Home
Timothy Schneider edited this page May 12, 2025 · 19 revisions
Automated SSL configuration for Nginx with Let's Encrypt certificates validated through Cloudflare DNS and renewed automatically (certbot renews a certificate once it has fewer than 30 days left)
Features:
- Automatic SSL Certificates: Uses Let's Encrypt via Cloudflare DNS validation
- Modern Security Configuration:
  - TLS 1.2/1.3 only
  - Strong cipher suites
  - OCSP stapling
  - HTTP/2 support
- WebSocket Ready: Built-in proxy configuration for WebSocket support
- Automatic Redirects: Forces HTTPS and handles port redirection
- Cloudflare Integration: Securely stores API credentials
- Firewall Configuration: Automatic UFW setup (if installed)
- Webhook Alerts: Get alerts to Discord, Slack, or Google Chat
This script automates the complex process of:
- Setting up proper SSL configuration with Nginx
- Cloudflare API integration for DNS validation
- Configuring modern security protocols
- Creating production-ready reverse proxy setup
- Implementing best practices for web server security
Prerequisites:
- Proxmox LXC container (or any Debian/Ubuntu server)
- Root access
- Domain name with DNS managed through Cloudflare
Installation:
- Download the script and make it executable (it runs as root, so read it before you run it):
curl -LO https://raw.githubusercontent.com/taslabs-net/CloudflareNginx/main/cfnginx.sh && chmod +x cfnginx.sh
- Run it with your domain, Cloudflare account email and Global API key:
sudo ./cfnginx.sh \
  --domain your-domain.com \
  --email [email protected] \
  --key your-cloudflare-api-key
Parameters:

| Parameter | Flag | Description | Required |
|---|---|---|---|
| Domain | -d, --domain | Your domain name | Yes |
| Port | -p, --port | Application port (default: 3000) | No |
| Email | -e, --email | Cloudflare account email | Yes |
| API Key | -k, --key | Cloudflare Global API key | Yes |
| Webhook URL | -w, --webhook | Notification webhook URL | No |
| Webhook Mode | -m, --webhook-mode | S=Success, F=Failure, B=Both (default: B) | No |
| Webhook Type | -t, --webhook-type | D=Discord, S=Slack, G=Google Chat (default: D) | No |
| Quiet Mode | -q, --quiet | Minimal console output | No |
| Help | -h, --help | Show help information | No |
Usage examples:
- Basic (application on the default port 3000):
sudo ./cfnginx.sh --domain example.com --email [email protected] --key abc123def456
- Application listening on port 8080:
sudo ./cfnginx.sh --domain example.com --port 8080 --email [email protected] --key abc123def456
- With a Discord webhook for alerts:
sudo ./cfnginx.sh --domain example.com --email [email protected] --key abc123def456 --webhook "https://discord.com/api/webhooks/your-webhook-url"
- Quiet mode (minimal console output):
sudo ./cfnginx.sh --domain example.com --email [email protected] --key abc123def456 --quiet
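The `-w`, `-m` and `-t` options describe alert dispatch but not how it works. As an added example that is not the script's own code, the functions below show the three pieces a practitioner has to get right: the mode gate, a JSON body in the shape each service's incoming webhook accepts (Discord reads `content`, Slack and Google Chat read `text`), and a POST that never writes the webhook URL to the console, since the URL is itself a credential. Function names and the message text are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not the CloudflareNginx project's own code: gate a
# notification on the -m mode, build the body each webhook type expects,
# and post it without ever echoing the (secret) webhook URL.
set -eu

# Return 0 when MODE (S|F|B) says to notify for RESULT (success|failure).
webhook_should_notify() {
  case "$1:$2" in
    B:success|B:failure|S:success|F:failure) return 0 ;;
    *) return 1 ;;
  esac
}

# Escape backslashes and double quotes so MESSAGE can sit inside a JSON string.
# (Single-line messages assumed; newlines are not handled here.)
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print the request body for TYPE D (Discord), S (Slack) or G (Google Chat).
# Discord incoming webhooks read "content"; Slack and Google Chat read "text".
webhook_payload() {
  local type="$1" msg
  msg=$(json_escape "$2")
  case "$type" in
    D)   printf '{"content":"%s"}' "$msg" ;;
    S|G) printf '{"text":"%s"}' "$msg" ;;
    *)   echo "unknown webhook type: $type" >&2; return 1 ;;
  esac
}

# POST the payload. Anyone holding the URL can post to the channel, so the URL
# is never printed; -sS keeps curl's error text but drops the progress meter,
# and --fail turns an HTTP error status into a non-zero exit.
send_webhook() {
  local url="$1" type="$2" message="$3" body
  body=$(webhook_payload "$type" "$message")
  curl -sS --fail -X POST -H 'Content-Type: application/json' \
    -d "$body" "$url" > /dev/null
}

# Assumed flow (variables are placeholders, not the script's own):
# if webhook_should_notify "$MODE" success; then
#   send_webhook "$WEBHOOK_URL" "$TYPE" "cfnginx: certificate for $DOMAIN issued"
# fi
```

Keep the webhook URL out of shell history and logs as well: pass it from a root-only file or an environment variable rather than on a command line that other users can read with `ps`.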
What the script does:
- System Preparation:
  - Updates packages
  - Installs requirements (Nginx, Certbot, Cloudflare plugin)
- SSL Configuration:
  - Creates a secure Cloudflare credential file
  - Generates a Let's Encrypt certificate using the DNS challenge
- Nginx Setup:
  - Creates an optimized SSL configuration
  - Sets up the HTTPS redirect
  - Configures the reverse proxy with WebSocket support
- Security Hardening:
  - Configures the UFW firewall (if present)
  - Sets proper file permissions
  - Implements modern TLS settings
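The Nginx configuration those steps produce is not reproduced on this page. The following is an added example (not the CloudflareNginx script's own output) of a site config with the same properties: HTTPS redirect, TLS 1.2/1.3 only, AEAD cipher suites, OCSP stapling, HTTP/2 and WebSocket proxying. The domain and application port are parameters, and the certificate paths assume certbot's default layout under /etc/letsencrypt/live/<domain>/. The function name, the placeholders and the resolver choice are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not the CloudflareNginx project's own code: render a hardened
# reverse-proxy site config for DOMAIN forwarding to 127.0.0.1:PORT.
set -eu

render_site_conf() {
  local domain="$1" port="$2"
  # Quoted heredoc: nginx's own $variables are left alone; only the two
  # placeholders are substituted afterwards.
  sed -e "s/__DOMAIN__/$domain/g" -e "s/__PORT__/$port/g" <<'EOF'
# Send "Connection: upgrade" upstream only when the client asked to upgrade,
# so ordinary HTTP requests are not proxied with an Upgrade handshake.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80: redirect everything to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name __DOMAIN__;
    return 301 https://$host$request_uri;
}

server {
    # nginx >= 1.25.1 prefers "listen 443 ssl;" plus "http2 on;".
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name __DOMAIN__;

    ssl_certificate         /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/__DOMAIN__/chain.pem;

    # TLS 1.2/1.3 only, forward-secret AEAD suites, client picks the order
    # (all listed suites are acceptable), no stateless session tickets.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP stapling needs a resolver to reach the CA's responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 valid=300s;
    resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://127.0.0.1:__PORT__;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
}

# Usage: render_site_conf example.com 3000 > /etc/nginx/sites-available/example.com
#        ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
#        nginx -t && systemctl reload nginx
```

Always run `nginx -t` before reloading; a typo in a site file takes the whole server down on restart. Two caveats: nginx 1.25.1 and later prefer `listen 443 ssl;` plus `http2 on;` (the older form above still works but logs a deprecation warning), and Let's Encrypt stopped including OCSP responder URLs in its certificates during 2025, so for those certificates `ssl_stapling on` has nothing to staple and nginx only logs a warning at startup; it still does its job for CAs that publish OCSP.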
Security notes:
- Firewall:
  - Ensure the Proxmox host firewall allows ports 80/443 through to the container
  - The script configures the container's own firewall automatically if UFW is present
- Credential Storage:
  - Cloudflare API credentials are stored in /etc/letsencrypt/cloudflare.ini
  - File permissions are set to 600
  - The Global API key grants full access to your Cloudflare account, not just DNS for this zone, so treat this file as a root-only secret and rotate the key if the container is ever compromised
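As an added example (not the script's own code), here is how that credentials file can be created so it never exists with a looser mode than 600, and how to verify mode and owner afterwards. The function names are this example's own; the option names `dns_cloudflare_email` and `dns_cloudflare_api_key` are the ones the certbot-dns-cloudflare plugin reads.

```shell
#!/usr/bin/env sh
# Added example, not the CloudflareNginx project's own code: write the
# certbot-dns-cloudflare credentials file owner-readable only, then check it.
# Paths are parameters so the functions can be exercised against a temp dir.
set -eu

# Write the credentials file (email + Global API key). The umask applies
# before the file exists, so there is no window where it is created with
# the default 644 mode and tightened afterwards; the chmod covers the case
# where an older, looser file was already there.
write_cf_credentials() {
  local path="$1" email="$2" api_key="$3"
  (
    umask 077
    printf 'dns_cloudflare_email = %s\ndns_cloudflare_api_key = %s\n' \
      "$email" "$api_key" > "$path"
  )
  chmod 600 "$path"
}

# Succeed only if PATH has mode exactly 0600 (GNU stat first, BSD stat fallback).
check_cf_credentials_mode() {
  local path="$1" mode
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
  [ "$mode" = "600" ]
}

# Succeed only if PATH is owned by EXPECTED (default root, which is what
# certbot running as root expects).
check_cf_credentials_owner() {
  local path="$1" expected="${2:-root}" owner
  owner=$(stat -c '%U' "$path" 2>/dev/null || stat -f '%Su' "$path")
  [ "$owner" = "$expected" ]
}

# Usage (as root, on the real path the script uses):
# write_cf_credentials /etc/letsencrypt/cloudflare.ini admin@example.com "$CF_API_KEY"
# check_cf_credentials_mode /etc/letsencrypt/cloudflare.ini \
#   && check_cf_credentials_owner /etc/letsencrypt/cloudflare.ini \
#   || echo "cloudflare.ini is not root:600" >&2
```

certbot then consumes the file with `certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d your-domain.com`. The plugin also accepts a scoped API token (`dns_cloudflare_api_token = ...`, with Zone:DNS:Edit on the relevant zone) in place of the email/Global key pair; with a token, a leaked file lets an attacker edit that zone's DNS rather than control the whole account.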
Common Issues:
- SSL Certificate Errors:
certbot certificates    # check certificate status and expiry
systemctl status nginx  # verify Nginx is running
- Port Conflicts (something else is already listening on 443):
ss -tulpn | grep ':443'
Uninstalling:
- Remove the Nginx site (the symlink in sites-enabled and the file in sites-available), then reload Nginx:
rm /etc/nginx/sites-enabled/yourdomain.com /etc/nginx/sites-available/yourdomain.com
nginx -t && systemctl reload nginx
- Remove certificates:
certbot delete --cert-name yourdomain.com
- Remove Cloudflare credentials:
rm /etc/letsencrypt/cloudflare.ini
Logs and Configuration Files:
- Log file: /var/log/cloudflarenginx-install.log
- Configuration: /etc/cloudflarenginx.conf
- Nginx config: /etc/nginx/sites-available/your-domain.com
- SSL certificates: /etc/letsencrypt/live/your-domain.com/
For detailed troubleshooting, check the log at /var/log/cloudflarenginx-install.log