Difference between revisions of "User:Paul/sandbox/Configure Cloudflare"
| Line 1: | Line 1: | ||
| + | Nginx: | ||
| + | |||
| + | The Cloudflare interface will not accept self-generated certificate signing requests. Queries to Cloudflare on this issue have been unanswered and posts to the Cloudflare community do not result in solutions, though others will comment they have the same experience. For this reason it is it only possible to use Cloudflare provided keys. | ||
| + | |||
| + | Create the key and certificate, then save to <code>server.key</code> and <code>server.crt</code> to <code>/etc/ssl/private/example.com/cloudflare/</code>. | ||
| + | |||
| + | Copy the [https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull#certificate-value Certificate value] to <code>/etc/ssl/private/example.com/cloudflare/auth_origin_pull.pem</code> | ||
| + | |||
| + | Copy the [https://developers.cloudflare.com/ssl/origin-configuration/origin-ca#4-required-for-some-add-cloudflare-origin-ca-root-certificates origin ca ecc root] to <code>/etc/ssl/private/example.com/cloudflare/origin_ca_ecc_root.pem</code>. | ||
| + | |||
| + | Edit <code>/etc/nginx/sites-available/example.com</code>: | ||
| + | |||
| + | ssl_certificate /etc/ssl/private/example.com/cloudflare/server.crt; | ||
| + | ssl_certificate_key /etc/ssl/private/example.com/cloudflare/server.key; | ||
| + | |||
| + | ssl_verify_client on; | ||
| + | ssl_client_certificate /etc/ssl/private/example.com/cloudflare/auth_origin_pull.pem; | ||
| + | |||
| + | Since a private cert is being used, <code>ssl_stapling</code> must be disabled. Edit <code>https_server.conf</code> or create a new file if being used by other server blocks with trusted certs. | ||
| + | |||
| + | $ sudo nano /etc/nginx/global-configs/https_server.conf | ||
| + | |||
| + | ssl_ecdh_curve auto; | ||
| + | |||
| + | #ssl_stapling on; | ||
| + | #ssl_stapling_verify on; | ||
| + | #resolver 1.1.1.1 1.0.0.1 valid=300s; | ||
| + | #resolver_timeout 5s; | ||
| − | |||
| − | |||
Vultr: | Vultr: | ||
Configure Vultr firewall to only allow Cloudflare. | Configure Vultr firewall to only allow Cloudflare. | ||
| + | |||
| + | Nginx: | ||
| + | |||
| + | Configure nginx to only allow Cloudflare IPv4 addresses to view the server. Note this will serve a <tt>403 Forbidden</tt> response to queries and it may be advisable to configure a wildcard subdomain or <code>UFW</code> rule set to attempt to mask this. | ||
| + | |||
| + | include /etc/nginx/conf.d/cloudflareipv4.conf; | ||
| + | |||
| + | sudo nano /etc/nginx/package-configs/cloudflareipv4.conf | ||
| + | |||
| + | allow 173.245.48.0/20; | ||
| + | allow 103.21.244.0/22; | ||
| + | allow 103.22.200.0/22; | ||
| + | allow 103.31.4.0/22; | ||
| + | allow 141.101.64.0/18; | ||
| + | allow 108.162.192.0/18; | ||
| + | allow 190.93.240.0/20; | ||
| + | allow 188.114.96.0/20; | ||
| + | allow 197.234.240.0/22; | ||
| + | allow 198.41.128.0/17; | ||
| + | allow 162.158.0.0/15; | ||
| + | allow 104.16.0.0/13; | ||
| + | allow 104.24.0.0/14; | ||
| + | allow 172.64.0.0/13; | ||
| + | allow 131.0.72.0/22; | ||
| + | deny all; | ||
| + | |||
| + | |||
Cloudflare: | Cloudflare: | ||
Set SSL/TLS to Full {strict). | Set SSL/TLS to Full {strict). | ||
Latest revision as of 17:20, 23 September 2021
Nginx:
The Cloudflare interface will not accept self-generated certificate signing requests. Queries to Cloudflare on this issue have been unanswered and posts to the Cloudflare community do not result in solutions, though others will comment they have the same experience. For this reason it is it only possible to use Cloudflare provided keys.
Create the key and certificate, then save to server.key and server.crt to /etc/ssl/private/example.com/cloudflare/.
Copy the Certificate value to /etc/ssl/private/example.com/cloudflare/auth_origin_pull.pem
Copy the origin ca ecc root to /etc/ssl/private/example.com/cloudflare/origin_ca_ecc_root.pem.
Edit /etc/nginx/sites-available/example.com:
ssl_certificate /etc/ssl/private/example.com/cloudflare/server.crt;
ssl_certificate_key /etc/ssl/private/example.com/cloudflare/server.key;
ssl_verify_client on;
ssl_client_certificate /etc/ssl/private/example.com/cloudflare/auth_origin_pull.pem;
Since a private cert is being used, ssl_stapling must be disabled. Edit https_server.conf or create a new file if being used by other server blocks with trusted certs.
$ sudo nano /etc/nginx/global-configs/https_server.conf
ssl_ecdh_curve auto;
#ssl_stapling on; #ssl_stapling_verify on; #resolver 1.1.1.1 1.0.0.1 valid=300s; #resolver_timeout 5s;
Vultr: Configure Vultr firewall to only allow Cloudflare.
Nginx:
Configure nginx to only allow Cloudflare IPv4 addresses to view the server. Note this will serve a 403 Forbidden response to queries and it may be advisable to configure a wildcard subdomain or UFW rule set to attempt to mask this.
include /etc/nginx/conf.d/cloudflareipv4.conf;
sudo nano /etc/nginx/package-configs/cloudflareipv4.conf
allow 173.245.48.0/20; allow 103.21.244.0/22; allow 103.22.200.0/22; allow 103.31.4.0/22; allow 141.101.64.0/18; allow 108.162.192.0/18; allow 190.93.240.0/20; allow 188.114.96.0/20; allow 197.234.240.0/22; allow 198.41.128.0/17; allow 162.158.0.0/15; allow 104.16.0.0/13; allow 104.24.0.0/14; allow 172.64.0.0/13; allow 131.0.72.0/22; deny all;
Cloudflare: Set SSL/TLS to Full {strict).