Cloudflare and NGINX Proxy forwarding
Hello, I currently have the problem that if I use the A record with my IP for my domain, everything works if it's not also proxied with nginx, but as soon as I also proxy to another service like a nodejs webserver or so, the connection times out. The weird thing is that if I use Cloudflare Tunnel, it works. Does someone know why this weird error happens?
There are no errors or connections logged anywhere.
Your nginx config has the proxy pass within the listen on 80, probably not what you want. You should want it in a server block listening on 443 with ssl configured, or use Tunnels like you are. Keep in mind with Flexible or Insecure (Not recommended!!!) Cloudflare will connect to the origin over http/port 80. With Full (Strict) (Recommended!!!) Cloudflare will only try connecting to 443/https. If you need a certificate, use a Cloudflare Origin one.
The tunnel establishes a secure outbound connection to Cloudflare, and then connects locally to your web server, so it's fine if it's only http as long as it's on the same LAN as the cloudflared connector, no one can mitm/etc.
That means I need to create an SSL certificate for the local connection?
For what local connection?
Using tunnels, from cloudflared -> nginx reverse proxy? No, you're fine using just http for that
Without tunnels, from Cloudflare's Edge -> Nginx Reverse Proxy? That's not a local connection, yes you'd want to secure that with an ssl cert and full (strict)/https
Ah okay thanks
@chaika.me I've added the Cloudflare Origin Certificate on NGINX and the fastify server and I now get this error:
That's what I get when I connect directly to the fastify server
You're connecting to the fastify server and getting served the cert? You should have configured it in nginx, if you are using it as the reverse proxy to your fastify server
I tried just with nginx and then nginx and fastify both the ssl error
And Cloudflare should change the documentation because this is outdated; the program doesn't work like that anymore
https://www.digicert.com/kb/csr-ssl-installation/nginx-openssl.htm
yea you don't need to mess with the csr stuff, it should be as simple as the config they detail below, something like
in your server block
I get this then:
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/sites-enabled/api.satowa-network.dev.conf:4
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
ok that looks fine so far, and then you reloaded/restarted nginx?
But it works now
yea thanks
nice! If you want that warning to go away, I believe you'd just need to change it to
listen 443 ssl;
ssl_certificate /etc/ssl/your_domain_name.pem; # or bundle.crt
ssl_certificate_key /etc/ssl/your_domain_name.key;
Okay thanks