How to Save up to $750 in SSL fees for free

In this post I’m going to show you how to set up your site so that you will have an absolutly free fully SSL secured site that automatically redirects non secure HTTP traffic to your secure HTTPS URL.  A basic SSL certificates commonly cost $45 – $75 per year.  I’m going to show you how to create and install an SSL cert that’s good for the next 10 years and cost you absolutely nothing.  Google now gives SSL secured site a boost in it’s search algorithm.  Implementing the solution outlined in this post has both SEO as well as security benefits.  For this tutorial I’m using Ubuntu 14.04 if your using another distribution the steps will be pretty much the same but the paths to the config files may be different.

What you will need

• root or sudo user Access to your Linux VPS (Virtual Private Server) or dedicated server
• An existing web site on an Nginx web server ( you’ll have to improvise if you’re on Apache  in this post I’m only covering Nginx)
• A 100% free CloudFlare.com account (No BS It really is 100% free they don’t ask for a credit card. I’m sure that they would like you to sign up for one of their premium packages but they’re not forcing it down your throat)

 

If your in the need of a good, low cost reliable VPS provide I personally recommend and use both Linode and DigitalOcean with my preference between the two being Linode. This site is hosted on a Linode VPS behind CloudFlare’s reverse proxy service. If you sign up to either Linode or DigitalOcean using links on this page I’ll get a free month of hosting.  In addition DigitalOcean will add a $10 credit to your account.

If you’re not already using Nginx to host your site I’ve created another tutorial of how to easily configure Nginx on a VPS right here. This tutorial begins with the assumption that you already have a site up and running and that you are using Nginx as your web server.

The 4 basic steps

1. Set up CloudFlare
2. Create an self signed SSL cert using OpenSSL
3. Configure our website to use our new SSL cert and redirect everything to HTTPPS;
4. Flip the switch on CloudFlare to enable full SSL.

Basic step #1 Set up CloudFlare

What is CloudFlare and what do they do?

CloudFlare runs DNS based content distribution network that also has some pretty nifty analytic and security features. If you’re using their service and someone goes to www.your-site.com they send the request to the nearest server on their network which tries to serve the cached content if it already exist and they are able to do that or forwards the request to your server. This is whats more commonly knows as a reverse proxy. All of this ends up taking milliseconds and results in your server being put under less stress and your pages loading faster for your users. In addition to that they’re able to filter out malicious bots and mitigate denial of service attacks.  At the end of September 2014 they announced that they were going to give this service away for free and they were also going to provide a free SSL cert. They explain it a bit better in their Universal SSL blog post. We can set up SSL with CloudFrare in two different ways either they can access your non secure site and then proxy it to to port 443 on their servers or they can access your secure site and then proxy it to their server. The second option is more secure and what we will be implementing in this post. If you you would like to give the first method a try all you need is to set your domain up on CloudFlare.

I think their service is awesome I’m using it for free on this site and I would recommend that pretty much everyone else use it as well.

Sign Up

Head over to CloudFlare and sign up for their service. It’s fairly painless and easy. They don’t ask for any billing information or require a credit card. All you need is an email address.

Add your domain name

After you’ve signed up your going to enter your domain name.  CloudFlare will then pull down the DNS records for the domain you’ve entered.

Verify your DNS records

CloudFlare is pretty good about pulling everything down but if you have any special txt records like sfp records it’s possible that they could miss them.  You should open up your dns records with your current dns host. Enter anything that’s missing or incorrect before moving onto the next step.

Update your name servers

Once all of your DNS records are correctly entered into CloudFlare you will need to update your existing name servers with your domain name register (godaddy, namescheap, networksolutions etc..). You will need to check the documentation provided by your domain name register on how to do this. You’ll replace the old name servers with the name servers that CloudFlare has provided you.  For me they were “sri.ns.cloudflare.com” and “vera.ns.cloudflare.com” but you should use what is provided by CloudFlare for your domain.  Once you’ve updated your name server it can take up to 48 hours before all of the DNS servers on the internet update their information and know that they should be requesting DNS information about your domain from CloudFlare.

Usually the update happens within an hour or two. Cloudflare will dispaly a green icon next to your domain name in their control panel letting you know when everything has updated.

At this point you can move on to step #2 but don’t start step #3 until after cloudflare is handleing your DNS 2 – 48 hours from now. You might want to bookmark this page and come back.

 

Once your DNS is on CloudFlare You should be able to enable basic SSL by going to your settings page.

On the settings page enable “Flexable SSL”

At this point you should be able to enter https://your-site.com into your browser.  You should see the lock icon next in the address bar to the left of your domain name. The SSL encrypted connection is between your browser and CloudFlare’s proxy server however the connection between CloudFlare and your server isn’t yet encrypted.  If we want to encrypt the connection between your server and CloudFlare and enable redirection to only the SSL secured version of your site you are going to need to install an SSL Cert on your server.  The good news is that you can use a self signed SSL cert that won’t cost you a penny and I’m going to show you how to do that.

