How to set up HTTPS for your website using Cloudflare’s SSL certificate and Nginx.

Author: Jack Qin

In this case, I'll use my website as an example.

Step 1: Set Up Cloudflare

  1. Sign Up/Login to Cloudflare:

    • Go to the Cloudflare website.
    • Sign up for a new account or log in to your existing account.
  2. Add Your Site:

    • After logging in, click on the “Add a Site” button.
    • Enter your domain name (e.g., fudongs.com) and click “Add Site”.
  3. Choose a Plan:

    • Select a plan. You can start with the free plan which provides basic SSL/TLS and CDN features.
    • Click “Continue”.
  4. Update DNS Settings:

    • Cloudflare will scan your DNS records. Review and confirm that all records are correct.
    • Click “Continue”.
    • Cloudflare will provide you with nameservers. You need to update your domain’s nameservers to these Cloudflare nameservers.
    • Log in to your domain registrar (e.g., GoDaddy, Namecheap) and update the nameservers to the ones provided by Cloudflare.
    • Once done, go back to Cloudflare and click “Continue”.

Step 2: Enable SSL/TLS in Cloudflare

  1. Navigate to SSL/TLS:

    • In the Cloudflare dashboard, go to the “SSL/TLS” section.
  2. Choose SSL/TLS Mode:

    • Select the SSL/TLS mode. The recommended option is “Full” or “Full (Strict)” if you already have an SSL certificate on your origin server; the Cloudflare origin certificate installed in Steps 3 and 4 satisfies “Full (Strict)”.
      • Flexible: Encrypts traffic only between the browser and Cloudflare; Cloudflare connects to your origin server over plain HTTP.
      • Full: Encrypts traffic between the browser and Cloudflare, and between Cloudflare and your origin server, but Cloudflare does not validate the origin certificate, so a self-signed certificate is accepted.
      • Full (Strict): Encrypts both legs and Cloudflare validates the origin certificate, which must be issued by a publicly trusted CA or be a Cloudflare origin certificate.

Step 3: Create a Cloudflare Origin Certificate

  1. Create Certificate:

    • In the Cloudflare dashboard, navigate to SSL/TLS -> Origin Server.
    • Click on "Create Certificate".
    • Choose "Let Cloudflare generate a private key and a CSR".
    • Select the domain you want to secure (e.g., fudongs.com and *.fudongs.com for the wildcard).
    • Click “Next”.
  2. Save the Certificate and Private Key:

    • Copy the Origin Certificate and Private Key provided by Cloudflare and save them to your server. The private key is shown only once, so copy it now. The origin certificate is signed by Cloudflare’s own CA and is trusted by Cloudflare, not by browsers, so it is meant for the Cloudflare-to-origin connection behind the proxy.

Step 4: Configure Nginx to Use Cloudflare’s Certificate

  1. Save the Certificate and Private Key:

    • Save the Origin Certificate to a file on your server, e.g., /etc/ssl/certs/cloudflare_origin.pem.
    • Save the Private Key to a file on your server, e.g., /etc/ssl/private/cloudflare_origin.key.
  2. Edit Nginx Configuration:

    • Open your Nginx configuration file for your site. This is usually found in /etc/nginx/sites-available/fudongs.com.

      sudo nano /etc/nginx/sites-available/fudongs.com
      
    • Update the configuration to include SSL settings:

      server {
          listen 80;
          server_name fudongs.com www.fudongs.com;
          return 301 https://$host$request_uri;
      }
      
      server {
          listen 443 ssl;
          server_name fudongs.com www.fudongs.com;
      
          ssl_certificate /etc/ssl/certs/cloudflare_origin.pem;
          ssl_certificate_key /etc/ssl/private/cloudflare_origin.key;
      
          ssl_protocols TLSv1.2 TLSv1.3;
          ssl_prefer_server_ciphers on;
          ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
      
          root /var/www/fudongs.com/html;
          index index.html index.htm index.nginx-debian.html;
      
          location / {
              try_files $uri $uri/ =404;
          }
      }
      
  3. Test and Reload Nginx:

    • Test the configuration for syntax errors:
      sudo nginx -t
      
    • Reload Nginx to apply the changes:
      sudo systemctl reload nginx
      
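As an added example that is not part of the original post, the following script does the file handling of Step 4 from the shell: it checks that the pasted private key really belongs to the origin certificate and that the certificate is not about to expire, installs both files at the paths used above with root-only permissions on the key (the post does not say which permissions to use), and then runs the same nginx -t and reload. The input file names origin.pem and origin.key are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): install the Cloudflare origin
# certificate and private key at the paths used above, check that the key
# matches the certificate, then test and reload Nginx.
# Assumed inputs: the certificate and key pasted from the Cloudflare dashboard,
# saved as ./origin.pem and ./origin.key (names chosen for this example).
set -eu

CERT_DST=/etc/ssl/certs/cloudflare_origin.pem
KEY_DST=/etc/ssl/private/cloudflare_origin.key

# Succeeds when the public key embedded in the certificate equals the public
# key derived from the private key. A mismatch makes Nginx fail at startup
# with a "key values mismatch" error, so catch it before touching /etc.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate is still valid for at least $2 more days
# (origin certificates expire too; check well before that).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Copies the files into place with restrictive ownership and modes: the
# certificate is public, the private key must be readable by root only
# (Nginx reads it as root before dropping privileges).
install_origin_cert() {
    cert_src=$1
    key_src=$2
    if ! cert_matches_key "$cert_src" "$key_src"; then
        echo "refusing to install: private key does not match certificate" >&2
        return 1
    fi
    if ! cert_valid_for_days "$cert_src" 30; then
        echo "refusing to install: certificate expires within 30 days" >&2
        return 1
    fi
    install -o root -g root -m 0644 "$cert_src" "$CERT_DST"
    install -o root -g root -m 0600 "$key_src" "$KEY_DST"
    nginx -t              # same check as "sudo nginx -t" above
    systemctl reload nginx
}

# Usage (as root): sh install_origin_cert.sh origin.pem origin.key
if [ "$#" -eq 2 ]; then
    install_origin_cert "$1" "$2"
fi
```

Run it as root with the two pasted files as arguments. Mode 0600 on the key matters because anyone who can read it can present your origin’s identity to Cloudflare; on Debian and Ubuntu /etc/ssl/private is normally already root-only.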

Step 5: Verify HTTPS

  1. Check in Browser:

    • Open your website in a browser and verify that it loads over HTTPS.
  2. Verify Certificate:

    • Use a tool like SSL Labs to verify your SSL certificate and configuration.

Additional Security (Optional)

  1. HTTP Strict Transport Security (HSTS):

    • Add HSTS inside the port 443 server block to enforce HTTPS (only after the site is confirmed to work over HTTPS, because browsers remember the policy for max-age seconds):
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
      
  2. Redirect All Traffic to HTTPS:

    • Ensure all HTTP traffic is redirected to HTTPS. This is already included in the configuration above with the return 301 https://$host$request_uri; directive in the port 80 server block.
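A command-line counterpart to the browser check in Step 5 and the HSTS header above, added here as an example that is not part of the original post: it parses a Strict-Transport-Security value and a port 80 redirect response, and, when given a host name, fetches both with curl and reports the result. curl being installed and the host argument are assumptions; the sample header value is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify from the command line
# what Step 5 checks in the browser: the port 80 redirect and a
# Strict-Transport-Security header with a max-age of at least one year.
# Assumes curl is installed; the host to check is passed as $1.
set -eu

ONE_YEAR=31536000

# Prints the max-age value from an HSTS header value (case-insensitive,
# whitespace tolerant), or nothing when the directive is absent.
hsts_max_age() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr -d ' \r' | tr ';' '\n' \
        | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Succeeds when the HSTS policy lasts at least a year, the value the
# add_header line above sets and the threshold scanners such as SSL Labs use.
hsts_ok() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] && [ "$age" -ge "$ONE_YEAR" ]
}

# Succeeds when an HTTP response (status code and Location) is a permanent
# redirect to the HTTPS version of the same host, as the port 80 block does.
redirect_ok() {
    status=$1
    location=$2
    host=$3
    [ "$status" = 301 ] || return 1
    case "$location" in
        "https://$host/"*) return 0 ;;
    esac
    return 1
}

# Live check against a deployed site; needs network access and curl.
verify_site() {
    host=$1
    http_headers=$(curl -sS -o /dev/null -D - "http://$host/")
    status=$(printf '%s\n' "$http_headers" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$http_headers" | tr -d '\r' \
        | awk 'tolower($1)=="location:" {print $2}')
    if redirect_ok "$status" "$location" "$host"; then
        echo "ok: http -> https redirect"
    else
        echo "FAIL: http redirect (got status '$status', location '$location')"
    fi
    https_headers=$(curl -sS -o /dev/null -D - "https://$host/")
    hsts=$(printf '%s\n' "$https_headers" | tr -d '\r' \
        | awk 'tolower($1)=="strict-transport-security:" {sub(/^[^:]*: */,""); print}')
    if hsts_ok "$hsts"; then
        echo "ok: HSTS ($hsts)"
    else
        echo "FAIL: HSTS missing or max-age below one year"
    fi
}

# Constructed sample value (what the add_header line above produces), used
# when no host is given so the parsing can be exercised offline.
SAMPLE_HSTS='max-age=31536000; includeSubDomains'

if [ "$#" -eq 1 ]; then
    verify_site "$1"
else
    hsts_ok "$SAMPLE_HSTS" && echo "sample HSTS accepted (max-age $(hsts_max_age "$SAMPLE_HSTS"))"
fi
```

Run it as sh verify_https.sh fudongs.com once the Cloudflare proxy is active; the checks are deliberately not followed with -L so that the first response from port 80 is what gets inspected.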

By following these detailed steps, you should be able to successfully set up HTTPS on your website using Cloudflare’s SSL certificate and Nginx.