How do you secure a website using CloudFlare Secure SSL?


As Cloudflare states:

You can generate a signed certificate directly in the Cloudflare dashboard.

Some people get stuck after that, so here is how it works in practice (it is actually pretty easy, but not exactly intuitive, and it took a lot of trial and error). Go to the “Crypto” tab in the CF dashboard and generate (Create Origin Certificate) the two files you need to put on your server in .pem format (I use NGINX), so you define a path to the two files: one is cert.pem and the other is privkey.pem. You can create those files in an easy-to-find directory on your machine; I put them under /A1ssl in the root, in a folder for the specific site, like /A1ssl/thissiteorthatsite. Paste the text from the dashboard directly into the empty .pem files (or into Notepad for safekeeping or as a temporary hold) EXACTLY as shown, from the first hyphen to the last one.

i.e. -----BEGIN CERTIFICATE REQUEST----- … -----END CERTIFICATE REQUEST-----

Cloudflare doesn’t tell you the path. For my purposes, in /etc/nginx/conf.d each of my sites has its own site.conf file, which is standard and looks like this:

server {
    listen *:443 ssl;
    # Origin certificate and private key generated in the Cloudflare dashboard.
    # Paths are case-sensitive on Linux: use exactly the directory name you created.
    ssl_certificate /a1ssl/thisitethatsite/cert.pem;
    ssl_certificate_key /a1ssl/thisitethatsite/privkey.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996). Behind Cloudflare only the
    # Cloudflare edge connects here, and it supports TLS 1.2, so the older
    # versions (and the 3DES suites below) can be dropped.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    server_name thisitethatsite.com;

    access_log /var/log/nginx/thisitethatsite.access.log;
    error_log /var/log/nginx/thisitethatsite.error.log;

    root /a1rootsrv/thisitethatsite;
    index index.html index.htm index.php;

    # more directives
    include /etc/nginx.wp/restrictions.conf;
    include /etc/nginx.wp/wordpress.conf;

    # Hand .php requests to the PHP-FPM socket (this one is managed by Ajenti V).
    location ~ [^/]\.php(/|$) {
        fastcgi_index index.php;
        include fcgi.conf;
        fastcgi_pass unix:/var/run/ajenti-v-php7.0-fcgi-thisitethatsite-php7.0-fcgi-0.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

After you’ve created the keys, they are what handles the handshake all the way from your host machine (the origin) to the browser or API that is making the request. Again, Cloudflare is not concerned with your setup or the file path; it uses its position as the broker in front of your origin to authenticate all of this for free.

NB: In the Crypto section you will see a dropdown with “Off, Flexible, Full & Full/Strict”. The guide I’ve just written works at the highest setting (Full/Strict), which is the preferable choice over the other options. Rest assured you can host a full-blown e-commerce site like this; it may not be the coveted EV cert, but those are pricey as heck anyway. Enjoy!!
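An added check, not from the original post, that you can run on the origin before reloading nginx: it verifies that the two pasted files carry real five-hyphen PEM delimiters (not the typographic dashes a web page or word processor substitutes), that cert.pem holds an issued certificate rather than a certificate request, that privkey.pem holds a private key and is not world-readable, and, when openssl is installed, that the key actually matches the certificate. The script name and the /a1ssl paths are placeholders following the post's layout.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the cert.pem and
# privkey.pem pasted from the Cloudflare dashboard before pointing nginx at them.
# Usage (paths are placeholders from the post): sh check_origin_pem.sh /a1ssl/site/cert.pem /a1ssl/site/privkey.pem

# Print the label of the first PEM block in a file (CERTIFICATE, PRIVATE KEY,
# CERTIFICATE REQUEST, ...) or "none" when no "-----BEGIN" line is present.
# CRs are stripped so a file saved from Windows Notepad still parses.
pem_label() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1 | grep . || echo none
}

# Catch the common paste mistakes: typographic dashes copied from a web page,
# the CSR pasted where the issued certificate belongs, or a certificate
# pasted into the key file. Arguments: cert file, key file.
check_pem_headers() {
    bad=0
    case "$(pem_label "$1")" in
        CERTIFICATE) ;;
        "CERTIFICATE REQUEST") echo "$1: this is a CSR, not the issued origin certificate"; bad=1 ;;
        none) echo "$1: no PEM BEGIN line; the delimiter must be five plain hyphens"; bad=1 ;;
        *) echo "$1: unexpected PEM block type"; bad=1 ;;
    esac
    case "$(pem_label "$2")" in
        "PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY") ;;
        none) echo "$2: no PEM BEGIN line; the delimiter must be five plain hyphens"; bad=1 ;;
        *) echo "$2: unexpected PEM block type (expected a private key)"; bad=1 ;;
    esac
    return $bad
}

# The private key must not be world-readable; only the nginx master needs it.
check_key_perms() {
    [ "$(ls -l "$1" | cut -c8)" != r ] || { echo "$1: world-readable, chmod 600 it"; return 1; }
}

# Confirm the key belongs to the certificate by comparing the public keys;
# nginx refuses to start when they differ. Skipped when openssl is missing.
check_key_matches() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping key match"; return 0; }
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ] || { echo "$2 does not match $1"; return 1; }
}

if [ $# -eq 2 ]; then
    check_pem_headers "$1" "$2" && check_key_perms "$2" && check_key_matches "$1" "$2" && echo "OK: files look usable"
    exit $?
fi
```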


October 18th, 2018 | Cyber Security, User Guides
