Solution for letsencrypt + reverse proxy + cloudflare

Certbot LetsEncrypt certificate for NGINX reverse proxy (load balancer / reverse proxy) under Cloudflare

Example Setup

INTERNET -> CLOUDFLARE -> NGINX PROXY -> NGINX WEB SERVER

Configuration

  1. Configure a Cloudflare CNAME / A record to point to your server and proxy it (orange cloud)

    Type  Name             Content
    A     test.domain.com  YOUR NGINX PROXY PUBLIC IP

  2. Configure your virtual host on NGINX PROXY like this

    server {
        listen 80;
        server_name test.domain.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name test.domain.com;

        location /.well-known {
            alias /var/www/html/.well-known; # this does the magic: it makes the webroot plugin's challenge files be served from the NGINX PROXY's local folder instead of being passed on to the backend
        }

        location / {
            # backend
            proxy_pass http://NGINX-WEB-SERVER;

            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        ssl_certificate /etc/letsencrypt/live/test.domain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/test.domain.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

Remember to reload nginx

sudo service nginx reload

Use certbot in this way:

sudo letsencrypt certonly --webroot --webroot-path /var/www/html --renew-by-default --email [email protected] --text --agree-tos -d test.domain.com

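As an added pre-flight check (example code written for this page, not code from the post, nginx or certbot), the script below parses a vhost like the one above and flags the configuration mistakes that make the webroot flow fail: a certificate or key path whose /live/<name>/ directory does not match server_name (the vhost as originally posted had exactly this typo in its fullchain.pem path), a certificate and key taken from different /live/ directories, and an ssl server block with no location for /.well-known, which would send the ACME challenge requests to the backend instead of the local webroot. It assumes the config is available as a string and only understands the brace/semicolon subset of nginx syntax that the vhost uses; the sample config embedded in it is constructed from the post.

```python
"""Pre-flight checks for an nginx reverse-proxy vhost that gets its
Let's Encrypt certificate through certbot's webroot plugin.

Added example, not code from the original post, nginx or certbot. It parses
only the brace-delimited, ';'-terminated subset of nginx syntax used above.
"""
import re

# Constructed sample: the vhost from the post, with the original
# "test.domain.com.com" typo left in so the checker has something to find.
SAMPLE_CONFIG = """
server {
    listen 80;
    server_name test.domain.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name test.domain.com;
    location /.well-known {
        alias /var/www/html/.well-known;
    }
    location / {
        proxy_pass http://NGINX-WEB-SERVER;
        proxy_set_header Host $host;
    }
    ssl_certificate /etc/letsencrypt/live/test.domain.com.com/fullchain.pem; # typo kept from the post
    ssl_certificate_key /etc/letsencrypt/live/test.domain.com/privkey.pem;
}
"""

LIVE_DIR = re.compile(r"/etc/letsencrypt/live/([^/]+)/")


def strip_comments(text):
    """Drop '#' comments; nginx comments run to end of line."""
    return re.sub(r"#[^\n]*", "", text)


def parse(text):
    """Parse config text into a list of (header, directives, children) nodes.

    Directives are token lists such as ['listen', '443', 'ssl']; children are
    nested blocks such as ('location /.well-known', directives, children).
    """
    text = strip_comments(text)
    pos = 0

    def block():
        nonlocal pos
        directives, children, buf = [], [], ""
        while pos < len(text):
            ch = text[pos]
            pos += 1
            if ch == "{":
                header = buf.strip()
                buf = ""
                children.append((header, *block()))
            elif ch == ";":
                if buf.strip():
                    directives.append(buf.split())
                buf = ""
            elif ch == "}":
                return directives, children
            else:
                buf += ch
        return directives, children

    return block()[1]


def find_servers(nodes):
    """Yield (directives, children) for every server block, at any depth."""
    for header, directives, children in nodes:
        if header == "server":
            yield directives, children
        else:
            yield from find_servers(children)


def check_server(directives, children):
    """Return human-readable findings for one server block ([] = clean)."""
    findings = []
    by_name = {}
    for tokens in directives:
        by_name.setdefault(tokens[0], []).append(tokens[1:])
    names = [n for args in by_name.get("server_name", []) for n in args]
    is_ssl = any("ssl" in args for args in by_name.get("listen", []))

    # Which /live/<name>/ directory each ssl_* path points at.
    live_names = {}
    for key in ("ssl_certificate", "ssl_certificate_key"):
        args = by_name.get(key)
        path = args[0][0] if args and args[0] else ""
        m = LIVE_DIR.search(path)
        if m:
            live_names[key] = m.group(1)
            if m.group(1) not in names:
                findings.append(f"{key} uses live/{m.group(1)}/ but server_name is {names}")
    if len(set(live_names.values())) > 1:
        findings.append("ssl_certificate and ssl_certificate_key come from different live/ directories")

    # The webroot plugin needs the proxy itself to answer /.well-known/... locally.
    if is_ssl:
        has_acme_location = any(
            header.split()[-1].startswith("/.well-known")
            for header, _, _ in children
            if header.startswith("location")
        )
        if not has_acme_location:
            findings.append("ssl server block has no location for /.well-known; ACME challenges would be proxied to the backend")
    return findings


def check_config(text):
    """Run check_server over every server block; [] means the config passed."""
    findings = []
    for directives, children in find_servers(parse(text)):
        findings.extend(check_server(directives, children))
    return findings


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG) or ["no findings"]:
        print(line)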

Thank you @user77512 for the tutorial.
Once you have successfully set up an origin certificate, don’t forget to select Full or Full (Strict) mode in your SSL dashboard. This will encrypt and secure traffic between client and server end-to-end.