Cloudflare Origin SSL

Hi,

  • I created an SSL certificate on Cloudflare for my Nginx server. Then I created a folder called /etc/Cloudflare-ssl

  • Copied .key and .pem files from Cloudflare via following commands.
    sudo nano /etc/Cloudflare-ssl/my-certificate.pem
    sudo nano /etc/Cloudflare-ssl/private.key

And then added the necessary lines into the nginx configuration. I set “Full (Strict) SSL” on Cloudflare.

Now everything looks good. I can access my blog over HTTPS.

But I want to ask: the permissions of these .key and .pem files are 644 by default. Should I change them for security reasons?

Do other people have access to your server? Generally only the user under which the webserver is running would need access to these files.

No, only I can access my server.

In that case it might not be too much of an issue, but if you want to prevent any other application/user from accessing the files you could certainly lock them down. You just need to make sure the files are accessible to the webserver user.

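An added example (not code from the thread) of the lock-down sandro describes: a POSIX shell snippet that keeps the certificate world-readable and drops the key from the 644 default to 640, owned by root and the group nginx runs as. It assumes the /etc/Cloudflare-ssl layout from the first post; the group name depends on the distribution (www-data on Debian/Ubuntu, nginx on RHEL/Fedora) and is passed in as a parameter.

```shell
#!/bin/sh
# Added example, not code from the thread: restrict the Cloudflare origin
# certificate files so that only the owner and the nginx group can read the key.
# Assumptions: the directory layout from the thread (/etc/Cloudflare-ssl with
# my-certificate.pem and private.key) and a GROUP the nginx workers run as
# (www-data on Debian/Ubuntu, nginx on RHEL/Fedora).

# Returns 0 when FILE has the "other read" bit set (true for the 644 default),
# 1 otherwise. -prune stops find from descending, so this tests only FILE itself.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# The certificate stays public (644); the key becomes 640 owned by OWNER:GROUP,
# so the webserver keeps access through the group while other users lose it.
# Returns 0 only if the key is no longer world-readable afterwards.
lock_down_cert_dir() {
    dir="$1"; owner="$2"; group="$3"
    chown "$owner:$group" "$dir/my-certificate.pem" "$dir/private.key" || return 1
    chmod 644 "$dir/my-certificate.pem" || return 1
    chmod 640 "$dir/private.key" || return 1
    ! is_world_readable "$dir/private.key"
}

# Stand-alone demo on a throwaway directory with constructed files; nothing
# under /etc is touched. Uses the current user and primary group so it runs
# without root.
demo=$(mktemp -d)
printf 'constructed certificate placeholder\n' > "$demo/my-certificate.pem"
printf 'constructed private key placeholder\n'  > "$demo/private.key"
chmod 644 "$demo/my-certificate.pem" "$demo/private.key"
echo "before:"; ls -l "$demo"
lock_down_cert_dir "$demo" "$(id -un)" "$(id -gn)" && echo "after:" && ls -l "$demo"
rm -rf "$demo"
```

On the real server, run lock_down_cert_dir /etc/Cloudflare-ssl root www-data as root (with the group your nginx actually uses), then nginx -t and a reload to confirm nginx can still open the key.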

EDITED: So, there is no additional user and no issue for that.

Additionally, @sandro

I added the lines below to my nginx configuration:

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

Do you recommend that?

By user I was referring to system users under which any other application might be running. It really comes down to how your machine is set up.


I also activated Authenticated Origin Pulls for more security :slight_smile:

And you verify the client certificate on your side too?


If you mean that, yes I implemented it for nginx. :slight_smile:

And I also reloaded nginx.

Thank you!

Alright, then you are set. Was just asking as there would be little point in making Cloudflare authenticate itself without checking that authentication.

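An added check covering both the cipher configuration posted above and the Authenticated Origin Pulls setup, not code from the thread or from Cloudflare: a POSIX shell audit that reads an nginx TLS snippet on stdin and flags TLS 1.0/1.1 (both deprecated by RFC 8996), 3DES suites (the DES-CBC3 entries in the posted list), suites without forward secrecy, and a missing ssl_verify_client on / ssl_client_certificate pair, which is what makes origin pulls actually verified on the nginx side. Both config snippets are constructed; the weak one is shortened from the list posted above, and the CA file path is a placeholder.

```shell
#!/bin/sh
# Added example, not configuration from the thread: audit an nginx TLS snippet
# for the points discussed above. Reads the config on stdin, prints one
# finding per line and returns the number of findings (0 = clean).

audit_nginx_tls() {
    n=0
    body=$(sed 's/#.*//')     # whole config from stdin, comments stripped

    # ssl_protocols: TLS 1.0/1.1 (and SSLv2/3) are deprecated and should be off.
    for p in $(printf '%s\n' "$body" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\([^;]*\);.*/\1/p'); do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "weak protocol enabled: $p"; n=$((n+1)) ;;
        esac
    done

    # ssl_ciphers: split the colon-separated OpenSSL list and classify each suite.
    cipherlist=$(printf '%s\n' "$body" | sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p')
    for c in $(printf '%s\n' "$cipherlist" | tr ':' ' '); do
        case "$c" in
            !*|@*) ;;                                           # exclusions / ordering keywords
            *DES-CBC3*|*RC4*) echo "weak cipher: $c"; n=$((n+1)) ;;   # 3DES (Sweet32) or RC4
            ECDHE-*|DHE-*|EDH-*) ;;                             # ephemeral key exchange: forward secrecy
            *) echo "no forward secrecy: $c"; n=$((n+1)) ;;     # static RSA key exchange
        esac
    done

    # Authenticated Origin Pulls only helps if nginx verifies the client cert
    # Cloudflare presents; that needs both directives below.
    if ! printf '%s\n' "$body" | grep -q '^[[:space:]]*ssl_verify_client[[:space:]]*on[[:space:]]*;'; then
        echo "origin pulls: ssl_verify_client on is missing"; n=$((n+1))
    fi
    if ! printf '%s\n' "$body" | grep -q '^[[:space:]]*ssl_client_certificate[[:space:]]'; then
        echo "origin pulls: ssl_client_certificate is missing"; n=$((n+1))
    fi
    return $n
}

# Constructed weak snippet: the protocol line from the thread and a shortened
# version of the posted cipher list.
WEAK_CFG='ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:!DSS";'

# Constructed hardened snippet; the CA path is a placeholder, not a real file.
HARDENED_CFG='ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
ssl_client_certificate /etc/Cloudflare-ssl/origin-pull-ca.pem;   # placeholder path
ssl_verify_client on;'

# Stand-alone demo: findings for each snippet go to stdout.
echo "== weak snippet ==";     printf '%s\n' "$WEAK_CFG"     | audit_nginx_tls || true
echo "== hardened snippet =="; printf '%s\n' "$HARDENED_CFG" | audit_nginx_tls || true
```

To run it against a live server, feed the relevant file in: audit_nginx_tls < /etc/nginx/sites-enabled/your-site. The exit status is the number of findings, so it can gate a deployment step.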
