Cloudflare Integration

Configure Nginx with Cloudflare CDN for real IP restoration, SSL modes, and performance optimization.

Table of Contents

Overview

When using Cloudflare or any reverse proxy (AWS CloudFront, Incapsula, Varnish cache, etc.) in front of Nginx, you need to configure Nginx to see the real visitor IP address instead of the proxy's IP address.

Centmin Mod compiles Nginx with the ngx_http_realip_module by default, which provides the set_real_ip_from and real_ip_header directives needed for proper IP restoration.

To prevent IP leaks when using Cloudflare, you should also enable Cloudflare Authenticated Origin Pull certificates on your Cloudflare Full SSL enabled sites.

This guide covers Cloudflare-specific configuration including ECDSA SSL certificates for Cloudflare (set SELFSIGNEDSSL_ECDSA='y' in /etc/centminmod/custom_config.inc for ECDHE-ECDSA P-256 cipher support), Authenticated Origin Pulls (mTLS), SSL modes, and real IP restoration. The same principles apply to AWS CloudFront, Incapsula, and other reverse proxies -- simply use their respective IP ranges and headers.

Real IP Restoration

Nginx's ngx_http_realip_module uses two key directives to restore visitor IPs behind a reverse proxy:

  • set_real_ip_from -- Defines trusted proxy IP ranges (one directive per CIDR block)
  • real_ip_header -- Specifies which HTTP header contains the real client IP (e.g., CF-Connecting-IP for Cloudflare, X-Forwarded-For for most other proxies)

Where to Add the Configuration

You can add the real IP directives in two locations:

Global (all sites)

Add to the http {} block in:

/usr/local/nginx/conf/nginx.conf

Per-site

Add to the server {} block in:

/usr/local/nginx/conf/conf.d/domain.com.conf

Automated Setup (Recommended)

Centmin Mod 123.09beta01 and newer generates Nginx vhosts with an include file that is automatically populated with Cloudflare IPs via the csfcf.sh automation script.

Uncomment the Cloudflare include in your vhost configuration:

# uncomment cloudflare.conf include if using cloudflare for
# server and/or vhost site
include /usr/local/nginx/conf/cloudflare.conf;

Set up a cron job to keep Cloudflare IPs updated automatically:

23 */36 * * * /usr/local/src/centminmod/tools/csfcf.sh auto >/dev/null 2>&1

Cloudflare IP Ranges

Cloudflare maintains an updated list of IP addresses. Below are the IP ranges formatted as Nginx directives.

These IP ranges change periodically. Use the automated csfcf.sh cron job (described above) to keep them current, or check Cloudflare's official IP page regularly.

IPv4 Addresses

# Cloudflare IPv4
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
real_ip_header CF-Connecting-IP;

IPv6 Addresses

# Cloudflare IPv6
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;

Using an Include File

For easier management, place the directives in a separate include file and reference it from your Nginx configuration:

# In nginx.conf http{} block or vhost server{} block:
include /usr/local/nginx/conf/cloudflare.conf;

After making changes, restart Nginx:

# Restart Nginx
service nginx restart

# Or use the Centmin Mod shortcut
ngxrestart

Full nginx.conf Context Example

Here is an example showing where the Cloudflare directives fit within the full nginx.conf structure:

user              nginx nginx;
worker_processes  1;
worker_rlimit_nofile 51200;
error_log         logs/error.log;
pid               logs/nginx.pid;

events {
    worker_connections  32768;
    use epoll;
}

http {
    # Cloudflare real IP restoration
    include /usr/local/nginx/conf/cloudflare.conf;

    index  index.php index.html index.htm;
    include       mime.types;
    default_type  application/octet-stream;
    # ... rest of config
}

SSL Modes

Cloudflare offers several SSL/TLS encryption modes that determine how traffic is encrypted between visitors, Cloudflare, and your origin Nginx server.

1

Flexible SSL

Encrypts traffic between visitors and Cloudflare only. Traffic between Cloudflare and your origin server is unencrypted (HTTP).

Not recommended -- Leaves origin traffic vulnerable. May cause redirect loops if your server forces HTTPS.

2

Full SSL

Encrypts traffic end-to-end. Cloudflare connects to your origin via HTTPS but does not validate the SSL certificate (self-signed certificates are accepted).

Acceptable -- Better than Flexible, but does not verify origin certificate authenticity.

