
CDN Cloudflare Cloudflare Flexible SSL, Nginx & XenForo

Discussion in 'Domains, DNS, Email & SSL Certificates' started by BamaStangGuy, Oct 1, 2014.

  1. BamaStangGuy

    BamaStangGuy Active Member

    668
    192
    43
    May 25, 2014
    Ratings:
    +272
    Local Time:
    7:11 PM
    I have several sites now on Cloudflare to test the service before I move my larger ones. All are XenForo and all are on Nginx. What I would like to document here for others is what needs to be set up on Cloudflare, Nginx and XenForo to ensure the following:

    XenForo sees the visitor's actual IP address and not Cloudflare's.
    Nginx redirects properly to https when Cloudflare gets around to issuing my SSL certificates for the site.


    I have found the following information so far:

    How do I redirect HTTPS traffic with Flexible SSL and Apache? – CloudFlare Support

    The above is for Apache. What needs to be done for Nginx to accomplish the above?

    How do I restore original visitor IP with XenForo? – CloudFlare Support

    Is the above needed? I have already added Cloudflare's IP addresses to nginx.conf and restarted. This post seems to say the above is a bad idea: Cloudflare and their new SSL for free users | XenForo Community

    What I want to do is make sure I get this right before I move larger sites with more traffic to Cloudflare with Full SSL (Strict).

    Thanks for any input!
     
  2. eva2000

    eva2000 Administrator Staff Member

    53,614
    12,139
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,683
    Local Time:
    10:11 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    The Nginx http to https redirect is the same as mentioned at Nginx HTTPS / SSL Google SPDY configuration

    Update 2 - October 17th, 2014: took 2+ weeks for Cloudflare to activate my FlexibleSSL domain. For http to https redirect, need 2 page rules
    Update: actually this might be incorrect - re-reading Cloudflare's guide you need to redirect based on their custom CF-Visitor header being scheme:http only. Looking into this. Cloudflare tech support confirmed what I recommended was correct for Nginx http to https redirects.
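    Code:
    # Redirect every request for these hostnames to HTTPS
    server {
      server_name domain.com www.domain.com;
      # $server_name expands to the first name listed above (domain.com)
      return 301 https://$server_name$request_uri;
    }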
    
     
    Last edited: Oct 17, 2014
  3. BamaStangGuy

    BamaStangGuy Active Member

    Thanks for clearing that up.
     
  4. palPalani

    palPalani Member

    30
    12
    8
    May 30, 2014
    Chennai, IN
    Ratings:
    +20
    Local Time:
    5:41 AM
    Nginx 1.7
    MariaDB 5.5
    Hi,

    I have enabled Flexible SSL and just updated the redirect solution in the .conf file, but it is not working; it says redirect loop.

    Note: I have enabled SSL only on Cloudflare, not on my domain.
     
  5. eva2000

    eva2000 Administrator Staff Member

    It takes Cloudflare at least 24-48+ hours for SSL to work, so for that time you will have an invalid SSL certificate, so I wouldn't do the redirect in nginx until https is working.
     
  6. palPalani

    palPalani Member

    I have enabled Cloudflare free SSL and it is working fine, except it is not automatically redirecting from http to https.

    If I add the above line, then it goes into a redirect loop.
     
  7. eva2000

    eva2000 Administrator Staff Member

    Make sure the SSL certificate is working by checking in the browser and clicking the padlock to make sure it doesn't show invalid, unprotected or "does not match URL" messages.

     
  8. eva2000

    eva2000 Administrator Staff Member

    Update: the above listed 301 redirect for http to https may be incorrect - re-reading Cloudflare's guide, you need to redirect based on their custom CF-Visitor header being scheme:http only? Cloudflare tech support confirmed what I recommended was correct for Nginx http to https redirects.

    There might be another way using Cloudflare's Page Rules - free plans get 3 page rules. More info on Cloudflare Page Rules. You will need to use 2 of them:
    1. First page rule, for a http domain redirect to https
    2. Second page rule, for wildcard match for domain.com/* to https://domain.com/$1. I can not confirm if this works yet as my Cloudflare Flexible SSL enabled domain isn't activated/working yet.


    Hmm, looks like page rules only work for https redirect for non-free Cloudflare paid Pro plans according to Cloudflare support.

     
    Last edited: Oct 3, 2014
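
Added example, not part of any post in this thread and not Cloudflare's or XenForo's own configuration: an Nginx fragment for the two goals in the opening post. It restores the visitor IP only from trusted proxy addresses and redirects only when the CF-Visitor header mentioned above reports `scheme:http`, so that the plain-HTTP origin requests Cloudflare makes under Flexible SSL are not redirected again (the loop reported earlier in the thread). Assumptions: the `{"scheme":"http"}` JSON form of CF-Visitor, the `$cf_visitor_http` variable name, and the `192.0.2.0/24` range, which is a documentation placeholder rather than a Cloudflare range.

```nginx
# Place inside the existing http { } context of nginx.conf.

# Restore the visitor IP for logs and for XenForo (REMOTE_ADDR).
# CF-Connecting-IP is honoured ONLY when the connecting peer is listed in
# set_real_ip_from; any other client sending the header is ignored.
# Placeholder range: replace with the ranges Cloudflare publishes.
# Never use 0.0.0.0/0 here, or any client can forge its own address.
set_real_ip_from 192.0.2.0/24;
real_ip_header   CF-Connecting-IP;

# Assumed header form: CF-Visitor: {"scheme":"http"} or {"scheme":"https"}.
# The closing quote in the pattern keeps "https" from matching.
map $http_cf_visitor $cf_visitor_http {
    default              0;
    '~"scheme":"http"'   1;
}

server {
    listen 80;
    server_name domain.com www.domain.com;

    # Under Flexible SSL every origin request arrives on port 80, so an
    # unconditional "return 301 https://..." answers Cloudflare's own fetch
    # with another redirect. Redirect only when the visitor used http.
    if ($cf_visitor_http) {
        return 301 https://$host$request_uri;
    }

    # Existing root, location and PHP directives for the site continue here.
}
```

CF-Visitor is an ordinary request header, so this check is only meaningful when port 80 on the origin accepts connections from Cloudflare's addresses alone; a client that reaches the origin directly can send any value it likes.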
  9. palPalani

    palPalani Member

    Thanks
     
  10. BamaStangGuy

    BamaStangGuy Active Member

    It says it only takes 5 minutes for Pro users to get an SSL certificate. Sitting here almost at 30 minutes now and it isn't done issuing.

    https://www.aspiescentral.com
     
  11. eva2000

    eva2000 Administrator Staff Member

    Yeah, mine on the free plan still hasn't been activated either. Clearly, they're overwhelmed with the Universal SSL activations right now heh.

    Also updated my reply above as Cloudflare tech support confirmed what I recommended was correct for Nginx http to https redirects :)
     
  12. BamaStangGuy

    BamaStangGuy Active Member

  13. eva2000

    eva2000 Administrator Staff Member

    mine says SSL issuing status heh
     
  14. BamaStangGuy

    BamaStangGuy Active Member

    Ugh this is annoying. Now I am paying and not getting anywhere near what they said I would as far as time to issue.
     
  15. eva2000

    eva2000 Administrator Staff Member

    I can imagine, I'm just doing Cloudflare Flexible SSL tests on a test domain project I have on Cloudflare so no real visitor traffic right now so not as urgent :)
     
  16. BamaStangGuy

    BamaStangGuy Active Member

  17. BamaStangGuy

    BamaStangGuy Active Member

  18. BamaStangGuy

    BamaStangGuy Active Member

  19. eva2000

    eva2000 Administrator Staff Member

    Looks good on my end in my browser. Maybe clear the browser cache and restart the browser?
     
  20. BamaStangGuy

    BamaStangGuy Active Member

    Had to restart my router.