One place for hosting & domains

      Host

      How to Create and Host Your First Webinar


      Hosting a webinar is still one of the most significant — if not slightly daunting — tactics for engaging your existing audience, building a new one, and growing your business online.

      Especially in this new era of working from home, online events have proliferated, with a threefold increase in webinar audience reported in 2020 compared to 2019.

      If the very mention of a webinar works you up into a cold sweat, you’re not alone. Webinars can be super scary if you’ve never created and hosted one before.

      But take a few breaths. Relax. Stay calm.

      We’re here to break it down for you and make sure you’re extra-prepared for hosting your very first webinar.

      To save you scrolling through this entire article, here are the things we’re going to cover so you can jump down to the bits you want:

      What Is a Webinar, Anyway?

      A webinar is simply a video workshop or presentation. It’s often live (but not always) and is usually interactive and largely unscripted.

      The point isn’t to sell, sell, sell to the webinar attendee. It’s about providing information and advice to encourage and inspire your audience to solve issues themselves. Of course, there’s no harm in promoting your service and product somewhere along the way, but making it your primary focus won’t go down well with most audiences.

      Our take: The best webinar marketing focuses on building brand awareness and engagement with attendees rather than hard sells.

      Shared Hosting That Powers Your Purpose

      We make sure your website is fast, secure, and always up so your visitors trust you. Plans start at $2.59/mo.

      Why You Should Host a Webinar

      Here are some important reasons for you to host your first webinar:

      They’re Cheap and Easy

      For a start, webinars are a lot less hassle than they seem. They’re relatively straightforward to create, as long as you find the right hosting software and have a good strategy. That said, you’ll still need to put in the hard work to make it a success.

      They can also be done on a shoestring budget, using just your smartphone. So, while you can splash out and buy all the fancy gear, there’s absolutely no reason you can’t do it on the smallest of budgets.

      They Make Great Evergreen Content

      These days, a lot of visual content is here today, gone tomorrow, but an evergreen webinar can live on and on!

      If you record your webinar, you can reuse it in the future, either by reposting it or repurposing it for different audiences.

      For example, you might try chopping your webinar into smaller pieces and posting them in a series on your social media or blog. Or you could put it on your website in full to be downloaded in return for a sign-up to your newsletter.

      They Add Value

      By providing something informative, valuable, and high-quality, you’re both helping your customers solve a problem while simultaneously promoting your own brand. It’s a win-win.

      So whether you’re demonstrating your latest product or educating about a certain technique or issue, make sure you focus it on your audience’s real — rather than perceived — need.

      It’s Great for Your Brand

      Along with social media, interactive content like a live webinar is a good way to connect with your audience and potential customers.

      Not only do webinars help put a human face to your brand — they’re a great way of showing your customers a sneak peek behind the curtain — but they can also set you up as a thought leader in your industry.

      By providing your audience with actionable tips and valuable knowledge, you can come across as an authority, not just another brand.

      They Can Boost Conversions

      Whether the goal for your webinar is to directly increase your revenue or whether conversions are a happy by-product, there’s good evidence to demonstrate that webinars have a great ROI.

      By establishing yourself as an authoritative, trustworthy brand and by reaching your audience more directly, you can expect to increase sales on your website.

      1. Choose Your Webinar Topic

      Choosing your topic isn’t quite as easy as it sounds. Should you talk about what you know? Of course.

      But first, consider this: What does your audience want to know?

      After all, you can spend all day talking about things you’re passionate about. But if those topics don’t help your audience, they’ll drop out fast.

      If you’re looking to provide value to your audience, your webinar needs to match up with what your audience is asking for. Your expertise needs to answer their questions.

      But how do you know what your audience wants to hear about?

      The most obvious answer is to ask them directly. Use your social channels to directly ask your audience what questions they need answers to. You could also send out a survey to your email list to gather more details.

      Alternatively, you can search through your data to see which social posts or blog articles get the most traction. Or, you can look at your Google Analytics to identify some of the search queries that bring people to your website.

      2. Choose Your Webinar Format

      There are several options for how you conduct your webinar.

      You could go down the traditional route of a webinar presentation or take on a more dynamic Q&A interview format. Just keep in mind that the best webinars always find a way to solicit audience participation.

