
Install Trying to use Cloudflare HTTPS with Centminmod

Discussion in 'Install & Upgrades or Pre-Install Questions' started by Cervent, Nov 25, 2017.

  1. Cervent

    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.11.10
    • PHP Version Installed: 7.1.12
    • MariaDB MySQL Version Installed: i.e. 10.0.21 or 10.1.21
    • When was last time updated Centmin Mod code base ? : New install today
    Just set up a Linode instance and installed the beta version of Centminmod via this command:

    Code:
    yum -y update; curl -O https://centminmod.com/betainstaller.sh && chmod 0700 betainstaller.sh && bash betainstaller.sh
    After which I installed Wordpress using option 22. Once everything was completed and I confirmed I could access my new server using its domain name, I changed the nameservers on the domain to use Cloudflare.

    DNS has updated and I'm able to access the site just fine but now I'd like to use HTTPS via Cloudflare.

    In Cloudflare, SSL is set to Full, but when I type in https://domainnamehere.com I get a "This site can’t be reached" error in my browser.

    Are there any other settings I need to configure in Cloudflare and/or Centminmod to enable the use of HTTPS?
     
  2. eva2000

    If you use a reverse proxy like Cloudflare, Sucuri, or Incapsula in front of Centmin Mod Nginx, you need to set up nginx realip to be passed onto Nginx.

    See Getting Started Guide step 5 and setting correct real ip via nginx module config at http://centminmod.com/nginx_configure_cloudflare.html.

    If using Centmin Mod 123.09beta01 and newer, there's an added tools/csfcf.sh script to aid in this. Details at:
    You just need to set up a cronjob to run
    Code (Text):
    /usr/local/src/centminmod/tools/csfcf.sh auto

    and ensure your nginx.conf http{} context has the include file /usr/local/nginx/conf/cloudflare.conf and/or your individual nginx vhost's server contexts have the same include file
    Code (Text):
    http {
    map_hash_bucket_size 128;
    map_hash_max_size 2048;
    server_names_hash_bucket_size 128;
    server_names_hash_max_size 2048;
    
    limit_req_zone $binary_remote_addr zone=xwplogin:16m rate=40r/m;
    #limit_conn_zone $binary_remote_addr zone=xwpconlimit:16m;
    
    more_set_headers "Server: nginx centminmod";
    more_set_headers "X-Powered-By: centminmod";
    
    include /usr/local/nginx/conf/cloudflare.conf;
    include /usr/local/nginx/conf/maintenance.conf;
    include /usr/local/nginx/conf/vts_http.conf;
    include /usr/local/nginx/conf/geoip.conf;
    #include /usr/local/nginx/conf/pagespeedadmin.conf;
    include /usr/local/nginx/conf/fastcgi_param_https_map.conf;

    Then restart nginx server via command shortcut
    Code (Text):
    ngxrestart

    or
    Code (Text):
    service nginx restart
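    The realip include that the csfcf.sh cronjob keeps current can be illustrated with an added stand-alone script (example code written for this page, not Centmin Mod's csfcf.sh): it renders Cloudflare's published edge ranges into set_real_ip_from directives and checks that the include line in nginx.conf or a vhost is really uncommented. The Cloudflare list URLs and the ngx_http_realip_module directives are assumptions about the environment; the cloudflare.conf path and the ngxrestart shortcut are the ones named in this post.

```shell
#!/usr/bin/env bash
# Added example, not Centmin Mod's tools/csfcf.sh: render Cloudflare's published
# edge ranges into the realip include nginx needs to see the visitor IP rather
# than Cloudflare's, and verify the include line is really uncommented.
# Assumes ngx_http_realip_module is compiled in and curl can reach cloudflare.com.
set -u -o pipefail

CF_CONF=/usr/local/nginx/conf/cloudflare.conf    # path the thread's nginx.conf includes
CF_LISTS='https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6'

# Render newline-separated CIDR ranges (stdin) as realip directives. Any entry
# with characters outside plain CIDR syntax aborts the run, so a corrupted
# download cannot smuggle arbitrary directives into nginx's configuration.
render_realip_conf() {
  local cidr n=0
  echo '# Cloudflare edge ranges trusted to supply the real client IP'
  while IFS= read -r cidr; do
    [ -z "$cidr" ] && continue
    case "$cidr" in
      *[!0-9a-fA-F:./]*) echo "malformed entry: $cidr" >&2; return 1 ;;
    esac
    echo "set_real_ip_from $cidr;"
    n=$((n + 1))
  done
  [ "$n" -gt 0 ] || { echo 'empty IP list, refusing to write' >&2; return 1; }
  echo 'real_ip_header CF-Connecting-IP;'   # header Cloudflare sets to the visitor IP
}

# Download both lists; add a newline after each so the last v4 entry and the
# first v6 entry cannot run together.
fetch_lists() {
  local url
  for url in $CF_LISTS; do
    curl -sfS "$url" || return 1
    echo
  done
}

# Write CF_CONF only when the whole fetch-and-render pipeline succeeded.
update_cloudflare_conf() {
  local tmp
  tmp=$(mktemp) || return 1
  if fetch_lists | render_realip_conf > "$tmp"; then
    mv "$tmp" "$CF_CONF" && echo "wrote $CF_CONF"
  else
    rm -f "$tmp"; return 1
  fi
}

# True when <conf file> carries an uncommented "include <path>;" ("-" reads stdin).
has_include() {
  grep -Ev '^[[:space:]]*#' "$1" | grep -Fq "include $2;"
}

# Constructed samples (two ranges from Cloudflare's list, and the commented-out
# include from the vhost posted later in this thread) for offline use.
SAMPLE_CIDRS='173.245.48.0/20
2400:cb00::/32'
SAMPLE_VHOST='server {
  root /home/nginx/domains/MYDOMAIN.com/public;
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;
}'

if [ "${1:-}" = "--update" ]; then
  update_cloudflare_conf && ngxrestart   # ngxrestart is the Centmin Mod shortcut from the thread
elif [ $# -eq 2 ]; then    # usage: script.sh <conf file> <include path>
  has_include "$1" "$2" && echo "$1 includes $2" || echo "$1 does NOT include $2"
fi
```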
     
  3. Cervent

    Hey @eva2000 I've run the following command:
    Code:
    /usr/local/src/centminmod/tools/csfcf.sh auto
    Then uncommented the following lines in my nginx.conf file, as the others you mentioned above were already uncommented:
    Code:
    include /usr/local/nginx/conf/cloudflare.conf;
    include /usr/local/nginx/conf/vts_http.conf;
    After restarting NGINX and trying https://mydomain.com/ - I'm getting an "Error 502 Bad Gateway" from Cloudflare.

    At least I'm getting a bit closer but not there yet :(

     
  4. JarylW

    Sounds like this is the problem. When using the menu option #22, did you choose to create a self-signed cert and/or provision LetsEncrypt? If your origin (i.e. your linode VPS that has centminmod installed) is not HTTPS, you can't select full ssl, you should be selecting flexible ssl in Cloudflare.

    See: https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean
     
  5. eva2000

    uncomment the one in your nginx vhost domain.com.conf and domain.com.ssl.conf, not nginx.conf

    but 502 errors are related to cloudflare saying they can't connect to the backend (centmin mod) because it's down or unavailable

    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via the /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get output of the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    what is the output of these commands in ssh
    Code (Text):
    curl -Iv https://domain.com
    

    Code (Text):
    curl -Iv https://www.domain.com
    

    Code (Text):
    curl -Iv http://domain.com
    

    Code (Text):
    curl -Iv http://www.domain.com
    

    wrap output in CODE tags

    then to check output bypassing cloudflare with your real ip, replacing 123.123.123.123 with your real server IP (you can mask it for public posting here though)

    Code (Text):
    curl -sIvk https://123.123.123.123 --header "Host: domain.com"
    

    Code (Text):
    curl -sIvk https://123.123.123.123 --header "Host: www.domain.com"
    

    Code (Text):
    curl -sIvk http://123.123.123.123 --header "Host: domain.com"
    

    Code (Text):
    curl -sIvk http://123.123.123.123 --header "Host: www.domain.com"
    
     
  6. Cervent

    No I did not create a self-signed cert since I was planning on using Cloudflare.

    Changing the cloudflare settings from Full to Flexible allows the site to load but the green padlock is missing in the browser.

    ----

    @eva2000 here is the output of everything I think you've asked for.

    /usr/local/nginx/conf/conf.d/MYDOMAIN.com.conf

    Code:
    # must read http://centminmod.com/getstarted.html
    # redirect from non-www to www
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    #server {
    #listen   80;
    #server_name MYDOMAIN.com;
    #return 301 $scheme://www.MYDOMAIN.com$request_uri;
    #}
    server {
      server_name MYDOMAIN.com www.MYDOMAIN.com;
      # ngx_pagespeed & ngx_pagespeed handler
      #include /usr/local/nginx/conf/pagespeed.conf;
      #include /usr/local/nginx/conf/pagespeedhandler.conf;
      #include /usr/local/nginx/conf/pagespeedstatslog.conf;
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      # limit_conn limit_per_ip 16;
      # ssi  on;
      access_log /home/nginx/domains/MYDOMAIN.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/MYDOMAIN.com/log/error.log;
      include /usr/local/nginx/conf/autoprotect/MYDOMAIN.com/autoprotect-MYDOMAIN.com.conf;
      root /home/nginx/domains/MYDOMAIN.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
      #include /usr/local/nginx/conf/wpincludes/MYDOMAIN.com/wpcacheenabler_MYDOMAIN.com.conf;
      include /usr/local/nginx/conf/wpincludes/MYDOMAIN.com/wpsupercache_MYDOMAIN.com.conf;
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/wpincludes/MYDOMAIN.com/rediscache_MYDOMAIN.com.conf;
      location / {
        include /usr/local/nginx/conf/503include-only.conf;
        # Enables directory listings when index file not found
        #autoindex  on;
        # for wordpress super cache plugin
        try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
        # for wp cache enabler plugin
        #try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;
        # Wordpress Permalinks
        #try_files $uri $uri/ /index.php?q=$uri&$args;
        # Nginx level redis Wordpress
        # https://community.centminmod.com/posts/18828/
        #try_files $uri $uri/ /index.php?$args;
      }
      location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        auth_basic "Private";
        auth_basic_user_file /home/nginx/domains/MYDOMAIN.com/htpasswd_wplogin;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
      }
      location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
      }
      include /usr/local/nginx/conf/wpincludes/MYDOMAIN.com/wpsecure_MYDOMAIN.com.conf;
      include /usr/local/nginx/conf/php-wpsc.conf;
      include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    curl -Iv https://domain.com
    Code:
    curl -sIvk https://50.116.140.46 --header "Host: www.MYDOMAIN.com"
    curl -sIvk http://50.116.140.46 --header "Host: MYDOMAIN.com"
    curl -sIvk http://50.116.140.46 --header "Host: www.MYDOMAIN.com"
    * About to connect() to 50.116.140.46 port 443 (#0)
    *   Trying 50.116.140.46...
    * Connection refused
    * Failed connect to 50.116.140.46:443; Connection refused
    * Closing connection 0
    curl -Iv https://www.domain.com
    Code:
    * About to connect() to 50.116.140.46 port 443 (#0)
    *   Trying 50.116.140.46...
    * Connection refused
    * Failed connect to 50.116.140.46:443; Connection refused
    * Closing connection 0
    curl -Iv http://domain.com
    Code:
    * About to connect() to 50.116.140.46 port 80 (#0)
    *   Trying 50.116.140.46...
    * Connected to 50.116.140.46 (50.116.140.46) port 80 (#0)
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Accept: */*
    > Host: MYDOMAIN.com
    >
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    < Date: Sat, 25 Nov 2017 01:38:25 GMT
    Date: Sat, 25 Nov 2017 01:38:25 GMT
    < Content-Type: text/html; charset=UTF-8
    Content-Type: text/html; charset=UTF-8
    < Connection: keep-alive
    Connection: keep-alive
    < Vary: Accept-Encoding
    Vary: Accept-Encoding
    < Link: <http://MYDOMAIN.com/wp-json/>; rel="https://api.w.org/"
    Link: <http://MYDOMAIN.com/wp-json/>; rel="https://api.w.org/"
    < Server: nginx centminmod
    Server: nginx centminmod
    < X-Powered-By: centminmod
    X-Powered-By: centminmod
    <
    * Connection #0 to host 50.116.140.46 left intact
    curl -Iv http://www.domain.com
    Code:
    * About to connect() to 50.116.140.46 port 80 (#0)
    *   Trying 50.116.140.46...
    * Connected to 50.116.140.46 (50.116.140.46) port 80 (#0)
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Accept: */*
    > Host: www.MYDOMAIN.com
    >
    < HTTP/1.1 301 Moved Permanently
    HTTP/1.1 301 Moved Permanently
    < Date: Sat, 25 Nov 2017 01:38:27 GMT
    Date: Sat, 25 Nov 2017 01:38:27 GMT
    < Content-Type: text/html; charset=UTF-8
    Content-Type: text/html; charset=UTF-8
    < Connection: keep-alive
    Connection: keep-alive
    < Location: http://MYDOMAIN.com/
    Location: http://MYDOMAIN.com/
    < Server: nginx centminmod
    Server: nginx centminmod
    < X-Powered-By: centminmod
    X-Powered-By: centminmod
    <
    * Connection #0 to host 50.116.140.46 left intact
     
  7. eva2000

    to get proper output use the cat command for /usr/local/nginx/conf/conf.d/MYDOMAIN.com.conf
    Code (Text):
    cat /usr/local/nginx/conf/conf.d/MYDOMAIN.com.conf
    

    which outputs the contents so you can highlight, copy and paste keeping the formatting in place
    if you didn't set up centmin mod nginx with HTTPS itself then cloudflare needs to be set to flexible ssl. You only set cloudflare full ssl if you have a centmin mod nginx domain site with HTTPS via letsencrypt set up

    the curl header checks for HTTPS confirm that you do not have an nginx domain with HTTPS, as the curl header checks for the https version return connection refused

    so to get things to work with a non-https nginx site, just leave cloudflare as flexible ssl and install cloudflare's official wordpress plugin from the plugin directory

    As to the padlock, it's due to a mixed content issue, so you need to adjust your web app and/or web site style itself; see What Is Mixed Content? - KeyCDN Support
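    The Flexible-versus-Full decision eva2000 reads off the curl checks can be automated with an added script (example code written for this page, not from the thread or from Centmin Mod): it classifies a curl -Iv transcript and maps the port 443 and port 80 results to the Cloudflare mode that will not leave Cloudflare unable to reach the backend. The embedded transcripts are constructed from the output posted above, with the origin IP replaced by the 123.123.123.123 placeholder used earlier in the thread.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or Centmin Mod: decide between Cloudflare
# Flexible and Full SSL from the curl -Iv origin probes used in this thread.
# Flexible: Cloudflare -> origin over plain HTTP (no TLS listener on the origin).
# Full:     Cloudflare -> origin over HTTPS (origin must answer on 443, otherwise
#           Cloudflare cannot reach the backend and serves a 502).
set -u

# Classify one curl -Iv transcript read from stdin:
#   refused  - TCP connect rejected, nothing is listening on that port
#   answered - an HTTP status line came back
#   unknown  - anything else (timeout, DNS failure, empty input)
classify_probe() {
  local transcript
  transcript=$(cat)
  if printf '%s\n' "$transcript" | grep -q 'Connection refused'; then
    echo refused
  elif printf '%s\n' "$transcript" | grep -Eq '^(< )?HTTP/[0-9.]+ [0-9]{3}'; then
    echo answered
  else
    echo unknown
  fi
}

# Map the 443 and 80 probe results to a Cloudflare SSL mode.
recommend_ssl_mode() {
  local https_result=$1 http_result=$2
  case "$https_result:$http_result" in
    answered:*)       echo Full ;;      # origin speaks HTTPS, so Full is safe
    refused:answered) echo Flexible ;;  # HTTP only; Full would 502 at Cloudflare
    *)                echo down ;;      # neither port answers: fix the origin first
  esac
}

# Probe the origin directly, bypassing Cloudflare with the Host header, using
# the same curl -sIvk form as the thread. Usage: probe_origin <origin ip> <domain>
probe_origin() {
  local ip=$1 host=$2 https_r http_r
  https_r=$(curl -sIvk --max-time 10 "https://$ip" --header "Host: $host" 2>&1 | classify_probe)
  http_r=$(curl -sIv --max-time 10 "http://$ip" --header "Host: $host" 2>&1 | classify_probe)
  printf '443:%s 80:%s -> Cloudflare SSL mode: %s\n' "$https_r" "$http_r" \
    "$(recommend_ssl_mode "$https_r" "$http_r")"
}

# Constructed transcripts taken from the output posted in this thread, with the
# origin IP swapped for the thread's 123.123.123.123 placeholder, for offline use.
SAMPLE_443='* About to connect() to 123.123.123.123 port 443 (#0)
*   Trying 123.123.123.123...
* Connection refused
* Failed connect to 123.123.123.123:443; Connection refused
* Closing connection 0'
SAMPLE_80='* Connected to 123.123.123.123 (123.123.123.123) port 80 (#0)
> HEAD / HTTP/1.1
< HTTP/1.1 200 OK
< Server: nginx centminmod'

if [ $# -eq 2 ]; then
  probe_origin "$1" "$2"
else
  r443=$(printf '%s\n' "$SAMPLE_443" | classify_probe)
  r80=$(printf '%s\n' "$SAMPLE_80" | classify_probe)
  echo "sample 443:$r443 80:$r80 -> Cloudflare SSL mode: $(recommend_ssl_mode "$r443" "$r80")"
fi
```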
     
  8. Cervent

    Okay all is good now, after redoing it with Lets Encrypt. The site is loading via HTTPS and I have a pretty green padlock.

    I'm hoping this is my last question... how do I redirect non-www to www.MYDOMAIN.com? I have edited my file: MYDOMAIN.ssl.conf under /usr/local/nginx/conf/conf.d/ and un-commented the first server {} so that it reads:
    Code:
    server_name MYDOMAIN.com www.MYDOMAIN.com;
    return 302 https://www.$server_name$request_uri;
     
  9. eva2000

    Posted at centminmod.com/nginx_domain_dns_setup.html#httpsredirect

    key to testing is using a 302 temp redirect first in a private incognito browser session, otherwise the problems you experience may end up being due to browser caching of 301 permanent redirects unless you clear browser cache and reboot local computer(s), and even then some web browsers don't let go of 301 permanent redirect browser cache that willingly :)

     
  10. Cervent

    Hey @eva2000 do I need to add that code you mentioned to the top of my config file in addition to what is already at the top?

    Here is the top of my MYDOMAIN.com.ssl.conf
    Code:
    #x# HTTPS-DEFAULT
     server {
         server_name MYDOMAIN.com www.MYDOMAIN.com;
         return 302 https://MYDOMAIN.com$request_uri;
         include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
        listen 443 ssl http2;
        server_name MYDOMAIN.com www.MYDOMAIN.com;
        include /usr/local/nginx/conf/ssl/MYDOMAIN.com/MYDOMAIN.com.crt.key.conf;
        include /usr/local/nginx/conf/ssl_include.conf;
        http2_max_field_size 16k;
        http2_max_header_size 32k;
    The only other files I have under the conf.d folder are demodomain.com.conf and virtual.conf
     
  11. JarylW

    The code he gave you is to do 302 redirect from non-https to https. You can do it (optionally) if you wish to enforce https on your site.

    302 is for a temporary redirect, like @eva2000 suggested to use for testing purposes. Once you've confirmed it works you can do a permanent 301 redirect.

    I do the same for some customer sites that are using cloudflare, except I do it at edge level using cloudflare page rules. If you are using cloudflare proxying (orange colour cloud in cloudflare panel) and wish to redirect http traffic to https, I recommend you do it too because it is more performant.

    Edit: sorry @eva2000 for hijacking your reply :p
     
  12. Cervent

    Oh I'm sorry I wasn't clear. I'm not trying to force non-https to https. In fact that's already working and I was assuming it's because in Cloudflare I have enabled the option "Always use HTTPS".

    What I'm trying to force now is anytime anyone goes to https://mydomain.com it goes to https://WWW.mydomain.com

    Right now, no matter what I do users are always forced to https://mydomain.com and I'd like to have the www. added.
     
  13. JarylW

    Code:
      server_name newdomain.com www.newdomain.com;
       return 302 https://www.newdomain.com$request_uri;
    
    Essentially what these 2 lines do is listen for requests to newdomain.com/someurl and www.newdomain.com/someurl and redirect them to https://www.newdomain.com/someurl.

    I think that behaviour is because you installed wordpress on mydomain.com instead of www.mydomain.com

    Two ways you can do this: 1. by logging into wordpress, or 2. by editing the wp-config.php file.

    1. Go to wp-admin > Settings > General
    This is permanent: It changes the value in the mysql tables.
    Edit WordPress Address (URL) and Site Address (URL) as follows:


    2. In wp-config.php
    This is temporary: it will be in effect for as long as you have these defined in wp-config.php
    Code:
    define('WP_HOME','https://www.mydomain.com');
    define('WP_SITEURL','https://www.mydomain.com');
    
    If not, you can simply do a permanent redirect as mentioned before.

    If you already forced HTTPS in cloudflare, and would like to redirect mydomain.com to www.mydomain.com, I recommend you combine both into one page rule in cloudflare like I have done, then you don't need to use his code or mess with the conf file further. Furthermore, doing so at cloudflare is more efficient and performant :)

     
    Last edited: Nov 26, 2017
  14. eva2000

    yes, at the top of the vhost config file, with one minor change: the working server{} context's server_name should just list your preferred redirected target domain, like this
    Code (Text):
    #x# HTTPS-DEFAULT
     server {
        server_name MYDOMAIN.com www.MYDOMAIN.com;
        return 302 https://MYDOMAIN.com$request_uri;
        include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
       listen 443 ssl http2;
       server_name www.MYDOMAIN.com;
       include /usr/local/nginx/conf/ssl/MYDOMAIN.com/MYDOMAIN.com.crt.key.conf;
       include /usr/local/nginx/conf/ssl_include.conf;
       http2_max_field_size 16k;
    

    However, like @JarylW stated you can do the redirect at Cloudflare level via page rules too which is more performant
     
  15. Cervent

    Thank you very much. I've opted for option 1 and changed both the wordpress and site url to add WWW to both. I then created a Cloudflare page rule based on your suggestion and am now waiting for those to take effect.
     
  16. Cervent

    Well it's been a little over an hour and I've had some success and some not so much.

    Using the method mentioned above by @JarylW if I go to the default "Hello World" page - it is using WWW in the URL. If I access wp-admin it too is using WWW in the URL. However if I go to the home page https://mydomain.com it does not use WWW. Everything else seems to use WWW but the home page.

    I've even edited the ssl.conf file as @eva2000 suggested, so I guess in reality both suggestions are in place now and while all other pages are good - the homepage is the stubborn one.

    I have also tried opening the site in a different browser while in private mode as well.
     
  17. eva2000

    if you use cloudflare method, then you do not need to do the nginx vhost config method at all
     
  18. Cervent

    Okay, I've gone and reverted the file to its original state after I deployed centminmod.