Cloudflare's Railgun - SSL Setup

SSL

Elliptic curve cryptography, as defined by Wikipedia, “is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC requires smaller keys compared to non-ECC cryptography (based on plain Galois fields) to provide equivalent security.” The following instructions will allow NGINX on the origin to serve a certificate backed by an ECC key, issued by Cloudflare against your own CSR, to Cloudflare.

On the origin server, edit /etc/nginx/nginx.conf so that the HTTPS server block references the following:

ssl_certificate "/etc/pki/nginx/server.pem";
ssl_certificate_key "/etc/pki/nginx/private/server.key";

A server block for port 443 should already be present in the default configuration. Uncomment it, and consider commenting out the port 80 block, as all connections between the origin and Cloudflare should be encrypted.

Then create the directories that will hold the certificate material:

cd /etc/pki/
mkdir nginx
mkdir nginx/private

First, create the server's private key on the prime256v1 (P-256) curve, writing it to the path referenced in nginx.conf: openssl ecparam -out /etc/pki/nginx/private/server.key -name prime256v1 -genkey

Next, create a certificate signing request from that key: openssl req -new -key /etc/pki/nginx/private/server.key -out /etc/pki/nginx/csr.pem

The CSR will ask for the following information:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:CA
Locality Name (eg, city) [Default City]:San Francisco
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:thebrodeo.com
Email Address []:security@murraycolin.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Once you have entered that information, copy the contents of csr.pem (obtained with cat /etc/pki/nginx/csr.pem) and paste them into Cloudflare under “Create Origin Certificate”, choosing “I have my own private key and CSR”. After the certificate is created, you will be presented with another PEM block. Save this as /etc/pki/nginx/server.pem, the server.pem referenced in nginx.conf. Then restart NGINX by running sudo systemctl restart nginx.
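The key and CSR steps above, scripted non-interactively together with the checks worth running before the restart, as an added example that is not part of the original post. It assumes the post's /etc/pki/nginx layout (overridable through PKI_DIR for a dry run), reuses the DN values from the prompt shown above, and the function names are made up here. The one step it cannot do offline is the Cloudflare signing itself, so it prints the CSR for pasting and verifies server.pem against the key once that file exists.

```shell
#!/bin/sh
# Added example (not from the original post): scripts the key/CSR steps and adds
# the sanity checks a practitioner wants before restarting NGINX.
# Assumptions: PKI_DIR defaults to the post's /etc/pki/nginx; DN values mirror
# the prompt answers in the post; function names are hypothetical.
set -eu

PKI_DIR="${PKI_DIR:-/etc/pki/nginx}"

# Generate a prime256v1 (P-256) private key and a CSR for it.
# -noout keeps the "EC PARAMETERS" block out of the key file; -subj replaces the
# interactive DN prompt (Organization, OU and the challenge password stay blank).
make_key_and_csr() {
  dir="$1"
  cn="$2"
  mkdir -p "$dir/private"
  chmod 700 "$dir/private"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/private/server.key"
  chmod 600 "$dir/private/server.key"
  openssl req -new -key "$dir/private/server.key" -out "$dir/csr.pem" \
    -subj "/C=US/ST=CA/L=San Francisco/CN=$cn"
}

# Succeeds only if the key really is on prime256v1; guards against reusing an
# RSA key or a different curve by mistake.
key_curve_is_p256() {
  openssl pkey -in "$1" -noout -text 2>/dev/null | grep -q 'prime256v1'
}

# Succeeds only if the public key inside a CSR or a certificate was derived from
# the given private key. This catches a server.pem pasted from the wrong
# Cloudflare request before NGINX refuses to start.
pubkey_matches() {
  key="$1"
  file="$2"
  expected="$(openssl pkey -in "$key" -pubout 2>/dev/null)"
  if grep -q 'CERTIFICATE REQUEST' "$file"; then
    actual="$(openssl req -in "$file" -noout -pubkey 2>/dev/null)"
  else
    actual="$(openssl x509 -in "$file" -noout -pubkey 2>/dev/null)"
  fi
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

main() {
  make_key_and_csr "$PKI_DIR" "thebrodeo.com"
  key_curve_is_p256 "$PKI_DIR/private/server.key"
  pubkey_matches "$PKI_DIR/private/server.key" "$PKI_DIR/csr.pem"
  echo "CSR ready; paste the following into Cloudflare's Create Origin Certificate dialog:"
  cat "$PKI_DIR/csr.pem"
  # server.pem only exists after the Cloudflare step; verify it before the restart.
  if [ -f "$PKI_DIR/server.pem" ]; then
    pubkey_matches "$PKI_DIR/private/server.key" "$PKI_DIR/server.pem"
    echo "server.pem matches server.key; safe to run: sudo systemctl restart nginx"
  fi
}

# Run the full procedure only when explicitly asked, so the functions can be
# sourced or tested without touching /etc/pki.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as `sudo sh origin-cert.sh run` on the origin; run it twice, once to produce the CSR and once after server.pem has been saved, so the second pass confirms the certificate and key belong together before NGINX is restarted.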

About Colin Murray
I am a solutions engineer at Cloudflare. All opinions are my own.