Cloudflare Setting Up Cloudflare Authenticated Origin Pulls Protecting Your Origins

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jan 26, 2018.

Thread Status:
Not open for further replies.
  1. eva2000

    For folks using Cloudflare to further secure your backend origin server's access, it's best to set up and enable Cloudflare Authenticated Origin Pulls as outlined in the Cloudflare blog here. Once Cloudflare Authenticated Origin Pull certificates are set up and enabled, only Cloudflare will be able to connect to your origin Centmin Mod Nginx server. If someone other than Cloudflare tries to directly connect to your Centmin Mod Nginx server, they will get a 400 Bad Request error message. You may also want to check out how to do custom Cloudflare Nginx logging as well.

    Cloudflare & Centmin Mod Nginx



    Be sure you set up Nginx to pass visitors' real IP onto Nginx. See Getting Started Guide step 5 and set the correct real IP via the nginx module config at http://centminmod.com/nginx_configure_cloudflare.html.

    If using Centmin Mod 123.09beta01 and newer, there's an added tools/csfcf.sh script to aid in this. Details at:
    You just need to set up a cronjob to run
    Code (Text):
    /usr/local/src/centminmod/tools/csfcf.sh auto


    Cloudflare Authenticated Origin Pull Info


    Note as per article,

    Cloudflare Authenticated Origin Pull Setup For Centmin Mod Nginx



    To be able to use the Cloudflare Authenticated Origin Pull feature, you need to have a Cloudflare Full SSL (not Flexible SSL) certificate enabled site, which means the Centmin Mod Nginx origin backend server needs to be HTTPS SSL enabled via either a paid SSL certificate or a Letsencrypt SSL certificate, i.e. using Centmin Mod 123.09beta01 and higher addons/acmetool.sh or via these 2 guides below:
    1. Official Centmin Mod guide for fresh Centmin Mod Nginx HTTP/2 based HTTPS vhost site creation with free Letsencrypt SSL certificates Using Centmin Mod acmetool.sh addon for Nginx HTTP/2 based HTTPS with free Letsencrypt SSL certificates.
    2. Alternative to the guide for existing Centmin Mod Nginx HTTP users wishing to migrate from HTTP to HTTPS at Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates

    You will need to set up the Cloudflare Origin certificate before enabling the Cloudflare Authenticated Origin Pull button in the Crypto tab.


    Obtaining the Cloudflare Authenticated Origin Pull certificate and setting up your domain's Nginx HTTPS vhost config file, i.e. /usr/local/nginx/conf/conf.d/domain.com.ssl.conf, can be done using the SSH commands below, which:
    1. Read - the prompt will ask you for the Nginx HTTPS vhost domain name you have with Cloudflare and created on your Centmin Mod based server, i.e. domain.com
    2. Make the directory to save the Cloudflare Authenticated Origin Pull certificate to, /usr/local/nginx/conf/ssl/cloudflare/$vhostname, where $vhostname is a variable that is assigned the domain name you answered at the prompt. Do not replace the $vhostname variable; leave it as is when typing the commands below.
    3. CD - change into that directory
    4. wget - download the Cloudflare Authenticated Origin Pull certificate and save it as origin.crt
    5. The last command outputs the syntax you need to copy and paste into your Nginx HTTPS vhost config file, i.e. /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    Code (Text):
    # prompt for the vhost domain; the answer is stored in $vhostname for the commands below
    read -ep "enter vhost domain name you want to setup cloudflare origin pull for: " vhostname ;
    # create the per-domain directory for the Cloudflare origin pull CA certificate
    mkdir -p "/usr/local/nginx/conf/ssl/cloudflare/$vhostname" ;
    cd "/usr/local/nginx/conf/ssl/cloudflare/$vhostname" ;
    # download the Cloudflare origin pull CA certificate as origin.crt
    wget https://gist.githubusercontent.com/centminmod/020e3580eb03f1c36ced83b94fe4e1c5/raw/origin.crt -O origin.crt ;
    # print the two nginx directives to paste into the HTTPS vhost config
    echo -e "ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/$vhostname/origin.crt;\nssl_verify_client on;" ;
    

    The last command will output something like below if you entered domain.com at the prompt.
    Code (Text):
    ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
    ssl_verify_client on;
    

    Copy and paste these 2 lines into your /usr/local/nginx/conf/conf.d/domain.com.ssl.conf, so it becomes
    Code (Text):
      ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
      ssl_verify_client on;
    

    Restart nginx server
    Code (Text):
    ngxrestart
    

    Then go to your Cloudflare dashboard for your domain's Crypto tab and enable the Cloudflare Authenticated Origin Pull button so it's green. When you access your domain, it will give a 400 Bad Request error and an SSL certificate error. Then wait a few minutes and it should resolve itself and you should be able to access your site.

     
    Last edited: Mar 8, 2022
  2. eva2000


    Cloudflare Authenticated Origin Pull Certificate Expiry Date



    Also it's important to note that Cloudflare Authenticated Origin Pull certificates have an expiry date as well, so they will need to be renewed - downloaded and replaced - eventually. For instance, the current Cloudflare Authenticated Origin Pull certificate has a 5yr validity period from its Jan 13, 2015 issuance date, meaning this certificate expires on Jan 12, 2020.
    Code (Text):
    openssl x509 -startdate -enddate -noout -in origin.crt
    notBefore=Jan 13 02:47:53 2015 GMT
    notAfter=Jan 12 02:52:53 2020 GMT
    

    So set yourself a reminder

     
    Last edited: May 19, 2018
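As an added example that is not part of eva2000's posts or Centmin Mod's own tools, the POSIX shell script below checks the two things the first two posts describe: whether a vhost config actually has ssl_client_certificate and ssl_verify_client on active (not still commented out), and whether the origin pull CA certificate it points at stays valid for a chosen number of days, using openssl's -checkend option. It assumes the openssl CLI and a sed that supports -E; the /usr/local/nginx/conf/conf.d/*.ssl.conf default matches the Centmin Mod layout in the posts.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own tooling: audit an Nginx HTTPS vhost
# config for Cloudflare Authenticated Origin Pull directives and warn before
# the origin pull CA certificate (origin.crt) expires.

# Return 0 if both directives are present and uncommented, 1 otherwise.
origin_pull_enabled() {
    conf="$1"
    grep -Eq '^[[:space:]]*ssl_client_certificate[[:space:]]+[^[:space:]]+;' "$conf" &&
    grep -Eq '^[[:space:]]*ssl_verify_client[[:space:]]+on;' "$conf"
}

# Print the path given to the (uncommented) ssl_client_certificate directive.
client_cert_path() {
    sed -nE 's/^[[:space:]]*ssl_client_certificate[[:space:]]+([^;[:space:]]+);.*/\1/p' "$1" | head -n 1
}

# Return 0 if the certificate stays valid for at least $2 days (default 30),
# 1 if it expires sooner or has already expired, 2 if the file is unreadable.
cert_valid_for_days() {
    cert="$1"; days="${2:-30}"
    [ -r "$cert" ] || return 2
    openssl x509 -noout -in "$cert" -checkend $((days * 86400)) >/dev/null 2>&1
}

# Audit one vhost config; return 0 only if origin pull is active and the
# certificate is not about to expire.
audit_vhost() {
    conf="$1"; warn_days="${2:-30}"
    if ! origin_pull_enabled "$conf"; then
        echo "$conf: origin pull NOT active (directives missing or commented out)"
        return 1
    fi
    cert=$(client_cert_path "$conf")
    if cert_valid_for_days "$cert" "$warn_days"; then
        echo "$conf: origin pull active, $cert valid for more than $warn_days days"
        return 0
    fi
    echo "$conf: origin pull active, but $cert is missing or expires within $warn_days days"
    return 1
}

# With --all, audit every Centmin Mod HTTPS vhost (layout from the posts above).
if [ "${1:-}" = "--all" ]; then
    for f in /usr/local/nginx/conf/conf.d/*.ssl.conf; do
        audit_vhost "$f" 30
    done
fi
```

Run it from cron with --all so a vhost left with the directives commented out, or an origin.crt about to expire, shows up before Cloudflare's reminder email does.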
  3. eva2000

    Updated Centmin Mod 123.09beta01 and higher to include native support in all Nginx vhost auto generation routines to also download Cloudflare Authenticated Origin Pull certificates for HTTPS SSL nginx vhosts and add the 2 lines required, but commented out by default: Beta Branch - update nginx vhost routines cloudflare authenticated origin pull certificates support.

    This means for new 123.09beta01 installs, or existing 123.09beta01 and higher installs updated to the latest code after Jan 27, 2018, enabling Cloudflare Authenticated Origin Pull certs on Centmin Mod generated Nginx vhosts just requires uncommenting the 2 lines below by removing the hash in front.
    Code (Text):
     # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/yourdomain.com/origin.crt;
      #ssl_verify_client on;
    

    to become
    Code (Text):
     # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/yourdomain.com/origin.crt;
      ssl_verify_client on;
    
     
  4. eva2000

    Centmin Mod 123.09beta01 updated to add a tool and cronjob to handle Cloudflare Authenticated Origin Pull certificates expiry and renewal updates. Details at https://community.centminmod.com/th...cated-origin-pull-cert-in-123-09beta01.18881/

    To update, run cmupdate and then run the centmin.sh menu once and exit the menu.

    Example
    Code (Text):
    /usr/local/src/centminmod/tools/cf-authenticated-origin-cert-update.sh update
    ------------------------------
    domain.com cloudflare authenticated origin cert expires in 23 days on 12 Jan 2020
    updating domain.com cloudflare authenticated origin cert
    at /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt
    succesfully updated /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt
    domain.com cloudflare authenticated origin cert now expires in 3604 days on 1 Nov 2029
    

    If using Cloudflare, you may get an email reminding you of the expiry, which the above updated cronjob tool will take care of.
     
    Last edited: Dec 19, 2019