Setup SSL certificates with Cloudflare

In this article I am going to explain how you can use Cloudflare to get Full (Strict) SSL/TLS for your website for free, with a load balancer sitting in front of the web server. This is a higher-level article for those who just want the steps for setting up SSL; I will post follow-up articles on each prerequisite step later. For the initial setup you will need a few things already in place.

  • Home Network
    • Forwarding rule set for port 443 pointing to the VIP address on the load balancer
  • KEMP load balancer
  • Webserver on your internal network
    • Firewalld set to allow port 443
  • Cloudflare account
    • DNS A record pointing to your public IP address and set to proxy mode

Cloudflare Setup

Edge Certificate

Log into your account and open the domain in question. Go to the SSL/TLS section and choose Edge Certificates. Locate the Always Use HTTPS option and turn it on, so plain HTTP requests for your domain are redirected to HTTPS at Cloudflare's edge. The remaining settings are generally fine at their defaults, although you can adjust them as needed; I recommend starting with the defaults to make sure everything works first.

Now go to the Overview tab. By default the zone shows as secured with the encryption mode set to Flexible. Flexible only encrypts between the browser and Cloudflare; the connection from Cloudflare to your origin is plain HTTP, so the traffic crossing the internet to your home network is not encrypted at all. Full encrypts that leg but does not validate the origin's certificate. For what we are going to do the mode needs to be changed to Full (strict), which makes Cloudflare's edge validate the origin's certificate: it must be unexpired and issued either by a publicly trusted CA or by Cloudflare's own Origin CA. Because of that validation you will need a few extra certificates on the load balancer in order to maintain encryption between Cloudflare and it.

KEMP Load balancer setup

On the load balancer, log in to the portal and navigate to Certificates & Security > Generate CSR. Fill in the requested information and select Create CSR. For the FQDN put in your domain name, and for the SAN/UCC name use the wildcard, such as *.therootuser.com, so one certificate covers both the apex and any subdomain; modern TLS validation matches the hostname against the SAN list, not the CN, so the wildcard must be in the SAN. This gives you a CSR and the corresponding private key (neither is a certificate yet). Only the CSR needs to leave the load balancer; treat the key as a secret.

Cloudflare Origin Certificate

Back in Cloudflare, navigate to SSL/TLS > Origin Server and choose Create Certificate, then pick the option to use your own private key and CSR. Copy the CSR generated on the load balancer, paste it into the CSR field and click Create. Cloudflare returns a certificate in PEM form; copy it and save it on your computer as, for example, therootuser.pem. Then go back to the load balancer, copy the key portion and save it as therootuser.key next to the PEM. Two caveats: an Origin CA certificate is trusted only by Cloudflare's edge, not by browsers, so anyone connecting to the origin directly will see a certificate warning (expected, since traffic should only arrive through Cloudflare); and therootuser.key is the private key for your origin, so store it carefully and delete the copy once it has been imported.

KEMP Load Balancer SSL Setup

Returning to the load balancer, navigate to Certificates & Security > SSL Certificates and choose Import Certificate. Select your PEM and KEY files as requested, set the certificate identifier to cloudflareorigin and save. You then need the Cloudflare Origin CA root as the intermediate. Cloudflare publishes one root for RSA and one for ECC; the Cloudflare ECC PEM is the one I have linked. Check that the root you download matches the Issuer shown in the certificate Cloudflare gave you, otherwise the chain the load balancer presents will not validate. Download the file, then under SSL Certificates choose Add Intermediate, select the file you just downloaded and name it cloudflareroot.

Final setup on load balancer

Finally, modify the Virtual Service on the load balancer. Navigate to Virtual Services > View/Modify Services and select Modify on your VIP. Under SSL Properties, enable SSL Acceleration. Move your origin certificate (cloudflareorigin) from Available Certificates to Assigned Certificates and also tick the Reencrypt box, so the load balancer terminates the TLS session from Cloudflare and opens a new TLS connection to the web server instead of forwarding plain HTTP across the internal network; this is why the web server itself must be listening on port 443. You can also choose which protocols to allow. I have mine set to accept only TLS 1.3 for security purposes. The only client of this VIP is Cloudflare's edge, which supports TLS 1.3, so restricting it this way does not break the connection.

Wrap up and testing

You now have encrypted TLS communication on every leg: browser to Cloudflare, Cloudflare to your load balancer, and load balancer to your web server. I hope you found this article helpful in getting SSL set up for your web server while using a KEMP load balancer. As I mentioned at the start, I will post future articles on how to set up port forwarding on your router, how to configure the KEMP load balancer, and how to build a virtual server with WordPress.
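Before trusting the setup, it is worth checking offline the three things the CSR, Origin Certificate and intermediate steps above depend on: that the issued certificate chains to the root you installed as the intermediate, that the wildcard really is in the SAN, and that the key file you imported belongs to that certificate. The script below is an added example, not code from the original article, Cloudflare or KEMP. It assumes `openssl` (1.1.1 or later) on PATH, uses example.com as a stand-in for the article's domain, and generates a throwaway "Demo Origin CA" root that stands in for Cloudflare's real Origin CA roots (constructed here, not the real certificate); substitute your real therootuser.pem, therootuser.key and downloaded Origin CA root for the generated files to check the real deployment.

```shell
#!/bin/sh
# Added example: offline stand-in for the CSR -> Origin CA -> verify flow.
# Assumptions: openssl 1.1.1+ on PATH; example.com stands in for the article's
# domain; "Demo Origin CA" is a constructed throwaway root, not Cloudflare's.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DOMAIN="example.com"

# Build: a root CA, a CSR+key like the load balancer's Generate CSR step, a cert
# issued from that CSR with the wildcard SAN preserved, and an unrelated root.
gen_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/O=Demo Origin CA/CN=Demo Origin CA Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$DOMAIN" \
    -addext "subjectAltName=DNS:$DOMAIN,DNS:*.$DOMAIN" \
    -keyout "$WORK/origin.key" -out "$WORK/origin.csr" >/dev/null 2>&1

  # x509 -req drops the CSR's extensions, so the SAN is re-applied via -extfile.
  printf 'subjectAltName=DNS:%s,DNS:*.%s\n' "$DOMAIN" "$DOMAIN" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/origin.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/san.ext" \
    -out "$WORK/origin.pem" >/dev/null 2>&1

  # A second root: what you get if the wrong Origin CA root is installed.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/O=Other CA/CN=Other Root" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
}

# The Full (strict) question: does cert $1 chain to trust anchor $2? Prints ok/fail.
verify_origin() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Is name $2 present in the SAN of cert $1? Hostname matching uses SAN, not CN. Prints yes/no.
has_san() {
  if openssl x509 -in "$1" -noout -text | grep -qF -- "DNS:$2"; then echo yes; else echo no; fi
}

# Does private key $2 belong to cert $1? Compare the public keys. Prints yes/no.
key_matches() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  if [ "$c" = "$k" ]; then echo yes; else echo no; fi
}

# Which root to install as the intermediate: read it off the certificate's Issuer.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

gen_chain
echo "chain to right root:  $(verify_origin "$WORK/origin.pem" "$WORK/root.pem")"   # ok
echo "chain to wrong root:  $(verify_origin "$WORK/origin.pem" "$WORK/other.pem")"  # fail
echo "wildcard SAN present: $(has_san "$WORK/origin.pem" "*.$DOMAIN")"              # yes
echo "key matches cert:     $(key_matches "$WORK/origin.pem" "$WORK/origin.key")"   # yes
echo "issuer:               $(issuer_of "$WORK/origin.pem")"
```

Against the live deployment the same checks become `openssl s_client -connect <VIP>:443 -servername therootuser.com -CAfile <origin CA root you downloaded>`, which shows the chain the load balancer presents and whether it verifies, and `curl -sI https://therootuser.com`, which should return a response carrying a cf-ray header, confirming the request went through Cloudflare rather than straight to your public IP.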

Ivan Windon

Ivan Windon is a Senior Linux Administrator at Metric5. Ivan is actively engaged in Cloud Technologies with Oracle Gov Cloud, and Azure. Ivan has extensive experience with Linux and Windows administration, DNS, Networking, IDM, and Security. In his free time, he enjoys being with his wife and two children.
