Properly Configuring CloudFlare

Please forgive me as I’m new to working with VPS hosts.

I’m running CentOS 7.9 with WHM/cPanel. I’m trying to configure authenticated origin pulls with Cloudflare, and force all requests to go through Cloudflare’s network with .htaccess “Require ip”. I generated an origin server SSL certificate on Cloudflare and installed it on WHM and cPanel (not sure if I was supposed to only install it on just WHM, or just cPanel, or both). I downloaded the Cloudflare specific CA (authenticated_origin_pull_ca.pem) and put it in /etc/Cloudflare/authenticated_origin_pull_ca.pem. In WHM I added the following to Server Configuration > Apache Configuration > Include Editor > Pre Main Include (Global):

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/cloudflare/authenticated_origin_pull_ca.pem

After restarting Apache, I get 502 Bad Gateway. I tried adding the “Require ip XXX.XXX.XXX.XXX” rules to .htaccess and uploaded that to public_html on the cPanel FTP.

In Cloudflare I have SSL/TLS encryption mode set to “Full”, and Authenticated Origin Pulls enabled.

Any ideas on what I’m messing up here? Any help is greatly appreciated

I think that 502 error means your server was unable to validate Cloudflare’s client certificate. I think that means your server failed to read the SSLCACertificateFile.

First, make sure the path you specified is correct. In your explanation you have a capital C on Cloudflare but in your config it’s lowercase. Unix filesystems are case-sensitive so make sure that matches, and otherwise that the path is right.

If the path is right, did you do a full restart of Apache or just a config reload? Apache sometimes needs a full restart to pick up a new certificate.

Finally, and probably the correct answer, for the config you pasted in, what context is it in, in your httpd.conf? The SSLCACertificateFile directive must be either in the top-level server config, or at the top level of a virtual host config. It cannot be in a <Directory> or <Location> or in an .htaccess file.

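Putting the answer above into a concrete configuration, as an added example that is not from either poster: the SSLVerifyClient, SSLVerifyDepth and SSLCACertificateFile directives sit at the top level of the HTTPS virtual host (in WHM that means the Pre VirtualHost or Post VirtualHost include, not an .htaccess file), while the IP restriction lives in directory context, where .htaccess is allowed. The hostname, document root, certificate paths and the 203.0.113.0/24 range are placeholders; the real allow-list comes from Cloudflare's published IP ranges at https://www.cloudflare.com/ips/.

```apacheconf
# Added example, not from the thread. example.com, /home/user/public_html,
# the certificate paths and 203.0.113.0/24 (a documentation range) are
# placeholders; replace them with the server's own values and with the
# IPv4/IPv6 ranges Cloudflare publishes.

# Server config or VirtualHost context: the only contexts in which
# SSLCACertificateFile is valid.
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /home/user/public_html

    SSLEngine on
    # Origin certificate issued by Cloudflare, presented to Cloudflare's edge
    # (placeholder paths).
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # Authenticated Origin Pulls: the edge must present a client certificate
    # that chains to Cloudflare's origin-pull CA. Depth 1 matches the thread's
    # configuration, since the client certificate is signed by that CA directly.
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /etc/cloudflare/authenticated_origin_pull_ca.pem

    # Make the handshake outcome visible on the origin; otherwise a rejected
    # client certificate only shows up as a 502 at the Cloudflare edge.
    LogLevel ssl:info

    # Directory context: this is what an .htaccess file in the document root
    # may contain (Require ip is permitted there, the SSL* directives above
    # are not). One Require ip line per Cloudflare range.
    <Directory /home/user/public_html>
        <RequireAny>
            Require ip 203.0.113.0/24
        </RequireAny>
    </Directory>
</VirtualHost>
```

Two details worth checking against the thread: SSLVerifyClient itself is accepted in directory and .htaccess context, but SSLCACertificateFile is not, so splitting the three lines across contexts is what produces a configuration Apache will load yet cannot use to verify the edge. And cPanel regenerates httpd.conf from its templates, so directives edited straight into /etc/apache2/conf/httpd.conf are lost on the next rebuild, whereas the WHM include files are carried over; putting the block in the Pre VirtualHost include keeps it in place while still being at virtual host level.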

As for the capitalization thing: that was a typo when writing this post. The capitalization is correct in the config files. I tried adding the rules via WHM’s include editor for Apache. I tried Pre Main Include, Pre VirtualHost Include, and Post VirtualHost Include. Alternatively, I tried editing /etc/apache2/conf/httpd.conf and adding the rules there. The file/directory is correct because WHM will return an error if the file cannot be found on the server when adding the rules. Finally, yes, I did restart Apache after adding the rules.


Check your server’s error log (probably /var/log/apache2/error.log) at the time the error happens.

From what I can tell, there’s nothing of value in the error.log file. It’s only indicating the shutdowns in between me testing around with the httpd.conf, and rebuilding/restarting Apache. I took a few Cloudflare ray IDs and tried to look them up in the WAF logs, but none match the logs. I’ve contacted my VPS host, and they have no clue.