Cloudflare Origin Certificates with Nginx on Debian 10

Server information

  1. Debian 10
  2. Nginx 19
  3. A valid domain proxied on Cloudflare

Warning

An Origin Certificate covers domain.com and one-level subdomains such as xxx.domain.com. A second-level name such as www.xxx.domain.com is not supported.

Step 1: Enable proxy


Step 2: Enable Full (Strict) mode

Step 3: Create certificate

1. Click Create Certificate

2. Choose an ECDSA private key

3. Save your private key on your local computer (securely); Cloudflare shows it only at creation time

4. Set the correct minimum TLS version (under the Edge Certificates tab)

Server side configuration

Download the Cloudflare Origin CA root certificate (the ECC variant, saved as origin_ca_ecc_root.pem in the commands below):

https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates

Step 1: Go to the Nginx vhost and SSL configuration directories

ssl dir: /usr/local/nginx/conf/ssl
vhost dir: /usr/local/nginx/conf/vhost
Domain: domain.com

Step 2: Set up the SSL private key and certificate chain

In the ssl dir, append origin_ca_ecc_root.pem to the Origin Certificate you saved (the page calls this the public key) so that Nginx serves the full chain.

Example:

cd /usr/local/nginx/conf/ssl

## Download the Cloudflare Origin CA ECC root certificate
wget https://support.cloudflare.com/hc/article_attachments/360037898732/origin_ca_ecc_root.pem

## Certificate chain: the Origin Certificate from the dashboard (saved here as
## the file git.domain.com) comes first, the Cloudflare root is appended after it
cat git.domain.com origin_ca_ecc_root.pem > git.domain.com.pem

## Private key: paste the key you saved in Step 3, then restrict its permissions
nano git.domain.com.key
chmod 600 git.domain.com.key

## Done

Step 3: Configure the Nginx vhost

server {
  listen 80;
  listen [::]:80;
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  ssl_certificate /usr/local/nginx/conf/ssl/git.domain.com.pem;
  ssl_certificate_key /usr/local/nginx/conf/ssl/git.domain.com.key;
  # "ssl on;" removed: it is deprecated and forces TLS on the port 80 listeners too,
  # which breaks the HTTP-to-HTTPS redirect below; the "ssl" parameter on the
  # 443 listen lines is what enables TLS.
  # Optional Authenticated Origin Pulls: uncomment both lines so the origin only
  # accepts TLS connections that present Cloudflare's client certificate.
  #ssl_client_certificate /usr/local/nginx/conf/ssl/origin-pull-ca.pem;
  #ssl_verify_client on;
  # TLS 1.0/1.1 dropped; Cloudflare's edge negotiates TLS 1.2 or 1.3 with the origin
  ssl_protocols TLSv1.2 TLSv1.3;
  # With an ECDSA key the RSA and 3DES suites of the original list are never used
  ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5;
  ssl_prefer_server_ciphers on;
  # Disabling the access log also removes the record you would need to investigate an incident
  access_log off;
  server_name git.domain.com;
  root /data/wwwroot/git.domain.com;
  # Plain HTTP (no TLS protocol negotiated) is redirected to HTTPS
  if ($ssl_protocol = "") { return 301 https://$host$request_uri; }

  location / {
      proxy_pass http://127.0.0.1:3001;
      # Uncomment if the backend needs the original Host header and client address
      # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      # proxy_set_header X-Real-IP $remote_addr;
      # proxy_set_header Host $http_host;
      # proxy_set_header X-Forwarded-Proto $scheme;
      # proxy_max_temp_file_size 0;
      # proxy_redirect off;
      # proxy_read_timeout 120;
  }
}
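The checks a practitioner wants to run on the files from Step 2 before reloading Nginx, written as an added example for this page (not the page's own commands and not Cloudflare tooling). The file names git.domain.com.pem, git.domain.com.key and origin_ca_ecc_root.pem are the page's; the function names are assumptions, and it assumes OpenSSL 1.1.1 or newer (Debian 10 ships 1.1.1).

```shell
#!/bin/sh
# Added example: sanity-check the Origin Certificate bundle, its private key and
# the hostname before Nginx is pointed at them. File names follow the page.
set -euf

# Does one subjectAltName entry cover a hostname? Encodes the page's warning:
# a wildcard stands for exactly one label, so *.domain.com covers
# xxx.domain.com but neither domain.com nor www.xxx.domain.com.
san_covers() {
    host=$1; san=$2
    case $san in
        '*.'*) parent=${san#\*.}; label=${host%%.*}
               [ -n "$label" ] && [ "$host" = "$label.$parent" ] ;;
        *)     [ "$host" = "$san" ] ;;
    esac
}

# Does any DNS SAN in the first certificate of the bundle cover the host?
# (-ext needs OpenSSL 1.1.1 or later; set -f above keeps "*." literal.)
cert_covers_host() {
    for san in $(openssl x509 -in "$1" -noout -ext subjectAltName | tr ',' '\n' | sed -n 's/^ *DNS://p'); do
        san_covers "$2" "$san" && return 0
    done
    return 1
}

# The certificate's embedded public key must equal the one derived from the
# private key (works for the ECDSA key the page chooses and for RSA).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The first certificate in the bundle must verify against the Origin CA root.
# Browsers do not trust that root, only Cloudflare's edge does, so the site must
# stay proxied and clients must never reach the origin directly.
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Usage: check_origin_files git.domain.com.pem git.domain.com.key origin_ca_ecc_root.pem git.domain.com
check_origin_files() {
    bundle=$1; key=$2; root=$3; host=$4; status=0
    chain_verifies "$bundle" "$root"   || { echo "FAIL: $bundle does not chain to $root" >&2; status=1; }
    key_matches_cert "$bundle" "$key"  || { echo "FAIL: $key does not belong to $bundle" >&2; status=1; }
    cert_covers_host "$bundle" "$host" || { echo "FAIL: no SAN covers $host (a wildcard covers one label only)" >&2; status=1; }
    # The private key must not be readable by group or other (chmod 600)
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] || echo "WARN: $key is readable by others; chmod 600 it" >&2
    return $status
}

if [ $# -eq 4 ]; then check_origin_files "$@"; fi
```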
