SSL Cloudflare Can someone explain how to toggle CF off with Auth. Org. Pulls enabled?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by FluxTux, Oct 11, 2019.

  1. FluxTux

    FluxTux New Member

    Hi there all!

    As I'm relatively new to CMM, I'm struggling to understand a few mechanisms in regard to CMM vs Cloudflare as proxy.

    Hope some kind experienced CMM techie(s) may be able to help out a bit and explain a few things or point me elsewhere for answers. Probably, on a deeper level, I'm trying to wrap my head around a few server management fundamentals as well, so please bear with me.

    My questions probably relate to a lack of understanding of how a bidirectional SSL setup works between a CMM server and Cloudflare as proxy. Still, I hope to be pointed towards a best practice in regard to how to toggle Cloudflare protection on/off for a domain when the CF proxy setup has been secured by activating CF Authenticated Origin Pulls.

    The point of it all is to be able to test the CMM server's performance independently of the CDN, which seems to be a hassle, as earlier today I struggled with a bunch of 400 errors trying to 'roll back' the CF pulls.

    FYI the setup used looks like this:
    • Running the latest version of the CMM beta branch (123.09beta01)
    • Installed WP + SSL cert for my domain using CMM / acmetool via option 22. The chosen option for SSL is option 4.
    • Set up Cloudflare as proxy running an SSL cert (set to Full mode) and enabled "Authenticated Origin Pulls" via CF as well, cf. the safety recommendations in regard to avoiding IP leaks put forward by @eva2000 in the start guide.
    • Whitelisted Cloudflare IPs on the server following the CMM guide (don't have a link to the post at hand).
    The CF pulls setup worked fine out of the box after setting it all up. No errors whatsoever.

    I soon realised that the "Authenticated Origin Pulls" setup was less ideal for my needs, as I'm sort of used to toggling the Cloudflare cloud icon in the DNS settings to bypass the proxy in order to test the site / server's performance directly.

    However, doing so with AOP active triggers an Nginx 400 error, "400 Bad Request - No required SSL certificate was sent" (which I kind of get in hindsight, as I reckon the CF origin pulls act like a sort of two-way encryption handshake, so I guess deactivating breaks the chain?!?)

    Anyway, as I still need to test the site/server's performance both with / without CF, I figured the way forward would be to simply reverse the steps in the AOP setup, as it's a pretty simple process.

    So, at CMM I re-commented/deactivated the two CF lines in the SSL cert config file + in CF I toggled the Authenticated Origin Pulls feature inactive for the domain in question.

    However, this only resulted in the same "400 Bad Request - No required SSL certificate was sent" - whether an update delay is the reason I have no clue.

    I did try restarting Nginx + other server services and ultimately tried rebooting the server, to no effect in regard to the 400 errors.

    In the end I had zero clue as to how to resolve it - so I left it with AOP reinstated as active and the site N/A and left it there for 8 hours or so.

    Heading back to check, the certificate resolves correctly again with AOP active. But as such my basic issue remains unresolved - what is the recommended approach?

    Specifically:
    • When AOP has been activated for a domain, how can I toggle CF off for the domain momentarily in order to test the CMM server without bottlenecking the process in 400 certificate-unresolved error issues?
    • If it's insufficient to reverse the AOP setup process like I tried - what else is required by default to reverse? The 400 error issue never actually resolved once I tried to deactivate, but this may be due to my lack of patience, as I only waited an hour or so for the new setting to resolve (?)
    • If the issue is my lack of patience, what is in your experience the expected timeframe before the reverted setting catches on without errors?
    • ...or should I go about it in a completely different way??
    As you can tell I'm sort of shooting in the dark - any help to ease my understanding would be very much appreciated.

    Thanks!!
     
  2. JJC84

    JJC84 Premium Member
    If I remember correctly you have to generate a certificate via Cloudflare's site and install that on your server for the full mode to work properly. Let me see if I can dig up the instructions.
     
  3. FluxTux

    FluxTux New Member

    @JJC84 - thanks for helping out - appreciate it! :)

    Possibly I missed something. It was these CMM instructions I followed. I don't think I skipped any steps, and all the stuff did work out of the box.

    Don't know if you're thinking of the official CF auth key? That was installed on the server for the handshake during the process, as I'm on 123.09beta01. Getting no errors activating the 2 x CF lines in the SSL conf file seems to suggest that the bidirectional thing was going well...

    In the guide linked to above there's this fair warning from Eva2000:

    Guess I either missed the implication or just thought it wouldn't be an issue to revert settings for a while in order to test the CMM server without the proxy in front.

    Heading to bed now as it's getting late on my end. Please do let me know if you dig up anything relevant.
     
  4. JJC84

    JJC84 Premium Member
  5. FluxTux

    FluxTux New Member

    Just to be as specific and to the point about the current setup involved:
    • On the Cloudflare side there's an active SSL certificate set to the status of "Full"
    • On the CMM server side there's a full and active Let's Encrypt cert (cf. using sub-option 4 in the SSL part of the CMM installer).
    • Things do "work" in terms of the actual setup with Origin Pulls to CF - it's just how to bypass them without getting looped in 400 errors that's unclear to me (?)
    I do not recall generating an SSL certificate at CF as such (is that not a default thing at CF? My brain's farted out as it's too late here). Anyway, if I remember correctly I simply adjusted the status of the default SSL cert from "Flexible" to "Full" at the CF end (to get compliance).

    So... yeah... guess I'm on the lookout for the best possible practice in regard to switching CF on/off in spite of this AOP 'safety first' setting being active... or at least a best practice and/or insight into the most efficient / least involved way to toggle CF on/off with the AOP part active in order to do some direct testing.

    I'm way out of my comfort zone here, so just trying to be as explicit as possible in order for you to catch my drift... anyway... looking forward to any advice.
     
  6. JJC84

    JJC84 Premium Member

    Add that origin pull CA file to your server somewhere and update your Nginx configuration file with the stated lines. Follow the link I posted; it is a quick download.
     
  7. JJC84

    JJC84 Premium Member
    If you want to rest up a bit and go at it again tomorrow I will be around to walk you through it as well as I can.
     
  8. FluxTux

    FluxTux New Member

    Yup - that I did do, cf. my link in the last post. Just missed your reply while posting myself. Just trying to make it all clearer where I'm at, as the point is not how to get it working, rather how to bypass the setup on occasion... if that makes sense?
     
  9. JJC84

    JJC84 Premium Member

    Are you able to toggle the cloud icon on and off? [screenshot attached]
     
  10. JJC84

    JJC84 Premium Member

    You also said you have the Let's Encrypt cert, right, and I understand that, but do you have the cloudflare.crt from the origin pull certificate authority .pem file installed on the server and added to the nginx.conf for the specific domain as well?
     
  11. FluxTux

    FluxTux New Member

    Thanks! Awesome of you to offer help like that. Will tuck in now, but I tried to line my objective up in a nutshell at post #5 - please do let me know if you have any ideas or experiences in regard to that goal...

    Cheers and thanks again!
     
  12. JJC84

    JJC84 Premium Member

    Will do. I have borked this installation before and was able to fix it eventually, so it is going to bother me until I can remember how I fixed it.
     
  13. FluxTux

    FluxTux New Member

    I know the Swedish chef routine as well - sort of my specialty. Not sure this is pure failure though, as things do match up to work. Let me just address your questions before exiting though:

    I can sure toggle to grey clouds to disable the CF proxy - but the result of doing so would be the mentioned 400 error when browsing the domain. Anyway, my understanding is that was what Eva2000 meant about the heads-up I cited in the grey box in post #3 above (right?!)

    My bad if that was not clear. Should probably have mentioned that in specific terms. Having trouble remembering things like specific file names and dirs as of yet, tbh.

    Anyway - yes, CMM actually does the lifting in regard to most of this. I have just checked once again at the CMM server side to make sure, and it's all there and set up right thanks to the latest branch. E.g. I just had to uncomment those 2 lines manually, that's all. They were already imported, and the cloudflare crt was imported as well during the setup context following the link above (or maybe a sublink from that guide - it's sort of a blur). All confirmed - the setup does work.

    Anyway, so just to be clear cf. post #5. The issue is not as such that I can't get the certs working per se. The setup in itself seems to be all good and correct. The issue at hand is how to best circumvent said 400 errors - or to put it more straight - how to efficiently bypass the CF proxy even with this added security measure activated (if possible) in order to test the CMM server directly?

    Evidently the cloud toggle thing won't work in this case.

    I do think this sums up the matter / questions on my part the best I'm able... maybe we need to point this to @eva2000 for a bit of expert insight.

    Phew, think my brain just pooped... just felt I owed some specific answers to questions, as you very kindly invested your time trying to help me.
     
  14. JJC84

    JJC84 Premium Member

    Ahh, I finally get it! I believe, unfortunately, that if you have full SSL enabled you can't bypass the proxy. Let's see what Eva says. He always saves the day.
  15. JJC84

    JJC84 Premium Member

    When your configuration is set to Authenticated Origin Pulls restricted to the Cloudflare network, you aren't going to be able to turn the proxy off and have it return anything but 400.

    Once again, since Cloudflare gets in between the client request and your server, they are able to provide you with what's called "Flexible SSL". This means that the traffic is secure/encrypted between the visitor and Cloudflare's servers, but then they send the request to your server over HTTP (port 80), which is insecure. While this doesn't guarantee 100% secure communication, the good thing is that most of the time the man-in-the-middle type of attack occurs by a hacker intercepting the data going to and from the client, not data that is being transferred from server to server.

    That's the explanation I got while finding this cute diagram.
    [diagram: Cloudflare Flexible SSL]
  16. eva2000

    eva2000 Administrator Staff Member

    Temporarily disabling Cloudflare proxy protection/acceleration isn't the ideal way to test your origin without Cloudflare, as then attackers can learn your real origin server's (Centmin Mod server) IP address, which will then allow attackers to bypass Cloudflare at DNS level and access your Centmin Mod server directly. The Cloudflare Authenticated Origin Pull certificate setup does protect from such on HTTP port 80 and HTTPS port 443 related traffic for web application level Layer 7 attacks on your site/web app, i.e. WordPress. So access would get the expected Nginx 400 Bad Request, as only requests from Cloudflare SSL cert authenticated servers to your origin server would be accepted, as you and @JJC84 have found out :)

    Right now, for testing the origin, instead of disabling the Cloudflare proxy, just disable the Cloudflare Authenticated Origin Pull cert lines in your Nginx vhost but leave the Cloudflare proxy enabled.
    Comment out to disable with a hash # in front:
    Code (Text):
    #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
    #ssl_verify_client on;
    

    Restart Nginx and then you can test your origin directly via the local hosts file DNS override method like the one outlined at Upgrade - Nginx - Insight Guide - Centmin Mod Site Data Migration Guide, so that only you directly hit your Centmin Mod origin server's real IP (when you know the real IP) and every other visitor hits the Cloudflare proxy.

    Then for page speed testing, the only tool I use most is webpagetest.org. See WebPerf - PageSpeed - How to use webpagetest.org for page load speed testing, and you have advanced scripting options to configure setDns to again override DNS at the webpagetest.org test server level: Scripting - WebPagetest Documentation.

    This basically allows you to test the real origin server behind Cloudflare (when Authenticated Origin Pulls is temporarily disabled), as you're telling webpagetest to override DNS locally via setDns to point your domain to the real server IP while still keeping Cloudflare proxy protection for all other visitors.
     
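The procedure eva2000 lays out above (comment out the two AOP directives in the vhost, reload Nginx, hit the origin by IP while the public DNS record stays proxied, then put the directives back), together with the 400 "No required SSL certificate was sent" response FluxTux hit in post #1, as an added shell example. This is not code from the thread or from Centmin Mod; the vhost file name, the certificate paths inside it and the origin IP 203.0.113.10 are assumptions, and the sample vhost is constructed in a temp directory so the script runs without Nginx or a network.

```shell
#!/bin/sh
# Added example (not Centmin Mod's own tooling): toggle the Cloudflare
# Authenticated Origin Pull directives in an Nginx vhost and probe the
# origin directly, leaving the Cloudflare proxy on for everyone else.
#
# Assumption (hypothetical, for illustration): the vhost carries the two
# directives one per line, as Centmin Mod writes them.
set -eu

# Comment out the two AOP directives (the "temporarily disable" step).
aop_off() {
    f="$1"
    sed -E 's/^([[:space:]]*)(ssl_client_certificate|ssl_verify_client)([[:space:]])/\1#\2\3/' \
        "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
}

# Uncomment them again: run this as soon as testing is done, otherwise the
# origin answers anyone who knows its IP, not just Cloudflare.
aop_on() {
    f="$1"
    sed -E 's/^([[:space:]]*)#[[:space:]]*(ssl_client_certificate|ssl_verify_client)([[:space:]])/\1\2\3/' \
        "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
}

# Report whether client-certificate verification is active in the vhost.
aop_status() {
    if grep -qE '^[[:space:]]*ssl_verify_client[[:space:]]+on[[:space:]]*;' "$1"; then
        echo on
    else
        echo off
    fi
}

# Syntax-check and reload Nginx only where it is installed (no-op elsewhere).
nginx_reload() {
    if command -v nginx >/dev/null 2>&1; then
        nginx -t && nginx -s reload
    fi
}

# Hit the origin IP directly while the DNS record stays orange-clouded.
# --resolve pins just this one request, the same effect as a hosts-file
# override. With AOP still on this prints 400 (no client cert was sent);
# after aop_off + nginx_reload it should print 200.
check_origin() {
    domain="$1"; ip="$2"
    curl -s -o /dev/null -w '%{http_code}\n' \
        --resolve "$domain:443:$ip" "https://$domain/"
}

# Constructed sample vhost (assumed paths) so the toggle can be exercised
# stand-alone; prints the path of the file it wrote.
demo_vhost() {
    d=$(mktemp -d)
    cat > "$d/domain.com.ssl.conf" <<'EOF'
server {
  listen 443 ssl http2;
  server_name domain.com www.domain.com;
  ssl_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.cer;
  ssl_certificate_key /usr/local/nginx/conf/ssl/domain.com/domain.com-acme.key;
  ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
  ssl_verify_client on;
}
EOF
    echo "$d/domain.com.ssl.conf"
}

# Stand-alone demo on the constructed vhost: no Nginx or network needed.
f=$(demo_vhost)
echo "before:        $(aop_status "$f")"
aop_off "$f"; nginx_reload
echo "after aop_off: $(aop_status "$f")"
aop_on "$f";  nginx_reload
echo "after aop_on:  $(aop_status "$f")"
rm -rf "$(dirname "$f")"
```

On the real server the sequence is `aop_off /usr/local/nginx/conf/conf.d/domain.com.ssl.conf` (assumed path), `nginx_reload`, then `check_origin domain.com 203.0.113.10` (assumed IP) until you are done, and finally `aop_on` plus `nginx_reload`. Running `check_origin` before `aop_off` is a cheap way to confirm AOP is actually enforcing: it must print 400, not 200, when the request carries no Cloudflare-issued client certificate.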
  17. FluxTux

    FluxTux New Member

    Aaah, okay... makes sense guys!

    As I tried the solution of uncommenting the 2 lines in the Nginx vhost, the resulting 400 errors that seemed persistent threw me off. I do believe I toggled the CF proxy off for the domain as well - so it makes sense not to do so next time.

    Will proceed testing without toggling the CF proxy off. At least now I have a sense of direction and can proceed with confidence.

    Thanks a lot @eva2000 and @JJC84 for helping me get to the bottom of this and sharing your insight.