Cloudflare's Railgun - SSL Setup
SSL
Elliptic curve cryptography, as defined by Wikipedia, "is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC requires smaller keys compared to non-ECC cryptography (based on plain Galois fields) to provide equivalent security." The following instructions will allow NGINX to serve a self-signed key from the origin to Cloudflare.
On the box, alter /etc/nginx/nginx.conf to include references to the following:
ssl_certificate "/etc/pki/nginx/server.pem";
ssl_certificate_key "/etc/pki/nginx/private/server.key";
Some of this information should already be present for 443 traffic. I would encourage you to uncomment it and possibly comment out the port 80 server block, as all connections between the origin and Cloudflare should be encrypted.
Then create the directory layout that nginx.conf references:
cd /etc/pki/
mkdir -p nginx/private
cd nginx
First, create the server secret key (a P-256 key, written under private/ so it lands at the path given in nginx.conf):
openssl ecparam -out private/server.key -name prime256v1 -genkey -noout
Next, create a certificate signing request from that key:
openssl req -new -key private/server.key -out csr.pem
The CSR will ask for the following information:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:CA
Locality Name (eg, city) [Default City]:San Francisco
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:thebrodeo.com
Email Address []:security@murraycolin.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Once you have entered that info, copy the content of csr.pem (obtained by cat /etc/pki/nginx/csr.pem) and paste it into Cloudflare under "Create Origin Certificate", specifying "I have my own private key and CSR". After that is created, you'll be presented with the signed certificate. Place this as your "server.pem" in /etc/pki/nginx/server.pem. After this is completed, restart the NGINX service by running sudo systemctl restart nginx.
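The whole procedure above, gathered into an added example script (not part of the original post): it creates the key and CSR non-interactively at the paths nginx.conf references, and before restarting nginx confirms that the certificate Cloudflare returned belongs to the private key. It needs openssl; PKI_DIR, CN and the gen/install subcommands are assumptions.

```sh
# Added example, not from the original post: builds the P-256 key and CSR in
# the layout nginx.conf references and refuses to restart nginx unless the
# certificate Cloudflare returned matches the key. Needs openssl; PKI_DIR, CN
# and the gen/install subcommands are this example's own assumptions.
set -eu
PKI_DIR="${PKI_DIR:-/etc/pki/nginx}"
CN="${CN:-thebrodeo.com}"

# Create private/server.key and csr.pem under $1 for common name $2.
gen_key_and_csr() {
    dir="$1"; cn="$2"
    mkdir -p "$dir/private" && chmod 700 "$dir/private"
    # -noout keeps the EC PARAMETERS block out of the key file
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/private/server.key"
    chmod 600 "$dir/private/server.key"
    # -subj supplies the DN so the interactive prompts are skipped
    openssl req -new -key "$dir/private/server.key" -out "$dir/csr.pem" \
        -subj "/C=US/ST=CA/L=San Francisco/CN=$cn"
}

# SHA-256 of the DER SubjectPublicKeyInfo derived from private key $1.
key_spki_sha256() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER SubjectPublicKeyInfo carried in certificate $1.
cert_spki_sha256() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only when certificate $1 was issued for the public half of key $2.
cert_matches_key() {
    [ "$(cert_spki_sha256 "$1")" = "$(key_spki_sha256 "$2")" ]
}

# Run once Cloudflare's certificate has been saved as $1/server.pem; a
# mismatched pair would otherwise leave nginx unable to start.
install_and_restart() {
    cert_matches_key "$1/server.pem" "$1/private/server.key" || {
        echo "server.pem does not match private/server.key; not restarting" >&2
        return 1
    }
    nginx -t && systemctl restart nginx
}

case "${1:-}" in
    gen) gen_key_and_csr "$PKI_DIR" "$CN" ;;
    install) install_and_restart "$PKI_DIR" ;;
esac
```

Run it with gen before uploading csr.pem to Cloudflare, then with install after saving the returned certificate as server.pem.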