3

Full (Strict) SSL

Encrypts traffic end-to-end and validates the origin SSL certificate. Requires a valid certificate from a trusted CA (such as Let's Encrypt) or a Cloudflare Origin CA certificate.

Recommended -- Maximum security. Use with Let's Encrypt certificates for the best setup.

Let's Encrypt SSL with Cloudflare DNS API

For the most secure configuration, combine Cloudflare Full (Strict) mode with a Let's Encrypt SSL certificate on your origin Nginx server. When your domain is behind Cloudflare's orange cloud proxy, use Cloudflare DNS API validation to issue Let's Encrypt SSL certificates.

Cloudflare DNS API Configuration

Add these settings to /etc/centminmod/custom_config.inc:

CF_DNSAPI='y' CF_Token='your_cloudflare_api_token' CF_Account_ID='your_cloudflare_account_id'

Then issue the SSL certificate using DNS validation:

/usr/local/src/centminmod/addons/acmetool.sh issue yourdomain.com lived --dns dns_cf

For full details on Cloudflare DNS API validation and all available options, see the Let's Encrypt DNS Validation documentation.

Full (Strict) SSL Mode

For the most secure configuration, combine Cloudflare Full (Strict) mode with the Let's Encrypt certificate on your origin Nginx server.

Setup Steps

  1. Install a Let's Encrypt certificate on your origin server using Centmin Mod's built-in addons/acmetool.sh integration.
  2. Configure your Nginx vhost for HTTPS/SSL with the Let's Encrypt certificate.
  3. In your Cloudflare dashboard, navigate to SSL/TLS and set the encryption mode to Full (Strict).
  4. Enable Authenticated Origin Pulls in Cloudflare to verify that requests to your origin come from Cloudflare.
  5. Ensure your origin server's set_real_ip_from directives include the current Cloudflare IP ranges.

Let's Encrypt certificates renew automatically every 60-90 days when using Centmin Mod's acmetool.sh. Cloudflare Full (Strict) mode will continue working as long as the certificate is valid and trusted.

Page Rules & Caching

Cloudflare Page Rules allow you to customize caching behavior, security settings, and URL redirects on a per-URL basis. Here are recommended configurations for Centmin Mod sites.

Recommended Cache Settings

URL Pattern Setting Purpose
*domain.com/wp-admin/* Cache Level: Bypass Never cache admin areas
*domain.com/wp-login.php* Cache Level: Bypass Never cache login pages
*domain.com/*.css Cache Level: Cache Everything, Edge TTL: 1 month Aggressively cache static CSS
*domain.com/*.js Cache Level: Cache Everything, Edge TTL: 1 month Aggressively cache static JS

Performance Optimization Tips

  • Enable Auto Minify for HTML, CSS, and JavaScript in Cloudflare's Speed settings.
  • Enable Brotli compression in Cloudflare (works alongside Nginx's built-in Brotli in Centmin Mod).
  • Use Always Online to serve cached pages even when your origin is temporarily unavailable.
  • Consider enabling Argo Smart Routing for reduced latency on dynamic content.
  • Enable HTTP/2 and HTTP/3 (QUIC) in Cloudflare's Network settings for faster connections.

Firewall Integration

When using Cloudflare with CSF Firewall, you need to whitelist Cloudflare's IP addresses in the firewall to ensure traffic can reach your origin server.

Automated CSF + Cloudflare Setup

Centmin Mod includes the csfcf.sh script that automates both Cloudflare IP whitelisting in CSF and Nginx real IP configuration:

# Run the automated setup
/usr/local/src/centminmod/tools/csfcf.sh auto

# Set up a cron job to keep IPs updated
23 */36 * * * /usr/local/src/centminmod/tools/csfcf.sh auto >/dev/null 2>&1

This script handles:

  • Downloading the latest Cloudflare IP ranges
  • Adding Cloudflare IPs to CSF Firewall's allow list (csf.allow)
  • Updating the Nginx cloudflare.conf include file with current IP ranges
  • Restarting CSF and Nginx to apply changes

If you restrict origin access to Cloudflare IPs only (recommended for preventing IP leaks), ensure the cron job is running reliably. Outdated IP lists could block legitimate Cloudflare traffic.

Authenticated Origin Pulls (mTLS)

Cloudflare Authenticated Origin Pulls use mutual TLS (mTLS) to verify that requests to your origin server are coming from Cloudflare, not directly from the internet. This prevents attackers from bypassing Cloudflare by connecting directly to your server’s IP address.

