Cloudflare: running emoncms over SSL

I've just started using Cloudflare to provide a secure SSL connection for visitors to my Raspberry Pi server, and it seems to work very well, so I thought I'd share the process.

Setup Cloudflare
Firstly visit cloudflare.com & sign up for an account.

Then follow the easy guides to add your website. This will take a couple of minutes, as Cloudflare will automatically scan your DNS records and create the necessary Cloudflare settings. You will then be asked to select a free or paid plan (free is more than adequate for most users). Cloudflare will then ask you to change your domain's nameservers to Cloudflare's nameservers, which is done by editing your domain registrar's settings (1&1, GoDaddy, 123-Reg, etc.).

There is no site downtime when you do this, and once the change becomes active, visitors to your domain name will be directed to Cloudflare's servers, which will then request the data from your server, so Cloudflare sits between you and your site visitors.

At this stage you will be accessing your site as always via http, as it takes a day or so for Cloudflare to get you your free SSL certificate. Once it has been obtained (check its status in the 'Crypto' tab) visitors can also access your site via https, and they should see the familiar green padlock in the browser confirming a secure connection.

Keeping the http access route open is probably not a good idea, but this can easily be changed by going to the 'Page Rules' tab and creating a rule to direct all http traffic to https. For example, the URL pattern should be http://*mydomain.co.uk/* to capture both www and non-www visitors, with the setting 'Always use https'.

Also you may find (as I did) that emoncms's javascript does not work well with Cloudflare's 'Rocket Loader' (see under the 'Speed' tab), which is activated by default, so it needs switching off, otherwise you may find it difficult to log in to emoncms.

Automatically update IP address
If your internet provider gives you a dynamically assigned IP address, which changes your public IP address frequently, you will need some process to update Cloudflare with your current IP address, so it knows where to find you.

There are many ways to do this, but I've found this well written script works very well and is easy to set up.

Once installed it can be run as a cron job or as I have done, via node-red using a quick and easy node-red flow (attached) to run it.

Summary
You will note that the only change made to your Pi is running the script to update your Cloudflare account with your IP address; everything else is done 'in the cloud', so if you don't like it you only have to stop running the script and reset your domain nameservers.

There is however one issue with Cloudflare, in that it does not support websockets (yet), so you will not be able to access node-red via your https connection, and only via your local IP (localhost). However, that doesn't cause me any concern because I don't open up the node-red port for external access anyway.

Hope this is of interest


Paul
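The post above mentions "a well written script" for pushing the Pi's current public IP into Cloudflare but does not reproduce it. The following is an added example written for this page, not the script Paul used and not anything from the emoncms project. It assumes a scoped Cloudflare API token (permission Zone / DNS / Edit) in CF_API_TOKEN, plus CF_ZONE_ID and CF_RECORD_NAME in the environment, and uses the documented Cloudflare v4 DNS-record endpoints. The `transport` argument lets the decision logic run offline against the included FakeTransport; the host name and addresses in `demo()` are constructed.

```python
"""Keep a Cloudflare A record pointed at this host's current public IP.

Added example (not the script from the original post). Assumed setup:
CF_API_TOKEN (scoped token, Zone/DNS/Edit), CF_ZONE_ID, CF_RECORD_NAME.
"""
import ipaddress
import json
import os
import urllib.parse
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def http_transport(method, url, headers=None, body=None):
    """Real transport: one HTTP request, raw response bytes back."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def get_public_ip(transport=http_transport):
    """Read our public address from Cloudflare's trace endpoint (key=value lines)."""
    raw = transport("GET", "https://www.cloudflare.com/cdn-cgi/trace").decode()
    fields = dict(line.split("=", 1) for line in raw.splitlines() if "=" in line)
    ip = ipaddress.ip_address(fields["ip"])          # raises on garbage
    if ip.version != 4:
        raise ValueError(f"got {ip}, but an A record needs an IPv4 address")
    return str(ip)


class CloudflareDNS:
    def __init__(self, token, zone_id, transport=http_transport):
        self.token, self.zone_id, self.transport = token, zone_id, transport

    def _call(self, method, path, body=None):
        headers = {"Authorization": f"Bearer {self.token}",
                   "Content-Type": "application/json"}
        data = json.dumps(body).encode() if body is not None else None
        reply = json.loads(self.transport(method, API + path, headers, data))
        if not reply.get("success"):
            raise RuntimeError(f"Cloudflare API error: {reply.get('errors')}")
        return reply["result"]

    def find_a_record(self, name):
        query = urllib.parse.urlencode({"type": "A", "name": name})
        found = self._call("GET", f"/zones/{self.zone_id}/dns_records?{query}")
        return found[0] if found else None

    def sync(self, name, current_ip):
        """Make the A record for `name` point at current_ip; report what was done.

        proxied=True keeps the orange cloud on: a record left unproxied would
        publish the home IP in DNS and let visitors bypass Cloudflare entirely.
        """
        ipaddress.IPv4Address(current_ip)            # refuse garbage before it hits DNS
        payload = {"type": "A", "name": name, "content": current_ip,
                   "ttl": 1, "proxied": True}         # ttl 1 = "automatic" in the API
        rec = self.find_a_record(name)
        if rec is None:
            self._call("POST", f"/zones/{self.zone_id}/dns_records", payload)
            return "created"
        if rec["content"] == current_ip and rec.get("proxied"):
            return "unchanged"
        self._call("PUT", f"/zones/{self.zone_id}/dns_records/{rec['id']}", payload)
        return "updated"


class FakeTransport:
    """Offline stand-in for http_transport: serves a canned record list and
    logs every call, so the decision logic can be checked without a zone."""

    def __init__(self, records, public_ip="203.0.113.7"):
        self.records, self.public_ip, self.calls = records, public_ip, []

    def __call__(self, method, url, headers=None, body=None):
        self.calls.append((method, url, json.loads(body) if body else None))
        if url.endswith("/cdn-cgi/trace"):
            return f"ip={self.public_ip}\nts=0\n".encode()
        result = self.records if method == "GET" else {}
        return json.dumps({"success": True, "result": result}).encode()


def demo():
    """Three constructed situations (not a real host); returns the action taken."""
    name, ip = "pi.example.com", "203.0.113.7"
    stale = FakeTransport([{"id": "r1", "type": "A", "name": name,
                            "content": "198.51.100.9", "proxied": True}])
    same = FakeTransport([{"id": "r1", "type": "A", "name": name,
                           "content": ip, "proxied": True}])
    missing = FakeTransport([])
    return {
        "stale": CloudflareDNS("t", "z", stale).sync(name, get_public_ip(stale)),
        "same": CloudflareDNS("t", "z", same).sync(name, get_public_ip(same)),
        "missing": CloudflareDNS("t", "z", missing).sync(name, ip),
    }


if __name__ == "__main__":
    if os.environ.get("CF_API_TOKEN"):
        cf = CloudflareDNS(os.environ["CF_API_TOKEN"], os.environ["CF_ZONE_ID"])
        print(cf.sync(os.environ["CF_RECORD_NAME"], get_public_ip()))
    else:
        print(demo())                               # offline dry run
```

Run it from cron (or from a node-red exec node, as the post does) every few minutes; it only writes to the zone when the address has actually changed or the record has lost its proxied flag. Use a token scoped to DNS edit on the one zone rather than the account-wide API key, so a compromised Pi cannot do more than rewrite its own record.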

stuart:

Re: Cloudflare: running emoncms over SSL

Good article, but just a point to note: although Cloudflare provides encryption over HTTPS, it terminates at the Cloudflare servers, so the connection from them to your Pi is NOT encrypted.

If you want end to end encryption take a look at the https://letsencrypt.org/ project for free SSL certs.


Paul Reed:

Re: Cloudflare: running emoncms over SSL

Letsencrypt is very good, and is used by the OEM website, but is more difficult to set up, and as the certificates only last 3 months they need constant renewing, although that can be automated via their API.

I agree that end-to-end encryption is definitely the most secure option, but I'm putting Cloudflare forward as a quick & easy option for those who don't want to make too many changes to their Pi, and would rather leave the certificate renewals etc. for Cloudflare to manage. Also, although Cloudflare is not end-to-end, it does provide numerous other security measures as standard, such as their Firewall, page rules, etc., see this link for details.

Paul


glyn.hudson:

Re: Cloudflare: running emoncms over SSL

Thanks, good write-up. I wonder if Cloudflare would be suitable for Emoncms.org? We have recently used Let's Encrypt, which worked well to easily enable SSL.

stuart:

Re: Cloudflare: running emoncms over SSL

Just another point if you are following this Cloudflare route: you also need to lock down your Pi/home router to only accept traffic from Cloudflare, otherwise you can just bypass Cloudflare and jump to the original home IP, which wouldn't give you any benefit.
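One concrete way to do the lock-down stuart describes, as an added example that is not part of the thread: allow the web ports only from the edge ranges Cloudflare itself publishes, and drop everything else on those ports. Cloudflare serves the ranges as plain text, one CIDR per line, at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. The `SAMPLE_LIST` below is constructed for the offline demo and is not the real list; the chain name `CF_ONLY`, the `lan` parameter and the iptables layout are this example's own choices, and assume iptables/ip6tables on the Pi (the same rules belong on the router if it does the port-forward).

```python
"""Generate iptables rules so only Cloudflare's edge can reach the web ports.

Added example, not from the thread. Fetches the published Cloudflare ranges
(or uses a constructed sample with --demo) and prints the commands to run.
"""
import ipaddress
import sys
import urllib.request

CF_IPV4_URL = "https://www.cloudflare.com/ips-v4"
CF_IPV6_URL = "https://www.cloudflare.com/ips-v6"
WEB_PORTS = (80, 443)

# Constructed sample (documentation ranges), NOT Cloudflare's real list.
SAMPLE_LIST = """\
# constructed sample, not Cloudflare's real ranges
198.51.100.0/24
203.0.113.0/26
2001:db8:1::/48
"""


def parse_ranges(text):
    """Parse one CIDR per line; blank lines and '#' comments are skipped.

    Any unparseable line raises: an allow-list that silently drops entries
    would lock Cloudflare (and so every visitor) out of the site.
    """
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def fetch_ranges(transport=None):
    """Download both published lists over HTTPS and parse them together."""
    get = transport or (lambda url: urllib.request.urlopen(url, timeout=10).read().decode())
    return parse_ranges(get(CF_IPV4_URL) + "\n" + get(CF_IPV6_URL))


def allowed(nets, src):
    """True if the source address falls inside one of the allowed ranges."""
    ip = ipaddress.ip_address(src)
    return any(ip in n for n in nets if n.version == ip.version)


def build_rules(nets, ports=WEB_PORTS, chain="CF_ONLY", lan=None):
    """Return the iptables/ip6tables commands, in order, as a list of strings.

    Layout: a dedicated chain that ACCEPTs from the LAN (if given) and from
    each Cloudflare range, then DROPs; INPUT jumps to it for the web ports
    only, so SSH and other LAN traffic are untouched. The -D before -I keeps
    a re-run from stacking duplicate jumps (-N and -D may complain on the
    first run; that is harmless).
    """
    if lan:
        nets = [ipaddress.ip_network(lan, strict=True)] + list(nets)
    cmds = []
    for tool, version in (("iptables", 4), ("ip6tables", 6)):
        cmds += [f"{tool} -N {chain}", f"{tool} -F {chain}"]
        for net in nets:
            if net.version == version:
                cmds.append(f"{tool} -A {chain} -s {net} -j ACCEPT")
        cmds.append(f"{tool} -A {chain} -j DROP")
        for port in ports:
            jump = f"INPUT -p tcp --dport {port} -j {chain}"
            cmds += [f"{tool} -D {jump}", f"{tool} -I {jump}"]
    return cmds


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_LIST) if "--demo" in sys.argv else fetch_ranges()
    print("\n".join(build_rules(nets, lan="192.168.1.0/24")))  # assumed LAN
```

Pipe the output into `sh` once you have read it, then persist it with your distribution's iptables-save mechanism. Re-fetch the ranges on a schedule, because Cloudflare does change them occasionally, and remember that this only closes the web ports: anything else forwarded from the router (SSH, node-red) is still reachable at the home IP directly.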

Paul Reed:

Re: Cloudflare: running emoncms over SSL

Stuart, but how could someone find my IP address to bypass Cloudflare? It doesn't show in a route trace, as it's blocked by Cloudflare's firewall. For example, can you locate my home IP from the domain digitalnut.co.uk (my public IP's last three digits are 121)?

Paul

Bill Thomson:

Re: Cloudflare: running emoncms over SSL

I wonder if Cloudflare would be suitable for Emoncms.org?

Hi Glyn,

We use the free version of CF at aluminumalloyboats.com. Typical bandwidth served by CF runs between 30 and 40%

Analytics show that it helps keep out the "bad guys" i.e. spammers and such.

I haven't set up SSL yet. We changed hosts a couple of weeks ago, and I haven't gotten round to implementing it yet. Overall, it seems to be a great deal for the price. ;-)

stuart:

Re: Cloudflare: running emoncms over SSL

I'm thinking more of the random drive-by scanners; you've probably seen how many times your home IP address gets hit by a random scanner.

Additionally, folks may run their own email server (or SSH) and update DNS to point to that, as Cloudflare doesn't mask the MX records in DNS, that can also "point home".

For instance, your domain appears to be using 1and1.co.uk based on the DNS records.
