User:Paul/sandbox/Configure Cloudflare

From UNPM.org Wiki
Revision as of 17:20, 23 September 2021 by Paul (talk | contribs)

Nginx:

The Cloudflare interface will not accept self-generated certificate signing requests. Queries to Cloudflare on this issue have gone unanswered, and posts to the Cloudflare community do not produce solutions, though others comment that they have the same experience. For this reason it is only possible to use Cloudflare-provided keys.

Create the key and certificate in the Cloudflare interface, then save them as server.key and server.crt in /etc/ssl/private/example.com/cloudflare/.

Copy the Authenticated Origin Pulls certificate (the Certificate value shown by Cloudflare) to /etc/ssl/private/example.com/cloudflare/auth_origin_pull.pem.

Copy the Origin CA ECC root certificate to /etc/ssl/private/example.com/cloudflare/origin_ca_ecc_root.pem.

Edit /etc/nginx/sites-available/example.com:

    ssl_certificate /etc/ssl/private/example.com/cloudflare/server.crt;
    ssl_certificate_key /etc/ssl/private/example.com/cloudflare/server.key;

    ssl_verify_client on;
    ssl_client_certificate /etc/ssl/private/example.com/cloudflare/auth_origin_pull.pem;

Since the certificate is issued by Cloudflare's private Origin CA rather than a public CA, OCSP stapling cannot work and ssl_stapling must be disabled. Edit https_server.conf, or create a new file if https_server.conf is shared with other server blocks that use publicly trusted certificates.

$ sudo nano /etc/nginx/global-configs/https_server.conf

    ssl_ecdh_curve auto;
    #ssl_stapling on;
    #ssl_stapling_verify on;
    #resolver 1.1.1.1 1.0.0.1 valid=300s;
    #resolver_timeout 5s;


Vultr: Configure the Vultr firewall to allow inbound traffic only from Cloudflare.

Nginx:

Configure nginx to allow only Cloudflare IPv4 addresses to reach the server. Note that nginx will answer any other client with a 403 Forbidden response, which reveals that an origin is listening, so it may be advisable to configure a wildcard subdomain or a UFW rule set to mask this.

    include /etc/nginx/conf.d/cloudflareipv4.conf;

$ sudo nano /etc/nginx/package-configs/cloudflareipv4.conf

    allow 173.245.48.0/20;
    allow 103.21.244.0/22;
    allow 103.22.200.0/22;
    allow 103.31.4.0/22;
    allow 141.101.64.0/18;
    allow 108.162.192.0/18;
    allow 190.93.240.0/20;
    allow 188.114.96.0/20;
    allow 197.234.240.0/22;
    allow 198.41.128.0/17;
    allow 162.158.0.0/15;
    allow 104.16.0.0/13;
    allow 104.24.0.0/14;
    allow 172.64.0.0/13;
    allow 131.0.72.0/22;
    deny all;
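To sanity-check what this allow-list does before reloading nginx, the following Python script (added here as an example, not part of the wiki page or of nginx) mirrors the first-match semantics of nginx's access module over the list above and evaluates a few constructed client addresses, including an IPv6 address to show that an IPv4-only list denies every IPv6 client.

```python
import ipaddress

# The allow-list from this page, embedded verbatim so the check runs offline.
CLOUDFLARE_IPV4_CONF = """
allow 173.245.48.0/20;
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 141.101.64.0/18;
allow 108.162.192.0/18;
allow 190.93.240.0/20;
allow 188.114.96.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;
allow 162.158.0.0/15;
allow 104.16.0.0/13;
allow 104.24.0.0/14;
allow 172.64.0.0/13;
allow 131.0.72.0/22;
deny all;
"""

def parse_access_rules(conf):
    """Parse allow/deny directives into an ordered list of (action, network).
    'all' is stored as None. Comments and blank lines are ignored."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"unsupported directive: {raw!r}")
        action, target = parts
        network = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, network))
    return rules

def access_decision(rules, client_ip):
    """First matching rule wins, as in ngx_http_access_module. If nothing
    matches, nginx allows the request, which is why the list must end in 'deny all'."""
    ip = ipaddress.ip_address(client_ip)
    for action, network in rules:
        if network is None or (ip.version == network.version and ip in network):
            return action
    return "allow"

def audit(rules, client_ips):
    """Map each constructed client address to the decision nginx would make."""
    return {ip: access_decision(rules, ip) for ip in client_ips}
```

Run `audit(parse_access_rules(CLOUDFLARE_IPV4_CONF), ["104.16.1.1", "8.8.8.8", "2001:db8::1"])` to see one allowed edge address and two denied clients; dropping the final `deny all` flips the non-Cloudflare addresses to "allow".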


Cloudflare: Set SSL/TLS to Full (strict).