Cloudflare's Railgun - Railgun

What is Railgun

Railgun is defined by Cloudflare as a software that “accelerates and secures delivery of dynamic content, through compression and WAN network optimization of communication between Cloudflare data centers and an origin server, speeding up requests that can’t be served directly from Cloudflare cache.” It’s a very interesting technology that helps cache content by only serving bytes of changed page versions, creating a single persistent connection, and caching dynamic content.

Cloudflare's Railgun - SSL Setup

SSL

Elliptic curve cryptography, as defined by Wikipedia, “is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC requires smaller keys compared to non-ECC cryptography (based on plain Galois fields) to provide equivalent security.” The following instructions will allow NGINX to serve a self-signed key from the origin to Cloudflare. On the box, alter /etc/nginx/nginx.conf to include references to the following:

Cloudflare's Railgun - VPS Setup

Requirements

The first step to any deployment is to find out the requirements. As this deployment will focus around Cloudflare’s Railgun, it is wise to work with that as a base. Railgun’s requirements can be found here, but it can be boiled down to the following:

- Dual core processor
- 4GB RAM
- 64-bit Architecture
- Memcache >= 1.4 with at least 512MB of storage (>1GB recommended)
- One of the following operating systems:

Cloudflare's Railgun - Instructions

Instructions

- Build up an Apache or Nginx web server to serve a simple landing page or site through CloudFlare (location of origin doesn’t matter: Digital Ocean, AWS, GoGrid, etc.)
- Make the origin server only available over IPv6
- Set up Railgun and confirm Railgun is working correctly (hint: you can use rg-diag, which is installed with the railgun package) Documentation
- Generate a self-signed elliptic curve cert and use it on your origin server, then force all requests to your origin over SSL with page rules and HSTS.

Random GPG Key Creation

Author’s note: this was originally written by me, but then optimized by Distil Networks’ excellent marketing team. However, Distil did not publish it. I am not currently affiliated with Distil Networks.

GPG and Encryption

At Distil, we take security and privacy very seriously. Prior to joining Distil, I did not have a very hands-on understanding of GPG keys. However, we use keys extensively to ensure that there are no breaches of confidentiality.