Cloudflare and Nginx reverse proxy background.

travisdh1

This isn't nearly a complete guide, just some background that @EddieJennings was doing some research/learning on.

So, I've only found one way that would get a Letsencrypt cert working with an Nginx reverse proxy for the transport back end to Cloudflare. The free Cloudflare DDOS mitigation service will normally handle all TLS traffic on their front end, and very well from the limited testing I've done (places like ssllabs.com)

certbot-2 certonly  --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini --renew-by-default -d travisdh1.net 

So, certbot-2 is the current version of the certbot client in the Fedora repositories. Comes in python2-certbot. They also have a python3-certbot, but that's only needed if you've switched to python3, and I don't see a reason to do such on a reverse proxy.

certonly because certbot just doesn't deal with reverse proxy configs properly yet. It's great if you're only running a single web server off a single box, but tends to mess up configs for you in more complex configurations.

--dns-cloudflare is a plugin. Also available in the default repositories now as python2-certbot-dns-cloudflare.noarch. Handles the Cloudflare authorization, which used to be more difficult than with this plugin. I didn't find any documentation on this plugin when Googling on how to do this, I blame bad Googlefu.

--dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini Exactly what it looks like, an .ini file with your Cloudflare credentials. You're registered email address and api_key should be all that's needed. Mine looks something like:

# Cloudflare API credentials used by Certbot
dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = longstringofgobelygook

--renew-by-default Tell Certbot that we want to renew the certificate(s). Honestly, I forget why I put this in here with the initial cert request.

Finally, every single domain and/or subdomain you want the certificate to be valid for needs to be listed with -d domain.com. So subdomains are -d subdomain.domain.com. I currently have 17 subdomains and the main domain that all get certs this way.

That doesn't mean they all work at any given time, it is my home lab box that I purposely break **** on.

travisdh1

Almost forgot a couple other "little" items.

I have a crontab setup to have certbot check the renewal every day.

1 5 * * * /usr/bin/certbot-2 renew

The certifications themselves go in /etc/letsencrypt/live/domain.com/. I created a couple of symlinks in /etc/ssl/ that point back to the letsencrypt files. At the time, it was much easier to remember the full path and filename to /etc/ssl/domain.com.key and /etc/ssl/domain.com.crt than the full path and filenames that certbot used.

travisdh1.net.key -> /etc/letsencrypt/live/travisdh1.net/privkey.pem
travisdh1.net.pem -> /etc/letsencrypt/live/travisdh1.net/fullchain.pem

Then it's just a matter of plugging those two files into the ssl_certificate and ssl_certificate_key lines from @JaredBusch's guide: https://mangolassi.it/topic/16651/install-nginx-as-a-reverse-proxy-on-fedora-27

taurex

@travisdh1 Are there any benefits of configuring your own reverse-proxy if it's running behind CloudFlare that is essentially the one already? I know they offer their own Origin CA certs that you can install on your web servers to encrypt the traffic between CF and your cloud. As long as you're happy to stick with CloudFlare, there will be no need to run cron jobs with certbot renewals every 3 months.

JaredBusch

@taurex said in Cloudflare and Nginx reverse proxy background.:

@travisdh1 Are there any benefits of configuring your own reverse-proxy if it's running behind CloudFlare that is essentially the one already? I know they offer their own Origin CA certs that you can install on your web servers to encrypt the traffic between CF and your cloud. As long as you're happy to stick with CloudFlare, there will be no need to run cron jobs with certbot renewals every 3 months.

You can run a self signed cert on your local server and still be 100% encrypted with CloudFlare.

black3dynamite

@taurex said in Cloudflare and Nginx reverse proxy background.:

@travisdh1 Are there any benefits of configuring your own reverse-proxy if it's running behind CloudFlare that is essentially the one already? I know they offer their own Origin CA certs that you can install on your web servers to encrypt the traffic between CF and your cloud. As long as you're happy to stick with CloudFlare, there will be no need to run cron jobs with certbot renewals every 3 months.

I still use a reverse proxy but I'm using self-signed certs. I just have to make sure to select Full SSL instead of Full SSL (strict). To many cool things I can do using reverse proxy like upstream.

travisdh1

@taurex said in Cloudflare and Nginx reverse proxy background.:

@travisdh1 Are there any benefits of configuring your own reverse-proxy if it's running behind CloudFlare that is essentially the one already? I know they offer their own Origin CA certs that you can install on your web servers to encrypt the traffic between CF and your cloud. As long as you're happy to stick with CloudFlare, there will be no need to run cron jobs with certbot renewals every 3 months.

As @JaredBusch said, you can run self-signed certs with CloudFlare just fine. This was for my home lab, so I purposely do things the hard way sometimes, just to see what it's like. That's why I originally tackled this anyway. Running a reverse proxy mostly so I don't have to pay for nearly 30 IP addresses on the box I rent for it.