Setup with Centmin Mod

Centmin Mod provides a dedicated tool to download and configure the Cloudflare origin pull certificate:

# Download and configure the Cloudflare origin pull certificate
/usr/local/src/centminmod/tools/cf-authenticated-origin-cert-update.sh

The certificate is stored at /usr/local/nginx/conf/ssl/cloudflare/${vhostname}/origin.crt.

Nginx Configuration

Add the following directives to your Nginx HTTPS vhost server block to enforce mTLS:

# Inside the HTTPS server block for yourdomain.com
ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/yourdomain.com/origin.crt;
ssl_verify_client on;

Auto-renewal: Set up a weekly cron job to run tools/cf-authenticated-origin-cert-update.sh to auto-renew the certificate before its 180-day expiry. This ensures uninterrupted protection.

Important: Enable “Authenticated Origin Pulls” in your Cloudflare dashboard under SSL/TLS → Origin Server before configuring your Nginx server. Direct (non-Cloudflare) connections will be rejected once ssl_verify_client on is enabled.

For more details, see the forum discussion.

ECDSA SSL Certificates for Cloudflare

ECDSA certificates offer faster TLS handshakes and smaller key sizes compared to RSA, improving performance for Cloudflare ↔ origin connections. For self-signed ECDSA certificates, set SELFSIGNEDSSL_ECDSA='y' in /etc/centminmod/custom_config.inc before creating the vhost. This enables ECDHE-ECDSA P-256 cipher support for Cloudflare Full (Strict) SSL mode.

Self-Signed ECDSA Certificates

To generate ECDSA self-signed certificates (useful for Cloudflare Full mode where the origin cert doesn’t need to be publicly trusted):

# Set in /etc/centminmod/custom_config.inc before creating vhost
SELFSIGNEDSSL_ECDSA='y'

Let’s Encrypt ECDSA Certificates

Centmin Mod’s acmetool.sh supports issuing ECDSA certificates from Let’s Encrypt. See the Let’s Encrypt ECDSA guide for setup instructions.

ECDSA Cipher Suite Priority

When using ECDSA certificates, ensure ECDSA cipher suites are prioritized in your Nginx SSL configuration. The key ciphers to prioritize:

# ECDSA cipher suites (should be listed before RSA ciphers)
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305

Performance benefit: ECDSA P-256 keys are 256 bits vs RSA 2048 bits, resulting in significantly faster TLS handshakes. This is especially beneficial for sites behind Cloudflare where the origin connection is re-established frequently.

For more details, see the forum discussion.

Troubleshooting

Nginx logs show Cloudflare IPs instead of visitor IPs

The set_real_ip_from directives are missing or incomplete.

Fix: Verify the Cloudflare include file exists at /usr/local/nginx/conf/cloudflare.conf and is included in your Nginx configuration. Run nginx -t to validate the configuration and ngxrestart to apply.

ERR_TOO_MANY_REDIRECTS (redirect loop)

Usually occurs when Cloudflare SSL mode is set to Flexible and Nginx is configured to redirect HTTP to HTTPS.

Fix: Change Cloudflare SSL mode to Full or Full (Strict) and ensure your origin server has a valid SSL certificate installed. See the Let's Encrypt Free SSL guide.

Cloudflare Error 521 (Web server is down)

Cloudflare cannot connect to your origin server. The origin Nginx server is down or CSF Firewall is blocking Cloudflare IPs.

Fix: Check that Nginx is running (systemctl status nginx) and verify Cloudflare IPs are whitelisted in CSF Firewall. Run /usr/local/src/centminmod/tools/csfcf.sh auto to update the whitelist.

Cloudflare Error 525 (SSL handshake failed)

Occurs when Cloudflare SSL mode is Full or Full (Strict) but the origin server's SSL certificate is invalid, expired, or misconfigured.

Fix: Verify your origin SSL certificate is valid with openssl s_client -connect yourdomain.com:443. Renew expired Let's Encrypt certificates using /usr/local/src/centminmod/addons/acmetool.sh.

Origin IP address leaking

Your origin server's real IP address is discoverable, bypassing Cloudflare's protection.

Fix: Enable Cloudflare Authenticated Origin Pulls. Also configure CSF Firewall to only allow incoming HTTP/HTTPS connections from Cloudflare IPs, blocking direct access to your origin.