Basic step #2 Create your SSL Cert

sudo mkdir /etc/nginx/ssl

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.crt

So on the first line we’re creating a directory to store our SSL certs in. On the second link we’re telling OpenSSL to create a self signed SSL cert that expires ten years from now and put it in our newly created directory. You’re going to be asked a few questions about your location, company name, department, common name the only one of these that is important is common name it should match your site exactly if your site is www.your-site.com enter www.your-site.com if you plan on accessing your site without the www the it would be just your-site.com for example on this site I don’t use the www prefix so I would just use “odinsql.com” as the common name.  None of this is really all that important as CloudFlare won’t be using the information from this cert to your users. In fact I have several different web sites using CloudFlare using the the same self signed cert.

Basic step #3 Enable SSL on your site

Before you begin this step it’s important that your DNS is now being handled by CloudFlare if it’s not this next step is going to end up bringing your site down. So double check.  The icon next to your domain name should be green in CloudFlare.

Let’s move to the nginx config directory for your available web sites on Ubuntu we would do the following to get a list of the config files for the sites on your server.

cd /etc/nginx/sites-available

ls

sudo cp example.com.conf example.com.conf.bk

sudo nano example.com.conf

The command cd changes the directory in this case to the directory containing the config files for our web sites.

We should create a backup copy of your sites config and to do that we use the “cp” command. The first parameter of cp is the file that we want to make a copy of and the second is the name that we are going to give the copy.

Nano is a text editor replace “you-site.conf” with the the file name for your site.
Your config file should look something like this.

server {

server_name example.com www.example.com;

access_log /var/log/nginx/example.com.access.log rt_cache;
error_log /var/log/nginx/example.com.error.log;

root /var/www/example.com/htdocs;
index index.php index.htm index.html;
include common/locations.conf;

}

Were going to need to make a few changes so that it looks more like this.

# block #1 : redirect non secure traffic to your secure site
server {
listen 80;
listen [::]:80;
server_name wwwexample.com example.com;
return 301 https://example.com$request_uri;
}

#block # 2 :  redirect the www. version to the non www version
server {
listen 443;
listen [::]:443;
server_name www.example.com;
return 301 https://example.com$request_uri;

}

#block #3 :  This is what is where all of the parameters for serving your site are defined
server {
listen 443;
listen [::]:443;
access_log /var/log/nginx/example.com.access.log rt_cache;
error_log /var/log/nginx/example.com.error.log;

root /var/www/example.com/html;
index index.php index.htm index.html;

server_name example.com;

ssl on;

ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

#I use a set of includes for handling common items like PHP, WordPress, Common Locations,  Security
#If you host multiple sites, I would recommend that you do the same.
include common/locations.conf;

}

There are 3 server blocks in this file block.

In server block 1 we listen on port 80

“listen 80;” means that should handle requests on TCP port 80 for IPV4

listen [::]:80 listens of port 80 for IPv6

Port 80 is the standard port used by web servers to server non secure data.

“server_name” specifies which site names this block is corresponding to. Here we have it responding to the domain example.com and the sub-domain www.example.com.

“return 301 https://example.com$request_uri;” On this line we’re telling Nginx to return a 301 (permanent redirect) to the users browser that sends them to the secure version of example.com and to append the page that was requested with “$request_uri” if one was specified.

In server block 2 we listen on port 443

We have basically the same thing in server block 2 as we did in server block 2 execpt here were telling nginx to listen on port 443 which is the standart port used by browsers for SSL.

“server_name www.example.com;” This time were only redirecting the www version to the non www verision.  It’s important that you only have the www version of your domain name on this line. If you were to enter them both your site will not be available.

In server block 3 we listen on port 443 and serve your site

In block 3 we have the code  that actually serves your site.  You will need to take your original server block that you started with and have added

listen 443;
listen [::]:443;

To the top of it so that this block will now only listen on the default secure port 443

server_name example.com;

The site only responds to the non www version of example.com as specified by the “server_name”.  www.example.com is being redirected in block 2 redirecting to the non www version in block 3.

ssl on;

ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

This is the code that actually enables SSL the line “ssl_certificate” needs the path to the .crt file that we generate. The other lines pertaining to SSL should be copied verbatim and define which encryption protocols we will support and how the browser should communicate with the server. !In the “ssl_protocols” do not enable ssl3. It posses a security risk and should remain disabled.

Double check that every comment line start with “#” and every parameter ends in “;”

Hit Ctrl+x to save the changes you’ve made then “y” when prompted followed by “enter”

Now we need to load your modified config into Nginx and we do that by typing this

sudo service nginx reload

If you don’t see an error then you’ve done everything correctly if you do get an error open your config back up and take look everything over again.  It’s most likely the path to the cert, key or a missing semicolon.

Basic step #4 : Enable full SSL in CloudFlare

If you didn’t have an error restarting Nginx at the end of step #3 you can now enable Full SSL in CloudFlare.

Try visiting http://your-site.com then http://www.your-site.com the https://www.yourssite.com they should all now redirect to http://your-site.com where your-site is the name of the website you’ve just configured.

If you are setting this up for a WordPress website you should also install the HTTPS plugin for wordpress.

 

If you need a great virtual server I highly recommend that you
Sign up for a Linode SSD VPS

After reading through all of this you’ve decided that you would rather leave the management of you server in the hands of professionals have a look at

CloudWays Managed VPS

CloudWays offers VPS management on top of DigitalOcean’s network

That’s it. Hopefully you’ve gotten everything working without too many headaches.  If you’ve found this tutorial useful, are having problems, noticed a mistake or have a suggestion please leave me a comment here on this page.