
Error: Setting Up Cloudflare Authenticated Origin Pulls

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Mrbo, Feb 27, 2019.

  1. Kuro (Member)
    Code:
    [02:16][root@D-145 ~]# ping6 -c4 www.google.com
    connect: Network is unreachable
    
    So if my server has IPv6 I will need to add it to CF like this (@, www + IPv6) and then run centmin.sh menu option 2, 22?

  2. eva2000 (Administrator, Staff Member)
    No, that "network is unreachable" means your VPS/server's network connectivity for IPv6 is broken or not supported, so you need to contact your web host to fix it if it's something on their end as to why IPv6 isn't working. So nothing to do with Cloudflare DNS.

    Or you can disable IPv6 on your server and choose not to use IPv6.

    To disable IPv6 there are plenty of CentOS guides: http://lmgtfy.com/?q=how+tp+disable+ipv6+on+centos :)

    Or let Centmin Mod 123.09beta01 or newer versions disable IPv6 system-wide by setting this in the persistent config file /etc/centminmod/custom_config.inc
    Code (Text):
    DISABLE_IPVSIX='y'
    

    then running centmin.sh once and exiting
     
  3. Kuro (Member)
    Okay, I will try a server with IPv6 (Digital Ocean) and see if there are any errors.

  4. Kuro (Member)
    Code:
    ZSTD_LOGROTATE_NGINX='y'
    ZSTD_LOGROTATE_PHPFPM='y'
    NGINX_LIBBROTLI='y'
    NGXDYNAMIC_BROTLI='y'
    PHP_PGO='y'
    PHP_BROTLI='y'
    PHP_LZFOUR='y'
    PHP_LZF='y'
    PHP_ZSTD='y'
    KEYLENGTH='ec-256'
    LETSENCRYPT_DETECT='y'
    DUALCERTS='y'
    
    Code:
    PING domain.com(2606:4700:30::681c:1e94 (2606:4700:30::681c:1e94)) 56 data bytes
    64 bytes from 2606:4700:30::681c:1e94 (2606:4700:30::681c:1e94): icmp_seq=1 ttl=62 time=0.692 ms
    64 bytes from 2606:4700:30::681c:1e94 (2606:4700:30::681c:1e94): icmp_seq=2 ttl=62 time=0.741 ms
    64 bytes from 2606:4700:30::681c:1e94 (2606:4700:30::681c:1e94): icmp_seq=3 ttl=62 time=0.592 ms
    64 bytes from 2606:4700:30::681c:1e94 (2606:4700:30::681c:1e94): icmp_seq=4 ttl=62 time=0.875 ms
    
    Log: https://pastebin.com/iein2dYx
    Missing origin.crt (Cloudflare)

  5. eva2000 (Administrator, Staff Member)
  6. Kuro (Member)
    Yes, I'm talking about why Cloudflare's SSL certificate (.crt) is empty.
    If I use Let's Encrypt, will it be empty?
    I thought it would be created automatically.

  7. eva2000 (Administrator, Staff Member)
    It should be created, but I will have to investigate.
     
  8. eva2000 (Administrator, Staff Member)
    Believe I just found the bug and fixed it in the latest 123.09beta01 update, so run the cmupdate command to update your local code for the fix :)
     
  9. Kuro (Member)
    I bet many people had to do it manually before.
     
  10. eva2000 (Administrator, Staff Member)
    Well, it's commented out in Nginx vhosts by default, so many folks won't notice unless they uncomment the referenced Cloudflare origin pull cert, so that's probably why.
     
  11. MaximilianKohler (Member)
    Eva, I'm not too clear on the directions here: https://community.centminmod.com/th...ed-origin-pulls-protecting-your-origins.13847. I'm on the beta and removed the hash in front of the lines in the Nginx config, and "/usr/local/nginx/conf/ssl/cloudflare/yourdomain.com/origin.crt" exists. On the Cloudflare page it says I have no certificates:
    Code:
    SSL/TLS
    Origin Server
    
    Customize encryption of traffic between your origin server and Cloudflare.
    Origin server SSL/TLS documentation
    Advanced Certificate Manager
    
    Unlock more control and flexibility for your Certificates and SSL/TLS settings
    Activate
    Origin Certificates
    
    Generate a free TLS certificate signed by Cloudflare to install on your origin server.
    
    Origin Certificates are only valid for encryption between Cloudflare and your origin server.
    Hosts
        Expires On
      
    No Certificates.
    Do I need to create one and upload it to my server, or do I just need to turn on the "Authenticated Origin Pulls" button?

    Could you clarify that in the guide?

    EDIT: BTW, even with the CF option enabled and the lines in the Nginx config, I can still visit the IP address of the server and it loads, both on my IP and another. That's not supposed to be possible, right? Per:
     
    Last edited: Dec 4, 2023
  12. eva2000 (Administrator, Staff Member)
    Yes

    That is correct still
    Authenticated Origin Pull prevents direct IP access to your domain name, not to the entire server. When a visitor visits your site via the domain name, it passes to the receiving server the hostname it's trying to request access to. Then DNS resolves the hostname to the IP set in DNS to connect to your server and the specific domain name site. So if a visitor tries to access HTTPS domain.com/index.html, the request will pass to Nginx with hostname = domain.com defined in the Nginx vhost /usr/local/nginx/conf/conf.d/domain.com.ssl.conf and the URL mapped to /home/nginx/domains/domain.com/public/index.html.

    Authenticated Origin Pull prevents attackers from overriding DNS locally to tell the server that the domain name points to the real IP of the server, by introducing a Cloudflare client SSL certificate which is sent by Cloudflare edge servers with every visitor request and validated by Centmin Mod Nginx's Cloudflare Authenticated Origin certificate setup, which verifies the Cloudflare client SSL certificate on each request. So if an attacker tries to override DNS to tell the domain to use your real IP address, the request is missing that Cloudflare client SSL certificate, and Centmin Mod Nginx set up with the Authenticated Origin certificate deems the request invalid and gives 400 Bad Request.

    The Authenticated Origin certificate isn't to prevent direct IP access itself, where the hostname is absent from the request. When you access the server's IP directly, there is no hostname passed in that request, so Nginx won't direct that request to your domain name's Nginx vhost site and will direct it to the main hostname's Nginx default index page, as expected. So using the above example again, direct IP access for ipaddress/index.html hits the main hostname Nginx vhost at /usr/local/nginx/conf/conf.d/virtual.conf for URL /usr/local/nginx/html/index.html. The Authenticated Origin certificate setup is to protect hostname = domain.com defined in the Nginx vhost /usr/local/nginx/conf/conf.d/domain.com.ssl.conf and the URL /home/nginx/domains/domain.com/public/index.html.
     
  13. MaximilianKohler (Member)
    OK, I guess I don't understand how we're supposed to verify this or what this means:
    I don't get a 400 error when visiting main.domain.com (https://centminmod.com/getstarted.html#1) either. So I guess it's not referring to that either.
     
  14. eva2000 (Administrator, Staff Member)
    No, that is expected. 400 Bad Request is only for requests to your domain.com with Authenticated Origin Pull where the request doesn't include the Cloudflare client TLS certificate.

    You can replicate that test by overriding your local computer's DNS and pointing your domain name to the real server IP, bypassing Cloudflare DNS, and then trying to visit your domain name. For example, on Linux edit /etc/hosts, or on a Windows PC edit your Windows HOSTS file at c:\Windows\System32\Drivers\etc\hosts (see the guide at Modify your hosts file | Knowledge Center | Rackspace Hosting, or install the HostsMan app, HostsMan - abelhadigital.com, which can manage the file too and allows easy DNS flushing when you make changes to the hosts file).

    c:\Windows\System32\Drivers\etc\hosts contents to preview without a DNS update, where centminmodserver-ip-address is your server's real IP address:
    Code (Text):
    centminmodserver-ip-address domain.com

    To disable the preview, comment it out and flush DNS for your system:

    Code (Text):
    #centminmodserver-ip-address domain.com

    Hostsman app to flush dns and edit the c:\Windows\System32\Drivers\etc\hosts file

    For MacOS users there's How to edit your Mac's Hosts file and why you would want to

    When DNS is overridden locally like this, attackers can bypass Cloudflare if they know the real server IP address and hit your domain.com site directly. Authenticated Origin Pull is a method of preventing such direct access to domain.com on the known real server IP.
     
    Last edited: Dec 4, 2023
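An added check (example code, not from Centmin Mod or anyone in this thread) that performs the same verification eva2000 describes in posts 12 and 14 without editing a hosts file: it connects straight to the origin IP, presents SNI and a Host header for the domain, and reports whether the vhost answered 400 (no Cloudflare client certificate presented) or served the site anyway. It uses only the Python 3 standard library; the origin IP and domain name are arguments you supply for your own server.

```python
import socket
import ssl


def parse_status(response: bytes) -> int:
    """Return the status code from a raw HTTP/1.x response such as b'HTTP/1.1 400 Bad Request\\r\\n...'."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def classify(status: int) -> str:
    """Turn the origin's answer into an Authenticated Origin Pulls verdict."""
    if status == 400:
        return "enforced"      # nginx refused the request: no Cloudflare client certificate was sent
    if 200 <= status < 400:
        return "not enforced"  # the domain's vhost served content to a client that is not Cloudflare
    return "inconclusive"      # e.g. 5xx from a backend; inspect the vhost config by hand


def probe_origin(origin_ip: str, hostname: str, port: int = 443, timeout: float = 10.0) -> int:
    """Same test as the hosts-file override in the thread, but with no file edits:
    connect to the origin IP directly, send SNI and Host for the domain, return the status code."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we are probing the vhost's behaviour, not validating its certificate
    ctx.verify_mode = ssl.CERT_NONE
    request = f"GET / HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
        # No client certificate is loaded, so a vhost verifying the Cloudflare cert should answer 400
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(request)
            chunks = []
            while True:
                try:
                    data = tls.recv(4096)
                except ssl.SSLEOFError:  # server closed without close_notify; treat as end of body
                    break
                if not data:
                    break
                chunks.append(data)
    return parse_status(b"".join(chunks))


if __name__ == "__main__":
    import sys
    # usage: python probe.py <your-origin-ip> <domain.com>
    ip, host = sys.argv[1], sys.argv[2]
    try:
        code = probe_origin(ip, host)
        print(f"{host} via {ip}: HTTP {code} -> Authenticated Origin Pulls {classify(code)}")
    except ssl.SSLError as err:
        print(f"TLS handshake rejected ({err}): the origin requires a client certificate at the TLS layer")
```

Run it once against the domain's vhost (expect 400) and once with the server's main hostname to see the default vhost behaviour eva2000 describes in post 12.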