
SSL Cloudflare HTTPS with Cloudflare Flexible SSL Certificate: is it that simple?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Benjamin74, Jul 30, 2023.

  1. Benjamin74

    Benjamin74 Member

    Hello guys,

    I've been using CMM Let's Encrypt SSL certificate issuance for the past few years without any issue; I was using Cloudflare just for their DNS service.

    Now I would like to use Cloudflare Flexible SSL certificate.


    Can someone confirm that what I'm doing is correct? I'm a bit surprised that it is that simple:

    1) Create nginx vhost with CMM menu 2 or 22

    2) During vhost creation, don't select any option to create a self-signed or let's encrypt certificate

    3) In Cloudflare just select the Flexible SSL option and redirect everything to https option

    Could it be that simple or am I missing an important point?

    Thanks a lot!
     
  2. eva2000

    eva2000 Administrator Staff Member

    Yes you can do that but that only provides HTTPS to visitors of your web site. Connection between Cloudflare edge servers and Centmin Mod Nginx origin server via CF Flexible SSL will not be secure as CF edge server would connect to Centmin Mod Nginx non-HTTPS.

    To be 100% secure, you want Cloudflare Full or Full Strict SSL mode and opt for Letsencrypt SSL on the Centmin Mod Nginx origin for HTTPS. Ideally, you use the CF DNS API for Letsencrypt SSL domain validation: Letsencrypt Free SSL Certificates

    So you would setup in persistent config file at /etc/centminmod/custom_config.inc
    Code (Text):
    LETSENCRYPT_DETECT='y'
    CF_DNSAPI_GLOBAL='y'
    CF_Token="YOUR_CF_TOKEN"
    CF_Account_ID="YOUR_CF_ACCOUNT_ID"
    
     
  3. pthalmann

    pthalmann New Member

    I am using a pfSense with haproxy in front of my CMM. Certificates get auto-generated through the acme package with Cloudflare as DNS and cache provider, works like a charm. On the CMM I use a self-signed certificate so the communication between haproxy and the CMM is also encrypted.
     
  4. Benjamin74

    Benjamin74 Member

    Hello guys,

    Since Eva recommended using Full I tried to set it up. It was really not that easy so here is the summary of the steps I used:

    NB: this is using cloudflare Full (not strict) mode and cloudflare API

    0) the vhost for the domain you want to add to your CMM server doesn't exist yet

    1) create CF API token as described here: Letsencrypt Free SSL Certificates and add the necessary token and account ID in the /etc/centminmod/custom_config.inc file

    IMPORTANT: I could not make it work if I entered a "Client IP Address Filtering", not exactly sure why but it's probably not such a deal to not restrict to a single IP.

    2) the /etc/centminmod/custom_config.inc should also have LETSENCRYPT_DETECT='y'

    3) in CF > DNS > Records, the domain you want to configure should have 2 A records (@ and www) pointing to your server with cloudflare PROXY enabled (orange cloud icon with an arrow going through it)

    4) in CF > SSL/TLS > Overview, the mode should be "Full - Encrypts end-to-end, using a self signed certificate on the server"

    5) in CF > SSL/TLS > Edge Certificates > Always use HTTPS should be DISABLED (cloudflare keeps on moving this "Always use HTTPS" option all the time so look around if not under this submenu...)

    6) run centmin

    7) choose option 2 (or 22 if wordpress) and confirm you want to continue with vhost creation

    8) enter the domain and confirm you want to continue then I used:
    Create a self-signed SSL certificate Nginx vhost? [y/n]: n
    Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y


    and confirm continue

    Then you'll get many rows (I got 4x2) indicating all IPv4 addresses as well as "behind Cloudflare IPs" lists for IPv4 and IPv6

    9) Confirm you want to continue,

    and then I chose:
    4. issue live cert with HTTPS default (trusted)

    10) create FTP user as you want

    11) if it succeeds you should have some letsdebug success messages. When I tried with a token with IP address filtering that's where I got some errors like 'invalid domain' somewhere

    12) Exit centmin, then go to vhost folder: cd /usr/local/nginx/conf/conf.d && ls and edit your vhost file

    13) uncomment the line here to get real IP:
    #include /usr/local/nginx/conf/cloudflare.conf;

    Sidenote: this PHP script here from Stack Overflow allows you to get the real IP without having to uncomment the line above. I use it for every custom script so I know it'll work even if I screwed up and forgot to uncomment the line...


    PHP:
    <?php

    function getUserIP()
    {
        // Get the real visitor IP behind the Cloudflare network.
        // Note: CF-Connecting-IP (and Client-IP / X-Forwarded-For below) are
        // plain request headers; a client that reaches the origin directly,
        // bypassing Cloudflare, can set them to any value it likes.
        if (isset($_SERVER["HTTP_CF_CONNECTING_IP"])) {
            $_SERVER['REMOTE_ADDR']    = $_SERVER["HTTP_CF_CONNECTING_IP"];
            $_SERVER['HTTP_CLIENT_IP'] = $_SERVER["HTTP_CF_CONNECTING_IP"];
        }

        $client  = $_SERVER['HTTP_CLIENT_IP'] ?? null;
        $forward = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? null;
        $remote  = $_SERVER['REMOTE_ADDR'];

        // Prefer the first header that holds a syntactically valid IP address;
        // a comma-separated X-Forwarded-For list fails validation and is skipped.
        if (filter_var($client, FILTER_VALIDATE_IP)) {
            $ip = $client;
        } elseif (filter_var($forward, FILTER_VALIDATE_IP)) {
            $ip = $forward;
        } else {
            $ip = $remote;
        }

        return $ip;
    }

    $user_ip = getUserIP();

    echo $user_ip; // Output IP address [Ex: 177.87.193.134]

    ?>
    14) restart nginx

    should be all good now, maybe just run a check on https://www.sslshopper.com/ssl-checker.html
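Added example (not code from the thread or from Centmin Mod): the real-IP restoration in step 13 and the PHP sidenote both hinge on one thing the post does not spell out, namely that CF-Connecting-IP is only meaningful when the TCP peer is actually a Cloudflare edge. Anyone who finds the origin's IP can connect to it directly and send a forged CF-Connecting-IP or X-Forwarded-For header, which the PHP snippet would happily believe. The script below contrasts that header-trusting logic with a version that first checks the peer address against Cloudflare's published ranges, and emits the equivalent nginx set_real_ip_from / real_ip_header directives (the mechanism the cloudflare.conf include relies on; assumption, check your copy of the file). The address ranges are copied from https://www.cloudflare.com/ips-v4 and /ips-v6 at the time of writing and the request dicts are constructed sample data.

```python
import ipaddress

# Cloudflare edge ranges, copied from https://www.cloudflare.com/ips-v4 and
# /ips-v6 at the time of writing (assumption for this example: re-fetch the live
# lists in production, they change occasionally). Only requests whose TCP peer
# is inside one of these ranges can carry a trustworthy CF-Connecting-IP header.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32",
)]


def _parse_ip(value):
    """Return an ip_address for a valid literal, else None (like FILTER_VALIDATE_IP)."""
    if not value:
        return None
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_from_cloudflare(remote_addr):
    """True when the TCP peer address lies inside a Cloudflare edge range."""
    ip = _parse_ip(remote_addr)
    return ip is not None and any(ip in net for net in CLOUDFLARE_RANGES)


def naive_client_ip(env):
    """The logic of the PHP snippet above: believe whichever header is present.
    Anything reaching the origin directly can forge all three headers."""
    for header in ("HTTP_CF_CONNECTING_IP", "HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR"):
        ip = _parse_ip(env.get(header))
        if ip is not None:
            return str(ip)
    return env["REMOTE_ADDR"]


def trusted_client_ip(env):
    """Hardened variant: honour CF-Connecting-IP only when the peer is a Cloudflare
    edge; otherwise the peer address itself is the client address."""
    remote = env["REMOTE_ADDR"]
    if is_from_cloudflare(remote):
        ip = _parse_ip(env.get("HTTP_CF_CONNECTING_IP"))
        if ip is not None:
            return str(ip)
    return remote


def nginx_real_ip_config():
    """nginx directives doing the same check in the web server: trust the header
    only from the listed peers (assumed to match what cloudflare.conf contains)."""
    lines = [f"set_real_ip_from {net};" for net in CLOUDFLARE_RANGES]
    lines.append("real_ip_header CF-Connecting-IP;")
    return "\n".join(lines)


# Constructed sample requests as CGI/WSGI-style environ dicts (not real traffic).
SAMPLES = {
    # Relayed by a Cloudflare edge: the header is genuine.
    "via_cloudflare": {"REMOTE_ADDR": "104.16.1.1",
                       "HTTP_CF_CONNECTING_IP": "203.0.113.7"},
    # Attacker connects straight to the origin and forges the header.
    "spoofed_cf_header": {"REMOTE_ADDR": "198.51.100.9",
                          "HTTP_CF_CONNECTING_IP": "10.0.0.1"},
    # Direct connection carrying only a forged X-Forwarded-For.
    "spoofed_xff": {"REMOTE_ADDR": "198.51.100.9",
                    "HTTP_X_FORWARDED_FOR": "127.0.0.1"},
    # Edge relay with a malformed header: fall back to the peer address.
    "garbage_header": {"REMOTE_ADDR": "172.64.0.5",
                       "HTTP_CF_CONNECTING_IP": "not-an-ip"},
}

if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(f"{name:18} naive={naive_client_ip(env):15} trusted={trusted_client_ip(env)}")
    print(nginx_real_ip_config())
```

The two spoofed samples are the ones that matter: the naive function reports 10.0.0.1 and 127.0.0.1 (whatever the attacker wrote), while the trusted function reports the real peer 198.51.100.9 in both cases. If your application relies on the PHP snippet for rate limiting, access control or logging, uncomment the cloudflare.conf include anyway so nginx performs this peer check before PHP ever sees REMOTE_ADDR, and consider firewalling the origin so only Cloudflare ranges can reach ports 80 and 443.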