Nginx Proxy Manager - SSL Certificates with Cloudflare API and Let's Encrypt

Prerequisites

• A domain managed by Cloudflare with API access.

• Nginx Proxy Manager installed and accessible.

• A Cloudflare API key.

Step 1: Obtain Your Cloudflare API Key

1. Log in to Cloudflare: Access your Cloudflare dashboard.

2. Profile Settings: Navigate to your profile settings by clicking on your profile in the top right corner.

3. API Tokens: Go to the "API Tokens" section.

1. Create Token: Create a API token with permissions to edit DNS settings for your zone/domain. Note down the generated API token.

Step 2: Configure DNS API in Nginx Proxy Manager

Nginx Proxy Manager needs to be configured to use the Cloudflare API for DNS challenges when obtaining SSL certificates from Let's Encrypt:

1. Access Nginx Proxy Manager: Open the admin interface in a web browser.

2. SSL Certificates: Navigate to the "SSL Certificates" tab and choose to "Add SSL Certificate".

3. Request a New SSL Certificate:

   • Choose to request a new SSL certificate with Let's Encrypt.

   • Enable the option for a wildcard certificate if needed by adding *.<yourdomain>.com.

   • Select "DNS Challenge" as the verification method.

   • Choose "Cloudflare" as the DNS provider.

Step 3: Enter Cloudflare API Details

1. API Token: Enter the Cloudflare API token you created earlier.

2. Email: Enter an email address

3. Domain: Specify the domain for which you're requesting the certificate (For securing internal services it's recommended opting for a wildcard certificate. Further details on this recommendation can be found at the end of this article)

4. Save: Complete the form and save your settings. Nginx Proxy Manager will now interact with Cloudflare's API to automatically verify domain ownership and issue SSL certificates via Let's Encrypt.

Step 4: Apply the SSL Certificate to Proxy Hosts

After obtaining the SSL certificate:

1. Edit Proxy Hosts: Go to the "Proxy Hosts" section and edit the settings for your domain or subdomains.

2. SSL Tab: In the SSL settings of your proxy host, select the newly obtained SSL certificate from the dropdown menu.

3. Force SSL: Optionally, enable "Force SSL" to ensure all connections are automatically upgraded to HTTPS.

Additional Security and Performance Recommendations:

1. Enable HSTS: Consider enabeling HTTP Strict Transport Security (HSTS) to enforce secure connections. This can prevent man-in-the-middle attacks.

2. Activate HTTP/2: It's also a good opportunity to enable HTTP/2, which can improve website loading speed and efficiency by supporting multiple simultaneous connections.

Step 5: Verify the Configuration

• Test the Setup: Access your domain or subdomains in a web browser to ensure the SSL certificate is correctly applied and the site is secure.

Warning: Considerations for Internal Services and Public Visibility

When securing your internal services with SSL certificates it's important to consider the visibility of your domain names. Requesting a certificate for a specific subdomain like myservice.mycompany.com involves the domain being publicly logged in the Certificate Transparency (CT) logs, which are searchable by anyone on the internet. This public visibility could expose details about your internal network structure and the services you run, potentially providing valuable information to attackers.

Use Wildcard Certificates for Enhanced Privacy

For internal services where you prefer to keep the specifics of your subdomains private, it's advisable to use wildcard SSL certificates. A wildcard certificate for *.mycompany.com can secure multiple subdomains without revealing their exact names in public logs, offering a layer of obscurity about your internal services.

Best Practices:

• Evaluate Your Needs: Carefully consider which services require publicly recognized SSL certificates and which can remain more obscured.

• Use Wildcard Certificates: Opt for wildcard certificates for internal services to avoid exposing specific subdomains through CT logs.

• Monitor Certificate Transparency Logs: Regularly review CT logs for your domains to stay informed about any certificates that have been issued, ensuring they align with your expectations and security policies.