Setting up SSL/TLS security is a must when hosting applications on a public server. Recently, I needed to secure my Elasticsearch and Kibana services running on an Nginx reverse proxy using Cloudflare Origin CA certificates.
At first, it seemed complicated, but once I broke it down, the process was straightforward. Here’s how I did it.
Prerequisites
Before getting started, I ensured my setup met the following requirements:
✅ A Linux Server: I used Debian, but Ubuntu would also work.
✅ Nginx installed: This acted as my reverse proxy.
✅ Cloudflare account: To generate the Origin CA certificate.
✅ Domain added to Cloudflare: This allowed me to manage my DNS settings.
✅ A subdomain pointing to my server: This ensured my services were accessible via Cloudflare.
With these in place, I proceeded to generate the SSL certificate.
Generating a Cloudflare Origin CA TLS Certificate
To get started, I logged into my Cloudflare dashboard and:
- Selected my domain from the list.
- Navigated to SSL/TLS > Origin Server.
- Clicked Create Certificate.
- Chose “Generate private key and CSR with Cloudflare”.
- Selected RSA as the private key type.
- Removed the default hostnames and added my own:
  elastic.karthik.com (for Elasticsearch)
  kibana.karthik.com (for Kibana)
- Set the certificate validity to 90 days (you can choose a longer duration if needed) and clicked Create.
- Cloudflare then provided me with two important pieces of information:
✔️ Origin Certificate
✔️ Private Key
I copied and saved both files securely because the Private Key would not be accessible again after exiting the screen.
Storing the Certificate on My Server
To store the certificate on my Nginx server, I created a dedicated directory:
sudo mkdir -p /etc/ssl/elk
cd /etc/ssl/elk
Then, I saved the Origin Certificate:
sudo nano fullchain.pem
(Pasted the certificate content here and saved the file.)
Next, I saved the Private Key:
sudo nano privkey.pem
(Pasted the private key content here and saved the file.)
Now, my Nginx server had the necessary files to establish a secure connection with Cloudflare.
Adding Cloudflare’s Root CA Certificate
To ensure full trust between my server and Cloudflare, I downloaded the Cloudflare Origin CA Root Certificate:
- Visited Cloudflare’s Origin CA Certificates page.
- Downloaded Cloudflare Origin RSA PEM.
- Opened the downloaded file, copied its contents, and stored it on my server:
sudo mkdir -p /etc/ssl/cloudflare
cd /etc/ssl/cloudflare
sudo nano origin_ca_rsa_root.crt
(Pasted the root certificate content here and saved the file.)
Now, I was ready to configure Nginx.
Configuring Nginx for Cloudflare SSL
First, I removed the default Nginx configuration:
sudo rm /etc/nginx/sites-enabled/default
Then, I created a new configuration file:
sudo nano /etc/nginx/sites-available/elk
And added the following content:
server {
    listen 80;
    server_name kibana.karthik.com elastic.karthik.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/ssl/elk/fullchain.pem;
    ssl_certificate_key /etc/ssl/elk/privkey.pem;
    ssl_trusted_certificate /etc/ssl/cloudflare/origin_ca_rsa_root.crt;
    server_name kibana.karthik.com;
    location / {
        proxy_pass http://localhost:5601;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/ssl/elk/fullchain.pem;
    ssl_certificate_key /etc/ssl/elk/privkey.pem;
    ssl_trusted_certificate /etc/ssl/cloudflare/origin_ca_rsa_root.crt;
    server_name elastic.karthik.com;
    location / {
        proxy_pass https://localhost:9200;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Then, I enabled the new configuration:
sudo ln -s /etc/nginx/sites-available/elk /etc/nginx/sites-enabled
Before restarting Nginx, I always test the configuration:
sudo nginx -t
If everything was okay, I restarted Nginx:
sudo systemctl restart nginx
Updating Cloudflare SSL Settings
Once the certificate was installed on my server, I logged into Cloudflare and updated the SSL/TLS settings:
- Set SSL/TLS encryption mode to “Full (strict)”:
  - In Cloudflare, I navigated to SSL/TLS > Overview
  - Changed the encryption mode to Full (strict)
- Enabled Authenticated Origin Pulls:
  - In Cloudflare, I navigated to SSL/TLS > Origin Server
  - Toggled Authenticated Origin Pulls to ON
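Turning on Authenticated Origin Pulls in the dashboard only makes Cloudflare present a client certificate on each request; the origin has to be configured to require and verify it, and ssl_trusted_certificate alone does not do that (it only supplies CAs for OCSP stapling and for client verification once ssl_verify_client is enabled). The block below is an added example, not the original post's config, showing the two directives Nginx needs in each HTTPS server block; it assumes Cloudflare's origin-pull CA certificate (authenticated_origin_pull_ca.pem, downloadable from Cloudflare's Authenticated Origin Pulls documentation) has been saved to the path shown.

```nginx
# Added example (not the post's own config): Kibana server block extended so that
# Nginx actually enforces Authenticated Origin Pulls.
# Assumption: Cloudflare's origin-pull CA file was saved as
# /etc/ssl/cloudflare/authenticated_origin_pull_ca.pem
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name kibana.karthik.com;

    # Origin CA certificate and key from the post: this is the server identity
    # that Cloudflare validates when the zone is in Full (strict) mode.
    ssl_certificate     /etc/ssl/elk/fullchain.pem;
    ssl_certificate_key /etc/ssl/elk/privkey.pem;

    # Client certificate verification: without these two directives the
    # dashboard toggle changes nothing on the origin, and any client that can
    # reach port 443 directly (bypassing Cloudflare) is still served.
    ssl_client_certificate /etc/ssl/cloudflare/authenticated_origin_pull_ca.pem;
    ssl_verify_client on;   # requests lacking a valid Cloudflare client cert get HTTP 400

    location / {
        proxy_pass http://localhost:5601;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The same two directives belong in the elastic.karthik.com block as well; after `sudo nginx -t` and a reload, a request made straight to the server's IP with the Kibana Host header should be rejected while the same URL through Cloudflare still loads.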
Verifying the Setup
Now, it was time to test my configuration!
I visited
🔹 https://kibana.karthik.com
🔹 https://elastic.karthik.com
🎉 Success! My website loaded securely with Cloudflare’s Origin CA SSL. The browser displayed a lock icon, confirming a secure connection.
Final Thoughts
Setting up Cloudflare Origin CA certificates with Nginx was a great learning experience. By using Cloudflare’s certificates, I secured the communication between Cloudflare and my server without needing a public CA like Let’s Encrypt.
🔹 Key Takeaways:
✔️ Always store your Private Key securely — you won’t be able to see it again.
✔️ Set SSL mode to Full (strict) in Cloudflare to ensure end-to-end encryption.
✔️ Use Authenticated Origin Pulls for additional security.
If you’re hosting services behind Nginx and using Cloudflare, this method is a secure and efficient way to implement SSL!
🚀 Have you set up Cloudflare SSL on your server before? Let me know in the comments!