Cloudflare's Full SSL mode encrypts both the connection between your website visitors and Cloudflare and the connection from Cloudflare to your origin server. This mode requires an SSL certificate on your server, but Cloudflare does not validate that certificate in Full mode (unlike Full (strict)), so a self-signed certificate is enough. This tutorial shows how to create a self-signed certificate on the server and configure Nginx to use it.
The following procedure was tested on my Linode server running the CentOS 7 64-bit Linux distribution.
- Create the folders where your keys and certificates will be stored. The private-key directory should stay readable by root only:

mkdir -p /etc/ssl/private/sites/
mkdir -p /etc/ssl/certs/sites/
- Generate the private key, a certificate signing request and a self-signed certificate using openssl. The second command prompts for the certificate subject; use your domain as the Common Name:

openssl ecparam -genkey -name prime256v1 -out /etc/ssl/private/sites/yoursite.com.key
openssl req -new -key /etc/ssl/private/sites/yoursite.com.key -out /etc/ssl/private/sites/yoursite.com-csr.pem
openssl req -x509 -days 365000 -key /etc/ssl/private/sites/yoursite.com.key -in /etc/ssl/private/sites/yoursite.com-csr.pem -out /etc/ssl/certs/sites/yoursite.com-cert.pem
- Configure Nginx:

http {
    ...
    ## Use Cloudflare's ssl_ciphers https://github.com/cloudflare/sslconfig/blob/master/conf
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    server {
        ## Change XXX.XXX.XXX.XXX to your server's IPv4 address
        listen XXX.XXX.XXX.XXX:443 ssl;
        ## Change XXXX:XXXX::XXXX:XXXX:XXXX:XXXX to your server's IPv6 address
        listen [XXXX:XXXX::XXXX:XXXX:XXXX:XXXX]:443 ssl;
        ## Change yoursite.com to your site's domain
        server_name yoursite.com www.yoursite.com;
        ## Keep-alive timeout set to a greater value for SSL/TLS.
        keepalive_timeout 75 75;
        ## Server certificate and key.
        ssl_certificate /etc/ssl/certs/sites/yoursite.com-cert.pem;
        ssl_certificate_key /etc/ssl/private/sites/yoursite.com.key;
        ## Disable the SSL v3 protocol to prevent the POODLE bug.
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ...
    }
}

Since Cloudflare is the only client that should be talking to the origin in this setup, you can tighten ssl_protocols to TLSv1.2 only (plus TLSv1.3 where your Nginx and OpenSSL support it); TLS 1.0 and 1.1 are deprecated and Cloudflare's edge does not need them.
- Check the configuration with nginx -t, then restart Nginx:

systemctl restart nginx.service
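The steps above can be wrapped in a small script that generates the key and self-signed certificate and then verifies, before Nginx is restarted, that the certificate really belongs to the key (Nginx refuses to start with a "key values mismatch" error otherwise). This is an added example, not code from the original tutorial: it assumes openssl is on PATH, takes the domain and file paths as parameters so it can be exercised unprivileged in a temporary directory, and adds a subjectAltName via a generated openssl config so the same commands work on CentOS 7's OpenSSL 1.0.2 as well as newer releases. The domain example.com in the usage is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): generate the origin key and
# self-signed certificate for one site, then verify them before Nginx is restarted.
# Assumptions: openssl on PATH; domain and file paths are parameters.

# gen_origin_cert DOMAIN KEYFILE CERTFILE [DAYS]
# Creates a P-256 private key and a self-signed certificate whose CN and
# subjectAltName are DOMAIN (and www.DOMAIN).
gen_origin_cert() {
    domain=$1; key=$2; cert=$3; days=${4:-3650}
    # Subshell: owner-only umask for the private key, without leaking to the caller.
    ( umask 077; openssl ecparam -genkey -name prime256v1 -noout -out "$key" ) || return 1
    cfg=$(mktemp) || return 1
    # Minimal openssl config: no prompting, CN from the argument, SAN extension.
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $domain
[v3]
subjectAltName = DNS:$domain, DNS:www.$domain
EOF
    openssl req -x509 -new -sha256 -key "$key" -days "$days" -config "$cfg" -out "$cert"
    rc=$?
    rm -f "$cfg"
    return "$rc"
}

# cert_matches_key KEYFILE CERTFILE
# Succeeds only if the public key inside the certificate is the one derived
# from KEYFILE; this is the check Nginx performs at startup.
cert_matches_key() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# cert_san CERTFILE: print the subjectAltName line of the certificate.
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# cert_summary CERTFILE: subject, validity window and SHA-256 fingerprint,
# which you can compare later with what the running server presents.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -dates -fingerprint -sha256
    cert_san "$1"
}

# served_cert HOST PORT: fetch the certificate the live server presents (SNI
# set to HOST) and print its subject and fingerprint. Needs network access.
served_cert() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject -fingerprint -sha256
}

# Usage as a script:  sh origin-cert.sh yoursite.com
# Writes into the tutorial's directories, so run as root for the real thing.
if [ $# -ge 1 ]; then
    site=$1
    key=/etc/ssl/private/sites/$site.key
    cert=/etc/ssl/certs/sites/$site-cert.pem
    gen_origin_cert "$site" "$key" "$cert" 3650
    if cert_matches_key "$key" "$cert"; then
        echo "key and certificate match"
    else
        echo "key/certificate mismatch, do not restart Nginx" >&2
        exit 1
    fi
    cert_summary "$cert"
fi
```

After Nginx is restarted, served_cert yoursite.com 443 run against the origin's IP lets you confirm the fingerprint printed by cert_summary is the one actually being served on the configured listen address.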
- If Nginx is a reverse proxy in front of Apache, Apache must not also listen on port 443, so change Apache's SSL port number (and point the Nginx proxy_pass target at the new port):

vi /etc/httpd/conf.d/ssl.conf

Change the Listen line to:

Listen 8443 https
- Restart Apache:

systemctl restart httpd.service
- You can now enable the Full SSL mode in your Cloudflare settings. Keep in mind that Full mode accepts the self-signed certificate without validating it, and it does nothing to stop clients from bypassing Cloudflare and connecting to the origin directly; if that matters to you, restrict port 443 on the origin to Cloudflare's published IP ranges.
- For a Drupal site, don't forget to edit settings.php so generated URLs use https, which avoids mixed-content errors:

$base_url = 'https://yoursite.com';