How to connect your home server to a domain with Cloudflare


This tutorial is fairly long because it covers several points:

  1. Add the site
  2. Auto-update your dynamic IP
  3. Add sub-domains to the domain
  4. Select the type of encryption
  5. Configure nginx with the certificate (pem) and key


Cloudflare is a DNS service that lets you manage the DNS of the domains you use for free and create sub-domains. Cloudflare offers more tools than that, but we will only use a few of them.


After you register:

1. Add the site


Select the plan to use (the free plan is enough for this):





When you complete the purchase (for $0) you will see this:

Press the Continue button.


Now you must change the DNS nameservers at your domain registrar, so that Cloudflare becomes the authoritative DNS for the domain.



For example, for my domain at https://my.freenom.com/:




Change the name-servers



to







Check that the name-servers are working: the Cloudflare dashboard marks the site as active once it sees the new delegation, and you can confirm it yourself by querying the NS records of your domain with dig or nslookup.






2. Auto-update your dynamic IP

If you have a dynamic IP, you need to send the new IP to Cloudflare whenever it changes. For this we use a small bash script run from crontab on GNU/Linux, the best system :)

For this we need three things:
 a) the API key

   Note: the Global API Key grants full access to your whole Cloudflare account, so anyone who can read the script can take over every domain in it. Prefer an API token restricted to DNS edit on this zone (sent as an "Authorization: Bearer <token>" header instead of X-Auth-Email/X-Auth-Key), and keep the script readable only by root (chmod 600).

 b) the zone ID (one per domain)

 c) the ID of the DNS record for the domain inside that zone

Now we use curl and the API to get the record ID:
https://api.cloudflare.com/

List DNS records:
https://api.cloudflare.com/#dns-records-for-a-zone-list-dns-records

Take the "id" attribute of the record from the response and use it after dns_records/ in the URL.

Terminal:
curl -X GET "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/dns_records?type=A&name=YOUR_DOMAIN" -H "X-Auth-Email: YOUR_EMAIL" -H "X-Auth-Key: YOUR_API_KEY" -H "Content-Type: application/json"

Remember to take the id of the record for the domain itself (ramdontest.ml in the example). The others are sub-domains, and we only need to update the domain's A record: the sub-domains are CNAME records pointing at the domain, so they follow the same IP automatically.


Update the IP (the placeholder values example.com and 127.0.0.1 come from the API documentation; replace them with your domain and your server's public IP):

Terminal:
curl -X PUT "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/dns_records/YOUR_ID_DOMAIN" \
     -H "X-Auth-Email: user@example.com" \
     -H "X-Auth-Key: YOUR_API_KEY" \
     -H "Content-Type: application/json" \
     --data '{"type":"A","name":"example.com","content":"127.0.0.1","ttl":1,"proxied":false}'
The values highlighted in red in the original are the ones you may change: ttl (1 means automatic; otherwise a number of seconds such as 120) and proxied (true sends traffic through Cloudflare's proxy, false leaves the record DNS only).


The bash script (it contains your API key, so make it readable only by root: chmod 700):

Terminal:
#!/bin/sh
# Address currently assigned to the enp2s0 interface. The original line used
# "ifconfig | grep 'Direc. inet'", which only matches Spanish-locale output;
# "ip" prints the same address independent of the locale.
# If the server sits behind a NAT router this is a private address and you
# need the public address instead.
ipNow=$(ip -4 -o addr show enp2s0 | awk '{print $4}' | cut -d/ -f1)
ipOld=""
UBICATION_LOGS="/opt/logs/"
# File that remembers the last IP pushed to Cloudflare
IP_FILE="$UBICATION_LOGS"ipOld.js
# Send a notification email via ssmtp
ejecutarCodigo() {
 {
  echo "From: Server Update IP <server@YOUR-DOMAIN.COM>"
  echo "Sender: YOUR-MAIL@GMAIL.COM"
  echo "To: YOUR-MAIL@GMAIL.COM"
  echo "Subject: The server changed ip"
  echo
  echo "The server changed ip from $ipOld to $ipNow"
 } | /usr/sbin/ssmtp YOUR-MAIL@gmail.com # send email
}
# Read the previous IP (the file does not exist on the first run)
if [ -f "$IP_FILE" ]; then
 read -r ipOld < "$IP_FILE"
fi
echo "$ipOld  -  $ipNow"
# Both sides quoted: with an empty ipOld the unquoted test is a syntax error
if [ -n "$ipNow" ] && [ "$ipOld" != "$ipNow" ]; then
 #loadwebs.tk
 curl -X PUT "https://api.cloudflare.com/client/v4/zones/YOUR_ID_ZONE/dns_records/YOUR_ID_DOMAIN" \
  -H "X-Auth-Email: YOUR-MAIL@gmail.com" \
  -H "X-Auth-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  --data '{"type":"A","name":"YOUR_DOMAIN","content":"'"$ipNow"'","ttl":1,"proxied":false}'
 # Remember the new IP; without this line the script sent the PUT on every run
 echo "$ipNow" > "$IP_FILE"
 ejecutarCodigo
else
 echo "NO"
fi
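The following script is an added example, not the original post's script. It combines the record lookup from the curl command above and the update into one cron job, with the fixes a practitioner would want: it asks Cloudflare's trace endpoint (https://1.1.1.1/cdn-cgi/trace) for the public address, so it also works behind a NAT router where the interface address is private; it authenticates with a scoped API token (Authorization: Bearer) instead of the Global API Key; it refuses to push anything that is not a well-formed IPv4 address; and it records the new IP only after Cloudflare confirmed the update. Everything configuration-related is an assumption: the file /etc/cf-ddns.env (mode 0600) defining CF_API_TOKEN, CF_ZONE_ID and CF_RECORD_NAME, the state file /var/lib/cf-ddns/last_ip, and that curl and jq are installed.

```shell
#!/bin/sh
# Added example (not the original post's script): Cloudflare DDNS updater.
# Assumptions (hypothetical, adjust to your setup):
#   - /etc/cf-ddns.env (root:root, mode 0600) defines CF_API_TOKEN, CF_ZONE_ID
#     and CF_RECORD_NAME; the token only has DNS edit permission on this zone
#   - curl and jq are installed
#   - the last pushed IP is kept in /var/lib/cf-ddns/last_ip
# Run from cron as:  ./cf-ddns.sh run
set -eu

CF_API="https://api.cloudflare.com/client/v4"
STATE_FILE="${STATE_FILE:-/var/lib/cf-ddns/last_ip}"
ENV_FILE="${ENV_FILE:-/etc/cf-ddns.env}"

# Pull the "ip=" line out of the text returned by Cloudflare's trace endpoint.
parse_trace_ip() {
    printf '%s\n' "$1" | sed -n 's/^ip=//p' | head -n 1
}

# Accept only a dotted quad with four numeric octets in 0-255. Anything else
# (empty string, HTML error page, IPv6) must never be written into the A record.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }'
}

# JSON body for the PUT; the IP is validated before this is called.
# $1 = record name, $2 = IPv4 address, $3 = proxied (true|false)
build_payload() {
    printf '{"type":"A","name":"%s","content":"%s","ttl":1,"proxied":%s}' "$1" "$2" "$3"
}

# Public address as seen from the Internet. Unlike reading the interface with
# ifconfig/ip, this also works when the server sits behind a NAT router.
current_public_ip() {
    parse_trace_ip "$(curl -fsS --max-time 10 https://1.1.1.1/cdn-cgi/trace)"
}

cf_get() { curl -fsS --max-time 20 -H "Authorization: Bearer $CF_API_TOKEN" "$CF_API$1"; }

# Look the record ID up by name on every run instead of hard-coding it.
record_id() {
    cf_get "/zones/$CF_ZONE_ID/dns_records?type=A&name=$CF_RECORD_NAME" \
        | jq -er '.result[0].id'
}

update_record() {   # $1 = record id, $2 = new IP
    curl -fsS --max-time 20 -X PUT "$CF_API/zones/$CF_ZONE_ID/dns_records/$1" \
        -H "Authorization: Bearer $CF_API_TOKEN" \
        -H "Content-Type: application/json" \
        --data "$(build_payload "$CF_RECORD_NAME" "$2" false)" \
        | jq -e '.success == true' >/dev/null
}

main() {
    # shellcheck disable=SC1090
    . "$ENV_FILE"
    new_ip=$(current_public_ip)
    if ! is_ipv4 "$new_ip"; then
        echo "cf-ddns: could not determine a valid public IPv4 ('$new_ip')" >&2
        exit 1
    fi
    old_ip=$(cat "$STATE_FILE" 2>/dev/null || true)
    if [ "$old_ip" = "$new_ip" ]; then
        echo "cf-ddns: unchanged ($new_ip)"
        return 0
    fi
    rid=$(record_id)
    update_record "$rid" "$new_ip"
    # Persist only after Cloudflare confirmed success, so a failed PUT is retried.
    mkdir -p "$(dirname "$STATE_FILE")"
    printf '%s\n' "$new_ip" > "$STATE_FILE"
    echo "cf-ddns: updated ${old_ip:-<none>} -> $new_ip"
}

case "${1:-}" in
    run) main ;;
esac
```

Run it as root from crontab, for example `*/5 * * * * /opt/bin/cf-ddns.sh run` (path assumed). Without the `run` argument the script only defines its functions, which is what allows the text-only helpers (parse_trace_ip, is_ipv4, build_payload) to be exercised offline.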




3. Add sub-domains to the domain

Add the sub-domain:


This is very important: to connect over SSH using a hostname, that record must be set to DNS only (grey cloud), because Cloudflare's proxy only carries HTTP(S) traffic. Either switch the domain itself to DNS only, or keep it proxied and create a sub-domain set to DNS only for SSH. Be aware that a DNS-only record publishes your real home IP to anyone who resolves that name, so the proxied records no longer hide it.


Example:








4. Select the type of encryption

These options are listed from least (Off) to most secure (Full SSL (Strict)). All options are available in all customer plans.

Off: No secure connection between your visitor and Cloudflare, and no secure connection between Cloudflare and your web server either. This means that visitors can only view your website over HTTP, and any visitor attempting to connect via HTTPS will receive a HTTP 301 Redirect to the plain HTTP version of your website.


Flexible SSL: A Secure connection between your visitor and Cloudflare, but no secure connection between Cloudflare and your web server. You don't need to have an SSL certificate on your web server, but your visitors still see the site as being HTTPS enabled. This option is not recommended if you have any sensitive information on your website. This setting will only work for port 443->80, not for the other ports we support like 2053. It should only be used as a last resort if you are not able to setup SSL on your own web server. Be aware it can cause issues when you decide to switch away from it: How do I fix the infinite redirect loop...


Full SSL: A secure connection between your visitor and Cloudflare, plus a secure connection (but not authenticated) between Cloudflare and your web server. You will need to have your server configured to answer HTTPS connections, with at least a self-signed certificate. The authenticity of the certificate is not verified: from Cloudflare’s point of view (when we connect to your origin web server), it’s the equivalent of bypassing this error message. But as long as the address of your origin web server is correct in your DNS settings, you know that we’re connecting to your web server, and not someone else’s.

Full SSL (Strict): A secure connection between your visitor and Cloudflare, plus a secure and authenticated connection between Cloudflare and your web server. You will need to have your server configured to answer HTTPS connections, with a valid SSL certificate. This certificate must be signed by a certificate authority that is trusted by Cloudflare, have an expiration date in the future, and respond for the request domain name (hostname). If you've added a CNAME record for the hostname on Cloudflare, the certificate's Common Name or SAN may also match the CNAME target.

Strict (SSL-Only Origin Pull), Enterprise only: This mode has the same certificate requirements as Full (Strict) and will also upgrade all connections between Cloudflare and the origin from HTTP to HTTPS, even if the original content requested is over HTTP.

Origin CA certificates, generated by Cloudflare, can be used with either the Full or Full(strict) options as they are trusted by Cloudflare. You can find more information about Origin CA certificates below:



If you use Flexible SSL, nothing more needs to be configured; you are done. Keep in mind, though, that with Flexible SSL the traffic between Cloudflare and your server travels in plaintext, so prefer Full (Strict) with an Origin CA certificate as described next.


Now the configuration for Full mode:




Select Full mode (Full (Strict) also works with the Origin CA certificate created next, and is the better choice because Cloudflare then verifies your origin's certificate):




Create the origin certificate:





Copy the PEM (certificate) and the key (private key) and save them on your server, for example as /opt/ssl/ramdontest.pem and /opt/ssl/ramdontest.key, the paths used in the nginx configuration of step 5. Make the key file readable only by root (chmod 600): it is the private key of your origin.

You should end up with this:










5. Configure nginx with the certificate (pem) and key



Terminal:
server {
 listen 443 ssl;
 server_name first.ramdontest.ml;
 root /var/www;
 index index.php index.html index.htm index.nginx-debian.html;
 # Origin certificate and key copied from Cloudflare in step 4
 ssl_certificate        /opt/ssl/ramdontest.pem;
 ssl_certificate_key    /opt/ssl/ramdontest.key;
 # Only modern TLS between Cloudflare and the origin
 ssl_protocols TLSv1.2 TLSv1.3;
 access_log /opt/logs/ramdontest.ml.access_log.js;
 error_log /opt/logs/ramdontest.ml.error_log.js;
 rewrite_log on;
 location / {
  proxy_pass http://localhost:3202;
  proxy_http_version 1.1;
  # WebSocket upgrade passthrough
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection 'upgrade';
  # Pass the original hostname and the visitor address to the backend.
  # Without Host the application sees "localhost:3202"; $remote_addr is
  # Cloudflare's edge, the real visitor IP arrives in CF-Connecting-IP
  # (only trustworthy while the origin is reachable through Cloudflare only).
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $http_cf_connecting_ip;
  proxy_set_header X-Forwarded-Proto https;
 }
}
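A hardened variant of the server block above, added here as an example (it is not the original post's configuration). It keeps the Origin CA certificate and additionally enables Cloudflare's Authenticated Origin Pulls, so nginx only accepts TLS connections that present Cloudflare's client certificate. With the Origin CA certificate alone, anyone who learns your home IP (for example through the DNS-only SSH record of step 3) can still talk to port 443 directly and reach the application behind the proxy. The path of the Cloudflare origin-pull CA certificate is an assumption: download it from Cloudflare's Authenticated Origin Pulls documentation, and enable the feature in the dashboard under SSL/TLS, Origin Server, otherwise Cloudflare sends no client certificate and every request is rejected. Use it together with the Full (Strict) mode.

```nginx
server {
    listen 443 ssl;
    server_name first.ramdontest.ml;

    # Origin CA certificate from step 4 (trusted by Cloudflare only)
    ssl_certificate        /opt/ssl/ramdontest.pem;
    ssl_certificate_key    /opt/ssl/ramdontest.key;
    ssl_protocols          TLSv1.2 TLSv1.3;

    # Authenticated Origin Pulls: require Cloudflare's client certificate.
    # The path is an assumption; the CA certificate is published in
    # Cloudflare's documentation and the feature must be switched on in
    # the dashboard (SSL/TLS -> Origin Server).
    ssl_client_certificate /opt/ssl/cloudflare-origin-pull-ca.pem;
    ssl_verify_client      on;

    location / {
        proxy_pass http://localhost:3202;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $http_cf_connecting_ip;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
    }
}
```

After `nginx -t` and a reload, a request sent straight to the origin IP (bypassing Cloudflare) is answered with HTTP 400 "No required SSL certificate was sent", while the same URL through the proxied hostname keeps working; that pair of checks is the quickest way to confirm the origin is no longer reachable without going through Cloudflare.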


links: https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-

1 comment:

  1. To connect your home server to a domain with Cloudflare, configure HostingRaja your domain's DNS settings in Cloudflare by adding an "A" record pointing to your home server's public IP address.