How to generate keys from Cloudflare to make free SSL in Nginx

Grassroot Engineer
3 min read · Jul 29, 2024


https://serverfault.com/a/654018
https://saravanastar.medium.com/ssl-encryption-for-website-using-cloudflare-5529ef9d6cd4

The screenshots in this post show how to generate a Private Key and Origin Certificate from Cloudflare step by step, so let's get started.

1. Go to the Cloudflare web dashboard (let's say the site is already registered in Cloudflare) and press "Create Certificate".

2. Copy "Cert" and "Key" and save them to:
- cloudflare-cert.pem
- cloudflare-key.pem

(The private key is shown only at creation time; keep cloudflare-key.pem out of version control and readable only by the account that runs nginx.)

3. Enable Authenticated Origin Pulls and set the encryption mode to Full (strict).

4. Select DNS | Records and add a record for the mapping:
- Type A = IPv4 (or CNAME for IPv6)
- Name = subdomain (or @ for the root)
- IPv4 address (or IPv6 address)
- Press Save to finish.

Mapping of domain name and IP

5. That completes the Cloudflare settings; the screenshot below shows the resulting DNS records.

Result of DNS Records

6. Last step: configure both cloudflare-cert.pem and cloudflare-key.pem in our project.

  • default.conf
upstream work_server {
    server django:8000;
}

server {
    listen 80;
    listen [::]:80;
    server_name _;
    # Send every plain-HTTP request to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    # Origin certificate and private key saved from Cloudflare in step 2
    ssl_certificate /etc/nginx/cloudflare-cert.pem;
    ssl_certificate_key /etc/nginx/cloudflare-key.pem;
    server_name _;

    error_page 403 http://$host/page-not-found?permission=true/;

    ssl_protocols TLSv1.2 TLSv1.3;
    # This suite needs an ECDSA origin certificate; if the certificate Cloudflare
    # issued is RSA, use ECDHE-RSA-AES256-GCM-SHA384 instead. TLSv1.3 suites are
    # not affected by ssl_ciphers.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    # Close the connection without a response when the Host header is not our domain
    if ($host !~* "love\.grassrootengineer\.com") {
        return 444;
    }

    location / {
        add_header Cache-Control 'no-cache, no-store, must-revalidate';
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header Content-Security-Policy "default-src 'self' 'unsafe-eval' 'unsafe-inline' www.gstatic.com";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        expires 0;
        alias /tmp/frontend/dist/;
        try_files $uri $uri/ /index.html;
    }
}

and docker-compose.yml to map between:

  • local ./nginx/cloudflare-cert.pem and container /etc/nginx/cloudflare-cert.pem
  • local ./nginx/cloudflare-key.pem and container /etc/nginx/cloudflare-key.pem
version: "3.8"

services:
  nginx:
    image: grassrootengineer.com/products/grassroot-poc/nginx:latest
    ports:
      - "192.168.52.110:80:80"
      - "192.168.52.110:443:443"
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
      - ./nginx/default.conf:/etc/nginx/conf.d/default.conf
      - ./nginx/snippets:/etc/nginx/conf.d/snippets

      - ./nginx/cloudflare-cert.pem:/etc/nginx/cloudflare-cert.pem
      - ./nginx/cloudflare-key.pem:/etc/nginx/cloudflare-key.pem

      - ./.docker_volumes/frontend:/tmp/frontend
      - ./.docker_volumes/django/static:/tmp/backend/static
      - ./.docker_volumes/django/media:/tmp/backend/media
    restart: always
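Step 3 switched on Authenticated Origin Pulls in Cloudflare, but that switch only makes Cloudflare present a client certificate when it connects to the origin; nothing in the default.conf above asks for one, so any client that can reach 192.168.52.110:443 directly is served exactly as if it had come through Cloudflare. The server block below is an added example, not the post's own config, that enforces the check on the nginx side. It assumes the Cloudflare origin-pull CA certificate has been downloaded from Cloudflare's documentation and mounted into the container at /etc/nginx/cloudflare-origin-pull-ca.pem; that path, and the extra volume line it needs, are assumptions chosen to match the cert and key mapping above.

```nginx
# Added example (not from the post): origin-side enforcement for the
# "Authenticated Origin Pulls" setting enabled in step 3.
# Assumed extra line in docker-compose.yml under volumes:
#   - ./nginx/cloudflare-origin-pull-ca.pem:/etc/nginx/cloudflare-origin-pull-ca.pem
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name love.grassrootengineer.com;

    # What the origin presents to Cloudflare: the origin cert and key from step 2
    ssl_certificate     /etc/nginx/cloudflare-cert.pem;
    ssl_certificate_key /etc/nginx/cloudflare-key.pem;

    # What the origin demands from the client: a certificate chaining to
    # Cloudflare's origin-pull CA. Without these two directives the Cloudflare
    # setting has no effect here and a direct hit on the origin IP is served.
    ssl_client_certificate /etc/nginx/cloudflare-origin-pull-ca.pem;   # assumed path
    ssl_verify_client on;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location / {
        alias /tmp/frontend/dist/;
        try_files $uri $uri/ /index.html;
    }
}
```

With ssl_verify_client on, nginx answers HTTP 400 to any handshake that does not present a certificate signed by that CA, before any location is evaluated. After deploying, request the site once through the domain (expect the page) and once straight at the origin IP from a machine that is not Cloudflare (expect the 400); if the direct request still returns the page, the CA file or the two directives are not in the server block that actually answers on 443.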

If you found this useful, clap 👏 to encourage me.

GRASSROOT ENGINEER 😘


Written by Grassroot Engineer

ATM engineer who is interested in CODING and believe in EFFORT. — https://grassrootengineer.com
