If this is your first time hearing about Nginx and Cloudflare, you are not alone. This tutorial explains what each of them is and how a website served by Nginx on Ubuntu 18.04 can be put behind Cloudflare securely.
What is Nginx and Cloudflare?
To begin with, if you have built or own a website that is likely to attract a lot of traffic, Nginx is a web server you should seriously consider for hosting it.
Over the years Nginx has built its reputation as a web server well suited to serving very high-traffic sites.
Cloudflare, on the other hand, sits between a website's visitors and its web server: visitors connect to Cloudflare's edge servers, and Cloudflare connects to your server (the "origin").
In other words, Cloudflare acts as a "reverse proxy" for the website. Cloudflare provides the following services;
- Content Delivery Network or CDN
- DDoS mitigation
- Authoritative DNS served from a distributed (anycast) network.
What you will Learn from this Tutorial
This tutorial is aimed at teaching you two things.
- How a high-traffic website served by Nginx can be made more secure with a Cloudflare Origin CA certificate, which encrypts and authenticates the connection between Cloudflare and your origin server.
- How Nginx can be configured to accept ONLY authenticated origin pulls, that is, requests that present a client certificate issued by Cloudflare.
Beyond security, this configuration gives you Cloudflare's fast DNS resolution and the benefits of Cloudflare's Content Delivery Network (CDN).
In addition, every connection to your server will pass through Cloudflare. With authenticated origin pulls enabled, a request sent directly to your origin's IP address fails the TLS client-certificate check and is refused, so only requests that have passed through Cloudflare's proxy (and whatever DDoS mitigation and firewall rules you have configured there) reach your server. Note that this does not hide your origin's IP address or close its ports; the protection is the certificate check, so keep your own firewall rules in place as well.
To follow this tutorial, you will need the following;
- An Ubuntu 18.04 server configured according to the initial server setup guide, with a firewall and a non-root user with sudo privileges.
- Nginx installed on that server.
- A Cloudflare account.
- A registered domain added to your Cloudflare account, with a DNS record pointing at your Nginx server and proxied through Cloudflare (the Origin CA certificate only works for proxied traffic).
- An Nginx server block configured for your domain. You can learn how to do this here.
Step #1: How To Generate a Cloudflare Origin CA TLS Certificate
A Cloudflare Origin CA TLS certificate can be generated for FREE. It is signed by Cloudflare's own certificate authority and is installed on your Nginx web server. Its importance is hard to overstate: it encrypts the connection between Cloudflare's edge servers and your Nginx server, and because Cloudflare trusts its own CA, it lets Cloudflare verify that it is talking to your origin and not to an impostor.
To generate an Origin CA certificate, open your domain in the Cloudflare dashboard and click "Crypto" (labelled "SSL/TLS" in newer versions of the dashboard). Then click the "Create Certificate" button under the "Origin Certificates" section.
Leave the default option selected, which lets Cloudflare generate both the private key and the CSR.
When you click "Next", a dialog box showing both the private key and the Cloudflare Origin CA certificate will appear. You need to transfer both from Cloudflare onto your web server. Copy the private key now: Cloudflare shows it only once and does not let you retrieve it later.
The private key will be stored in the /etc/ssl/private directory and the Origin CA certificate in the /etc/ssl/certs directory on your web server.
Copy the certificate from the dialog box, then on your web server open the file /etc/ssl/certs/cert.pem for editing;
$ sudo nano /etc/ssl/certs/cert.pem
Paste the certificate into the file, save it and leave the editor.
Do the same for the private key: copy it from the dialog box on the Cloudflare dashboard, then on your server open the file /etc/ssl/private/key.pem for editing;
$ sudo nano /etc/ssl/private/key.pem
Paste the private key into the file, save it and leave the editor. On Ubuntu, /etc/ssl/private is readable only by root, but check that the key file itself is not world-readable (its mode should be 600, owner read/write only): anyone who can read it can impersonate your origin to Cloudflare.
A note of warning:
The Cloudflare Origin CA certificate is trusted ONLY by Cloudflare; it is not in any browser or operating-system trust store. It therefore works only while traffic to your origin is proxied through Cloudflare. If you pause Cloudflare for the site, or switch the DNS record to DNS-only, browsers will connect straight to your origin and report an "untrusted certificate" error.
Once the private key and certificate are saved in their separate files and directories on your web server, you will need to update your Nginx configuration to use them.
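The following script is an added example and not part of the original tutorial: before the Nginx configuration is changed, it checks that the pasted certificate and private key actually belong together (Nginx refuses to start with a mismatched pair) and installs them with the ownership and file modes described above. The destination paths match the tutorial; the script itself, its function names and the throwaway self-signed pair used by its offline self-check (constructed locally, not issued by Cloudflare) are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example (not part of the original tutorial): verify that an Origin CA
# certificate and its private key match, then install them with safe ownership
# and modes. Destination paths are the tutorial's; everything else is assumed.
set -eu

# Print the SubjectPublicKeyInfo (PEM) embedded in a certificate.
cert_public_key() {
  openssl x509 -in "$1" -noout -pubkey
}

# Print the SubjectPublicKeyInfo (PEM) derived from a private key.
key_public_key() {
  openssl pkey -in "$1" -pubout
}

# Return 0 if the certificate was issued for this private key, 1 otherwise.
cert_matches_key() {
  [ "$(cert_public_key "$1")" = "$(key_public_key "$2")" ]
}

# Copy the certificate (world-readable) and the key (root-only) into place,
# refusing a mismatched pair. Must be run as root.
install_origin_material() {
  cert_src=$1; key_src=$2
  cert_dst=${3:-/etc/ssl/certs/cert.pem}
  key_dst=${4:-/etc/ssl/private/key.pem}
  if ! cert_matches_key "$cert_src" "$key_src"; then
    echo "refusing to install: certificate and private key do not match" >&2
    return 1
  fi
  install -o root -g root -m 0644 "$cert_src" "$cert_dst"
  install -o root -g root -m 0600 "$key_src" "$key_dst"
  echo "installed $cert_dst (0644) and $key_dst (0600)"
}

# Offline self-check using a constructed stand-in pair (NOT Cloudflare-issued):
# a throwaway self-signed certificate must match its own key and not another.
self_check() {
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=constructed.test' \
    -keyout "$tmp/a.key" -out "$tmp/a.crt" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$tmp/b.key" >/dev/null 2>&1
  if cert_matches_key "$tmp/a.crt" "$tmp/a.key" \
     && ! cert_matches_key "$tmp/a.crt" "$tmp/b.key"; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$tmp"
  return $rc
}

# Usage (as root): ./install-origin-cert.sh origin.pem origin.key
# With no arguments the script only runs the offline self-check.
if [ "$#" -ge 2 ]; then
  install_origin_material "$@"
else
  self_check && echo "self-check passed: matching pair accepted, mismatch rejected"
fi
```

The comparison is done on the public keys rather than on moduli so that it works for both RSA and ECDSA material.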
Step #2: Installation of the Cloudflare Origin CA Certificate on your Nginx server
The first step of this tutorial explained how to generate a FREE Cloudflare Origin CA certificate, and how to copy the certificate and private key from your Cloudflare dashboard into files on your web server.
In this step, you will update the Nginx configuration to use the saved private key and Origin CA certificate, so that the connection between your web server and Cloudflare's servers is encrypted.
Note that Nginx creates a default server block at installation. Remove it if it is still enabled, since your domain already has its own server block;
$ sudo rm /etc/nginx/sites-enabled/default
Then open your domain's Nginx configuration file;
$ sudo nano /etc/nginx/sites-available/mywebsite.com
At this point the file holds the plain HTTP server block you created for your domain.
You will change it so that Nginx listens on both port 80 and port 443. On port 80, every request is redirected to "https". On port 443, the private key and Origin CA certificate are used, via the ssl_certificate_key and ssl_certificate directives.
Edit the file accordingly, then save it and leave the editor.
Then check the Nginx configuration for syntax errors;
$ sudo nginx -t
If no syntax errors are reported, restart Nginx for the changes to take effect;
$ sudo systemctl restart nginx
Next, go back to the "Crypto" section of your domain in the Cloudflare dashboard and set the "SSL" mode to "Full (strict)". In "Full" mode Cloudflare encrypts every connection to your origin but does not validate the origin's certificate; "Full (strict)" also validates it, which works here because the Origin CA certificate is trusted by Cloudflare.
Check that the setup works by visiting your site at https://mywebsite.com. The home page should load and the browser should report the connection as secure. (The certificate the browser sees is the one Cloudflare's edge presents to visitors, not your Origin CA certificate, which is used only between Cloudflare and your origin.)
Step #3: How To Configure Authenticated Origin Pulls
The final step of this tutorial shows how to configure Authenticated Origin Pulls. This ensures that your origin Nginx server is talking ONLY to servers belonging to Cloudflare.
Your origin Nginx server will be set up to accept ONLY requests that present a valid Cloudflare client certificate. Any request without one is rejected.
The Origin CA certificate lets Cloudflare confirm that it is talking to your origin server. For the reverse, that is, for your origin to confirm that it is talking ONLY to Cloudflare's servers, "TLS Client Authentication" comes into play: Cloudflare's edge presents a client certificate during the TLS handshake, and Nginx verifies it against the CA that issued it.
Because your origin then accepts ONLY requests carrying a Cloudflare-issued client certificate, an attacker who discovers your origin's IP address cannot bypass Cloudflare and talk to the origin directly: the client-certificate check fails and Nginx rejects the request.
Download Cloudflare's origin pull CA certificate from Cloudflare's documentation on Authenticated Origin Pulls. Note that this is NOT the Origin CA certificate you installed in Step 1: it is the certificate of the CA that signs the client certificates Cloudflare presents to your origin.
Create the file /etc/ssl/certs/cloudflare.crt, paste the origin pull CA certificate into it, then save and leave the editor.
$ sudo nano /etc/ssl/certs/cloudflare.crt
Next, update your Nginx configuration to enable TLS Authenticated Origin Pulls. Open your domain's configuration file;
$ sudo nano /etc/nginx/sites-available/mywebsite.com
Inside the port 443 server block, add the ssl_client_certificate directive pointing at /etc/ssl/certs/cloudflare.crt and the ssl_verify_client on directive. The first tells Nginx which CA to verify client certificates against; the second makes a valid client certificate mandatory.
Save the file and leave the editor.
Check again that the Nginx configuration has no syntax errors;
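The server block that Steps 2 and 3 describe (port 80 redirecting to HTTPS, port 443 serving with the Origin CA certificate, and the two client-authentication directives) is shown here as one added example; it is not a listing from the original tutorial. The script renders the block, installs and reloads it, and includes a probe that connects straight to the origin, bypassing Cloudflare, which is how you confirm that direct requests are refused. The domain, the www alias, the web root, the file paths and the function names are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example (not part of the original tutorial): render the domain's Nginx
# server block for Steps 2 and 3, install it, and probe the origin directly.
# Domain, web root, paths and the www alias are assumptions of the example.
set -eu

# Print a server block. Port 80 redirects to HTTPS; port 443 serves with the
# Origin CA certificate. If a fifth argument (path to Cloudflare's origin pull
# CA certificate) is given, TLS client authentication is required (Step 3).
render_server_block() {
  domain=$1; webroot=$2; cert=$3; key=$4; client_ca=${5:-}
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $domain www.$domain;
    # Send all plain HTTP traffic to HTTPS.
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name $domain www.$domain;

    # Cloudflare Origin CA certificate and private key from Step 1.
    ssl_certificate $cert;
    ssl_certificate_key $key;
    # TLSv1.3 needs an Nginx built against OpenSSL 1.1.1 or later.
    ssl_protocols TLSv1.2 TLSv1.3;
EOF
  if [ -n "$client_ca" ]; then
    cat <<EOF

    # Authenticated Origin Pulls (Step 3): accept only clients presenting a
    # certificate signed by Cloudflare's origin pull CA. A connection that
    # bypasses Cloudflare presents no certificate and is answered with 400.
    ssl_client_certificate $client_ca;
    ssl_verify_client on;
EOF
  fi
  cat <<EOF

    root $webroot;
    index index.html index.htm;

    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
}

# Write the block to sites-available, enable it, drop the default site,
# validate the configuration and reload Nginx. Must be run as root.
install_server_block() {
  domain=$1; shift
  conf=/etc/nginx/sites-available/$domain
  render_server_block "$domain" "$@" > "$conf"
  ln -sf "$conf" "/etc/nginx/sites-enabled/$domain"
  rm -f /etc/nginx/sites-enabled/default
  nginx -t && systemctl reload nginx
}

# Connect straight to the origin IP (bypassing Cloudflare) and print the HTTP
# status code. With authenticated origin pulls enforced this should be 400,
# because curl presents no client certificate. -k is needed because the Origin
# CA is not trusted by curl. Requires network access; not run offline.
probe_origin_direct() {
  origin_ip=$1; domain=$2
  curl -sk -o /dev/null -w '%{http_code}' \
    --resolve "$domain:443:$origin_ip" "https://$domain/"
}

# Usage (as root):
#   ./server-block.sh mywebsite.com /var/www/mywebsite.com/html \
#     /etc/ssl/certs/cert.pem /etc/ssl/private/key.pem /etc/ssl/certs/cloudflare.crt
if [ "$#" -ge 4 ]; then
  install_server_block "$@"
fi
```

Reloading rather than restarting Nginx keeps existing connections open while the new configuration is picked up. Run the probe only after Authenticated Origin Pulls is switched on in the Cloudflare dashboard; until then the site itself will also answer 400, because Cloudflare's edge is not yet presenting its client certificate.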
$ sudo nginx -t
If no issues are reported, restart your origin Nginx server for the changes to take effect;
$ sudo systemctl restart nginx
Finally, enable Authenticated Origin Pulls by visiting the "Crypto" section of your domain in the Cloudflare dashboard and switching the option on. Do this immediately after restarting Nginx: between the restart and enabling the option, Cloudflare's edge does not yet present a client certificate, so requests to your site will fail.
Visit https://mywebsite.com to confirm that the configuration works. As before, your home page should be displayed. To confirm that your origin Nginx server accepts ONLY requests signed by Cloudflare's CA, temporarily disable the Authenticated Origin Pulls option and reload your website. You should now see an error page instead of your home page;
Nginx returns an HTTP 400 error stating that no required SSL certificate was sent whenever a request does not present a client certificate signed by Cloudflare's origin pull CA.
Once you have confirmed that everything works, go back to the "Crypto" section of the Cloudflare dashboard and re-enable Authenticated Origin Pulls.
In this tutorial you secured a website served by Nginx by encrypting the connection between Cloudflare's servers and your Nginx web server with a FREE Cloudflare Origin CA certificate. You also configured Authenticated Origin Pulls on your origin Nginx server, so that it permits ONLY requests that arrive from Cloudflare's servers. Together these ensure that an attacker cannot bypass Cloudflare and connect to your origin Nginx web server directly, even if they learn its IP address.