Enable full SSL in CloudFlare
https://www.cloudflare.com/a/crypto/

Generate SSL keys for vps

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/example.com.key -out /etc/nginx/ssl/example.com.crt

Clear default config & add above config

sudo nano /etc/nginx/sites-available/default

Save it.

Restart Server
sudo service nginx reload

HTTPS Server

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    root /var/www/html;
    index index.html index.htm index.php;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless a legacy client needs them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    # dhparam.pem is not produced by the openssl req command above; create it with
    # "openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048" or nginx will refuse to start
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 180m;
    resolver 8.8.8.8 8.8.4.4;
    # HSTS for one year; append "; includeSubDomains" inside the quotes to cover subdomains.
    # Note: a location block that sets its own add_header (the static-file block below)
    # does not inherit this header.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Log files
    access_log /var/log/nginx/flarum.access.log;
    error_log  /var/log/nginx/flarum.error.log;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location /api {
        try_files $uri $uri/ /api.php?$query_string;
    }

    location /admin {
        try_files $uri $uri/ /admin.php?$query_string;
    }

    # Never serve the Flarum source directory
    location /flarum {
        deny all;
        return 404;
    }

    location ~* \.html$ {
        expires -1;
    }

    location ~* \.(css|js|gif|jpe?g|png)$ {
        expires 1M;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    # PHP 7 configuration
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    # Block access to .htaccess and similar files
    location ~ /\.ht {
        deny all;
    }
}

HTTP Server

server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

Here is the config file: https://goo.gl/FBGvnT
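Once the two server blocks above are live, a practitioner wants to confirm that the origin really redirects plain HTTP and sends HSTS. This is an added check, not part of the original post: it talks to the origin's IP directly (bypassing Cloudflare) with the site's Host header. The hostname and the origin IP in the last line are placeholders.

```python
import http.client
import ssl


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its max-age (seconds) and flags."""
    parsed = {"max-age": None, "includeSubDomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip().isdigit():
            parsed["max-age"] = int(arg)
        elif name.lower() == "includesubdomains":
            parsed["includeSubDomains"] = True
    return parsed


def redirect_ok(status, location, host, path):
    """The port-80 block must answer 301 to the same host and path over https."""
    return status == 301 and location == f"https://{host}{path}"


def hsts_ok(value, min_age=31536000):
    """HSTS must be present with a max-age of at least one year (the value in the config)."""
    parsed = parse_hsts(value or "")
    return parsed["max-age"] is not None and parsed["max-age"] >= min_age


def probe(host, origin_ip, path="/"):
    """Hit the origin IP directly with the site's Host header, bypassing Cloudflare."""
    plain = http.client.HTTPConnection(origin_ip, 80, timeout=5)
    plain.request("GET", path, headers={"Host": host})
    r = plain.getresponse()
    print("80 -> 443 redirect:", redirect_ok(r.status, r.getheader("Location"), host, path))

    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # the origin cert is self-signed; we only inspect the response
    ctx.verify_mode = ssl.CERT_NONE
    tls = http.client.HTTPSConnection(origin_ip, 443, context=ctx, timeout=5)
    tls.request("GET", path, headers={"Host": host})
    r = tls.getresponse()
    print("HSTS header ok:", hsts_ok(r.getheader("Strict-Transport-Security")))


if __name__ == "__main__":
    probe("example.com", "203.0.113.10")   # placeholder hostname and origin IP
```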

Or even better, enable Strict SSL and generate a Cloudflare Origin Certificate instead of creating a self-signed one. This way nobody can MitM the connection between Cloudflare and your Origin server.

Procedure is the same, but you generate & download a private key from Cloudflare's UI and set it up instead of the locally generated one.

    Chope Is it available to the subscribers of the free plan on Cloudflare?

    It sure is. Don't have any paid plan myself yet.

    I would also recommend rewriting the IP addresses from the CloudFlare ones to the users' real IP for logging purposes. I usually make a file called cloudflare_ips in the /etc/nginx directory and then input the following

    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 199.27.128.0/21;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2c0f:f248::/32;
    set_real_ip_from 2a06:98c0::/29;
    
    # use any of the following two
    real_ip_header CF-Connecting-IP;

    then I use include cloudflare_ips; inside the server brackets.
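As an added illustration (not part of the post above), here is the trust decision that set_real_ip_from and real_ip_header make, written out in Python: the CF-Connecting-IP header is only believed when the TCP peer is inside one of the listed Cloudflare ranges, so a client that reaches the origin directly cannot spoof its logged address. The range list is a subset of the one above; the request records are constructed sample data.

```python
import ipaddress

# Subset of the Cloudflare ranges from the cloudflare_ips file above (the real
# file lists all of them); these play the role of set_real_ip_from.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "104.16.0.0/12", "162.158.0.0/15",
    "172.64.0.0/13", "2400:cb00::/32", "2606:4700::/32",
)]

REAL_IP_HEADER = "CF-Connecting-IP"   # real_ip_header


def is_trusted_proxy(remote_addr):
    """True if the TCP peer falls inside one of the configured proxy ranges."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, headers):
    """Mirror ngx_http_realip_module: replace the peer address with the header
    value only when the peer is a trusted proxy and the header holds a valid
    address; otherwise keep the peer address."""
    if not is_trusted_proxy(remote_addr):
        return remote_addr            # direct hit or unknown proxy: header is untrusted
    value = headers.get(REAL_IP_HEADER, "").strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return remote_addr            # missing or garbage header: fall back to the peer


def log_line(remote_addr, headers, request):
    """Access-log line using the resolved address, like $remote_addr after realip ran."""
    return f'{client_ip(remote_addr, headers)} "{request}"'


# Constructed sample requests (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_REQUESTS = [
    # via Cloudflare: header is honoured
    ("104.16.1.1", {"CF-Connecting-IP": "203.0.113.5"}, "GET / HTTP/1.1"),
    # direct to the origin with a spoofed header: header is ignored
    ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.5"}, "GET /admin HTTP/1.1"),
    # via Cloudflare over IPv6
    ("2606:4700::1234", {"CF-Connecting-IP": "2001:db8::9"}, "GET /api HTTP/1.1"),
]

if __name__ == "__main__":
    for peer, hdrs, req in SAMPLE_REQUESTS:
        print(log_line(peer, hdrs, req))
```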

    a year later

    clarkwinkelmann redirect rule not working

    server {

        listen 80;
        listen [::]:80;
        server_name example.com www.example.com;
        return 301 https://$server_name$request_uri;

    }

    server {

        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name example.com www.example.com;
    5 months later

    Alkir what are you referring to? This discussion is about nginx.

    Are you talking about Cloudflare Origin certificates? It's no different than manually installing any certificate on your server. I believe Cloudflare even gives you the instructions right when you create the Origin certificate.

    Alkir Apache server using xampp

    Cloudflare only works on web servers hosted online, not local servers. Once you have a web host that uses nginx, you can use the prescribed method.

    No, I mean, how to install full ssl on hosting, not on vps

      2 years later

      This seems too hard for me. Let me know whether it will be OK if I set it up from here and proxy my IP with Cloudflare, or not.

      Or will I have to set it up as above?

      I am really sorry about the silly question.

        [deleted] use Flexible if the site on your server has no SSL; this will allow CF to upgrade your connection, making the non-HTTPS connection an HTTPS one when serving the content.


        Alkir No, I mean, how to install full ssl on hosting, not on vps

        If you go the "Strict SSL" route, you will need the CF root CA installed on your shared hosting, as well as the certificate they issue you. It won't work without it.

        Flexible is "ok", but not really recommended as this simply encapsulates the session with forced SSL, but does not provide any real security at the shared hosting level.

          [deleted] you will need the CF root CA installed on your shared hosting

          Do you really need that? I've always used origin certificates directly with the "custom certificate" settings on my managed hosting. Though I've never tried on shared hosting, just managed VPSs.


            clarkwinkelmann Sadly, on shared hosting, I've always needed this. Usually always on cPanel