Secure Website Hosting with Cloudflare and Nginx
This guide explains how to publish a website securely by placing an Nginx web server running on Ubuntu 22.04 behind Cloudflare.
The goal is to ensure that all visitor traffic passes through Cloudflare and that the origin server cannot be used directly.
What Will You Learn in This Guide?
- Creating a Cloudflare Origin CA certificate
- HTTPS configuration on Nginx
- Using Cloudflare Full (Strict) SSL
- Preventing direct access with Authenticated Origin Pulls
Prerequisites
- Server with Ubuntu 22.04 installed
- A user with sudo privileges
- Nginx must be installed and configured
- Cloudflare account and attached domain
- The domain's DNS records must point to the Nginx server and be proxied through Cloudflare (orange cloud); a DNS-only record leaves Cloudflare out of the path entirely
Step 1: Creating a Cloudflare Origin CA Certificate
Cloudflare Origin CA is a certificate authority operated by Cloudflare that issues certificates for the connection between Cloudflare's edge and your origin server, so that hop is encrypted and, under Full (Strict), authenticated.
Only Cloudflare trusts this CA; browsers do not. A visitor who reached the origin directly would get a certificate warning, which is acceptable here because the origin is meant to be reached only through Cloudflare.
Creating the Certificate
- Log in to Cloudflare panel
- Choose your domain name
- Follow the path SSL/TLS → Origin Server
- Click the Create Certificate button
Continue without changing the default settings, then copy both the certificate and the private key. The private key is displayed only once; if you close the dialog without saving it, you have to create a new certificate.
Saving the Certificate to the Server
sudo nano /etc/ssl/cert.pem
- Paste the Origin CA certificate into this file.
sudo nano /etc/ssl/key.pem
- Paste the private key into this file.
Note: Paste each PEM block exactly as shown, including the BEGIN and END lines, with no blank lines or stray whitespace; Nginx refuses to load a certificate or key that has a blank line inside it. The key file must be readable only by root (mode 0600).
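The following shell script is an added example and is not part of the original guide or of Cloudflare's tooling. It installs the two files the same way as above but first checks that each file is a single PEM block with matching BEGIN and END lines and no blank lines, then sets the permissions (0644 for the certificate, 0600 for the key). The destination directory defaults to /etc/ssl as in the guide; the DEST argument and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original guide): install the Origin CA
# certificate and private key with a PEM sanity check and root-only
# permissions on the key. Run it with sudo so the files are owned by root.

# pem_ok FILE
# Returns 0 when FILE starts with a "-----BEGIN <label>-----" line, ends
# with the matching "-----END <label>-----" line and contains no blank
# lines. A blank line inside the block is the classic copy-paste mistake
# that makes Nginx fail with "PEM_read_bio" errors.
pem_ok() {
    file=$1
    first=$(head -n 1 "$file")
    last=$(tail -n 1 "$file")
    case "$first" in
        "-----BEGIN "*"-----") ;;
        *) return 1 ;;
    esac
    label=${first#-----BEGIN }
    label=${label%-----}
    [ "$last" = "-----END $label-----" ] || return 1
    # Any empty or whitespace-only line breaks the PEM parser in Nginx.
    if grep -q '^[[:space:]]*$' "$file"; then
        return 1
    fi
    return 0
}

# install_origin_cert CERT_SRC KEY_SRC [DEST]
# Copies the certificate and key into DEST (default /etc/ssl) under the
# names the guide's Nginx configuration expects, cert.pem and key.pem.
install_origin_cert() {
    cert_src=$1
    key_src=$2
    dest=${3:-/etc/ssl}
    pem_ok "$cert_src" || { echo "bad certificate PEM: $cert_src" >&2; return 1; }
    pem_ok "$key_src"  || { echo "bad private key PEM: $key_src" >&2; return 1; }
    # Certificate is public; the key must be readable by root only.
    install -m 0644 "$cert_src" "$dest/cert.pem"
    install -m 0600 "$key_src" "$dest/key.pem"
}

# Usage: sudo sh install-origin-cert.sh origin.pem origin.key [/etc/ssl]
if [ "$#" -ge 2 ]; then
    install_origin_cert "$@"
fi
```

Passing a third argument such as a temporary directory lets you try the checks without root before touching /etc/ssl.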
Step 2: HTTPS Configuration on Nginx
- Update the Firewall
sudo ufw allow 'Nginx Full'
- This command allows HTTP (port 80) and HTTPS (port 443) traffic.
sudo ufw reload
- Editing Nginx Server Block
sudo nano /etc/nginx/sites-available/your_domain
- Redirecting HTTP requests to HTTPS:
server {
    listen 80;
    server_name your_domain www.your_domain;
    # Send every plain-HTTP request to the HTTPS site, keeping the path and query string
    return 302 https://$server_name$request_uri;
}
- HTTPS configuration:
server {
    listen 443 ssl http2;
    server_name your_domain www.your_domain;
    # Origin CA certificate and private key saved in Step 1
    ssl_certificate /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/key.pem;
    root /var/www/your_domain/html;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
- Testing Nginx Configuration
sudo nginx -t
- This command checks for configuration errors.
sudo systemctl restart nginx
Step 3: Setting Cloudflare SSL Mode
1. In the Cloudflare panel:
- Select SSL/TLS → Overview → Full (Strict).
In Full (Strict) mode Cloudflare connects to the origin over HTTPS and validates the origin certificate; Origin CA certificates pass this check. Do not use Flexible (Cloudflare talks plain HTTP to the origin) or Full (HTTPS to the origin, but any certificate is accepted without verification), since both leave the Cloudflare-to-origin hop open to interception.
Step 4: Installing Authenticated Origin Pulls
- With this step Nginx completes a TLS connection only if the client presents a certificate issued by Cloudflare's origin-pull CA. Cloudflare presents such a certificate on every request it makes to your origin; anyone connecting to the origin IP directly has no such certificate and is rejected.
1. Adding Cloudflare Certificate to Server
sudo nano /etc/ssl/cloudflare.crt
- This file holds Cloudflare's Authenticated Origin Pulls CA certificate, which Cloudflare publishes in its Authenticated Origin Pulls documentation (at the time of writing at https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem). It is not the Origin CA certificate from Step 1: that one identifies your server to Cloudflare, this one lets your server verify the client certificate Cloudflare presents.
2. Updating Nginx Configuration
sudo nano /etc/nginx/sites-available/your_domain
3. Add the following lines to the HTTPS server block (the one with listen 443):
ssl_client_certificate /etc/ssl/cloudflare.crt;   # CA that must have issued the client certificate
ssl_verify_client on;                             # reject connections that present no valid client certificate
4. Restarting Nginx
sudo nginx -t
sudo systemctl restart nginx
5. Activation in Cloudflare Panel
- In the Cloudflare panel:
SSL/TLS → Origin Server → turn on Authenticated Origin Pulls.
Do this right after restarting Nginx: between the restart and the toggle, Cloudflare does not yet present a client certificate, so Nginx rejects its requests and the site shows an error until both sides are configured.
Step 5: Testing and Verification
Open the site in a browser. If it loads through Cloudflare, the certificate, the Nginx configuration and Authenticated Origin Pulls all agree. Then test the lockdown from outside Cloudflare: connect to the origin IP directly (for example with curl and its --resolve option, or by pointing the hostname at the origin IP in your hosts file). The request must be rejected, because no Cloudflare client certificate is presented. As a second check, temporarily turning Authenticated Origin Pulls off in the Cloudflare panel should make the site fail, which proves that Nginx is enforcing the client certificate; turn it back on afterwards.
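The script below is an added example and not part of the original guide. It performs the two checks just described with curl: one request through Cloudflare as a normal visitor, and one straight to the origin IP with --resolve, which bypasses Cloudflare while keeping the Host header and SNI correct. It then classifies the direct response: 000 means no HTTP answer (connection refused or filtered), 400 is what Nginx returns when ssl_verify_client on is set and no client certificate was sent, and any 2xx or 3xx means the origin is serving content directly and is not locked down. DOMAIN and ORIGIN_IP are placeholder environment variables assumed by this example; nothing is contacted unless both are set.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify that the origin
# answers only through Cloudflare. DOMAIN and ORIGIN_IP are placeholders
# you export before running; no network request is made unless both are set.

# classify_direct HTTP_CODE
# Explain the status code curl reports when the origin IP is contacted
# directly, bypassing Cloudflare and presenting no client certificate.
classify_direct() {
    case "$1" in
        000)   echo "unreachable: no HTTP response (connection refused or filtered by the firewall)" ;;
        400)   echo "locked: Nginx rejected the request because no client certificate was sent" ;;
        2*|3*) echo "EXPOSED: the origin served the request without Cloudflare in the path" ;;
        *)     echo "unexpected status $1: inspect the Nginx error log" ;;
    esac
}

# is_locked_down HTTP_CODE -> 0 when a direct request was denied
is_locked_down() {
    case "$1" in
        000|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Status when talking to the origin directly. --resolve pins the hostname
# to ORIGIN_IP so the Host header and SNI still match the server block;
# -k is needed because the Origin CA certificate is not publicly trusted.
direct_status() {
    curl -sk -o /dev/null -w '%{http_code}' --max-time 10 \
        --resolve "$1:443:$2" "https://$1/"
}

# Status when going through Cloudflare like a normal visitor.
via_cloudflare_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "https://$1/"
}

if [ -n "${DOMAIN:-}" ] && [ -n "${ORIGIN_IP:-}" ]; then
    cf=$(via_cloudflare_status "$DOMAIN")
    direct=$(direct_status "$DOMAIN" "$ORIGIN_IP")
    echo "via Cloudflare  : HTTP $cf"
    echo "direct to origin: HTTP $direct -> $(classify_direct "$direct")"
    is_locked_down "$direct" || exit 1
fi
```

Run it as, for example, DOMAIN=your_domain ORIGIN_IP=203.0.113.10 sh check-origin.sh (203.0.113.10 is a placeholder address). A 400 from the direct request is the expected result with Authenticated Origin Pulls alone; a 000 means the firewall is also filtering the connection. Note that port 80 is still open per Step 2 and will answer a direct plain-HTTP request with the redirect, which leaks no content but does confirm that a web server is listening.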
Frequently Asked Questions (FAQ)
1. What does the Origin CA certificate do? It lets the origin terminate TLS on the Cloudflare-to-origin leg with a certificate that Cloudflare validates under Full (Strict), so that hop is both encrypted and authenticated.
2. What does Authenticated Origin Pulls provide? Nginx demands a TLS client certificate issued by Cloudflare's origin-pull CA, so a client that connects to the origin IP directly is refused. It does not hide the server: port 443 still answers and port 80 still serves the redirect. For defence in depth, restrict the firewall so that ports 80 and 443 accept connections only from Cloudflare's published IP ranges (https://www.cloudflare.com/ips).
3. Why use Full (Strict) SSL? Flexible sends plain HTTP to the origin and Full accepts any certificate without checking it, so an attacker between Cloudflare and the origin could read or impersonate the traffic. Full (Strict) requires a valid certificate (Origin CA or a publicly trusted one) and closes that gap.
4. What happens if Cloudflare goes down, or the domain is switched to DNS-only? Visitors reach the origin directly, their browsers reject the Origin CA certificate as untrusted, and with Authenticated Origin Pulls on, Nginx rejects them as well for lacking a client certificate. The site stays unavailable until traffic is proxied through Cloudflare again.
Result
With this guide, you have secured your website hosted on Nginx with Cloudflare. Your origin now accepts HTTPS connections only from Cloudflare, and the Cloudflare-to-origin hop is encrypted and verified in both directions.
You can try this configuration immediately on the GenixNode infrastructure.

