Set up ECC SSL for Nginx to satisfy Cloudflare Full SSL mode

Cloudflare's Full SSL mode encrypts both legs of the connection: between your visitors and Cloudflare, and between Cloudflare and your origin server. The second leg requires a certificate on your own server. Plain Full mode (unlike Full (strict)) does not validate that certificate, so a self-signed one is enough. This tutorial shows how to create an ECC key and a self-signed certificate on the server and how to configure Nginx to serve TLS with them.

The following procedure was tested on my Linode server running CentOS 7 (64-bit).

  1. Create the folders where the private key and the certificate will be stored (the private directory should be readable by root only):

    mkdir -p /etc/ssl/private/sites/
    mkdir -p /etc/ssl/certs/sites/

  2. Generate an ECC (P-256) private key, a certificate signing request and a self-signed certificate with openssl. Afterwards restrict the key file to root (mode 600); Nginx reads it as root at startup:

    # P-256 private key; Nginx will negotiate ECDHE+ECDSA cipher suites with it
    openssl ecparam -genkey -name prime256v1 -out /etc/ssl/private/sites/yoursite.com.key
    # Certificate request; openssl prompts for the subject fields, use yoursite.com as Common Name
    openssl req -new -key /etc/ssl/private/sites/yoursite.com.key -out /etc/ssl/private/sites/yoursite.com-csr.pem
    # Self-signed certificate from the request. Full mode does not validate it,
    # but keep the lifetime bounded (ten years here) instead of effectively unlimited
    openssl req -x509 -days 3650 -key /etc/ssl/private/sites/yoursite.com.key -in /etc/ssl/private/sites/yoursite.com-csr.pem -out /etc/ssl/certs/sites/yoursite.com-cert.pem

  3. Configure Nginx:

    http {
      ...

      ## Cloudflare's recommended cipher list: https://github.com/cloudflare/sslconfig/blob/master/conf
      ## With an ECC certificate only the EECDH (ECDHE+ECDSA) suites can be negotiated;
      ## the RSA key-exchange and 3DES entries are never selected with this key.
      ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
      ssl_prefer_server_ciphers on;

      server {
        ## Replace XXX.XXX.XXX.XXX with your server's IPv4 address
        listen XXX.XXX.XXX.XXX:443 ssl;
        ## Replace XXXX:XXXX::XXXX:XXXX:XXXX:XXXX with your server's IPv6 address
        listen [XXXX:XXXX::XXXX:XXXX:XXXX:XXXX]:443 ssl;

        ## Replace yoursite.com with your site's domain
        server_name yoursite.com www.yoursite.com;

        ## Longer keep-alive for TLS so Cloudflare reuses connections instead of
        ## repeating the handshake on every request.
        keepalive_timeout 75 75;

        ## Server certificate and key.
        ssl_certificate /etc/ssl/certs/sites/yoursite.com-cert.pem;
        ssl_certificate_key /etc/ssl/private/sites/yoursite.com.key;

        ## SSLv3 stays disabled (POODLE). TLS 1.0 and 1.1 are deprecated (RFC 8996)
        ## and Cloudflare connects to origins with TLS 1.2, so allow only that;
        ## add TLSv1.3 when your nginx (1.13+) is built against OpenSSL 1.1.1+.
        ssl_protocols TLSv1.2;

        ...
      }
    }

  4. Check the configuration with `nginx -t`, then restart Nginx:

    systemctl restart nginx.service

  5. If Nginx is a reverse proxy in front of Apache, Apache must stop listening on port 443 so that Nginx can bind it. Edit Apache's SSL configuration:

    vi /etc/httpd/conf.d/ssl.conf

    and change the `Listen 443 https` line to:

    Listen 8443 https

    If Apache runs on the same host, `Listen 127.0.0.1:8443 https` keeps the backend port off the public interface. Make sure the `proxy_pass` in Nginx points at the new port.

  6. Restart Apache:

    systemctl restart httpd.service

  7. You can now enable Full SSL mode in your Cloudflare settings. Full mode accepts the self-signed certificate because it does not validate it; if you need protection against an attacker sitting between Cloudflare and your origin, use Full (strict) with a CA-issued or Cloudflare Origin CA certificate instead. Since the origin now answers on 443 for anyone who learns its IP, consider restricting that port to Cloudflare's published IP ranges.
  8. For a Drupal site, also set `$base_url` in "settings.php" so generated URLs use https and browsers do not report mixed content:

    $base_url = 'https://yoursite.com';

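The following script is an added example, not the tutorial's own commands: it performs step 2 in a single non-interactive `openssl req -x509` call, locks down the key file, and then verifies what the tutorial leaves unverified: that the certificate really carries a P-256 EC key, that the public key matches the private key (otherwise Nginx refuses to start), that the domain appears as a subjectAltName, and that the validity period is what was requested. The output directory, the `example`/`yoursite.com` names and the ten-year lifetime are assumptions; the tutorial's real locations are /etc/ssl/private/sites/ and /etc/ssl/certs/sites/.

```sh
#!/bin/sh
# Added example (not from the original tutorial): generate an ECC P-256 origin
# key and a self-signed certificate in one step, restrict the key file, and
# verify the artifacts before pointing nginx at them. Directory and domain are
# assumptions; the tutorial uses /etc/ssl/private/sites/ and /etc/ssl/certs/sites/.
set -eu

# gen_origin_cert DOMAIN OUTDIR DAYS
# Writes OUTDIR/DOMAIN.key and OUTDIR/DOMAIN-cert.pem.
gen_origin_cert() {
    mkdir -p "$2"
    chmod 700 "$2"
    # -noout drops the "EC PARAMETERS" block so the file holds only the key.
    openssl ecparam -genkey -noout -name prime256v1 -out "$2/$1.key"
    chmod 600 "$2/$1.key"
    # Request config: non-interactive subject plus server-certificate extensions.
    # Works with OpenSSL 1.0.2 (CentOS 7) as well as 1.1.x/3.x, unlike -addext.
    cat > "$2/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_origin
prompt = no
[dn]
CN = $1
[v3_origin]
subjectAltName = DNS:$1, DNS:www.$1
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
EOF
    # -x509 makes req emit a self-signed certificate instead of a CSR.
    openssl req -new -x509 -sha256 -days "$3" \
        -key "$2/$1.key" \
        -config "$2/$1.cnf" \
        -out "$2/$1-cert.pem"
    rm -f "$2/$1.cnf"
}

# Print the certificate's public-key algorithm (expect id-ecPublicKey).
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1
}

# Succeed if the certificate's key is on the P-256 (prime256v1) curve.
cert_uses_p256() {
    openssl x509 -in "$1" -noout -text | grep -q 'prime256v1'
}

# Succeed if CERT's public key matches KEY. A mismatch is what makes nginx
# fail at startup with "key values mismatch".
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeed if NAME is listed as a DNS subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Succeed if the certificate is still valid DAYS from now.
cert_valid_after_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))"
}

# Demonstration run in a scratch directory (constructed example data).
demo_dir=$(mktemp -d)
gen_origin_cert yoursite.com "$demo_dir" 3650
echo "algorithm: $(cert_key_algorithm "$demo_dir/yoursite.com-cert.pem")"
openssl x509 -in "$demo_dir/yoursite.com-cert.pem" -noout -subject -enddate
cert_matches_key "$demo_dir/yoursite.com-cert.pem" "$demo_dir/yoursite.com.key" && echo "key and certificate match"
rm -rf "$demo_dir"
```

After restarting Nginx you can confirm the origin actually presents this certificate with `openssl s_client -connect ORIGIN_IP:443 -servername yoursite.com </dev/null | openssl x509 -noout -fingerprint -sha256` and compare the fingerprint with `openssl x509 -in yoursite.com-cert.pem -noout -fingerprint -sha256` on the server.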
