Cloud Web Server - How to Host a Website Using Cloudflare and Nginx on Ubuntu 16.04

Cloudflare is a service that sits between a site's visitors and the site owner's server, acting as a reverse proxy for the website. Alongside its CDN, Cloudflare provides DDoS mitigation and a distributed authoritative DNS service.

Nginx is a popular web server that hosts some of the largest sites on the internet. It is common practice to serve a website with Nginx and put Cloudflare in front of it as the DNS and CDN provider.

This guide shows how to secure a website served by Nginx with a certificate from the Cloudflare Origin CA, and how to configure Nginx to use Authenticated Origin Pulls. One of the biggest advantages of this setup is that, on top of Cloudflare's CDN and fast DNS resolution, every connection that reaches the origin is guaranteed to have passed through Cloudflare: requests that bypass Cloudflare and hit the server directly are rejected, so an attacker who discovers the origin's IP address cannot sidestep Cloudflare's protections.


Generating an Origin CA TLS Certificate

The Cloudflare Origin CA lets you generate a free TLS certificate, signed by Cloudflare, to install on the Nginx server. Using a Cloudflare-issued certificate ensures that the connection between Cloudflare's servers and your Nginx server is encrypted. Note that browsers do not trust the Origin CA: the certificate is meant only for the Cloudflare-to-origin hop, so the site must remain proxied through Cloudflare.

To generate the certificate with the Origin CA, navigate to the Crypto section of the Cloudflare dashboard and click the Create Certificate button in the Origin Certificates section:

Leave the default option, Let Cloudflare generate a private key and a CSR, selected.

Click Next and you will see a dialog showing the Origin Certificate and the Private key. You need to transfer both from Cloudflare to the server. Cloudflare displays the private key only once: if you close the dialog without saving it, you will have to revoke the certificate and create a new one.

We will use the /etc/ssl/certs directory on the server to hold the origin certificate and the /etc/ssl/private directory to hold the private key; both directories already exist on the server. First copy the contents of the Origin Certificate displayed in the browser dialog, then open /etc/ssl/certs/cert.pem on the server for editing:

$ sudo nano /etc/ssl/certs/cert.pem

Paste the certificate into the file, save it and exit the editor.

Return to the browser and copy the contents of the Private key, then open /etc/ssl/private/key.pem for editing:

$ sudo nano /etc/ssl/private/key.pem

Paste the key into the file, save it and exit the editor. This key is what proves the server's identity to Cloudflare, so make sure the file is readable only by root (mode 0600). On Ubuntu, /etc/ssl/private itself is already restricted to root, but check the permissions of the file you just created.

  

Installing the Origin CA Certificate in Nginx

You have generated an origin certificate and its private key in the Cloudflare dashboard and saved both files to the server. Now update the Nginx configuration for your site to use them, so that the connection between Cloudflare's servers and your server is encrypted.
Nginx creates a default server block during installation. Remove it if it still exists, since a custom server block has already been configured for the domain:


$ sudo rm /etc/nginx/sites-enabled/default


Open the Nginx configuration file for the domain:

$ sudo nano /etc/nginx/sites-available/example.com


The file should look like this:

server {
    listen 80;
    listen [::]:80;

    root /var/www/example.com/html;
    index index.html index.htm index.nginx-debian.html;

    server_name example.com www.example.com;

    location / {
        try_files $uri $uri/ =404;
    }
}


You will modify the Nginx configuration to do two things:
- Listen on port 80 and redirect all requests to HTTPS.
- Listen on port 443 and use the origin certificate and private key added in the previous section.

 


Modify the file so it looks like the following:

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Send every plain-HTTP request to the HTTPS server block below.
    # $server_name is the first name listed above, so www.example.com is
    # redirected to example.com; use $host instead to keep the requested name.
    return 302 https://$server_name$request_uri;
}

server {

    # SSL configuration. The "ssl" parameter on the listen directives enables
    # TLS, so the separate "ssl on;" directive is not needed (it is deprecated
    # in newer Nginx releases).

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/key.pem;

    server_name example.com www.example.com;

    root /var/www/example.com/html;
    index index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ =404;
    }
}


Save the file and exit the editor.
Next, test that there are no syntax errors in any of the Nginx configuration files:

$ sudo nginx -t

If no problems are reported, restart Nginx to apply the changes:

$ sudo systemctl restart nginx


Now go to the Crypto section of the Cloudflare dashboard and change the SSL mode to Full (strict). Full mode encrypts the connection between Cloudflare and the origin Nginx server but does not validate the origin's certificate; Full (strict) additionally verifies that the origin presents a certificate trusted by Cloudflare, which an Origin CA certificate is, so there is no reason to settle for the weaker setting here.
Visit the website, for example https://example.com, to verify that it is set up properly. The home page should display and the browser should report the site as secure. The certificate the browser sees is Cloudflare's edge certificate for your domain; the Origin CA certificate is used only on the Cloudflare-to-origin hop.

 

Setting Up the Authenticated Origin Pulls

The Origin CA certificate lets Cloudflare verify that it is talking to the correct origin server. But how does the origin Nginx server verify that it is really talking to Cloudflare? That is what TLS client authentication provides.

In a client-authenticated TLS handshake both sides present a certificate to be verified. The origin server is configured to accept only requests that carry a valid client certificate issued by Cloudflare. Requests that did not pass through Cloudflare are rejected, because they cannot present such a certificate. An attacker who learns the origin's IP address therefore cannot bypass Cloudflare's security measures by connecting to the Nginx server directly.

Cloudflare publishes the CA certificate under which its client certificates are issued. Nginx will use it to verify the client certificate that Cloudflare presents on every connection:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


Copy this certificate and create the file /etc/ssl/certs/cloudflare.crt to hold it:

$ sudo nano /etc/ssl/certs/cloudflare.crt

Paste the certificate into the file, save it and exit the editor.
Now update the Nginx configuration to use TLS Authenticated Origin Pulls. Open the configuration file for the domain:

$ sudo nano /etc/nginx/sites-available/example.com

Add the ssl_client_certificate and ssl_verify_client directives to the HTTPS server block, as shown below:

. . .

server {

    # SSL configuration

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/key.pem;
    # Authenticated Origin Pulls: trust only client certificates issued under
    # Cloudflare's CA, and reject connections that do not present one.
    ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
    ssl_verify_client on;

. . .


Save the file and exit the editor.
Next, test that there are no syntax errors in the Nginx configuration:


$ sudo nginx -t

If no problems are reported, restart Nginx to apply the changes:


$ sudo systemctl restart nginx

Finally, to enable authenticated pulls, open the Crypto section of the Cloudflare dashboard and toggle the Authenticated Origin Pulls option on. Until this option is enabled Cloudflare does not present a client certificate, so Nginx will reject Cloudflare's own requests in the window between the restart above and this toggle; do the two steps back to back.

Visit https://example.com again to verify that everything is set up properly. As before, the home page should display. To confirm that the origin now refuses direct connections, request the site from the origin server's IP address while bypassing Cloudflare (for example with curl, resolving the hostname to the origin address): Nginx should answer with 400 Bad Request and the message "No required SSL certificate was sent".
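To make concrete what the two directives above enforce, here is an added example written for this page (not code from the original tutorial, Cloudflare or Nginx). It builds the same arrangement in Go: a loopback TLS server configured like the HTTPS server block, with the equivalents of ssl_certificate, ssl_client_certificate and ssl_verify_client on, and three callers: the proxy holding a client certificate from the trusted CA, a direct hit with no client certificate, and an attacker holding a client certificate from a CA of their own. All certificate authorities, keys and certificates are generated in memory as stand-ins for the Cloudflare Origin CA and Cloudflare's client CA; example.com, proxy.example.net and attacker.example.net are assumed names.

```go
// Added example, not from the original tutorial: a self-contained model of what
// Authenticated Origin Pulls enforces. All CAs, keys and certificates are stand-ins.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// issue mints a certificate (key and parsed Leaf included) for cn: a self-signed
// CA when signer is nil, otherwise a leaf signed by signer for the given eku.
func issue(cn string, eku x509.ExtKeyUsage, signer *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	parent, parentKey := tmpl, interface{}(key) // self-signed unless signer is given
	if signer == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		parent, parentKey = signer.Leaf, signer.PrivateKey
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		tmpl.DNSNames = []string{cn} // SAN, so the leaf can be matched by name
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// standInPKI plays the cast: originCA and the origin cert it issued for the site,
// clientCA and the proxy cert it issued, and rogue, a client cert from an
// unrelated CA such as anyone could mint for themselves.
func standInPKI() (originCA, origin, clientCA, proxy, rogue tls.Certificate) {
	originCA = issue("Origin CA (stand-in)", x509.ExtKeyUsageAny, nil)
	clientCA = issue("Client CA (stand-in)", x509.ExtKeyUsageAny, nil)
	otherCA := issue("Unrelated CA (stand-in)", x509.ExtKeyUsageAny, nil)
	origin = issue("example.com", x509.ExtKeyUsageServerAuth, &originCA)
	proxy = issue("proxy.example.net", x509.ExtKeyUsageClientAuth, &clientCA)
	rogue = issue("attacker.example.net", x509.ExtKeyUsageClientAuth, &otherCA)
	return
}

// pull makes one TLS connection to a loopback origin that requires a client cert
// chaining to clientCA; client == nil models a request that bypassed the proxy.
// It returns nil only if the origin accepted the client and served a reply.
func pull(originCA, origin, clientCA tls.Certificate, client *tls.Certificate) error {
	srv := &tls.Config{ // the nginx server block, expressed in Go
		Certificates: []tls.Certificate{origin},      // ssl_certificate(_key)
		ClientCAs:    x509.NewCertPool(),             // ssl_client_certificate
		ClientAuth:   tls.RequireAndVerifyClientCert, // ssl_verify_client on
	}
	srv.ClientCAs.AddCert(clientCA.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // serve one connection; Write runs the handshake, which fails on a bad client cert
		if c, err := ln.Accept(); err == nil {
			c.Write([]byte("ok"))
			c.Close()
		}
	}()
	cli := &tls.Config{RootCAs: x509.NewCertPool(), ServerName: "example.com"}
	cli.RootCAs.AddCert(originCA.Leaf) // the caller verifies the origin cert as well
	if client != nil {
		cli.Certificates = []tls.Certificate{*client}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return fmt.Errorf("handshake refused: %w", err)
	}
	defer conn.Close()
	// Under TLS 1.3 the verdict on the client cert arrives after Dial returns, so read the reply.
	if _, err := io.ReadFull(conn, make([]byte, 2)); err != nil {
		return fmt.Errorf("rejected by origin: %w", err)
	}
	return nil
}

func main() {
	originCA, origin, clientCA, proxy, rogue := standInPKI()
	fmt.Println("proxy, trusted client cert:  ", pull(originCA, origin, clientCA, &proxy))
	fmt.Println("direct hit, no client cert:  ", pull(originCA, origin, clientCA, nil))
	fmt.Println("client cert from another CA: ", pull(originCA, origin, clientCA, &rogue))
}
```

Run with go run: the first connection succeeds and the other two return errors, which is the whole point of the setup. One detail carries over to the real deployment: the client checks the reply rather than trusting that the handshake returned, because with TLS 1.3 the server's verdict on the client certificate arrives after the client's handshake has completed. A direct request to Nginx behaves the same way, completing the handshake and then receiving the 400 response described above.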