Use Cloudflare Certificate with Nginx + V2Ray + Websocket + TLS + CDN

[Recommended] If you would like to try the latest VLESS+TCP+XTLS, please refer to the link below:

When configuring V2Ray + Websocket + TLS + CDN (Cloudflare), you may want to use Cloudflare Origin CA certificates on the origin server. This article walks through the setup.
1. Deploy V2Ray
Please refer to Update in my previous post
This article assumes V2Ray listens for WebSocket (ws) connections on port 12345 and that the path is /nameofpath.
2. Configure Cloudflare Certificate
2.1 Obtain Cloudflare Origin Certificate and Private Key
Go to your Cloudflare site dashboard: SSL/TLS -> Origin Server -> Create Certificate.
IMPORTANT: If you or your site visitors use Chrome, Safari or any other major web browser, select a Certificate Validity of 1 year or less. TLS server certificates issued on or after 2020-09-01 00:00:00 UTC are required to have a validity period of 398 days or less (see the Certificate Lifetimes policy).
After creation, copy the whole Origin Certificate content and save it as yourdomain_cert.pem; copy the whole Private Key content and save it as yourdomain_key.pem.
2.2 Obtain Cloudflare Origin CA root certificates
Go to Cloudflare official docs Managing Cloudflare Origin CA certificates
Copy the content of either the Cloudflare Origin CA — RSA Root or the Cloudflare Origin CA — ECC Root (ECC is generally safer) and save it as cloudflare_origin_rsa.pem or cloudflare_origin_ecc.pem respectively. You can also download them directly. Pick the root that matches the key type you chose when creating the Origin Certificate in step 2.1: an ECDSA origin certificate chains to the ECC root, an RSA one to the RSA root.
2.3 Upload certificates to your server
Upload yourdomain_cert.pem, yourdomain_key.pem, and cloudflare_origin_ecc.pem (or cloudflare_origin_rsa.pem) to any folder on your server. This article puts them in /etc/ssl/, but the location does not matter as long as the Nginx config below points at it.
2.4 Concatenate the primary and intermediate certificates
In the folder where you uploaded the three .pem files, append the Cloudflare root to your origin certificate so that the file contains the leaf certificate first and the root after it. Run the following command:
cat cloudflare_origin_ecc.pem >> yourdomain_cert.pem
Do not list yourdomain_cert.pem as an input of the same cat command that appends to it: GNU cat refuses with "input file is output file", and other implementations may write the leaf certificate twice.
(Yes, the private key is not part of this chain file.)
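A quick sanity check of the chain file built in step 2.4, added here as an example that is not part of the original post. It reads the PEM blocks with the Python standard library only, walks just enough of the DER structure to reach the validity field, and reports the mistakes that are easy to make at this step: a private key pasted into the certificate file, a missing or duplicated certificate, a second certificate that is not the Cloudflare root you downloaded, and a leaf validity longer than the 398 days mentioned in step 2.1. The file names and the 398-day limit come from the article; sample_cert_pem() is a constructed helper that builds a structurally minimal, unsigned certificate-shaped DER so the check can be exercised offline, and is not a real certificate.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

# Matches any PEM block and captures its label (CERTIFICATE, EC PRIVATE KEY, ...).
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return a list of (label, der_bytes) for every PEM block in text."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def cert_validity(der):
    """Extract (notBefore, notAfter) as UTC datetimes from a DER X.509 certificate."""
    _, p, _ = _tlv(der, 0)             # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)         # optional [0] EXPLICIT version
    if tag == 0xA0:
        p = end
    for _ in range(3):                 # serialNumber, signature algorithm, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)             # validity SEQUENCE
    times = []
    for _ in range(2):
        tag, s, e = _tlv(der, p)
        raw = der[s:e].decode("ascii")
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
        times.append(datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc))
        p = e
    return times[0], times[1]


def check_chain(chain_pem, root_pem, max_days=398):
    """Return the list of problems found in a leaf+root chain file; empty list means OK."""
    problems = []
    blocks = pem_blocks(chain_pem)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        problems.append("private key material present in certificate file")
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    if len(certs) != 2:
        problems.append(f"expected 2 certificates (leaf + root), found {len(certs)}")
        return problems
    root = [der for label, der in pem_blocks(root_pem) if label == "CERTIFICATE"]
    if not root or certs[1] != root[0]:
        problems.append("second certificate is not the supplied Cloudflare Origin CA root")
    if certs[0] == certs[1]:
        problems.append("leaf and root are identical (was the root file used twice?)")
    not_before, not_after = cert_validity(certs[0])
    if not_after - not_before > timedelta(days=max_days):
        problems.append(f"leaf validity {(not_after - not_before).days} days exceeds {max_days}")
    return problems


def _der(tag, content):
    """Encode one DER TLV (constructed helper, used only to build sample data)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_cert_pem(not_before, not_after, serial=1):
    """Constructed sample: a minimal, unsigned certificate-shaped DER wrapped in PEM.
    Only the fields up to validity are populated; enough to exercise cert_validity()."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02")) +                              # [0] version v3
               _der(0x02, bytes([serial])) +                                  # serialNumber
               _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02")) +  # ecdsa-with-SHA256
               _der(0x30, b"") +                                              # issuer (empty Name)
               _der(0x30, utc(not_before) + utc(not_after)))                  # validity
    b64 = base64.b64encode(_der(0x30, tbs)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    # Usage: python3 check_chain.py /etc/ssl/yourdomain_cert.pem /etc/ssl/cloudflare_origin_ecc.pem
    chain_text, root_text = (open(path).read() for path in sys.argv[1:3])
    for problem in check_chain(chain_text, root_text):
        print("PROBLEM:", problem)
```

The parser deliberately stops at the validity field and performs no signature verification; for that, run openssl verify with the Cloudflare root as -CAfile on the real files. The point of the script is to catch file-assembly mistakes before nginx -t, which only reports that a file failed to load, not why.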
3. Configure Nginx
3.1 Install Nginx
sudo apt install nginx
3.2 Remove the default file in enabled sites of Nginx
sudo rm /etc/nginx/sites-enabled/default
3.3 Create Nginx config file in available sites
sudo nano /etc/nginx/sites-available/yourdomain.com
Edit the config file. This is a complete sample config; modify the details according to the service you are running.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com; # Replace with your own domain name
    return 302 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/ssl/yourdomain_cert.pem;      # leaf + Cloudflare root from step 2.4
    ssl_certificate_key /etc/ssl/yourdomain_key.pem;

    # Authenticated Origin Pull is optional. Please refer to https://developers.cloudflare.com/ssl/origin/authenticated-origin-pull/
    #ssl_client_certificate /etc/ssl/origin-pull-ca.pem;
    #ssl_verify_client on;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    server_name example.com www.example.com; # Replace with your own domain name

    location /nameofpath { # Replace with your own path name
        # Only WebSocket upgrades reach V2Ray; plain requests to the path look like any other 404.
        if ($http_upgrade != "websocket") {
            return 404;
        }
        proxy_redirect off;
        proxy_pass http://127.0.0.1:12345; # Port 12345 is the V2Ray websocket port. Replace with your own.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        proxy_redirect off;
        proxy_pass http://127.0.0.1:3000; # Port 3000 is the normal web service, such as WordPress. For example, map 127.0.0.1:3000:80 in the WordPress docker-compose.yml.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
3.4 Link config files
sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/yourdomain.com
3.5 Check syntax and restart Nginx
sudo nginx -t
sudo systemctl restart nginx
4. Ready to go
By now, you can either:
(1) Visit your normal web service at https://example.com
(2) Point the V2Ray client at example.com:443 over WebSocket + TLS with path /nameofpath
Copyright statement: Unless otherwise stated, all articles on this blog adopt the CC BY-NC-SA 4.0 license agreement. For non-commercial reprints and citations, please indicate the author: Henry, and original article URL. For commercial reprints, please contact the author for authorization.