Want to subscribe to topics you're interested in?
Become a Member

Cloudflare Domains SSL Cloudflare & Centminmod

Discussion in 'Domains, DNS, Email & SSL Certificates' started by denellum, Feb 11, 2017.

  1. denellum

    denellum Member Premium Member

    79
    19
    8
    May 11, 2016
    Dallas
    Ratings:
    +24
    Local Time:
    12:37 AM
    1.11.10
    10.1.21
    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.11.9
    • PHP Version Installed: 7.0.15
    • MariaDB MySQL Version Installed: 10.1.21
    • When was last time updated Centmin Mod code base ? : Today
    Installing centminmod and allowed cloudflare's IPs through CSF :
    /usr/local/src/centminmod/tools/csfcf.sh auto (set up as a cronjob as well)

    Able to hit it via port 80, but not 443, when I set up my domain I did select no to letsencrypt & selfcert... is that where i possibly messed up?

    insertblank.com
    https://insertblank.com
     
  2. eva2000

    eva2000 Administrator Staff Member

    28,968
    6,575
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,758
    Local Time:
    3:37 PM
    Nginx 1.13.x
    MariaDB 5.5
    Shouldn't be a problem then as cloudflare cdn looks to http version port 80 for serving http/https.

    cloudflare reports 521 http error code from tests at Web Performance Test - 14+ Global Test Locations

    Error 521: Web server is down

    did you uncomment the cloudflare include line in your site's nginx vhost ?
    Code (Text):
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;

    and maybe uncomment the include file in /usr/local/nginx/conf/nginx.conf
    Code (Text):
    # uncomment cloudflare.conf include if using cloudflare for
    # server and/or vhost site
    #include /usr/local/nginx/conf/cloudflare.conf;
    
     
  3. eva2000

    eva2000 Administrator Staff Member

    28,968
    6,575
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,758
    Local Time:
    3:37 PM
    Nginx 1.13.x
    MariaDB 5.5
    Also have you at least manually run
    Code (Text):
    /usr/local/src/centminmod/tools/csfcf.sh auto 
    

    once yet ? or see if cronjob has ran it once to whitelist ips yet ?
     
  4. denellum

    denellum Member Premium Member

    79
    19
    8
    May 11, 2016
    Dallas
    Ratings:
    +24
    Local Time:
    12:37 AM
    1.11.10
    10.1.21
    Just did all of the above, did a csf -r and init 6... still the same :/
     
  5. eva2000

    eva2000 Administrator Staff Member

    28,968
    6,575
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,758
    Local Time:
    3:37 PM
    Nginx 1.13.x
    MariaDB 5.5
    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get an outputted the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)
     
  6. denellum

    denellum Member Premium Member

    79
    19
    8
    May 11, 2016
    Dallas
    Ratings:
    +24
    Local Time:
    12:37 AM
    1.11.10
    10.1.21
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    
    # redirect from non-www to www 
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    #server {
    #            listen   80;
    #            server_name insertblank.com;
    #            return 301 $scheme://www.insertblank.com$request_uri;
    #       }
    
    server {
     
      server_name insertblank.com www.insertblank.com;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;  
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/insertblank.com/log/access.log main_ext buffer=256k flush=60m;
      error_log /home/nginx/domains/insertblank.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/insertblank.com/autoprotect-insertblank.com.conf;
      root /home/nginx/domains/insertblank.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      # prevent access to ./directories and files
      #location ~ (?:^|/)\. {
      # deny all;
      #}  
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files        $uri $uri/ /index.php;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
     
  7. eva2000

    eva2000 Administrator Staff Member

    28,968
    6,575
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,758
    Local Time:
    3:37 PM
    Nginx 1.13.x
    MariaDB 5.5
    what's contents of include file for auto protect at /usr/local/nginx/conf/autoprotect/insertblank.com/autoprotect-insertblank.com.conf ?

    If on Centmin Mod 123.09beta01, you may have ran into the new tools/autoprotect.sh cronjob feature outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community You uploaded scripts may have .htaccess deny from all type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know :)

    So instead, all .htaccess 'deny from all' detected directories now get auto generated Nginx equivalent location match and deny all setups except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

    You can read a few threads below on how autoprotect.sh may have caught some folks web apps falsely and the workarounds or improvements made to autoprotect.sh with the help of users feedback and troubleshooting.
     
    • Informative Informative x 1
  8. denellum

    denellum Member Premium Member

    79
    19
    8
    May 11, 2016
    Dallas
    Ratings:
    +24
    Local Time:
    12:37 AM
    1.11.10
    10.1.21
    I selected not to create an SSL due to using CloudFlare's Flex... should i have opted to create my own? Or letsencrypt?
     
  9. denellum

    denellum Member Premium Member

    79
    19
    8
    May 11, 2016
    Dallas
    Ratings:
    +24
    Local Time:
    12:37 AM
    1.11.10
    10.1.21
    since it wasnt generated :

    Code:
    [07:18][root@web01 log]# cat /usr/local/nginx/conf/autoprotect/insertblank.com/autoprotect-insertblank.com.conf
    [07:18][root@web01 log]# /usr/local/src/centminmod/tools/autoprotect.sh
    generated nginx include file [same]: /usr/local/nginx/conf/autoprotect/demodomain.com/autoprotect-demodomain.com.conf
    generated nginx include file [same]: /usr/local/nginx/conf/autoprotect/insertblank.com/autoprotect-insertblank.com.conf
    
    autoprotect.sh run completed skipped nginx restart...
    
