In the first part of this series, I discussed how I added my domains to Cloudflare and configured the necessary DNS records. Now it's time to secure the site by enabling SSL encryption. While my website currently doesn't hold any sensitive data, SSL is still crucial for protecting users, and search engines now prioritize it as well.
If you're using Cloudflare's proxied DNS configuration, enabling SSL between Cloudflare and your users is straightforward. However, this setup alone doesn't provide complete security, since the connection between Cloudflare and your application server remains unencrypted. In this post, we'll install an SSL certificate on the application server to ensure end-to-end encryption.
Generating an Origin Certificate
To secure the connection between Cloudflare and the application server, you need to generate an Origin Certificate through the Cloudflare dashboard. This certificate will be used to encrypt the traffic on that leg.
1. Generating the Certificate
Navigate to Cloudflare Dashboard > SSL/TLS > Origin Server > Origin Certificates > Create to generate your certificate. I left the default options as-is, allowing the certificate to be valid for both the root domain and its subdomains. Cloudflare also generates a private key for you during this step.
2. Retrieving the Certificate and Private Key
After generating the certificate, you can export it in various formats. I opted for the PEM format, which is easy to convert to other formats if needed. At this point, Cloudflare will also provide your private key—but pay attention! Once you leave the page, you won’t be able to retrieve the private key again. If you lose it, you’ll have to revoke the certificate and create a new one.
Equally important is safeguarding your private key—if it’s compromised, anyone who possesses it can decrypt your connection.
Configuring Your Application Server to Use the Certificate
Once the certificate and private key are generated, they must be configured on your application server. You may need to convert the certificate to a format which is compatible with it.
1. Converting the Certificate
Since I'm running my website on Spring Boot's embedded application server, I needed to convert the PEM-formatted certificate into PKCS12 format, which bundles the certificate and private key into a single file. The following OpenSSL command accomplishes the conversion:
openssl pkcs12 -export -in mycert.pem -inkey mykey.key -out mykeystore.p12 -name myapp -CAfile mycert.pem -caname root
During the process, you will be prompted twice to create an export password, which will later be used in the server configuration.
2. Uploading the Certificate
Ensure the security of your certificate and key when transferring them to your host machine. Since I have physical access, I was able to transfer the file securely. However, even on the host, it's crucial to limit file access to prevent unauthorized reads.
3. Configuring the Server
To configure the embedded server in my Spring Boot application to use the SSL certificate, I made the following changes in the application.properties file:
server.port=8443
server.ssl.key-store=file:/path/to/mykeystore.p12
server.ssl.key-store-password=your-password
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=myapp
This configuration sets up the Spring Boot application to use the SSL certificate, enabling secure HTTPS communication on port 8443.
4. Configuring Firewall Rules on My Home Router
Previously, my application was running on port 80 (the default for HTTP), and I had configured my router to forward traffic from port 80 to my host machine. Now that I’ve set up SSL and enabled HTTPS, I needed to update the router’s firewall rules to allow traffic on port 443, which is the standard port for HTTPS connections.
Enabling End-to-End Encryption in Cloudflare
With the certificate installed on the application server, the last step is configuring Cloudflare to enforce SSL on the connection between Cloudflare and the origin server.
In the Cloudflare dashboard, navigate to SSL/TLS > Overview and set the SSL mode to Full (Strict). This option ensures that Cloudflare uses SSL for both the client-to-Cloudflare connection and the Cloudflare-to-origin connection, and it also validates the origin certificate.
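To confirm that the steps above actually took effect, here is an added shell script that is not part of the original post: it checks that the keystore is readable only by its owner, then compares the certificate inside the PKCS12 keystore with the one the Spring Boot listener presents on port 8443. It assumes openssl and stat are installed; the path, password, host, port and domain are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl and stat are on
# PATH; every value below is a placeholder to replace with your own.
KEYSTORE="${KEYSTORE:-/path/to/mykeystore.p12}"   # server.ssl.key-store path
KEYSTORE_PASS="${KEYSTORE_PASS:-your-password}"    # export password from the openssl step
ORIGIN_HOST="${ORIGIN_HOST:-127.0.0.1}"            # the Spring Boot host
ORIGIN_PORT="${ORIGIN_PORT:-8443}"                 # server.port
SITE_NAME="${SITE_NAME:-example.com}"              # placeholder domain, sent as SNI

# 0 if the keystore is readable only by its owner (mode 600 or 400),
# 1 if it is more permissive, 2 if the file cannot be inspected.
check_keystore_perms() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 2
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# SHA-256 fingerprint of the leaf certificate stored in the PKCS12 keystore.
keystore_cert_fingerprint() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# SHA-256 fingerprint of the leaf certificate the HTTPS listener presents.
served_cert_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

main() {
  if check_keystore_perms "$KEYSTORE"; then
    echo "ok: $KEYSTORE is readable only by its owner"
  else
    echo "WARN: $KEYSTORE is missing or readable by other users (chmod 600 it)"
  fi
  stored=$(keystore_cert_fingerprint "$KEYSTORE" "$KEYSTORE_PASS")
  served=$(served_cert_fingerprint "$ORIGIN_HOST" "$ORIGIN_PORT" "$SITE_NAME")
  if [ -n "$stored" ] && [ "$stored" = "$served" ]; then
    echo "ok: $ORIGIN_HOST:$ORIGIN_PORT presents the keystore certificate ($stored)"
  else
    echo "FAIL: keystore='$stored' served='$served'"; return 1
  fi
}

# Run the checks only when invoked as "sh check-origin.sh run", so the
# functions can also be sourced by other scripts.
case "${1:-}" in run) main ;; esac
```

If the fingerprints differ, the listener is serving a different certificate (for example a default or stale keystore), which is exactly what Full (Strict) mode will reject.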
Conclusion
Thanks to Cloudflare, establishing end-to-end encryption for my home-hosted website was straightforward and involved only minimal configuration. With SSL encryption enabled on both the client-side and the origin-side, my site is now secured, providing both privacy and integrity to users.
Cloudflare offers a range of additional features, such as performance optimizations, security enhancements, and analytics, that I’m eager to explore. Let's see if I can get to that point.