
SSL Cloudflare SSL questions..

Discussion in 'Domains, DNS, Email & SSL Certificates' started by modder, Jan 10, 2020.

  1. modder (Member)
    For SSL, it works but I have some questions which I can't really find a definite answer after searching on the net and reading the CentminMOD docs and posts.

    I'm using free Cloudflare proxied DNS (orange cloud) and Vultr CentOS 7.

    I roughly list the following things (not really a complete list) I've done in case some people are interested.

    1) I installed the SSL vhost in centmin menu 2.

    2) I got http forwarded to https by the setting in Cloudflare and also uncommented the following line in the myserver.ssl.conf (I renamed myserver.conf to myserver.conf-disabled):

    Code (Text):
    # Plain-HTTP listener that only redirects; TLS is served by the separate 443 server block.
    # $server_name expands to the first name listed, so www.myserver.com also lands on https://myserver.com
    server {
        listen 80;
        server_name myserver.com www.myserver.com;
        return 301 https://$server_name$request_uri;
    }
    


    3) I use Full (strict) SSL in Cloudflare, so I generated the free crt and key files from their website. Then I cat them into the respective crt and key files in /usr/local/nginx/conf/ssl/myserver/

    It works.

    My questions:

    1) What's the file dhparam.pem in /usr/local/nginx/conf/ssl/myserver/ for? I found that I could actually delete it and also delete the corresponding line in myserver.ssl.conf. Then after ngxrestart, it still works.

    2) Why can't I get a pretty green encryption lock for my website? I understand it means I've got a mixed kind of website, SSL and non-SSL. But I've forwarded all the HTTP to HTTPS. The website content is the default one. How do I get a green lock?

    3) Now my SSL cert is issued by Cloudflare and issued to sni.cloudflaressl.com which I guess is shared by many other websites.

    So if I want to have it issued to myserver.com, I need to purchase a cert from "trusted CA" ($5/month for Cloudflare) or get a cert from Letsencrypt for free.


    [Image: 2020-01-10_11-10-22.jpg]

    Other than aesthetic reasons, does it really make a difference in security sense between these two types of encryption methods?

    4) For the case above, what happens when the cert expires in Oct? Will CloudFlare renew it automatically?


    5) What is the purpose of using letsencrypt SSL instead of a paid Cloudflare SSL? It's only the price difference or there is some other advantages?

    6) I remember it's mentioned to use only the DNS of Cloudflare instead of the proxied one (orange cloud). Why?

    Sorry for all these questions. Obviously I'm not really a very experienced system admin. But I'm eager to learn.

    Thanks a lot.
     
  2. eva2000 (Administrator, Staff Member)
    1) For security: nginx internally uses 1024-bit DH parameters, so generating a stronger 2048-bit DH file is needed. See https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters

    2) Chrome and a lot of browsers have removed the green padlock as a positive indicator in favour of negative indicators, i.e. an insecure red indicator for non-HTTPS: Say goodbye to that green 'Secure' lock on Google Chrome

    3) Yes, for $5/month you get a dedicated domain SSL cert from Cloudflare. There is no 'or get from Letsencrypt' if you use Cloudflare; the choice is either the shared CF cert or the dedicated $5/month SSL cert.

    No difference whatever SSL cert you use, other than for better performance you want smaller-sized SSL certificates, which dedicated SSL certs would provide, as the shared Cloudflare SSL cert has more shared domains listed in the cert, so the size of the cert is larger. The performance difference isn't much, but I prefer centminmod.com to have its own cert behind Cloudflare.

    4) Yup.

    5) No difference, just Cloudflare SSL will perform better as it has 200+ datacenters around the world to back your server's visitor requests.

    6) That is if folks do not want to use Cloudflare as a CDN/cache proxy and only for DNS.
     
  3. modder (Member)
    Thanks eva2000. I feel touched to have got your answers. My mind is so clear now... kind of. :D

    SSL is so confusing... So am I all good now regarding the SSL functionality part and can move on to the next step?

    I notice there's a cloudflare.conf; I think it's related to revealing the true IPs of visitors (I'm not using it now)? If I don't configure/use it, I only get the IPs of Cloudflare in the server logs, right? ///NO. I just checked the access.log; it actually shows my IP, not the IP of Cloudflare...

    And what's Authenticated Origin Pulls now? Do I need to use it?
     
  4. eva2000 (Administrator, Staff Member)
    You can test your HTTPS/SSL enabled site with the SSL Labs tester to make sure: SSL Server Test (Powered by Qualys SSL Labs)

    If you use a reverse proxy like Cloudflare, Sucuri, or Incapsula in front of Centmin Mod Nginx, you need to set up nginx realip so visitors' real IPs are passed on to Nginx.

    See Getting Started Guide step 5 and setting the correct real IP via the nginx module config at http://centminmod.com/nginx_configure_cloudflare.html. The tools/csfcf.sh cronjob mentioned below helps maintain the whitelisted CSF Firewall IPs, but you still need to set up nginx realip in your nginx vhost.

    If using Centmin Mod 123.09beta01 and newer, there's an added tools/csfcf.sh script to aid in this. Details at:
    You just need to set up a cronjob to run
    Code (Text):
    /usr/local/src/centminmod/tools/csfcf.sh auto


    If you are not using Cloudflare then you do not need to do this.

    see https://community.centminmod.com/th...d-origin-pulls-protecting-your-origins.13847/
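The realip rule eva2000 describes, modelled in Python as an added example (it is not Centmin Mod's cloudflare.conf or csfcf.sh). nginx's realip module, configured with `set_real_ip_from <cidr>;` per published range and `real_ip_header CF-Connecting-IP;`, swaps `$remote_addr` for the header value only when the TCP peer is inside a trusted range; the header is ignored on any other connection. The Cloudflare ranges below are a constructed snapshot, the sample requests are constructed, and the function names are this example's own.

```python
"""Model of what ngx_http_realip_module does behind Cloudflare.
Added example for this thread, not Centmin Mod's cloudflare.conf.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed snapshot of some of Cloudflare's published IPv4 ranges.
# Fetch the live list from https://www.cloudflare.com/ips-v4 (and ips-v6)
# before deploying; this list is for the demo only.
SAMPLE_CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]


def render_realip_conf(cidrs: Iterable[str], header: str = "CF-Connecting-IP") -> str:
    """Emit the nginx snippet to include in the vhost (one line per trusted range)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]  # rejects malformed input
    lines = [f"set_real_ip_from {n};" for n in nets]
    lines.append(f"real_ip_header {header};")
    return "\n".join(lines) + "\n"


def client_ip(peer_ip: str, headers: Dict[str, str], trusted_cidrs: Iterable[str],
              header: str = "CF-Connecting-IP") -> str:
    """Address nginx would log as $remote_addr for one request."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(c) for c in trusted_cidrs):
        return str(peer)  # untrusted peer: a forged header changes nothing
    value = headers.get(header) or headers.get(header.lower())
    if not value:
        return str(peer)  # trusted peer but no header: keep the peer address
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return str(peer)  # unparsable header value: realip declines, as nginx does


# Constructed requests: (TCP peer, request headers).
SAMPLE_REQUESTS: List[Tuple[str, Dict[str, str]]] = [
    ("173.245.48.10", {"CF-Connecting-IP": "203.0.113.7"}),   # genuine Cloudflare edge
    ("198.51.100.5", {"CF-Connecting-IP": "127.0.0.1"}),      # direct hit with forged header
    ("103.21.244.33", {}),                                      # via Cloudflare, header absent
    ("173.245.48.10", {"CF-Connecting-IP": "not-an-ip"}),      # edge sends garbage
]


def resolve_all(requests=SAMPLE_REQUESTS, trusted=SAMPLE_CLOUDFLARE_V4) -> List[str]:
    """Logged client address for each sample request."""
    return [client_ip(peer, hdrs, trusted) for peer, hdrs in requests]


if __name__ == "__main__":
    print(render_realip_conf(SAMPLE_CLOUDFLARE_V4))
    for (peer, hdrs), ip in zip(SAMPLE_REQUESTS, resolve_all()):
        print(f"peer={peer:<15} header={hdrs.get('CF-Connecting-IP')!s:<12} -> logged {ip}")
```

The trust list is what makes the header safe to believe: without `set_real_ip_from`, anyone who finds the origin's address can send a forged CF-Connecting-IP and choose what lands in access.log and in CSF's block decisions. Authenticated Origin Pulls, the subject of the linked thread, closes the other half of that gap: with `ssl_verify_client on` and `ssl_client_certificate` pointing at Cloudflare's origin-pull CA, nginx refuses TLS connections that do not present Cloudflare's client certificate, so direct hits are rejected rather than merely logged under their real address.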