      What’s most important for your first webinar is that you choose a format that you think will work best for your goals. You can always iterate for future webinars based on what you learn from the first attempt.

      A Presentation

      Most webinars are done as presentations simply because presentations are the most straightforward format. They’re also a good option if you’re targeting a small audience.

      Usually, the host will address the camera while delivering a presentation that can be followed on a PowerPoint, whiteboard, or video running in the background.

      If you want to inject a bit more interactivity into this option, you could enable a chat box so your audience can ask questions throughout the webinar for you to answer at the end.

      Product Demonstrations

      Great for e-commerce businesses, a demonstration-style webinar is a good option if you have a new product or service that you’d like to share with users.

      Depending on your product, you can simply address the camera while showing your audience how to use the item, or you can screen share if your product is digital.

      Interview

      A Q&A with an industry expert or panel of influencers is guaranteed to give your audience extra value.

      Identify and reach out to people who are regarded as thought leaders in your niche and make it an exciting opportunity for them to take part in (after all, it will give them exposure too).

      This format might take a bit more preparation. You shouldn’t rehearse the interview ahead of time, as it may come across as stale to your audience. But it would be helpful to create a list of questions and send them to your interviewees in advance so they can be prepared and share informative responses.

      3. Build Your Toolkit

      Next, it’s time to handle the technical details of creating a webinar.

      There are plenty of tools for hosting webinars available, as well as popular webinar software like ZoomLivestorm, or ClickMeeting.

      When choosing your webinar platform, you need to think about a few things:

      • How much does it cost?
      • How big an audience does it allow?
      • How easy is it to use?
      • Does it let you record the video?
      • Does it allow for Q&As?
      • Does it let you screen share or show a PowerPoint presentation?

      Once you’ve chosen a webinar service, it’s time to think about the other tools you might need: a camera (although most smartphones have high-resolution cameras), microphones, a recording device (if this isn’t built into your hosting tool), strong internet, and good lighting.

      4. Produce the Webinar Content

      So, you know your topic. You’ve identified your format. You have your webinar tool. Now it’s time to focus on the content.

      If you’re hosting a presentation, then you can get started on producing your slide deck. Be careful not to write a formal script, but make a few points on your slide deck to allow your audience to follow along with what you’re saying.

      Make your slide deck visually appealing and include images and color. Bright Talk has found that video-based learning is their preferred learning format among its respondents, and 85% prefer the video to be webinars.

      A Q&A with an expert or a panel will involve more planning. Ask for questions from your audience in advance so that you can field them to your experts on the day.

      Make sure you plan out your speakers and the order of the questions, ensuring you time it so you know how long to allow for your webinar.

      5. Set Up a Landing Page

      Your webinar’s landing page is where you can send your audience to find out more about the event and register to attend. This should be hosted on your website, allowing you to learn more about your attendees and giving your attendees an easy way to learn more about your business by clicking around on your website after they’ve signed up for the webinar.

      Your landing page needs to be fully optimized. Include a target keyword in your page title and in the on-page copy. Embed a registration form that captures enough information without being overly complex.

      Ideally, you should integrate your form into your other marketing tools so that you can turn an attendee into a prospect (use an opt-in checkbox and watch out for GDPR rules for data privacy).

      6. Determine the Date and Time

      When is the best time to host your webinar? ON24 says Wednesdays and Thursdays at 11:00 a.m. are best. LiveWebinar suggests that any midweek day (Tuesday to Thursday) is fine.

      We suggest letting your own data tell you when’s best. Use Google Analytics to see when people are most engaging with your website. Chances are that when they’re on your website, they’ll also be likely to check out your webinar.

      Watch out for time zones if you have an international audience. And steer clear of the start or end of the working day when your audience may be commuting.

      7. Promote Your Webinar

      Of course, your webinar is nothing without an audience.

      But how do you ensure you get people — the right people — to attend?

      You’ve already optimized a landing page. You now have to be creative in how you share that link.

      First of all, you could set up a series of paid ads, either on Google AdWords or social ads (Facebook Ads, Sponsored Tweets, etc.). This tactic gives you more control over the audience you’re trying to reach, but it does come at a modest cost.

      Your free options include promoting your landing page on your free social media accounts. If you already have a regular e-newsletter, create an email campaign inviting your contacts to the webinar.