    [07:19][root@web01 log]# cat /usr/local/nginx/conf/autoprotect/insertblank.com/autoprotect-insertblank.com.conf
    
    still empty... :(
     
  10. eva2000

    eva2000 Administrator Staff Member

    28,968
    6,575
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,758
    Local Time:
    3:37 PM
    Nginx 1.13.x
    MariaDB 5.5
    no need to create nginx side https if you use cloudflare flexible ssl

    though ssl cert from cloudflare may take a few hours to work/issue etc

    that's actually good if empty means for /usr/local/nginx/conf/autoprotect/insertblank.com/autoprotect-insertblank.com.conf means no un protected directories you may have missed
     
    • Informative Informative x 1
  11. denellum

    denellum Member Premium Member

    79
    19
    8
    May 11, 2016
    Dallas
    Ratings:
    +24
    Local Time:
    12:37 AM
    1.11.10
    10.1.21
    Alright :) ill give it some time to set up then! That might be the issue xD (i did this just minutes ago)
     
  12. denellum

    denellum Member Premium Member

    79
    19
    8
    May 11, 2016
    Dallas
    Ratings:
    +24
    Local Time:
    12:37 AM
    1.11.10
    10.1.21
    Ugh... i set it to strict... not flex. Fixed that after reading documentation... how abouts would i go with setting up a strict + letsencrypt?

    Domain only when creating the letsencrypt?
     
  13. eva2000

    eva2000 Administrator Staff Member

    28,968
    6,575
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,758
    Local Time:
    3:37 PM
    Nginx 1.13.x
    MariaDB 5.5
    strict would cause issues if you didn't setup https on nginx with Cloudflare Strict SSL

    For Cloudflare Strict SSL, you can use official site vhost generator to setup the HTTPS side for nginx vhost https://community.centminmod.com/th...t-generator-add-letsencrypt-ssl-support.9424/

    also outlined in more detail at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates just skip step 8 and 9 for HTTPS default and HTTP to HTTPS redirect as you can do that on Cloudflare level
     
    • Like Like x 1
  14. denellum

    denellum Member Premium Member

    79
    19
    8
    May 11, 2016
    Dallas
    Ratings:
    +24
    Local Time:
    12:37 AM
    1.11.10
    10.1.21
  15. eva2000

    eva2000 Administrator Staff Member

    28,968
    6,575
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,758
    Local Time:
    3:37 PM
    Nginx 1.13.x
    MariaDB 5.5
    Did you skip steps 8 and 9 for http to https redirect don't need it and skip HSTS enabling
     
    • Like Like x 1
  16. denellum

    denellum Member Premium Member

    79
    19
    8
    May 11, 2016
    Dallas
    Ratings:
    +24
    Local Time:
    12:37 AM
    1.11.10
    10.1.21
    Dang that is a TON of steps... its working now. Is there any... faster way of going about this? lol

    I just want to thank you again :) always there to help and more importantly teach.
     
    Last edited: Feb 12, 2017
  17. eva2000

    eva2000 Administrator Staff Member

    28,968
    6,575
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,758
    Local Time:
    3:37 PM
    Nginx 1.13.x
    MariaDB 5.5
    You could of it done it automated way for existing Centmin Mod Nginx vhosts via addon/acmetool.sh but it's beta testing so need to do test server as some folks have issues with either their interpretation of the steps/order of commands or there's some bugs with the setup or acmetool.sh.

    If you are looking at a fresh Nginx HTTPS vhost site creation with Letsencrypt SSL certificates, check out the alternate guide here which is easier and more trouble free using addon/acmetool.sh tool for new Nginx HTTPS sites not already having HTTP version on server.
     
    • Like Like x 1
  18. denellum

    denellum Member Premium Member

    79
    19
    8
    May 11, 2016
    Dallas
    Ratings:
    +24
    Local Time:
    12:37 AM
    1.11.10
    10.1.21
    Last question, with the method you told me to do... will that auto-update the letsencrypt certs before they expire?

    As they do with the option 2 > Get Letsencrypt SSL certificate Nginx vhost? [y/n]:
     
  19. eva2000

    eva2000 Administrator Staff Member

    28,968
    6,575
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,758
    Local Time:
    3:37 PM
    Nginx 1.13.x
    MariaDB 5.5
    yup whenever you use acme.sh or acmetool.sh to issue a cert, auto renew happens as there is a cronjob set for renew at 60 days into 90 day expiry

    if you type
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    you will see your SSL certs expiry day. Good idea to add a calendar remind to your phone 10 days before expiry so you can double check

    my mysqlmymon.sh site was created with addons/acmetool.sh and just auto renewed recently - https://mysqlmymon.com/

    EDIT: correction it auto renews 10 days before expiry it seems
     
    Last edited: Feb 12, 2017
  20. denellum

    denellum Member Premium Member

    79
    19
    8
    May 11, 2016
    Dallas
    Ratings:
    +24
    Local Time:
    12:37 AM
    1.11.10
    10.1.21
    Perfect! One last question... I honestly dont know where to ask this...and I'm hoping I can resolve this locally... for some reason with cloudflare enabled I am having all traffic from a newly set up site forward to the first site I set up. The moment the user clears their cache this quits. I've verified nothing crazy is happening in my vhosts or cloudflare setting...but the moment the cache is cleared locally on the end users computer is resolves correctly. Any idea why this is happening?