Full Stack Software Developer

Installing cloudflare certificate on origin server

There can be more than one scenario for how you host your web application. They are:

Scenario 1: You serve your website directly from the Apache web server, without any proxy server in front of it.

Scenario 2: You serve your website through an NGINX front proxy, and on the back end the application runs on the Apache web server.

In both cases you have to install the certificate on the respective web servers.

Groundwork:

You first have to generate your origin certificate on cloudflare.com and download it to your computer. You are given two files, cloudflare.key and cloudflare.pem.

Copy these two files to your VPS and place them in a folder. I have placed them inside the /etc/certificates/ folder.

Installing the certificates to NGINX:

Skip this step if you are not using NGINX as a proxy in front of your backend application server.

The first thing to do is update the NGINX configuration file to add an https-specific server block.

user  nginx;

events {
    worker_connections   1000;
}

http {

    # Backend Apache containers, now reached over TLS on port 443
    upstream backend {
        server mynet-app-1:443;
        server mynet-app-2:443;
    }

    # Plain-http front end
    server {
        listen 80;

        server_name www.mynewdomain.com;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        location / {
            # Pass the request URI through unchanged. Appending $uri to the
            # upstream name drops the query string and sends the decoded path.
            proxy_pass https://backend;
        }
    }

    # https front end using the Cloudflare origin certificate
    server {
        listen 443 ssl;

        server_name www.mynewdomain.com;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Origin certificate and private key downloaded from Cloudflare
        ssl_certificate /etc/certificates/cloudflare.pem;
        ssl_certificate_key /etc/certificates/cloudflare.key;

        location / {
            proxy_pass https://backend;
        }
    }
}

Here, the first modification is that I have updated the backend upstream servers to point to port 443 instead of port 80.

Next, I have added an ssl-specific server block that listens on port 443. Make sure your Apache web server Docker instance is exposing port 443 as well.

So now all connections arriving at this web server on port 443 are forwarded to the upstream backend servers on port 443 as well. The next step is to ensure the upstream backend servers also have the ssl certificate installed.
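The configuration above encrypts the NGINX to Apache hop but does not authenticate it: by default NGINX accepts whatever certificate the upstream presents. The following is an added example, not configuration from the original post, showing a hardened version of the https server block. It assumes the Cloudflare Origin CA root certificate has been saved to /etc/certificates/cloudflare-origin-ca.pem (a placeholder path), that the origin certificate's names cover www.mynewdomain.com, and that the set_real_ip_from range is replaced with the ranges Cloudflare publishes.

```nginx
# Added example (not from the original post): hardened https server block.
# Assumptions: cloudflare-origin-ca.pem is the Cloudflare Origin CA root
# (placeholder path), and the origin certificate covers www.mynewdomain.com.

upstream backend {
    server mynet-app-1:443;
    server mynet-app-2:443;
}

server {
    listen 443 ssl;
    server_name www.mynewdomain.com;

    ssl_certificate     /etc/certificates/cloudflare.pem;
    ssl_certificate_key /etc/certificates/cloudflare.key;

    # Only current protocol versions on the edge-facing side.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;

    # Recover the visitor's address from Cloudflare's header, and only trust
    # that header when the connection really came from a Cloudflare range.
    # PLACEHOLDER: 192.0.2.0/24 must be replaced by every published range.
    set_real_ip_from 192.0.2.0/24;
    real_ip_header CF-Connecting-IP;

    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Authenticate the Apache backend on the inside hop: verify its
    # certificate against the Cloudflare Origin CA root and check that the
    # name matches. A backend presenting any other certificate is refused
    # with a 502 and an entry in error.log.
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/certificates/cloudflare-origin-ca.pem;
    proxy_ssl_server_name on;
    proxy_ssl_name www.mynewdomain.com;
    proxy_ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://backend;
    }
}
```

Two operational notes: proxy_ssl_server_name sends SNI to Apache so the *:443 virtual host is selected by name, and the private key in /etc/certificates/cloudflare.key should be owned by root with mode 0600, since the NGINX master process reads it as root before dropping to the nginx user.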

Installing certificate on Apache

Similar to NGINX, on Apache you first add an https-specific virtual host to the site configuration file. The updated Apache site configuration file will look like this:

# Plain-http virtual host, on the port the container exposes
<VirtualHost *:8080>
    ServerName www.mynewdomain.com
    ServerAlias mynewdomain.com

    ServerAdmin demo@demo.com
    DocumentRoot /var/www/html/www/public

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory "/var/www/html/www/public">
        AllowOverride All
    </Directory>
</VirtualHost>

# https virtual host using the Cloudflare origin certificate (needs mod_ssl)
<VirtualHost *:443>
    ServerName www.mynewdomain.com
    ServerAlias mynewdomain.com
    ServerAdmin demo@demo.com
    DocumentRoot /var/www/html/www/public

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/certificates/cloudflare.pem
    SSLCertificateKeyFile /etc/certificates/cloudflare.key

    <Directory "/var/www/html/www/public">
        AllowOverride All
    </Directory>
</VirtualHost>

Make sure mod_ssl is enabled before restarting Apache to test this configuration. Also check that any other modules your application needs, such as mod_rewrite, are enabled.

Overview:

So now your NGINX server receives all the traffic and passes it on to the backend Apache server on port 443 as well, which gives you end-to-end ssl coverage of your requests.

Improvements:

You should enforce an https redirect for all non-https requests, and use either the non-www or the www hostname rather than serving both, since serving both will hurt your SEO performance.
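Both improvements can be expressed as NGINX server blocks that redirect instead of proxying. The following is an added example, not configuration from the original post; it assumes www.mynewdomain.com is the canonical hostname and that the Cloudflare origin certificate's names cover both mynewdomain.com and www.mynewdomain.com, which the bare-domain https server needs in order to answer before redirecting.

```nginx
# Added example (not from the original post): redirect plain http and the
# bare domain to the single canonical origin https://www.mynewdomain.com.
# Assumption: the origin certificate covers mynewdomain.com and www.mynewdomain.com.

# Weak form: the port 80 server from the post proxies to the backend, so a
# request that reaches the origin directly over plain http is served in clear.
#
#     server {
#         listen 80;
#         server_name www.mynewdomain.com;
#         location / { proxy_pass https://backend; }
#     }

# Corrected: every plain-http request gets a permanent redirect. $request_uri
# carries the original path and query string through to the new location.
server {
    listen 80 default_server;
    server_name mynewdomain.com www.mynewdomain.com;
    return 301 https://www.mynewdomain.com$request_uri;
}

# The non-canonical hostname over https redirects too, rather than serving a
# second copy of the site under a different name.
server {
    listen 443 ssl;
    server_name mynewdomain.com;
    ssl_certificate     /etc/certificates/cloudflare.pem;
    ssl_certificate_key /etc/certificates/cloudflare.key;
    return 301 https://www.mynewdomain.com$request_uri;
}

# Canonical server: only https://www.mynewdomain.com reaches the backend.
server {
    listen 443 ssl;
    server_name www.mynewdomain.com;
    ssl_certificate     /etc/certificates/cloudflare.pem;
    ssl_certificate_key /etc/certificates/cloudflare.key;

    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        proxy_pass https://backend;
    }
}
```

After reloading, a request such as curl -I http://mynewdomain.com/page?x=1 should answer 301 with Location: https://www.mynewdomain.com/page?x=1. Cloudflare's edge can apply the same redirect for visitors, but the origin-side rule is what protects requests that bypass the edge and hit the server directly.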
