How to Host a Website Using Cloudflare and Nginx on Ubuntu

Cloudflare is a service that sits between the visitor and the website owner's server and acts as a reverse proxy for websites. Cloudflare provides DDoS mitigation and distributed domain name server services, as well as a Content Delivery Network (CDN).

Nginx is a popular web server responsible for hosting some of the largest and highest traffic sites on the internet. It is common for organizations to serve their websites with Nginx and use Cloudflare as their CDN and DNS provider.

In this tutorial, you will secure your Nginx-served website with an Origin CA certificate from Cloudflare and configure Nginx to use Authenticated Origin Pulls. The advantage of this setup is that every connection to your site goes through Cloudflare, so you benefit from Cloudflare's CDN and fast DNS resolution while requests that bypass Cloudflare, including malicious ones, never reach your server.

Prerequisites
You will need the following to complete this tutorial:

An Ubuntu 16.04 server set up by following the Ubuntu 16.04 initial server setup guide, including a sudo non-root user and a firewall.
Nginx installed on your server, as shown in How to Install Nginx on Ubuntu 16.04.
A Cloudflare account.
A registered domain added to your Cloudflare account and pointing to your Nginx server. To set this up, see How to Mitigate DDoS Attacks on Your Website with CloudFlare.
An Nginx server block configured for your domain, which you can do by following How to Install Nginx Server Blocks (Virtual Hosts) in Ubuntu 16.04.
Step 1 — Creating an Origin CA TLS Certificate
Cloudflare Origin CA allows you to generate a free Cloudflare signed TLS certificate to upload to your Nginx server. Using the TLS certificate generated by Cloudflare, you can secure the connection between Cloudflare servers and your Nginx server.

To generate a certificate with Origin CA, go to the Crypto section of your Cloudflare control panel. From there, click on the Create Certificate button in the Origin Certificates section:

Leave the default option of Allow CloudFlare to generate a private key and a CSR selected.

Click Next and you will see a dialog box containing the Origin Certificate and Private key. You need to copy both the origin certificate and the private key from Cloudflare to your server.

We will use the /etc/ssl/certs directory on the server to hold the origin certificate, and the /etc/ssl/private directory to hold the private key file. Both directories already exist on the server.

First, copy the contents of the Origin Certificate displayed in the dialog box in your browser.

Then open /etc/ssl/certs/cert.pem for editing on your server:

sudo nano /etc/ssl/certs/cert.pem

Paste the certificate content into the file. Then save and exit the editor.

Then return to your browser and copy the contents of the private key. Open /etc/ssl/private/key.pem for editing:

sudo nano /etc/ssl/private/key.pem

Paste the key into the file, save the file and exit the editor. Anyone holding this key can impersonate your origin to Cloudflare, so keep it readable by root only; on Ubuntu the /etc/ssl/private directory is already not accessible to other users.

Warning: Cloudflare's Origin CA Certificate is trusted only by Cloudflare and therefore should only be used by Origin servers that are actively connected to Cloudflare. If you pause or disable Cloudflare at any point, your Origin CA certificate will return an untrusted certificate error.

Now that you have copied the key and certificate files to your server, you need to update the Nginx configuration to use them.

Step 2 — Installing the Origin CA Certificate in Nginx
In the previous section, you created an origin certificate and private key using Cloudflare's control panel and saved the files to your server. You will now update your site's Nginx configuration to use the origin certificate and private key to secure the connection between Cloudflare's servers and your server.

Nginx creates a default server block during installation. If you have already configured a dedicated server block for your domain, remove the default one:

sudo rm /etc/nginx/sites-enabled/default

Next, open the Nginx configuration file for your domain:

sudo nano /etc/nginx/sites-available/example.com

The file should look like this:

/etc/nginx/sites-available/example.com
server {
    listen 80;
    listen [::]:80;

    root /var/www/example.com/html;
    index index.html index.htm index.nginx-debian.html;

    server_name example.com www.example.com;

    location / {
        try_files $uri $uri/ =404;
    }
}

We will modify the Nginx configuration file to do the following:

Listen on port 80 and redirect all requests to https.
Listen on port 443 and use the origin certificate and private key you added in the previous section.

Change the file so that it looks like this:

/etc/nginx/sites-available/example.com
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 302 https://$server_name$request_uri;
}

server {

    # SSL configuration

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl on;  # redundant with the ssl parameter of listen; deprecated since Nginx 1.15 and removed in 1.25
    ssl_certificate /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/key.pem;

    server_name example.com www.example.com;

    root /var/www/example.com/html;
    index index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

Save the file and exit the editor.

Then test to make sure there are no syntax errors in any of your Nginx config files:

sudo nginx -t

If no problems are found, restart Nginx to activate your changes:

sudo systemctl restart nginx

Now go to the Crypto section of the Cloudflare dashboard and change the SSL mode to Full. This instructs Cloudflare to always encrypt the connection between Cloudflare and your origin Nginx server.

Now, to verify that it has been set up correctly, visit your website at https://example.com. You will see your homepage displayed, and the browser will report that the site is secure.

In the next section, you will set up Authenticated Origin Pulls to verify that your origin server is indeed talking to Cloudflare and not to some other client. Nginx will be configured to accept only requests that present a valid client certificate from Cloudflare, rejecting any request that does not come through Cloudflare.

Step 3 — Setting Up Authenticated Origin Pulls
The Origin CA certificate helps Cloudflare verify that it is talking to the correct origin server. But how can your origin Nginx server verify that it is indeed talking to Cloudflare? Enter TLS client authentication.

In client-authenticated TLS negotiation, both parties present a certificate to be validated. The origin server is configured to accept only requests that use a valid client certificate from Cloudflare. Requests that do not go through Cloudflare are rejected, as they will not carry the Cloudflare certificate. This means that attackers cannot bypass Cloudflare's security measures and connect directly to your Nginx server.

Cloudflare presents a client certificate signed by its own Origin Pull CA, whose certificate you need on the server:

You can also download the certificate directly from Cloudflare. Note that the copy reproduced in the original tutorial was valid only from 13 January 2015 to 12 January 2020, so fetch the current CA certificate from Cloudflare rather than reusing an old copy.

Copy the certificate.

Next, create the file /etc/ssl/certs/cloudflare.crt to hold the Cloudflare CA certificate:

sudo nano /etc/ssl/certs/cloudflare.crt

Paste the certificate into the file. Then save the file and exit the editor.

Now update your Nginx configuration to use TLS Authenticated Origin Pulls. Open the configuration file for your domain:

sudo nano /etc/nginx/sites-available/example.com

Add the ssl_client_certificate and ssl_verify_client directives as shown in the example below:

/etc/nginx/sites-available/example.com
. . .

server {

    # SSL configuration

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl on;
    ssl_certificate /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/key.pem;
    ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
    ssl_verify_client on;

. . .

Save the file and exit the editor.

Then test to make sure there are no syntax errors in your Nginx configuration.

sudo nginx -t

If no problems are found, restart Nginx to activate your changes:

sudo systemctl restart nginx

Finally, to enable Authenticated Origin Pulls, open the Crypto section of the Cloudflare dashboard and set the Authenticated Origin Pulls option to On.

Now visit your website at https://example.com to verify that it has been set up correctly. As before, you will see your homepage displayed.

To verify that your server only accepts requests carrying a client certificate signed by Cloudflare's CA, set the Authenticated Origin Pulls option to Off and reload your website. You should get an error from Nginx: a 400 Bad Request page stating that no required SSL certificate was sent.

If a request is not signed by Cloudflare's CA, your origin server throws an error.

Now that you know it works properly, go back to the Crypto section of the Cloudflare dashboard and set the Authenticated Origin Pulls option back to On.
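As an added check (example code written for this page, not part of the original tutorial or of Nginx), the following Python script parses a server configuration and flags any deviation from the hardened shape built in Steps 2 and 3: the plain-HTTP server must redirect to https, and every TLS server must carry the origin certificate, its key and the Cloudflare client-CA directives with ssl_verify_client on. The embedded sample configuration is constructed from the tutorial's own example, and the parser is a minimal one that handles only the directive and block syntax used here.

```python
import re

SAMPLE_CONF = """
server {
    listen 80;
    server_name example.com www.example.com;
    return 302 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    ssl_certificate /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/key.pem;
    ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
    ssl_verify_client on;
    location / { try_files $uri $uri/ =404; }
}
"""  # constructed sample: the hardened config built in Steps 2 and 3 of the tutorial

def parse_server_blocks(text):
    """One dict per top-level server block: directive name -> list of argument lists."""
    text = re.sub(r"#[^\n]*", "", text)          # drop comments
    blocks, current, depth = [], None, 0
    for m in re.finditer(r"([^;{}]+?)\s*([;{])|(})", text):
        words = (m.group(1) or "").split()
        if m.group(3):                           # closing brace
            depth -= 1
            if depth == 0:
                current = None
        elif m.group(2) == "{":                  # block opener (server, location, ...)
            if depth == 0 and words[:1] == ["server"]:
                current = {}
                blocks.append(current)
            depth += 1
        elif words and current is not None:      # directive; nested blocks are flattened
            current.setdefault(words[0], []).append(words[1:])
    return blocks

def check_hardening(conf):
    """Return problems; [] means HTTP redirects to https and TLS servers demand Cloudflare's client cert."""
    blocks = parse_server_blocks(conf)
    tls = [b for b in blocks if any("ssl" in a for a in b.get("listen", []))]
    problems = [] if tls else ["no ssl server block"]
    for b in blocks:
        if b in tls:
            problems += ["missing " + d for d in ("ssl_certificate", "ssl_certificate_key", "ssl_client_certificate") if d not in b]
            if b.get("ssl_verify_client") != [["on"]]:
                problems.append("ssl_verify_client is not on: direct requests would be accepted")
        elif not any(len(a) == 2 and a[0] in ("301", "302") and a[1].startswith("https://") for a in b.get("return", [])):
            problems.append("plain-HTTP server does not redirect to https")
    return problems
```

Run it against the real file with check_hardening(open("/etc/nginx/sites-available/example.com").read()) after each edit; an empty list means the file still has the shape this tutorial builds.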

Conclusion
In this tutorial, you secured your Nginx-powered website by encrypting traffic between Cloudflare and your Nginx server with an Origin CA certificate from Cloudflare. You then set up Authenticated Origin Pulls on the Nginx server so that it only accepts requests from Cloudflare's servers, preventing anyone else from connecting directly to the Nginx server.
