticated pull requests. The advantages of using this setup are that you benefit from Cloudflare’s CDN and fast DNS resolution while ensuring that all connections pass through Cloudflare. This prevents any malicious requests from reaching your server.

Prerequisites

To complete this tutorial, you’ll need the following:

  • One Ubuntu 20.04 server set up by following the Ubuntu 20.04 initial server setup guide, including a sudo non-root user and a firewall.
  • Nginx installed on your server. You can follow our guide on how to install Nginx on Ubuntu 20.04.
  • A Cloudflare account.
  • A registered domain added to your Cloudflare account that points to your Nginx server. Our guide on how to mitigate DDoS attacks against your website with Cloudflare can help you set this up. Our introduction to DNS terminology, components, and concepts can also provide assistance.
  • An Nginx Server Block configured for your domain, which you can do by following Step 5 of How To Install Nginx on Ubuntu 20.04.

Step 1 — Generating an Origin CA TLS Certificate

The Cloudflare Origin CA lets you generate a free TLS certificate signed by Cloudflare to install on your Nginx server. By using the Cloudflare generated TLS certificate you can secure the connection between Cloudflare’s servers and your Nginx server.

To generate a certificate with Origin CA, log in to your Cloudflare account in a web browser. Select the domain that you want to secure and navigate to the SSL/TLS section of your Cloudflare dashboard. From there, navigate to the Origin Server tab and click on the Create Certificate button:

Leave the default option of Generate private key and CSR with Cloudflare selected.

Origin CA GUI options

Click Next and you will see a dialog with the Origin Certificate and Private key. You need to transfer both the origin certificate and private key from Cloudflare to your server. For security reasons, the Private Key information will not be displayed again, so copy the key to your server before clicking Ok.


Dialog showing the origin certificate and private key

You’ll use the /etc/ssl directory on the server to hold the origin certificate and the private key files. The folder already exists on the server.

First, copy the contents of the Origin Certificate displayed in the dialog box in your browser.

Then, on your server, open /etc/ssl/cert.pem in your preferred text editor:

    sudo nano /etc/ssl/cert.pem

Paste the certificate contents into the file. Then save and exit the editor. If you are using nano, press Ctrl+X, then when prompted, Y and then Enter.

Then return to your browser and copy the contents of the Private key. Open the file /etc/ssl/key.pem for editing:

    sudo nano /etc/ssl/key.pem

Paste the private key into the file, save the file, and exit the editor.

Note:
Sometimes, when you copy the certificate and key from the Cloudflare dashboard and paste them into the relevant files on the server, blank lines are inserted. Nginx will treat such certificates and keys as invalid, so ensure that there are no blank lines in your files.

Warning:
Cloudflare’s Origin CA Certificate is only trusted by Cloudflare and therefore should only be used by origin servers that are actively connected to Cloudflare. If at any point you pause or disable Cloudflare, your Origin CA certificate will throw an untrusted certificate error.

Now that you have copied the key and certificate files to your server, you need to update the Nginx configuration to use them.
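The note above warns about blank lines creeping into the pasted certificate and key. The following shell script is an added example, not part of the original tutorial, that checks a PEM file for exactly that before Nginx is restarted: exactly one BEGIN/END marker pair, no blank or whitespace-only lines, a body that decodes as base64, and optionally the expected block type. The function names pem_check and pem_check_origin_files are this example’s own; the /etc/ssl/cert.pem and /etc/ssl/key.pem paths are the ones the tutorial uses.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): sanity-check a PEM file
# pasted from the Cloudflare dashboard before Nginx is pointed at it.
# It catches the failure mode described in the note above: stray blank
# lines, which make Nginx reject the certificate or key as invalid.
# Needs only POSIX sh plus grep, awk, tr and base64 from coreutils.

# pem_check FILE [TYPE]
#   Returns 0 when FILE is a single well-formed PEM block (optionally of the
#   given TYPE, e.g. CERTIFICATE or "PRIVATE KEY"), 1 otherwise with the
#   reason on stderr.
pem_check() {
    file=$1
    type=$2
    [ -r "$file" ] || { echo "$file: not readable" >&2; return 1; }

    # Exactly one BEGIN marker and one END marker.
    if [ "$(grep -c '^-----BEGIN ' "$file")" -ne 1 ] ||
       [ "$(grep -c '^-----END ' "$file")" -ne 1 ]; then
        echo "$file: expected exactly one BEGIN/END marker pair" >&2
        return 1
    fi

    # Optional block-type check; "PRIVATE KEY" also accepts "RSA PRIVATE KEY".
    if [ -n "$type" ] && ! grep -q "^-----BEGIN .*${type}-----" "$file"; then
        echo "$file: not a $type block" >&2
        return 1
    fi

    # No blank or whitespace-only lines anywhere (the pasted-newline problem).
    if grep -q '^[[:space:]]*$' "$file"; then
        echo "$file: contains blank lines; Nginx will reject this file" >&2
        return 1
    fi

    # The body between the markers must decode as base64.
    if ! awk '/^-----BEGIN /{inb=1; next} /^-----END /{inb=0} inb' "$file" \
            | tr -d '\n' | base64 -d >/dev/null 2>&1; then
        echo "$file: body is not valid base64" >&2
        return 1
    fi
    return 0
}

# pem_check_origin_files [CERT] [KEY]
#   Checks both files the tutorial creates (defaults: /etc/ssl/cert.pem and
#   /etc/ssl/key.pem). Non-zero if either fails, so it can gate a deploy script.
pem_check_origin_files() {
    status=0
    pem_check "${1:-/etc/ssl/cert.pem}" CERTIFICATE || status=1
    pem_check "${2:-/etc/ssl/key.pem}" 'PRIVATE KEY' || status=1
    return $status
}
```

Run `pem_check /etc/ssl/cert.pem CERTIFICATE` and `pem_check /etc/ssl/key.pem 'PRIVATE KEY'` right after pasting, and only then `sudo nginx -t`. The script cannot tell whether the key belongs to the certificate; for that, compare the output of `openssl x509 -noout -pubkey -in /etc/ssl/cert.pem` with `openssl pkey -pubout -in /etc/ssl/key.pem`, which must be identical.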

Step 2 — Installing the Origin CA Certificate in Nginx

In the previous section, you generated an origin certificate and private key using Cloudflare’s dashboard and saved the files to your server. Now you’ll update the Nginx configuration for your site to use the origin certificate and private key to secure the connection between Cloudflare’s servers and your server.

First, make sure that UFW will allow HTTPS traffic. Enable Nginx Full, which will open both port 80 (HTTP) and port 443 (HTTPS):

    sudo ufw allow 'Nginx Full'

Now reload UFW:

    sudo ufw reload

Finally, check that your new rules are allowed and that UFW is active:

    sudo ufw status

You will see an output like this:

Output

    Status: active

    To                         Action      From
    --                         ------      ----
    OpenSSH                    ALLOW       Anywhere
    Nginx Full                 ALLOW       Anywhere
    OpenSSH (v6)               ALLOW       Anywhere (v6)
    Nginx Full (v6)            ALLOW       Anywhere (v6)

Now you are ready to adjust your Nginx server block. Nginx creates a default server block during installation. Remove it if it still exists, as you’ve already configured a custom server block for your domain:

    sudo rm /etc/nginx/sites-enabled/default

Next, open the Nginx configuration file for your domain:

    sudo nano /etc/nginx/sites-available/your_domain

The file should look similar to this:


/etc/nginx/sites-available/your_domain

    server {
        listen 80;
        listen [::]:80;

        root /var/www/your_domain/html;
        index index.html index.htm index.nginx-debian.html;

        server_name your_domain www.your_domain;

        location / {
            try_files $uri $uri/ =404;
        }
    }

You’ll modify the Nginx configuration file to do the following:

  • Listen on port 80 and redirect all requests to use https.
  • Listen on port 443 and use the origin certificate and private key added in the previous section.

Modify the file so it looks like the following:

/etc/nginx/sites-available/your_domain

    server {
        listen 80;
        listen [::]:80;
        server_name your_domain www.your_domain;
        return 302 https://$server_name$request_uri;
    }

    server {
        # SSL configuration
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ssl_certificate /etc/ssl/cert.pem;
        ssl_certificate_key /etc/ssl/key.pem;

        server_name your_domain www.your_domain;

        root /var/www/your_domain/html;
        index index.html index.htm index.nginx-debian.html;

        location / {
            try_files $uri $uri/ =404;
        }
    }

Save the file and exit the editor.

Next, test to ensure that there are no syntax errors in any of your Nginx configuration files:

    sudo nginx -t

If no problems were found, restart Nginx to enable your changes:

    sudo systemctl restart nginx

Now go to the Cloudflare dashboard’s SSL/TLS section, navigate to the Overview tab, and change SSL/TLS encryption mode to Full (strict). This informs Cloudflare to always encrypt the connection between Cloudflare and your origin Nginx server.

Enable Full(strict) SSL mode in the Cloudflare Dashboard

Now visit your website at https://your_domain to verify that it’s set up properly. You’ll see your home page displayed, and the browser will report that the site is secure.

Browser Certificate

In the next section, you will set up Authenticated Origin Pulls to verify that your origin server is indeed talking to Cloudflare and not some other server. By doing so, Nginx will be configured to only accept requests that use a valid client certificate from Cloudflare; all requests that have not passed through Cloudflare will be dropped.

Step 3 — Setting Up Authenticated Origin Pulls

The Origin CA certificate will help Cloudflare verify that it is talking to the correct origin server. This step will use TLS Client Authentication to verify that your origin Nginx server is talking to Cloudflare.

In a client-authenticated TLS handshake, both sides provide a certificate to be verified. The origin server is configured to only accept requests that use a valid client certificate from Cloudflare. Requests which have not passed through Cloudflare will be dropped as they will not have Cloudflare’s certificate. This means that attackers cannot circumvent Cloudflare’s security measures and directly connect to your Nginx server.

Cloudflare presents certificates signed by a CA with the following certificate:

    -----BEGIN CERTIFICATE-----
    MIIGCjCCA/KgAwIBAgIIV5G6lVbCLmEwDQYJKoZIhvcNAQENBQAwgZAxCzAJBgNV
    BAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMRQwEgYDVQQLEwtPcmln
    aW4gUHVsbDEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZv
    cm5pYTEjMCEGA1UEAxMab3JpZ2luLXB1bGwuY2xvdWRmbGFyZS5uZXQwHhcNMTkx
    MDEwMTg0NTAwWhcNMjkxMTAxMTcwMDAwWjCBkDELMAkGA1UEBhMCVVMxGTAXBgNV
    BAoTEENsb3VkRmxhcmUsIEluYy4xFDASBgNVBAsTC09yaWdpbiBQdWxsMRYwFAYD
    VQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMSMwIQYDVQQD
    ExpvcmlnaW4tcHVsbC5jbG91ZGZsYXJlLm5ldDCCAiIwDQYJKoZIhvcNAQEBBQAD
    ggIPADCCAgoCggIBAN2y2zojYfl0bKfhp0AJBFeV+jQqbCw3sHmvEPwLmqDLqynI
    42tZXR5y914ZB9ZrwbL/K5O46exd/LujJnV2b3dzcx5rtiQzso0xzljqbnbQT20e
    ihx/WrF4OkZKydZzsdaJsWAPuplDH5P7J82q3re88jQdgE5hqjqFZ3clCG7lxoBw
    hLaazm3NJJlUfzdk97ouRvnFGAuXd5cQVx8jYOOeU60sWqmMe4QHdOvpqB91bJoY
    QSKVFjUgHeTpN8tNpKJfb9LIn3pun3bC9NKNHtRKMNX3Kl/sAPq7q/AlndvA2Kw3
    Dkum2mHQUGdzVHqcOgea9BGjLK2h7SuX93zTWL02u799dr6Xkrad/WShHchfjjRn
    aL35niJUDr02YJtPgxWObsrfOU63B8juLUphW/4BOjjJyAG5l9j1//aUGEi/sEe5
    lqVv0P78QrxoxR+MMXiJwQab5FB8TG/ac6mRHgF9CmkX90uaRh+OC07XjTdfSKGR
    PpM9hB2ZhLol/nf8qmoLdoD5HvODZuKu2+muKeVHXgw2/A6wM7OwrinxZiyBk5Hh
    CvaADH7PZpU6z/zv5NU5HSvXiKtCzFuDu4/Zfi34RfHXeCUfHAb4KfNRXJwMsxUa
    +4ZpSAX2G6RnGU5meuXpU5/V+DQJp/e69XyyY6RXDoMywaEFlIlXBqjRRA2pAgMB
    AAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1Ud
    DgQWBBRDWUsraYuA4REzalfNVzjann3F6zAfBgNVHSMEGDAWgBRDWUsraYuA4REz
    alfNVzjann3F6zANBgkqhkiG9w0BAQ0FAAOCAgEAkQ+T9nqcSlAuW/90DeYmQOW1
    QhqOor5psBEGvxbNGV2hdLJY8h6QUq48BCevcMChg/L1CkznBNI40i3/6heDn3IS
    zVEwXKf34pPFCACWVMZxbQjkNRTiH8iRur9EsaNQ5oXCPJkhwg2+IFyoPAAYURoX
    VcI9SCDUa45clmYHJ/XYwV1icGVI8/9b2JUqklnOTa5tugwIUi5sTfipNcJXHhgz
    6BKYDl0/UP0lLKbsUETXeTGDiDpxZYIgbcFrRDDkHC6BSvdWVEiH5b9mH2BON60z
    0O0j8EEKTwi9jnafVtZQXP/D8yoVowdFDjXcKkOPF/1gIh9qrFR6GdoPVgB3SkLc
    5ulBqZaCHm563jsvWb/kXJnlFxW+1bsO9BDD6DweBcGdNurgmH625wBXksSdD7y/
    fakk8DagjbjKShYlPEFOAqEcliwjF45eabL0t27MJV61O/jHzHL3dknXeE4BDa2j
    bA+JbyJeUMtU7KMsxvx82RmhqBEJJDBCJ3scVptvhDMRrtqDBW5JShxoAOcpFQGm
    iYWicn46nPDjgTU0bX1ZPpTpryXbvciVL5RkVBuyX2ntcOLDPlZWgxZCBp96x07F
    AnOzKgZk4RzZPNAxCXERVxajn/FLcOhglVAKo5H0ac+AitlQ0ip55D2/mf8o72tM
    fVQ6VpyjEXdiIXWUq/o=
    -----END CERTIFICATE-----

You can also download the certificate directly from Cloudflare’s documentation.


Copy this certificate.

Then create the file /etc/ssl/cloudflare.crt to hold Cloudflare’s certificate:

    sudo nano /etc/ssl/cloudflare.crt

Add the certificate to the file. Then save the file and exit the editor.

Now update your Nginx configuration to use TLS Authenticated Origin Pulls. Open the configuration file for your domain:

    sudo nano /etc/nginx/sites-available/your_domain

Add the ssl_client_certificate and ssl_verify_client directives as shown in the following example:

/etc/nginx/sites-available/your_domain

    . . .
    server {
        # SSL configuration
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ssl_certificate /etc/ssl/cert.pem;
        ssl_certificate_key /etc/ssl/key.pem;
        ssl_client_certificate /etc/ssl/cloudflare.crt;
        ssl_verify_client on;
    . . .

Save the file and exit the editor.

Next, test Nginx to make sure that there are no syntax errors in your Nginx configuration:

    sudo nginx -t

If no problems were found, restart Nginx to enable your changes:

    sudo systemctl restart nginx
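The redirect server block from Step 2 and the two client-verification directives from this step are easy to lose in a later edit, and `nginx -t` only checks syntax, not intent. The following shell function is an added example, not part of the original tutorial, that audits a site configuration for both: every server block with a `listen ... ssl` directive must carry `ssl_client_certificate` and `ssl_verify_client on` (otherwise that listener would still answer connections that bypass Cloudflare once Authenticated Origin Pulls is enabled), and every plain-HTTP block must redirect to https://. The function name nginx_tls_audit and its awk parser are this example’s own assumptions; the parser understands the flat `directive value;` layout used in this tutorial and does not follow `include` files.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): audit an Nginx site
# configuration for the two properties this tutorial sets up.
#   - TLS listeners (any "listen ... ssl") must verify Cloudflare's client
#     certificate: ssl_client_certificate present and ssl_verify_client on.
#   - plain-HTTP listeners must redirect to https://.
# Exit status is 0 when every top-level server block is compliant, 1 otherwise.
# Needs only POSIX sh and awk. nginx_tls_audit is this example's own name.
nginx_tls_audit() {
    awk '
    BEGIN { ok = 0; bad = 0; depth = 0; inserver = 0 }

    # Called when a server block closes; prints findings for that block.
    function report() {
        if (is_tls) {
            if (has_cc && verify_on) { ok++; return }
            bad++
            printf "server block at line %d:", start
            if (!has_cc)    printf " missing ssl_client_certificate;"
            if (!verify_on) printf " ssl_verify_client is not on;"
            print ""
        } else if (redirects) {
            ok++
        } else {
            bad++
            printf "server block at line %d: plain-HTTP listener does not redirect to https\n", start
        }
    }

    # Strip comments so braces and directives inside them are ignored.
    { line = $0; sub(/#.*/, "", line) }

    # A top-level "server {" starts a new block; reset its flags.
    depth == 0 && line ~ /^[ \t]*server[ \t]*\{/ {
        inserver = 1; start = NR
        is_tls = 0; has_cc = 0; verify_on = 0; redirects = 0
    }

    inserver && line ~ /^[ \t]*listen[ \t].*[ \t]ssl([ \t;]|$)/   { is_tls = 1 }
    inserver && line ~ /^[ \t]*ssl_client_certificate[ \t]/         { has_cc = 1 }
    inserver && line ~ /^[ \t]*ssl_verify_client[ \t]+on[ \t]*;/     { verify_on = 1 }
    inserver && line ~ /^[ \t]*return[ \t]+30[0-9][ \t]+https:\/\//  { redirects = 1 }

    # Track brace depth so nested location blocks do not end the server block early.
    {
        depth += gsub(/\{/, "{", line)
        depth -= gsub(/\}/, "}", line)
        if (inserver && depth == 0) { report(); inserver = 0 }
    }

    END {
        printf "%d compliant, %d non-compliant server block(s)\n", ok, bad
        exit (bad > 0)
    }
    ' "$1"
}
```

Run `nginx_tls_audit /etc/nginx/sites-available/your_domain`; a non-zero exit status lists each offending block by the line where it starts. Keep `sudo nginx -t` in the procedure as well, since this only confirms the directives are present, not that Nginx accepts them.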

Finally, to enable Authenticated Pulls, open the SSL/TLS section in the Cloudflare dashboard, navigate to the Origin Server tab and toggle the Authenticated Origin Pulls option.

Enable Authenticated Origin Pulls

Now visit your website at https://your_domain to verify that it was set up properly. As before, you’ll see your home page displayed.

To verify that your server will only accept requests signed by Cloudflare’s CA, toggle the Authenticated Origin Pulls option to disable it and then reload your website. You should get the following error message:

Error message

Your origin server raises an error if Cloudflare’s CA does not sign a request.

Note:
Most browsers will cache requests, so to see the above change you can use Incognito/Private browsing mode in your browser. To prevent Cloudflare from caching requests while you set up your website, navigate to Overview in the Cloudflare dashboard and toggle Development Mode.

Now that you know it works properly, return to the SSL/TLS section in the Cloudflare dashboard, navigate to the Origin Server tab and toggle the Authenticated Origin Pulls option again to enable it.

Conclusion

In this tutorial, you secured your Nginx-powered website by encrypting traffic between Cloudflare and the Nginx server using an Origin CA certificate from Cloudflare. You then set up Authenticated Origin Pulls on the Nginx server to ensure that it only accepts requests from Cloudflare’s servers, preventing anyone else from directly connecting to the Nginx server.


Source: https://www.digitalocean.com/community/tutorials/how-to-host-a-website-using-cloudflare-and-nginx-on-ubuntu-20-04