
SSL thing set up. It works. But is it really secure? Or did I miss something important?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by modder, Mar 3, 2020.

  1. modder

    I just followed the information here piece by piece. And it actually works, even though most of the time I have no idea what I'm doing.

    The problem is... there is much more information that I couldn't follow because I was kind of lost.

    Software: CentOS 7. latest beta CentminMOD.

    DNS: Cloudflare Full (strict), HTTPS only, Auto HTTPS rewrites, TLS 1.3 enabled, Origin Cert created (CRT and KEY codes) using ECDSA, Authenticated Origin Pulls enabled

    My server:
    1) vhost created, SSL applied
    2) /usr/local/nginx/conf/conf.d/mydomain.com.conf renamed to mydomain.com.conf-disabled
    3) uncommented the following lines in mydomain.com.ssl.conf
    server {
        listen 80;
        server_name mydomain.com www.mydomain.com;
        return 301 https://$server_name$request_uri;
    }


    Show real IP of visitors instead of those from Cloudflare:

    i. Uncomment the following line in /usr/local/nginx/conf/nginx.conf
    include /usr/local/nginx/conf/cloudflare.conf;
    ii. Run the following command:
    /usr/local/src/centminmod/tools/csfcf.sh auto

    Configure Cloudflare Authenticated Origin Pull:

    Run the commands:

    a) read -ep "enter vhost domain name you want to setup cloudflare origin pull for: " vhostname ;
    b) mkdir -p /usr/local/nginx/conf/ssl/cloudflare/$vhostname ;
    c) cd /usr/local/nginx/conf/ssl/cloudflare/$vhostname ;
    d) wget https://support.cloudflare.com/hc/en-us/article_attachments/360044928032/origin-pull-ca.pem -O origin.crt ;
    e) echo -e "ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/$vhostname/origin.crt;\nssl_verify_client on;" ;

    Uncommented the following lines in /usr/local/nginx/conf/conf.d/mydomain.com.ssl.conf:

    ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/mydomain.com/origin.crt;
    ssl_verify_client on;

    Replace the content of the 2 files mydomain.com.crt and mydomain.com.key in directory /usr/local/nginx/conf/ssl/mydomain.com with the CRT and KEY codes generated above (see DNS above).

    Lastly, ngxrestart. The website shows SSL protected with the cert like below:

    [screenshot attachment]

    Cloudflare showing this:

    [screenshot attachment]

    So am I doing the best I can? Or is there something else I can do for better security and performance?

    Thank you!
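A way to check that the Authenticated Origin Pull steps above actually took effect on the origin, as an added example that is not part of the thread or of Centmin Mod itself. It audits a vhost file for the three things that matter: `ssl_verify_client on;` really uncommented, the `ssl_client_certificate` CA file present and readable, and the port-80 block redirecting rather than serving content. The sample vhost fragments and the placeholder CA file are constructed inline; mydomain.com is the thread's own placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): audit an nginx *.ssl.conf vhost for the
# Authenticated Origin Pull settings the steps above enable. Exit 0 = all pass.
audit_origin_pull() {
    conf="$1"; fail=0
    # Drop nginx comments first, so a still-commented "#ssl_verify_client on;"
    # (the "Uncommented the following lines" step) is not mistaken for enabled.
    active=$(sed 's/#.*$//' "$conf")
    # 1. Without ssl_verify_client on, a client that reaches the origin IP
    #    directly is served without presenting a Cloudflare-signed certificate.
    if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*ssl_verify_client[[:space:]]+on[[:space:]]*;'; then
        echo "FAIL: ssl_verify_client is not 'on'"; fail=1
    fi
    # 2. The CA bundle (origin.crt downloaded in step d) must be named and readable.
    ca=$(printf '%s\n' "$active" | sed -nE 's/^[[:space:]]*ssl_client_certificate[[:space:]]+([^;]+);.*/\1/p' | head -n1)
    if [ -z "$ca" ]; then
        echo "FAIL: ssl_client_certificate directive missing"; fail=1
    elif [ ! -r "$ca" ]; then
        echo "FAIL: CA file '$ca' is not readable by this user"; fail=1
    fi
    # 3. The port-80 server block must redirect, never serve content, or the
    #    client-certificate check on 443 is irrelevant for plain-HTTP requests.
    if ! printf '%s\n' "$active" | grep -Eq 'return[[:space:]]+301[[:space:]]+https://'; then
        echo "FAIL: no 301 redirect to https:// found"; fail=1
    fi
    return $fail
}
# Constructed sample vhost: $1 = "enabled" or "commented", $2 = CA file path.
# Writes a temp file and prints its path.
make_sample_conf() {
    f=$(mktemp); pfx=""; [ "$1" = commented ] && pfx="#"
    cat > "$f" <<EOF
server {
    listen 80;
    server_name mydomain.com www.mydomain.com;
    return 301 https://\$server_name\$request_uri;
}
server {
    listen 443 ssl http2;
    server_name mydomain.com www.mydomain.com;
    ${pfx}ssl_client_certificate $2;
    ${pfx}ssl_verify_client on;
}
EOF
    echo "$f"
}
# Stand-alone demo: an empty placeholder file stands in for the real origin.crt.
CA_FILE=$(mktemp)
audit_origin_pull "$(make_sample_conf enabled "$CA_FILE")" && echo "enabled config: OK"
audit_origin_pull "$(make_sample_conf commented "$CA_FILE")" || echo "commented config: rejected as expected"
```

To audit the real vhost, run `audit_origin_pull /usr/local/nginx/conf/conf.d/mydomain.com.ssl.conf` after sourcing the script; it reads only the file and never touches the network.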
     
  2. eva2000

    Looks good to me.

    As to CF reporting "None not secure": it would be reporting any DNS-record-pointed sites which do not have the orange cloud proxy enabled (grey cloud), AFAIK. But your domain on Cloudflare would be secure HTTPS protocol-wise.