    Cloudflare and Nginx reverse proxy background.

    IT Discussion
    cloudflare nginx reverse proxy
travisdh1 (last edited by travisdh1):

      This isn't nearly a complete guide, just some background that @EddieJennings was doing some research/learning on.

So, I've only found one way that would get a Letsencrypt cert working with an Nginx reverse proxy for the transport back end to Cloudflare. The free Cloudflare DDOS mitigation service will normally handle all TLS traffic on their front end, and very well from the limited testing I've done (places like ssllabs.com).

      certbot-2 certonly  --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini --renew-by-default -d travisdh1.net 
      

      So, certbot-2 is the current version of the certbot client in the Fedora repositories. Comes in python2-certbot. They also have a python3-certbot, but that's only needed if you've switched to python3, and I don't see a reason to do such on a reverse proxy.

      certonly because certbot just doesn't deal with reverse proxy configs properly yet. It's great if you're only running a single web server off a single box, but tends to mess up configs for you in more complex configurations.

      --dns-cloudflare is a plugin. Also available in the default repositories now as python2-certbot-dns-cloudflare.noarch. Handles the Cloudflare authorization, which used to be more difficult than with this plugin. I didn't find any documentation on this plugin when Googling on how to do this, I blame bad Googlefu.

--dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini Exactly what it looks like, a .ini file with your Cloudflare credentials. Your registered email address and api_key should be all that's needed. Mine looks something like:

      # Cloudflare API credentials used by Certbot
      dns_cloudflare_email = [email protected]
      dns_cloudflare_api_key = longstringofgobelygook
      

      --renew-by-default Tell Certbot that we want to renew the certificate(s). Honestly, I forget why I put this in here with the initial cert request.

      Finally, every single domain and/or subdomain you want the certificate to be valid for needs to be listed with -d domain.com. So subdomains are -d subdomain.domain.com. I currently have 17 subdomains and the main domain that all get certs this way.

      That doesn't mean they all work at any given time, it is my home lab box that I purposely break **** on.

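The request in the post above, wrapped in a small script as an added example (this is not travisdh1's own script, nor anything from certbot): it builds the `-d` list from a plain hostname list, refuses to run if the credentials file is world-readable or incomplete, and prints the command with `--dry-run` so the whole setup can be rehearsed against the Let's Encrypt staging CA. Assumed from the post are the `certbot-2` binary name and the `~/.secrets/certbot/cloudflare.ini` path; the domain names and credential values in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Wraps the certbot DNS-01 request from the
# post above so the Cloudflare credentials file is sanity-checked before certbot runs.
# Assumed: the certbot-2 binary name and ~/.secrets/certbot/cloudflare.ini path
# come from the post; domain names and credential values below are placeholders.
set -u

# Turn a list of hostnames into "-d a -d b ...", lower-casing, dropping duplicates
# and rejecting anything that is not a plausible DNS name.
certbot_domain_args() {
    args=""
    seen=" "
    for d in "$@"; do
        d=$(printf '%s' "$d" | tr 'A-Z' 'a-z')
        case "$d" in
            ""|.*|*.|*[!a-z0-9.-]*) continue ;;    # empty, leading/trailing dot, bad chars
        esac
        case "$seen" in *" $d "*) continue ;; esac # duplicate
        seen="$seen$d "
        args="$args -d $d"
    done
    printf '%s' "${args# }"
}

# The ini holds a global API key, which is as powerful as the account password:
# require owner-only permissions and both keys the dns-cloudflare plugin reads.
check_cloudflare_ini() {
    ini=$1
    [ -f "$ini" ] || { echo "missing credentials file: $ini" >&2; return 1; }
    mode=$(stat -c '%a' "$ini" 2>/dev/null || stat -f '%Lp' "$ini")
    case "$mode" in
        600|400) ;;
        *) echo "$ini is mode $mode, expected 600 (chmod 600 $ini)" >&2; return 1 ;;
    esac
    if ! grep -q '^dns_cloudflare_email *=' "$ini" || ! grep -q '^dns_cloudflare_api_key *=' "$ini"; then
        echo "$ini must define dns_cloudflare_email and dns_cloudflare_api_key" >&2
        return 1
    fi
    return 0
}

# Print the full request without running it; --dry-run points certbot at the
# Let's Encrypt staging CA so the setup can be rehearsed without issuing a real cert.
build_certbot_cmd() {
    ini=$1; shift
    printf 'certbot-2 certonly --dns-cloudflare --dns-cloudflare-credentials %s --dry-run %s\n' \
        "$ini" "$(certbot_domain_args "$@")"
}

# Demo with a constructed credentials file in a temp dir (placeholder values).
demo() {
    tmp=$(mktemp -d)
    ini="$tmp/cloudflare.ini"
    printf 'dns_cloudflare_email = user@example.invalid\ndns_cloudflare_api_key = PLACEHOLDER\n' > "$ini"
    chmod 644 "$ini"
    check_cloudflare_ini "$ini" || echo "rejected as expected; fixing permissions"
    chmod 600 "$ini"
    check_cloudflare_ini "$ini" && build_certbot_cmd "$ini" travisdh1.net Lab.travisdh1.net travisdh1.net
    rm -rf "$tmp"
}
demo
```

Drop the `--dry-run` once the staging run succeeds, and keep the `-d` list in a file under version control so the subdomain set (the post has 17 of them) is reviewed rather than retyped each time.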
travisdh1:

        Almost forgot a couple other "little" items.

        I have a crontab setup to have certbot check the renewal every day.

        1 5 * * * /usr/bin/certbot-2 renew
        

        The certifications themselves go in /etc/letsencrypt/live/domain.com/. I created a couple of symlinks in /etc/ssl/ that point back to the letsencrypt files. At the time, it was much easier to remember the full path and filename to /etc/ssl/domain.com.key and /etc/ssl/domain.com.crt than the full path and filenames that certbot used.

        travisdh1.net.key -> /etc/letsencrypt/live/travisdh1.net/privkey.pem
        travisdh1.net.pem -> /etc/letsencrypt/live/travisdh1.net/fullchain.pem
        

        Then it's just a matter of plugging those two files into the ssl_certificate and ssl_certificate_key lines from @JaredBusch's guide: https://mangolassi.it/topic/16651/install-nginx-as-a-reverse-proxy-on-fedora-27

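A deploy hook that goes with the daily `certbot-2 renew` cron entry and the /etc/ssl symlinks described in the post, written here as an added example (not travisdh1's setup and not certbot code): after a successful renewal it re-points the two links, confirms they resolve to readable files, warns if the private key is readable by others, and reloads nginx only if `nginx -t` passes. Assumed: certbot's documented `RENEWED_LINEAGE` variable (set to the `/etc/letsencrypt/live/<domain>` directory when deploy hooks run), the link names from the post, and directory parameters so the logic can be exercised in a temp directory.

```shell
#!/bin/sh
# Added example, not from the thread. Certbot deploy hook: refresh the /etc/ssl
# symlinks from the post above, verify them, then reload nginx only when its
# configuration validates. Paths are parameters so the functions can be tested
# against a temp directory instead of the real /etc tree.
set -u

# Create or refresh one symlink; succeed only when it now resolves to the target.
ensure_link() {
    link=$1; target=$2
    ln -sfn "$target" "$link" || return 1
    [ "$(readlink "$link")" = "$target" ] && [ -e "$link" ]
}

# Refresh <domain>.key and <domain>.pem under ssl_dir (naming as in the post) and
# make sure both point at files that exist; warn if the key is too open.
refresh_cert_links() {
    domain=$1; ssl_dir=$2; live_dir=$3
    ensure_link "$ssl_dir/$domain.key" "$live_dir/$domain/privkey.pem" || return 1
    ensure_link "$ssl_dir/$domain.pem" "$live_dir/$domain/fullchain.pem" || return 1
    mode=$(stat -L -c '%a' "$ssl_dir/$domain.key" 2>/dev/null || stat -L -f '%Lp' "$ssl_dir/$domain.key")
    case "$mode" in
        600|640|400) ;;
        *) echo "warning: $domain private key is mode $mode; consider chmod 600 on the target" >&2 ;;
    esac
    return 0
}

# Reload nginx only when the configuration (which now references the new files) validates.
reload_nginx() {
    command -v nginx >/dev/null 2>&1 || { echo "nginx not installed; skipping reload" >&2; return 0; }
    nginx -t && systemctl reload nginx
}

# Hook entry point: certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/travisdh1.net)
# for each certificate it actually renewed; with it unset (manual run, tests) nothing happens.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    dom=$(basename "$RENEWED_LINEAGE")
    refresh_cert_links "$dom" /etc/ssl /etc/letsencrypt/live && reload_nginx
fi
```

Save it executable under /etc/letsencrypt/renewal-hooks/deploy/ (or pass it with `--deploy-hook`); certbot runs deploy hooks only for certificates it actually renewed, so the daily cron run stays a no-op until a renewal happens. Validating with `nginx -t` before reloading matters because a reload with a broken certificate path leaves the old worker processes serving until nginx is restarted, and a restart would then fail.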
taurex:

          @travisdh1 Are there any benefits of configuring your own reverse-proxy if it's running behind CloudFlare that is essentially the one already? I know they offer their own Origin CA certs that you can install on your web servers to encrypt the traffic between CF and your cloud. As long as you're happy to stick with CloudFlare, there will be no need to run cron jobs with certbot renewals every 3 months.

JaredBusch, replying to @taurex:

            @taurex said in Cloudflare and Nginx reverse proxy background.:

            @travisdh1 Are there any benefits of configuring your own reverse-proxy if it's running behind CloudFlare that is essentially the one already? I know they offer their own Origin CA certs that you can install on your web servers to encrypt the traffic between CF and your cloud. As long as you're happy to stick with CloudFlare, there will be no need to run cron jobs with certbot renewals every 3 months.

            You can run a self signed cert on your local server and still be 100% encrypted with CloudFlare.

black3dynamite, replying to @taurex:

              @taurex said in Cloudflare and Nginx reverse proxy background.:

              @travisdh1 Are there any benefits of configuring your own reverse-proxy if it's running behind CloudFlare that is essentially the one already? I know they offer their own Origin CA certs that you can install on your web servers to encrypt the traffic between CF and your cloud. As long as you're happy to stick with CloudFlare, there will be no need to run cron jobs with certbot renewals every 3 months.

I still use a reverse proxy but I'm using self-signed certs. I just have to make sure to select Full SSL instead of Full SSL (strict). Too many cool things I can do using reverse proxy like upstream.

travisdh1, replying to @taurex:

                @taurex said in Cloudflare and Nginx reverse proxy background.:

                @travisdh1 Are there any benefits of configuring your own reverse-proxy if it's running behind CloudFlare that is essentially the one already? I know they offer their own Origin CA certs that you can install on your web servers to encrypt the traffic between CF and your cloud. As long as you're happy to stick with CloudFlare, there will be no need to run cron jobs with certbot renewals every 3 months.

                As @JaredBusch said, you can run self-signed certs with CloudFlare just fine. This was for my home lab, so I purposely do things the hard way sometimes, just to see what it's like. That's why I originally tackled this anyway. Running a reverse proxy mostly so I don't have to pay for nearly 30 IP addresses on the box I rent for it.
