Cloudflare
In this course, I was introduced to Cloudflare. I learned how Cloudflare works and how to protect a website behind a reverse proxy. Last update: 2022
Here are some advantages of using Cloudflare as a reverse proxy.
The IP addresses of your servers are hidden.
It helps to protect against DoS attacks.
Multiple servers around the world serve the requests.
Caching of web pages (saves bandwidth and resources on our web servers).
Cloudflare offers a free TLS certificate (between the reverse proxy and the end user) when your website is behind its reverse proxy.
Latency in serving pages decreases when the reverse proxy is located close to the client and already has the resources cached.
In the DNS management section of the Cloudflare portal we can add an A record that points the domain to the IP of our origin server. The 159.x.x.x IP address is my DigitalOcean public IP address.
To put my website behind a Cloudflare proxy, I had to replace the default GoDaddy nameservers with the ones owned by Cloudflare.
To verify that my web server is hidden behind a Cloudflare reverse proxy, I could run nslookup against my domain. In the image below, we can observe that my domain name does not resolve directly to my original web server IP (159.x.x.x).
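The nslookup check above can be scripted so it is repeated whenever DNS records change. The following is an added example, not part of the original notes: it reads nslookup output and reports whether the origin address still appears among the answers. The origin IP (192.0.2.25, standing in for the real 159.x.x.x) and example.com are placeholders, and the two nslookup outputs are constructed samples, not captured lookups.

```shell
# Added example (not part of the original notes): a check that the public DNS
# answers for a domain no longer expose the origin server's IP address.
# ORIGIN_IP and the domain are placeholders (the notes use 159.x.x.x); the
# nslookup outputs below are constructed samples, not captured lookups.

# Reads nslookup output on stdin. Exit 0 if ORIGIN_IP is among the answer
# addresses (origin exposed), 1 if it is not (origin hidden behind the proxy).
# The "Address:" line directly after "Server:" is the resolver, not an answer.
answers_expose_origin() {
    origin_ip="$1"
    awk '/^Server:/  { skip = 1; next }
         /^Address:/ { if (skip) { skip = 0; next } print $2 }' |
        grep -Fxq "$origin_ip"
}

# Live check for a real domain: fails loudly when the proxy is not in front.
dns_check() {
    domain="$1"
    origin_ip="$2"
    if nslookup "$domain" | answers_expose_origin "$origin_ip"; then
        echo "WARNING: $domain resolves directly to origin $origin_ip"
        return 1
    fi
    echo "OK: $domain does not resolve to $origin_ip"
}

ORIGIN_IP="192.0.2.25"   # placeholder for the real origin address

# Constructed sample: proxied record, the answers are proxy edge addresses.
HIDDEN_SAMPLE='Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
Name:   example.com
Address: 198.51.100.10
Name:   example.com
Address: 198.51.100.11'

# Constructed sample: DNS-only record, the answer is the origin itself.
EXPOSED_SAMPLE='Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
Name:   example.com
Address: 192.0.2.25'

if printf '%s\n' "$HIDDEN_SAMPLE" | answers_expose_origin "$ORIGIN_IP"; then
    echo "sample 1: origin exposed"
else
    echo "sample 1: origin hidden"
fi
if printf '%s\n' "$EXPOSED_SAMPLE" | answers_expose_origin "$ORIGIN_IP"; then
    echo "sample 2: origin exposed"
else
    echo "sample 2: origin hidden"
fi
```

For a live check, call dns_check with your domain and origin address; the resolver's own address is deliberately skipped so that the check only looks at answer records.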
Certificates
When using Cloudflare as a reverse proxy, two certificates can be used for the encryption of TLS sessions. One certificate encrypts the session between the Cloudflare reverse proxy and the end user's browser, and the second one, which is optional, can be installed to encrypt the session between the origin web server and the reverse proxy. The use of two certificates is mandatory if we want to use Cloudflare in Full mode or Full (strict) mode.
Cloudflare modes
Flexible mode
Only the session between the client and the Cloudflare server is encrypted. It requires only one certificate. Not the best choice from a security perspective, since the TCP session between the Cloudflare server and the origin server stays unencrypted.
Full mode
The full mode is more secure than the flexible mode, as both TCP sessions are encrypted. The first session carries the communication between the Cloudflare server and the browser, and the second session is established between Cloudflare and the origin server.
Thus, the full mode requires that a certificate be installed on the origin server. A self-signed certificate, a certificate generated by Cloudflare, or one from any other trusted CA can be used between Cloudflare and the origin server.
Full strict mode
The full strict mode is the most secure of the three. Like the full mode, both TCP sessions established with the Cloudflare server are encrypted. However, unlike the full mode, the full strict mode verifies that the certificate issued to the origin server is valid and signed. In this mode, a self-signed certificate cannot be used.
Origin certificate
In full strict mode, a TLS connection needs to be established between the web server and Cloudflare. Cloudflare will verify that our certificate is signed, so a self-signed certificate won't work here.
Step 1: Generating an Origin certificate using Cloudflare
We can create a signed Origin certificate directly from Cloudflare. As mentioned earlier, this certificate does not encrypt data between Cloudflare and the end user's browser, but between the web server and Cloudflare.
Cloudflare offers different options to create our Origin certificate. I chose:
"Generate private key and CSR with Cloudflare".
PEM, the key format usually accepted by Apache and Nginx.
Cloudflare generates a private key and a certificate for us. At this step, it is very important to save the private key, since this is the only page where the private key will be displayed to the user.
Step 2: Implementing TLS/SSL on the origin web server
Then, we can create the .PEM and .KEY files on the web server with the key and the certificate we obtained. Usually, encryption keys and certificates are located at /etc/ssl/.
Finally, we have to make some changes in the Nginx config files located at:
1. Set the server block's ssl_certificate and ssl_certificate_key parameters to point to our certificate and key files.
2. Enable SSL with the listen directive.
3. Restart nginx and set the SSL/TLS encryption mode to Full (strict).
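Step 2 and the Nginx changes above, carried through as one script. This is an added example and not part of the original notes: it places the Origin certificate and key under /etc/ssl, creates the key with owner-only permissions (the key is the secret that proves a host is the origin, and Cloudflare shows it only once), writes a server block with the listen, ssl_certificate and ssl_certificate_key directives, and reloads Nginx only when it is actually installed. The domain example.com, the conf.d file location, the PEM contents and the prefix for a dry run are all placeholders or assumptions; paste the values Cloudflare shows you.

```shell
# Added example (not part of the original notes): install the Cloudflare Origin
# certificate and key on the Nginx origin server and write the server block
# that Full (strict) mode needs. The domain, paths and the PEM contents below
# are placeholders; paste the values Cloudflare shows you. A root prefix lets
# the whole thing be dry-run in a scratch directory before touching /etc.

install_origin_tls() {
    root="$1"         # "" for a real install, a scratch directory for a dry run
    domain="$2"       # e.g. example.com
    cert_pem="$3"     # Origin certificate text from Cloudflare
    key_pem="$4"      # private key text, shown only once by Cloudflare

    ssl_dir="$root/etc/ssl/$domain"
    conf="$root/etc/nginx/conf.d/$domain.conf"
    mkdir -p "$ssl_dir" "$(dirname "$conf")"

    # The key is what lets a host prove it is the origin to Cloudflare, so it
    # is created owner-only from the start (umask inside a subshell so the
    # caller's umask is untouched); the certificate is public.
    ( umask 077; printf '%s\n' "$key_pem" > "$ssl_dir/origin.key" )
    printf '%s\n' "$cert_pem" > "$ssl_dir/origin.pem"
    chmod 644 "$ssl_dir/origin.pem"

    # Server block: listen on 443 with TLS and point Nginx at the two files.
    # Paths are the final /etc locations, not the dry-run prefix.
    cat > "$conf" <<EOF
server {
    listen 443 ssl;
    server_name $domain;

    ssl_certificate     /etc/ssl/$domain/origin.pem;
    ssl_certificate_key /etc/ssl/$domain/origin.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    root /var/www/$domain;
}
EOF
    printf '%s\n' "$conf"
}

# Exit 0 when a file is readable and writable by its owner only (-rw-------).
key_is_owner_only() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# On a real host: validate the configuration first, then reload.
reload_nginx() {
    if command -v nginx >/dev/null 2>&1; then
        nginx -t && nginx -s reload
    else
        echo "nginx not found; skipping reload"
    fi
}

# Constructed placeholders, not real PEM data.
SAMPLE_CERT='-----BEGIN CERTIFICATE-----
(placeholder: paste the Origin certificate shown by Cloudflare)
-----END CERTIFICATE-----'
SAMPLE_KEY='-----BEGIN PRIVATE KEY-----
(placeholder: paste the private key shown once by Cloudflare)
-----END PRIVATE KEY-----'

# Dry run into a scratch directory; pass "" as the prefix for a real install.
SCRATCH="$(mktemp -d)"
CONF="$(install_origin_tls "$SCRATCH" "example.com" "$SAMPLE_CERT" "$SAMPLE_KEY")"
echo "wrote $CONF"
key_is_owner_only "$SCRATCH/etc/ssl/example.com/origin.key" && echo "key permissions ok"
```

After the files are in place on the real host, run reload_nginx and then switch the zone's encryption mode to Full (strict) in the Cloudflare dashboard; doing it in that order avoids a window where Cloudflare refuses the origin because the certificate is not yet served.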