
Cloudflare Setting Up Cloudflare Authenticated Origin Pulls Protecting IP Leaks

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jan 26, 2018.

Thread Status:
Not open for further replies.
  1. eva2000

    For folks using Cloudflare to prevent IP leaks of your backend origin server's IP, it's best to set up and enable Cloudflare Authenticated Origin Pulls as outlined in the Cloudflare blog here.

    Cloudflare Authenticated Origin Pull Info


    Note as per article,

    Cloudflare Authenticated Origin Pull Setup For Centmin Mod Nginx



    To be able to use the Cloudflare Authenticated Origin Pull feature, you need to have a site with Cloudflare Full SSL (not Flexible SSL) enabled, which means the Centmin Mod Nginx origin backend server needs to be HTTPS SSL enabled via either a paid SSL certificate or a Letsencrypt SSL certificate, i.e. using Centmin Mod 123.09beta01 and higher addons/acmetool.sh or via these 2 guides below:
    1. Official Centmin Mod guide for fresh Centmin Mod Nginx HTTP/2 based HTTPS vhost site creation with free Letsencrypt SSL certificates Using Centmin Mod acmetool.sh addon for Nginx HTTP/2 based HTTPS with free Letsencrypt SSL certificates.
    2. Alternative to the guide for existing Centmin Mod Nginx HTTP users wishing to migrate from HTTP to HTTPS at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates.

    You will need to set up the Cloudflare Origin certificate before enabling the Cloudflare Authenticated Origin Pull button in the Crypto tab.


    Obtaining the Cloudflare Authenticated Origin Pull certificate and setting up your domain's Nginx HTTPS vhost config file, i.e. /usr/local/nginx/conf/conf.d/domain.com.ssl.conf, can be done using the SSH commands below, which:
    1. Prompt (read) for the Nginx HTTPS vhost domain name you have with Cloudflare and created on your Centmin Mod based server, i.e. domain.com
    2. Make the directory to save the Cloudflare Authenticated Origin Pull certificate to, /usr/local/nginx/conf/ssl/cloudflare/$vhostname, where $vhostname is a variable that is assigned the domain name you answered at the prompt. Do not replace the $vhostname variable; leave it as is when typing the commands below.
    3. cd - change into that directory
    4. wget - download the Cloudflare Authenticated Origin Pull certificate and save it as origin.crt
    5. The last command outputs the syntax you need to copy and paste into your Nginx HTTPS vhost config file, i.e. /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    Code (Text):
    # prompt for the vhost domain; the answer is stored in $vhostname and reused below
    read -ep "enter vhost domain name you want to setup cloudflare origin pull for: " vhostname ;
    # per-domain directory for the Cloudflare origin-pull CA certificate
    mkdir -p /usr/local/nginx/conf/ssl/cloudflare/$vhostname ;
    cd /usr/local/nginx/conf/ssl/cloudflare/$vhostname ;
    # download Cloudflare's origin-pull CA and save it as origin.crt
    wget https://support.cloudflare.com/hc/en-us/article_attachments/201243967/origin-pull-ca.pem -O origin.crt ;
    # print the two nginx directives to paste into the vhost's .ssl.conf
    echo -e "ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/$vhostname/origin.crt;\nssl_verify_client on;" ;
    

    The last command will output something like below if you entered domain.com at the prompt:
    Code (Text):
    ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
    ssl_verify_client on;
    

    Copy and paste these 2 lines into your /usr/local/nginx/conf/conf.d/domain.com.ssl.conf. You can place them above these lines:
    Code (Text):
      http2_max_field_size 16k;
      http2_max_header_size 32k;
    

    so it becomes
    Code (Text):
      ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
      ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
    

    Restart the nginx server:
    Code (Text):
    ngxrestart
    

    Then go to your Cloudflare dashboard for your domain's Crypto tab and enable the Cloudflare Authenticated Origin Pull button so it's green. When you access your domain, it will give a 400 Bad Request error and an SSL certificate error. Then wait a few minutes and it should resolve itself and you should be able to access your site.
     
  2. eva2000


    Cloudflare Authenticated Origin Pull Certificate Expiry Date



    Also it's important to note that Cloudflare Authenticated Origin Pull certificates have an expiry date as well, so they will need to be renewed, i.e. downloaded and replaced, eventually. For instance, the current Cloudflare Authenticated Origin Pull certificate has a 5yr validity period from its Jan 13, 2015 issuance date, meaning this certificate expires on Jan 12, 2020.
    Code (Text):
    openssl x509 -startdate -enddate -noout -in origin.crt
    notBefore=Jan 13 02:47:53 2015 GMT
    notAfter=Jan 12 02:52:53 2020 GMT
    
     
  3. eva2000

    Updated Centmin Mod 123.09beta01 and higher to include native support in all Nginx vhost auto-generation routines to also download Cloudflare Authenticated Origin Pull certificates for HTTPS SSL nginx vhosts and add the 2 lines required, commented out by default: Beta Branch - update nginx vhost routines cloudflare authenticated origin pull certificates support.

    This means for new 123.09beta01 installs, or existing 123.09beta01 and higher installs updated to the latest code after Jan 27, 2018, enabling Cloudflare Authenticated Origin Pull certs on Centmin Mod generated Nginx vhosts just requires uncommenting the 2 lines below by removing the hash in front.
    Code (Text):
     # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/yourdomain.com/origin.crt;
      #ssl_verify_client on;
    

    to become
    Code (Text):
     # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/yourdomain.com/origin.crt;
      ssl_verify_client on;
    
     
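A verification script, added here and not from the thread or from Centmin Mod, covering the vhost change described in posts 1 and 3 and the certificate expiry concern in post 2: it checks that a .ssl.conf has both directives present and uncommented, and that the downloaded origin.crt is not close to expiry. The sample configs are constructed, and the function names, temp paths and the optional curl check's arguments (origin IP, domain) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Centmin Mod thread: checks the two things an
# Authenticated Origin Pull setup depends on:
#   1. the vhost .ssl.conf has both directives present and not commented out
#   2. the downloaded origin-pull CA (origin.crt) is not close to its expiry date
set -u

# Return 0 when the config enables client-cert verification with a
# ssl_client_certificate path; 1 if either directive is missing or still
# carries the leading '#' from the default Centmin Mod vhost template.
check_vhost_origin_pull() {
  grep -Eq '^[[:space:]]*ssl_client_certificate[[:space:]]+[^#;]+;' "$1" || return 1
  grep -Eq '^[[:space:]]*ssl_verify_client[[:space:]]+on;' "$1" || return 1
}

# Return 0 when the CA file stays valid for at least DAYS more days (default 30).
# openssl's -checkend takes seconds, so no date parsing is needed.
cert_valid_for_days() {
  openssl x509 -checkend $(( ${2:-30} * 86400 )) -noout -in "$1" >/dev/null 2>&1
}

# Optional live check (needs network): a request sent straight to the origin IP,
# bypassing Cloudflare, presents no Cloudflare client certificate and should be
# refused; the thread reports a 400 Bad Request. Arguments: origin IP, domain.
origin_rejects_direct() {
  code=$(curl -sk -o /dev/null -w '%{http_code}' --resolve "$2:443:$1" "https://$2/")
  [ "$code" = "400" ]
}

# Constructed sample configs standing in for
# /usr/local/nginx/conf/conf.d/domain.com.ssl.conf before and after uncommenting.
tmpdir=$(mktemp -d)
cat > "$tmpdir/commented.ssl.conf" <<'EOF'
  # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
  #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
  #ssl_verify_client on;
  http2_max_field_size 16k;
EOF
sed 's/^ *#ssl_/  ssl_/' "$tmpdir/commented.ssl.conf" > "$tmpdir/enabled.ssl.conf"

for conf in commented enabled; do
  if check_vhost_origin_pull "$tmpdir/$conf.ssl.conf"; then
    echo "$conf.ssl.conf: origin pull directives active"
  else
    echo "$conf.ssl.conf: directives missing or still commented out"
  fi
done
```

Run `check_vhost_origin_pull /usr/local/nginx/conf/conf.d/domain.com.ssl.conf` and `cert_valid_for_days /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt 30` against the real paths from the thread; a non-zero exit on the second is the signal to download a fresh origin.crt before the Jan 12, 2020 expiry.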