
Cloudflare Proxy issue

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Alexandre Faustino, Dec 16, 2021.

  1. Alexandre Faustino

    Alexandre Faustino New Member

    Dec 16, 2021
    Hi,


    Lately, when Cloudflare proxy is enabled for my domain, in the DNS settings, in some periods of the day the website is not accessible. If I turn Cloudflare off it works, but of course it has an invalid certificate.

    Any help?
     
  2. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Nginx 1.21.x
    MariaDB 10.x
    If you use a reverse proxy like Cloudflare, Sucuri, or Incapsula in front of Centmin Mod Nginx, you need to set up nginx realip so the visitor's real IP is passed on to Nginx.

    See Getting Started Guide step 5 and setting the correct real IP via nginx module config at http://centminmod.com/nginx_configure_cloudflare.html. The tools/csfcf.sh cronjob mentioned below helps maintain the whitelisted CSF Firewall IPs, but you still need to set up nginx realip in your nginx vhost.

    If using Centmin Mod 123.09beta01 and newer, there's an added tools/csfcf.sh script to aid in this. Details at:
    You just need to set up a cronjob to run
    Code (Text):
    /usr/local/src/centminmod/tools/csfcf.sh auto

    which should already exist with Centmin Mod 123.09beta01 and newer
     
  3. Alexandre Faustino

    Alexandre Faustino New Member

    Dec 16, 2021
    Hi,

    I'm using version 123.09beta01 and the cronjob is already in place. I assume it was added after updating Centmin a few weeks ago.
     
  4. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Nginx 1.21.x
    MariaDB 10.x
    With Cloudflare proxy enabled, what does Let's Debug report and with Cloudflare proxy disabled, what does Let's Debug report?

    Are you using Cloudflare Full SSL or Flexible SSL mode?

    Sounds like Letsencrypt is following your non-https domain's 301/302 redirect to the https-based domain to validate the domain, but the https-based domain's SSL certificate has expired.

    What you can do is sort of partial manual steps from Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates in that you temporarily disable your /usr/local/nginx/conf/conf.d/domain.com.ssl.conf nginx vhost and recreate the non-https nginx vhost /usr/local/nginx/conf/conf.d/domain.com.conf using the official Nginx vhost generator at Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS (which is step 1 of guide at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates).

    Then follow manual steps 2, 3, 4, 5 and 6 of guide at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates where step 6 you can re-enable your https /usr/local/nginx/conf/conf.d/domain.com.ssl.conf nginx vhost and disable your non-https nginx vhost /usr/local/nginx/conf/conf.d/domain.com.conf again.

    Then you can test your domain at Let's Debug to ensure future renewals work.

    Once you have a working Letsencrypt SSL certificate on origin Centmin Mod Nginx with Cloudflare Proxy disabled, then you can re-enable Cloudflare Proxy but set SSL mode to Full SSL instead of Flexible SSL mode.
     
  5. Alexandre Faustino

    Alexandre Faustino New Member

    Dec 16, 2021
    Hi,

    Trace with proxy enabled:


    Code:
    Request to: www.mydomain.com/172.67.152.9, Result: [Address=172.67.152.9,Address Type=IPv4,Server=cloudflare,HTTP Status=301,Number of Redirects=1,Final HTTP Status=404], Issue:
    Trace:
    @0ms: Making a request to http://www.mydomain.com/.well-known/acme-challenge/letsdebug-test (using initial IP 172.67.152.9)
    @0ms: Dialing 172.67.152.9
    @20ms: Server response: HTTP 301 Moved Permanently
    @20ms: Received redirect to https://www.mydomain.com/.well-known/acme-challenge/letsdebug-test
    @20ms: Dialing 172.67.152.9
    @353ms: Server response: HTTP 404 Not Found
    
    Request to: www.mydomain.com/104.21.41.217, Result: [Address=104.21.41.217,Address Type=IPv4,Server=cloudflare,HTTP Status=301,Number of Redirects=1,Final HTTP Status=404], Issue:
    Trace:
    @0ms: Making a request to http://www.mydomain.com/.well-known/acme-challenge/letsdebug-test (using initial IP 104.21.41.217)
    @0ms: Dialing 104.21.41.217
    @25ms: Server response: HTTP 301 Moved Permanently
    @25ms: Received redirect to https://www.mydomain.com/.well-known/acme-challenge/letsdebug-test
    @25ms: Dialing 104.21.41.217
    @329ms: Server response: HTTP 404 Not Found 
    Trace with proxy disabled:


    Code:
    Request to: www.mydomain.com/{MY_SERVER_IP}, Result: [Address={MY_SERVER_IP},Address Type=IPv4,Server=nginx centminmod,HTTP Status=301,Number of Redirects=1,Final HTTP Status=404], Issue:
    Trace:
    @0ms: Making a request to http://www.mydomain.com/.well-known/acme-challenge/letsdebug-test (using initial IP {MY_SERVER_IP})
    @0ms: Dialing {MY_SERVER_IP}
    @208ms: Server response: HTTP 301 Moved Permanently
    @208ms: Received redirect to https://www.mydomain.com/.well-known/acme-challenge/letsdebug-test
    @208ms: Dialing {MY_SERVER_IP}
    @478ms: Server response: HTTP 404 Not Found 

    I'm using Full SSL (without strict, which doesn't work).
     
  6. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Nginx 1.21.x
    MariaDB 10.x
    Those traces suggest a 404 Not Found error with or without Cloudflare Proxy, so the problem is your site on the origin Centmin Mod Nginx.

    First thing is to make sure you set up your Cloudflare DNS A records for your domain's non-www and www names to point to your Centmin Mod Nginx server's real IP address provided by your server's web host.

    Also make sure you've set up the Nginx vhost for your site correctly. When you install Centmin Mod it sets up a main hostname nginx vhost for the server, which is where the Nginx default install index page is shown. Accessing the server via IP address will show that page; that's correct and should be left as is, as the main hostname site is also used for the statistics pages outlined here. When you create a new Nginx vhost site via centmin.sh menu option 2, 22 or nv commands, you have a separate Nginx vhost directory structure. The differences are outlined on the official Config file page and at Getting Started Guide step 1 and the bottom of that page here.
    What do your /usr/local/nginx/conf/conf.d/virtual.conf and /usr/local/nginx/conf/conf.d/yourdomain.com.conf contents look like? Make sure virtual.conf's main hostname server_name isn't the same as any added nginx vhost site's domain name, as per Getting Started Guide step 1; the main hostname needs to be unique.

    You can check via a recursive grep filter of your domain name in the vhost directory at /usr/local/nginx/conf/conf.d
    Code (Text):
    grep -rnw 'yourdomain.com' /usr/local/nginx/conf/conf.d
    

    Also check DNS is correct; use dig to check DNS for the domain
    Code (Text):
    dig +short A @8.8.8.8 yourdomain.com
    dig +short A @8.8.8.8 www.yourdomain.com
    dig +short A @8.8.8.8 hostname.yourdomain.com
    

    Check HTTP headers via curl for both HTTP (and HTTPS if you have HTTPS/SSL)
    Code (Text):
    curl -I http://yourdomain.com
    curl -I http://www.yourdomain.com
    curl -I https://yourdomain.com
    curl -I https://www.yourdomain.com
    curl -I http://hostname.yourdomain.com
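A defender-side check for the two points eva2000 raises (the realip include a proxy like Cloudflare needs, and the main hostname's server_name colliding with an added vhost), written as an added example that is not part of this thread or of Centmin Mod's own tooling. It builds its own constructed conf.d under a temp directory with documentation IP ranges, so the file names, server names and ranges are assumptions.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own tooling. Two checks for the points
# raised above: the realip include a proxy like Cloudflare needs, and the
# main-hostname/vhost server_name collision that can yield a 404 on origin.
set -eu

# Build a constructed conf.d and proxy range list under a temp dir so this
# runs offline. The ranges are documentation prefixes, not Cloudflare's.
make_sample() {
    d=$(mktemp -d)
    printf 'server {\n    listen 80 default_server;\n    server_name example.com;\n}\n' > "$d/virtual.conf"
    printf 'server {\n    listen 80;\n    server_name example.com www.example.com;\n}\n' > "$d/example.com.conf"
    printf 'server {\n    listen 443 ssl;\n    server_name example.com www.example.com;\n}\n' > "$d/example.com.ssl.conf"
    printf '# constructed proxy ranges\n198.51.100.0/24\n2001:db8::/32\n' > "$d/ranges.txt"
    echo "$d"
}
# Print every server_name token in one nginx config file, one per line.
server_names_in() {
    sed -nE 's/^[[:space:]]*server_name[[:space:]]+([^;]+);.*/\1/p' "$1" \
      | tr -s ' \t' '\n' | grep -v '^$' || true
}

# Report names that the main hostname vhost (virtual.conf) shares with any
# other vhost file as name:file. Any output means nginx may route the
# domain to the default site, which is one way to get the 404 seen above.
main_hostname_conflicts() {
    for name in $(server_names_in "$1/virtual.conf"); do
        for f in "$1"/*.conf; do
            [ "$f" = "$1/virtual.conf" ] && continue
            if server_names_in "$f" | grep -qx "$name"; then
                echo "$name:$(basename "$f")"
            fi
        done
    done
}

# Emit a realip include from a file of CIDR ranges (one per line, comments
# skipped). CF-Connecting-IP is the header Cloudflare sets on proxied
# requests; without this, nginx logs and rate limits see proxy IPs only.
realip_conf() {
    sed -nE 's|^([0-9a-fA-F.:/]+)$|set_real_ip_from \1;|p' "$1"
    echo 'real_ip_header CF-Connecting-IP;'
}

dir=$(make_sample)
echo "main hostname collisions (name:file):"
main_hostname_conflicts "$dir"
echo "realip include:"
realip_conf "$dir/ranges.txt"
```

On a real server, point main_hostname_conflicts at /usr/local/nginx/conf/conf.d and feed realip_conf the proxy vendor's published range list; the include goes in the vhost, with the output of csfcf.sh covering only the CSF whitelist.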