September 23, 2015

CloudFlare WordPress Self Signed SSL Certificates

I use CloudFlare to secure and speed up every site I’m involved in; it’s a no-brainer, as it’s free and provides security protection, caching and free SSL for all of your sites. I decided to turn on their Full SSL setting today after creating my own self-signed SSL certificate. Previously I had been using their Flexible SSL, which required no SSL on the host server, as they provided the certificate and it never had to touch your server.

The problem with Flexible SSL is that the connection between the client and CloudFlare is encrypted, but the connection between CloudFlare and the host server isn’t: CloudFlare fetches from your origin over plain HTTP. Enabling Full SSL encrypts that second hop as well, and because CloudFlare does not validate the origin certificate in Full mode, a self-signed certificate is enough. The caveat is that Full mode protects the CloudFlare-to-origin leg against passive eavesdropping but not against an active attacker in that path who presents their own certificate, since nothing checks it. There is also the Strict SSL setting, which requires a certificate from a proper authority that CloudFlare can validate, but I’m not buying a wildcard certificate plus certs for all the domains I host, so Full SSL with a self-signed certificate is fine for me. It seems to have improved the speed massively doing this; not sure if it’s due to it trying HTTPS at my server first and then falling back to HTTP, but it’s noticeably faster now.

Here’s what I did:

mkdir /etc/nginx/ssl && cd /etc/nginx/ssl

openssl genrsa 2048 > edgs-wildcard.key

openssl req -new -x509 -nodes -sha256 -days 3650 -key edgs-wildcard.key > edgs-wildcard.cert

Fill in the fields as required but make sure to set the Common Name to your wildcard domain, e.g. *.ed.gs, or just go the whole hog and use * on its own to allow any domain. (The certificate is signed with -sha256 rather than -sha1; SHA-1 signatures are deprecated and there is no reason to create new ones. Note also that CloudFlare does not check the Common Name in Full mode, so either choice works there; a wildcard only matches one label, so *.ed.gs would not cover the bare ed.gs if anything ever did verify it.)

cat edgs-wildcard.cert edgs-wildcard.key > edgs-wildcard.pem

chmod 600 edgs-wildcard.key edgs-wildcard.pem

Both files must not be world-readable: the .pem contains the private key as well as the certificate, and nginx reads the key as root when it starts, so 600 on a root-owned file is all it needs.

Now you need to edit /etc/nginx/nginx.conf and add the following into the http{} block:

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

ssl_certificate      /etc/nginx/ssl/edgs-wildcard.pem;
ssl_certificate_key  /etc/nginx/ssl/edgs-wildcard.key;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;

ssl_session_cache shared:SSL:32m;
ssl_buffer_size 8k;
ssl_session_timeout 15m;

TLS 1.0 and 1.1 have since been deprecated; as only CloudFlare connects to this port, you can restrict ssl_protocols to TLSv1.2 alone. The resolver lines are only used by nginx for OCSP stapling and for hostnames in proxy_pass, neither of which a self-signed certificate needs, but they are harmless to keep.

Now go into your site’s config in sites-enabled, e.g. edgs.conf, and add a new listening port for SSL:

listen 443 deferred ssl spdy;

nginx dropped SPDY in 1.9.5 in favour of HTTP/2, so on a current build use http2 in place of spdy here.

Test the nginx configuration to make sure it parses correctly:

nginx -t

If everything is working correctly then you can restart nginx:

/etc/init.d/nginx restart

You can now set Full SSL in CloudFlare and test that it’s all working correctly.

The last bit is to make WordPress itself accept the self-signed certificate. The WordPress HTTP API verifies certificates by default, so its own requests back to the site (loopback requests, including the ones the network Upgrade task makes to each site) fail against a self-signed origin. Create a plugin with the following and enable it, e.g. /var/www/wp-content/plugins/custom/custom.php:


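What such a plugin can look like, as an added example rather than the author’s plugin (the author’s own file is not reproduced on the page). Rather than switching certificate verification off for every request WordPress makes, which would also disable it for update downloads from wordpress.org, this version drops verification only for requests whose host is one of the domains served by this box. The ed.gs entry and the idea of a hard-coded list of hosted domains are assumptions; fill in your own.

```php
<?php
/*
Plugin Name: Accept self-signed origin certificate
Description: Disables TLS certificate verification only for WordPress HTTP API requests
             to this server's own domains (loopback requests), so the self-signed
             origin certificate is accepted. All other outbound HTTPS requests, such as
             update downloads from wordpress.org, keep full verification.
*/

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

// Hostnames served by this nginx instance. Assumption: ed.gs is the primary
// domain; add every other domain you host here so the network upgrade can
// reach each site. The current site's own host is added automatically.
function edgs_self_signed_hosts() {
    $hosts = array( 'ed.gs' );
    $home  = parse_url( home_url(), PHP_URL_HOST );
    if ( $home ) {
        $hosts[] = $home;
    }
    return array_unique( array_map( 'strtolower', $hosts ) );
}

// True when $host is one of our domains or a subdomain of one.
function edgs_is_own_host( $host ) {
    $host = strtolower( $host );
    foreach ( edgs_self_signed_hosts() as $own ) {
        $suffix = '.' . $own;
        if ( $host === $own || substr( $host, -strlen( $suffix ) ) === $suffix ) {
            return true;
        }
    }
    return false;
}

// http_request_args runs before WordPress hands the request to a transport,
// so setting sslverify here is honoured by both the cURL and streams transports.
function edgs_disable_sslverify_for_own_hosts( $args, $url ) {
    $host = parse_url( $url, PHP_URL_HOST );
    if ( $host && edgs_is_own_host( $host ) ) {
        $args['sslverify'] = false;
    }
    return $args;
}
add_filter( 'http_request_args', 'edgs_disable_sslverify_for_own_hosts', 10, 2 );
```

The blunter alternative is to hook https_local_ssl_verify and https_ssl_verify with __return_false, which turns verification off for everything WordPress fetches. The host list above is deliberately the narrower tool: a request to a hosted domain that is not in the list will still fail verification, which is the signal to add it rather than to widen the exception.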
It is also worth adding your primary domain to the /etc/hosts file so that WordPress’s own requests to the site go straight to the local nginx instead of out through CloudFlare and back. This is also why WordPress ends up seeing the self-signed certificate rather than CloudFlare’s, and hence why the plugin above is needed:

127.0.0.1 ed.gs

That should be it. Now when you connect to your site you should notice it being faster, and it should also fix any errors you had during the Upgrade WordPress task as it cycles through your sites to update them.

As usual give me a shout below if you need any help.
