[SSL] Cloudflare SSL Issue: Handshake Failure with CF behind Centmin proxy server

Discussion in 'System Administration' started by aditbaco, Oct 31, 2021.

  1. aditbaco (New Member; joined Aug 29, 2021; Nginx 1.17.x, MariaDB 10.0.x)
    I currently have the following setup:

    Client > Cloudflare with authenticated origin pull active > Centminmod as reverse proxy server > backend server

    Within my centmin reverse proxy server I only added a .conf manually with the config below (WITHOUT centmin option 2):

    Code:
    #x# HTTPS-DEFAULT
    server {
      listen 80;
      server_name subdomain.domain.com www.subdomain.domain.com;
      include /usr/local/nginx/conf/cloudflare.conf;

      location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://192.168.2.10;
        proxy_read_timeout 90;
        proxy_buffering off;
        proxy_redirect http://192.168.2.10 http://subdomain.domain.com;
      }
    }

    server {
      listen 443 ssl http2;
      server_name subdomain.domain.com www.subdomain.domain.com;
      include /usr/local/nginx/conf/cloudflare.conf;

      location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass https://192.168.2.105;
        proxy_read_timeout 90;
        proxy_buffering off;
        proxy_redirect https://192.168.2.10 https://subdomain.domain.com;
      }
    }
    
    I successfully set up my backend server to get the visitor's real IP by following this thread.

    My problem is that even though I can reach my server via HTTP, HTTPS fails with
    My backend vhost conf is as below:
    Code:
    #x# HTTPS-DEFAULT
     server {
    
       server_name subdomain.domain.com www.subdomain.domain.com;
       return 302 https://subdomain.domain.com$request_uri;
       root /home/nginx/domains/subdomain.domain.com/public;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    
    server {
      listen 443 ssl http2;
      server_name subdomain.domain.com www.subdomain.domain.com;
    
      include /usr/local/nginx/conf/ssl/subdomain.domain.com/subdomain.domain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/subdomain.domain.com/origin.crt;
      ssl_verify_client on;
    
    
    
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/subdomain.domain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/subdomain.domain.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/subdomain.domain.com/autoprotect-subdomain.domain.com.conf;
      root /home/nginx/domains/subdomain.domain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/php.conf;
    
      include /usr/local/nginx/conf/pre-staticfiles-local-subdomain.domain.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    And if I try to issue a Let's Encrypt certificate on my backend server (via acmetools.sh > Issue SSL Cert Live HTTPS Default) it gives this error:

    Could anyone point me in the right direction as to why HTTPS cannot be accessed?

    Thank you so much in advance.

     
  2. eva2000 (Administrator, Staff Member; joined May 24, 2014; Brisbane, Australia; Nginx 1.27.x, MariaDB 10.x/11.4+)
    what and where is backend server hosted? Is it a non-Centmin Mod Nginx backend server? Or is it a Centmin Mod Nginx vhost server for subdomain.domain.com that is on same server as Centmin Mod Nginx reverse proxy? or different server?

    I don't think you can use Cloudflare Authenticated Origin Pull on the nginx backend if Cloudflare isn't the direct communicating server/reverse proxy, i.e. Cloudflare edge -> nginx backend OK, but Cloudflare edge -> nginx reverse proxy -> nginx backend NOT OK, as your nginx reverse proxy isn't passing the client TLS certificate for your backend to verify the Cloudflare Authenticated Origin Pull cert. So remove
    Code (Text):
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/subdomain.domain.com/origin.crt;
      ssl_verify_client on;
    
     
  3. eva2000 (Administrator, Staff Member)
    Also, your nginx reverse proxy vhost config needs an SSL certificate and settings defined just like a normal SSL nginx vhost.
     
  4. aditbaco (New Member)
    Yes, my backend server also uses Centminmod. It is a different server. It is hosted locally behind a MikroTik router with a dedicated public IP. Here is the complete topology:

    INTERNET
    |
    Mikrotik Router (Public IP 12.34.56.78 - subnet 192.168.0.0/16)
    |
    Centmin Nginx Reverse Proxy (192.168.1.5)
    |
    Centmin Backend Server (192.168.3.5)

    Ok, I will try to remove those lines.

    So basically, I set up a vhost using centmin menu #2 on my reverse proxy server using the domains that are supposed to belong to my backend server, and add the proxy redirect config, right? And set the reverse proxy server to use the CF authenticated origin pull cert? OK, I will try this too.

    And what about the backend server? Because right now, I'm using a centmin #2 vhost on my backend only. Do I need to generate a self-signed SSL cert and LE as well while at it?

    So, in short, you suggested that I create an LE SSL cert via centmin menu 2 on both the reverse proxy and the backend server, both pointing to the exact same subdomain.domain.com? Is that even possible?

    Or do I only need a self-signed cert on my backend server and enable the authenticated origin pull cert directive in my reverse proxy?
     
    Last edited: Nov 1, 2021
  5. eva2000 (Administrator, Staff Member)
    Need SSL certificate + authenticated origin pull cert on at least the reverse proxy - the Cloudflare edge server will only see your reverse proxy as the origin server.
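    Putting the three replies above together, here is an added example of how the two hops would be laid out (this is not the poster's config and not the vhost that Centmin Mod menu 2 generates). The point it shows: the reverse proxy is the only origin Cloudflare ever connects to, so it is the hop that needs a real certificate for subdomain.domain.com and the Authenticated Origin Pull client-certificate check; the backend is only ever contacted by the proxy, which does not hold Cloudflare's client key, so ssl_verify_client must not be set there and the backend is protected by source-address checks and by the proxy verifying the backend's certificate instead. The certificate paths, the backend trust-store file and the 192.168.1.5 / 192.168.3.5 addresses from the topology post are assumptions; adjust them to your own layout.

```nginx
# ---- Reverse proxy (192.168.1.5): the only origin Cloudflare ever talks to ----
server {
    listen 80;
    server_name subdomain.domain.com www.subdomain.domain.com;
    # Never serve the site over plain HTTP on this hop; send everything to HTTPS
    return 301 https://subdomain.domain.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name subdomain.domain.com www.subdomain.domain.com;

    # 1. A server certificate for the hostname, or Cloudflare's own handshake to
    #    the proxy fails. Paths are an assumption; use whatever acmetool.sh issued.
    ssl_certificate     /usr/local/nginx/conf/ssl/subdomain.domain.com/subdomain.domain.com-acme.cer;
    ssl_certificate_key /usr/local/nginx/conf/ssl/subdomain.domain.com/subdomain.domain.com-acme.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # 2. Authenticated Origin Pull belongs on THIS hop: Cloudflare presents its
    #    client certificate to the proxy, so the proxy is where it is verified.
    ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/subdomain.domain.com/origin.crt;
    ssl_verify_client      on;

    # Restore the visitor IP from CF-Connecting-IP (Centmin Mod's cloudflare.conf)
    include /usr/local/nginx/conf/cloudflare.conf;

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # 3. Second hop to the backend over TLS. Cloudflare plays no part here, so
        #    the proxy verifies the backend's certificate itself instead of mTLS.
        proxy_pass https://192.168.3.5;
        proxy_ssl_protocols   TLSv1.2 TLSv1.3;
        proxy_ssl_server_name on;                   # send SNI to the backend ...
        proxy_ssl_name        subdomain.domain.com; # ... and match the cert on the name, not the IP
        proxy_ssl_verify      on;
        # Assumed file: the backend's self-signed cert (or its issuing CA) in PEM form
        proxy_ssl_trusted_certificate /usr/local/nginx/conf/ssl/backend/subdomain.domain.com-backend.crt;

        proxy_read_timeout 90;
        proxy_buffering    off;
        proxy_redirect https://192.168.3.5 https://subdomain.domain.com;
    }
}

# ---- Backend (192.168.3.5): reachable from the reverse proxy only ----
server {
    listen 443 ssl http2;
    server_name subdomain.domain.com www.subdomain.domain.com;

    # A self-signed cert is enough here; the proxy above pins it explicitly.
    ssl_certificate     /usr/local/nginx/conf/ssl/subdomain.domain.com/subdomain.domain.com.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/subdomain.domain.com/subdomain.domain.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # NO ssl_client_certificate / ssl_verify_client on this hop: the TLS client
    # here is the proxy, which cannot present Cloudflare's certificate, so
    # verification would reject every request.

    # Trust X-Real-IP only when it comes from the proxy, so $remote_addr and the
    # access log show the visitor rather than 192.168.1.5.
    set_real_ip_from 192.168.1.5;
    real_ip_header   X-Real-IP;

    # Restrict the source to the proxy. The realip module rewrites $remote_addr
    # before the access phase, so "allow 192.168.1.5; deny all;" would deny the
    # rewritten visitor address; test the TCP peer ($realip_remote_addr) instead.
    if ($realip_remote_addr != 192.168.1.5) {
        return 403;
    }

    root /home/nginx/domains/subdomain.domain.com/public;
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/staticfiles.conf;
}
```

    Two checks go with this. First, Authenticated Origin Pulls has to be switched on for the zone in the Cloudflare dashboard and the SSL mode set to Full (strict), otherwise the edge never sends a client certificate and the proxy returns its 400 "No required SSL certificate was sent" page for every request. Second, from inside the LAN, `curl -kv --resolve subdomain.domain.com:443:192.168.1.5 https://subdomain.domain.com/` should now complete the TLS handshake and receive that same 400 page, because nginx rejects a missing client certificate at the HTTP layer rather than in the handshake; a genuine handshake failure at this point means the ssl_certificate/ssl_certificate_key pair or protocol settings on the proxy are still wrong, not the origin-pull check.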
     
  6. aditbaco (New Member)
    Alright, thank you for the advice Eva. I will try to set it up, then I'll update you later. Cheers ;)