Use Cloudflare Certificate with Nginx + V2Ray + Websocket +TLS + CDN

[Recommended] If you would like to try the latest VLESS+TCP+XTLS, please refer to the link below:

Coexistence of Web Applications and VLESS+TCP+XTLS

When configuring V2Ray + Websocket + TLS + CDN(Cloudflare), you may want to use Cloudflare Origin CA certificates. This article will help you go smooth with it.

1. Deploy V2Ray

Please refer to the Update in my previous post.
Here we assume the V2Ray WebSocket inbound listens on port 12345 and the path is /nameofpath.

2. Configure Cloudflare Certificate

2.1 Obtain Cloudflare Origin Certificate and Private Key

Go to your Cloudflare site dashboard: SSL/TLS -> Origin Server -> Create Certificate.
IMPORTANT: If you or your site visitors intend to use Chrome/Safari or any other major web browser, select a Certificate Validity equal to or less than 1 year. This is because TLS server certificates issued on or after 2020-09-01 00:00:00 UTC are required to have a validity period of 398 days or less (see Certificate Lifetimes).
After creation, copy the whole Origin Certificate content and save it as yourdomain_cert.pem; copy the whole Private Key content and save it as yourdomain_key.pem.

2.2 Obtain Cloudflare Origin CA root certificates

Go to the Cloudflare official docs, Managing Cloudflare Origin CA certificates.
Copy the content of either Cloudflare Origin CA — RSA Root or Cloudflare Origin CA — ECC Root (generally ECC is safer) and save it as cloudflare_origin_rsa.pem or cloudflare_origin_ecc.pem. You can also download them directly.

2.3 Upload certificates to your server

Upload yourdomain_cert.pem, yourdomain_key.pem, and cloudflare_origin_ecc.pem (or cloudflare_origin_rsa.pem) to any folder on your server. By default you can put them in /etc/ssl/, but the location doesn't matter.

2.4 Concatenate the primary and intermediate certificates

In the folder where you uploaded the 3 .pem files, append the root certificate to your origin certificate, so that the file holds your own certificate first, followed by the root. Run the following command

cat cloudflare_origin_ecc.pem >> yourdomain_cert.pem

(Yes, this has nothing to do with your private key.)
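Before handing the bundle to Nginx, it is worth checking that it really chains and that the key belongs to the certificate: an origin that presents a broken chain makes Cloudflare answer with error 526 (Invalid SSL certificate) in Full (strict) mode. The script below is an added example and not part of the original post. It assumes only the openssl command-line tool, generates a constructed throwaway CA and leaf certificate in place of the real Cloudflare root and origin certificate (the file names mirror the post's placeholders), and runs three checks: the bundle holds two certificates with the leaf first, the leaf verifies against the root that was concatenated (use the ECC root for a certificate created with an ECC key and the RSA root for an RSA key, since each root only verifies the certificates it signed), and the public half of the private key matches the certificate. build_chain also refuses the self-append trap, where reading from and appending to the same file makes cat stop with "input file is output file".

```bash
#!/bin/sh
# Added example (not from the original post): sanity-check an origin
# certificate bundle before pointing Nginx at it.
# Assumes the openssl CLI is installed. File names are placeholders; a
# constructed throwaway CA stands in for the Cloudflare Origin CA root.
set -eu

# Count PEM certificate blocks in a file (a correct bundle has leaf + root = 2).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# build_chain LEAF ROOT OUT: leaf certificate first, then the CA that signed it.
# Refuses when OUT is one of its inputs, which is the trap in "cat a b >> a".
build_chain() {
  local leaf="$1" root="$2" out="$3"
  if [ "$out" -ef "$leaf" ] || [ "$out" -ef "$root" ]; then
    echo "build_chain: refusing to overwrite input $out" >&2
    return 1
  fi
  cat "$leaf" "$root" > "$out"
}

# chain_verifies BUNDLE ROOT: the first certificate in BUNDLE must chain to
# ROOT. openssl verify only looks at the first certificate in the file, which
# is why the leaf has to come first in the bundle.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" > /dev/null 2>&1
}

# key_matches_cert CERT KEY: compare the public key embedded in the certificate
# with the one derived from the private key (works for RSA and ECC alike).
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# make_demo_pki DIR: constructed stand-ins for the files the post works with.
# (A real deployment uses the certificate and root downloaded from Cloudflare.)
make_demo_pki() {
  local d="$1"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$d/ca.key" -out "$d/cloudflare_origin_ecc.pem" \
    -subj "/CN=Demo Origin CA (constructed)" -days 30 > /dev/null 2>&1
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$d/yourdomain_key.pem" -out "$d/leaf.csr" \
    -subj "/CN=example.com" > /dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/cloudflare_origin_ecc.pem" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/yourdomain_cert.pem" \
    -days 30 > /dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_pki "$DEMO_DIR"

# The self-append from the post's original command is rejected...
if ! build_chain "$DEMO_DIR/yourdomain_cert.pem" "$DEMO_DIR/cloudflare_origin_ecc.pem" \
                 "$DEMO_DIR/yourdomain_cert.pem"; then
  echo "self-append refused, as it should be"
fi
# ...while writing to a separate bundle file works and passes all checks.
build_chain "$DEMO_DIR/yourdomain_cert.pem" "$DEMO_DIR/cloudflare_origin_ecc.pem" \
            "$DEMO_DIR/fullchain.pem"
echo "certificates in bundle: $(count_certs "$DEMO_DIR/fullchain.pem")"
chain_verifies "$DEMO_DIR/fullchain.pem" "$DEMO_DIR/cloudflare_origin_ecc.pem" \
  && echo "chain: OK"
key_matches_cert "$DEMO_DIR/fullchain.pem" "$DEMO_DIR/yourdomain_key.pem" \
  && echo "key matches certificate: OK"
```

On a real server, run the same three functions against /etc/ssl/yourdomain_cert.pem, the Cloudflare root you downloaded and /etc/ssl/yourdomain_key.pem; if chain_verifies fails, the usual cause is pairing the ECC root with an RSA origin certificate or vice versa. Keep in mind that browsers never trust this chain directly: it only has to satisfy Cloudflare's edge, so visitors must reach the site through Cloudflare.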

3. Configure Nginx

3.1 Install Nginx

sudo apt install nginx

3.2 Remove the default file in enabled sites of Nginx

sudo rm /etc/nginx/sites-enabled/default

3.3 Create Nginx config file in available sites

sudo nano /etc/nginx/sites-available/yourdomain.com

Edit the config file. (This is a complete sample config file; please modify the details according to your running service.)

server {
  listen 80;
  listen [::]:80;
  server_name example.com www.example.com; # Replace with your own domain name
  return 302 https://$server_name$request_uri;
}

server {
  listen 443 ssl;
  listen [::]:443 ssl;

  ssl_certificate       /etc/ssl/yourdomain_cert.pem; # Your origin certificate followed by the Cloudflare Origin CA root
  ssl_certificate_key   /etc/ssl/yourdomain_key.pem;
  # Authenticated Origin Pull is optional. Please refer to https://developers.cloudflare.com/ssl/origin/authenticated-origin-pull/
  #ssl_client_certificate  /etc/ssl/origin-pull-ca.pem;
  #ssl_verify_client on;
  ssl_session_timeout 1d;
  ssl_session_cache shared:MozSSL:10m;
  ssl_session_tickets off;

  ssl_protocols         TLSv1.2 TLSv1.3;
  ssl_ciphers           ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers off;

  server_name           example.com www.example.com; # Replace with your own domain name

  location /nameofpath { # Replace with your own path name
    # Only genuine WebSocket upgrade requests reach V2Ray; anything else gets a plain 404
    if ($http_upgrade != "websocket") {
        return 404;
    }
    proxy_redirect off;
    proxy_pass http://127.0.0.1:12345; # Port 12345 is the V2Ray WebSocket inbound. Replace 12345 with your own port.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }

  location / {
    proxy_redirect off;
    proxy_pass http://127.0.0.1:3000; # Port 3000 is for your normal web service, such as WordPress. For example, you can set the port mapping 127.0.0.1:3000:80 in the WordPress docker-compose.yml
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}

3.4 Link config files

sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/yourdomain.com

3.5 Check syntax and restart Nginx

sudo nginx -t
sudo systemctl restart nginx

4. Ready to go

By now, you can either:
(1) Visit your normal service at https://example.com
(2) Connect the V2Ray WebSocket client via example.com:443/nameofpath


Copyright statement: Unless otherwise stated, all articles on this blog adopt the CC BY-NC-SA 4.0 license agreement. For non-commercial reprints and citations, please indicate the author: Henry, and original article URL. For commercial reprints, please contact the author for authorization.