      Send reminder emails as the date approaches, and entice your audience with some information about the webinar, such as the key points you’ll be covering or, for instance, the guest speaker.

      8. Prepare and Practice

      When it comes to your first webinar, you won’t want to leave anything to chance.

      Set aside time to rehearse your webinar and do a tech run, paying particular attention to details like lighting and sound, camera angles, and your backdrop. Make a note of timing so you don’t run over or, worse, have time to fill. Have a plan in place for any technical issues that might arise on the day.

      Most importantly, practice strategies for staying calm and confident. Focus on your breathing and remind yourself that you are the expert and you’re well-prepared.

      9. Follow up After Your Webinar

      You just hosted a great webinar — congratulations! Give yourself a well-deserved pat on the back.

      But the job’s not over yet.

      The last thing you want to do is let all your hard work go to waste by forgetting to follow up with your audience.

      After your webinar ends, send the attendees a thank you email with the webinar recording or slide deck, along with a request for feedback. If your webinar included a product demonstration or special offer, be sure to include those details in a post-webinar email campaign.

      Make sure you send the recorded webinar to your audience who registered but who couldn’t attend as well. And don’t forget to repurpose the webinar into a blog post, YouTube video, Twitter series, or ebook as part of your content marketing strategy.

      Ready to Host Your First Live Event?

      Whether you need help finding a target audience, crafting the ideal social media strategy, or building a webinar registration site, we can help! Subscribe to our monthly digest so you never miss an article.

      Now Over to You…

      You know that hosting an online webinar is a solid marketing idea. It’ll improve your brand awareness, set you apart as a trusted authority, and drive brand awareness for your business.

      These tips will help prepare you to host a successful webinar, but if you need help hosting your website, we’re here to help you with that too. Check out our affordable shared hosting plans today!



      Source link

      How To Host a Website Using Cloudflare and Nginx on Ubuntu 20.04


      Not using Ubuntu 20.04?


      Choose a different version or distribution.

      The author selected the Electronic Frontier Foundation to receive a donation as part of the Write for DOnations program.

      Introduction

      Cloudflare is a service that sits between the visitor and the website owner’s server, acting as a reverse proxy for websites. Cloudflare provides a Content Delivery Network (CDN), as well as DDoS mitigation and distributed domain name server services.

      Nginx is a popular web server responsible for hosting some of the largest and highest-traffic sites on the internet. It’s common for organizations to serve websites with Nginx and use Cloudflare as a CDN and DNS provider.

      In this tutorial, you will secure your website served by Nginx with an Origin CA certificate from Cloudflare and then configure Nginx to use authenticated pull requests. The advantages of using this setup are that you benefit from Cloudflare’s CDN and fast DNS resolution while ensuring that all connections pass through Cloudflare. This prevents any malicious requests from reaching your server.

      Prerequisites

      To complete this tutorial, you’ll need the following:

      Step 1 — Generating an Origin CA TLS Certificate

      The Cloudflare Origin CA lets you generate a free TLS certificate signed by Cloudflare to install on your Nginx server. By using the Cloudflare generated TLS certificate you can secure the connection between Cloudflare’s servers and your Nginx server.

      To generate a certificate with Origin CA, log in to your Cloudflare account in a web browser. Select the domain that you want to secure and navigate to the SSL/TLS section of your Cloudflare dashboard. From there, navigate to the Origin Server tab and click on the Create Certificate button:

      Create certificate option in the Cloudflare dashboard

      Leave the default option of Let Cloudflare generate a private key and a CSR selected.

      Origin CA GUI options

      Click Next and you will see a dialog with the Origin Certificate and Private key. You need to transfer both the origin certificate and private key from Cloudflare to your server. For security reasons, the Private Key information will not be displayed again, so copy the key to your server before clicking Ok.

      Dialog showing the origin certificate and private key

      You’ll use the /etc/ssl directory on the server to hold the origin certificate and the private key files. The folder already exists on the server.

      First, copy the contents of the Origin Certificate displayed in the dialog box in your browser.

      Then, on your server, open /etc/ssl/cert.pem in your preferred text editor:

      • sudo nano /etc/ssl/cert.pem

      Add the certificate contents into the file. Then save and exit the editor.

      Then return to your browser and copy the contents of the Private key. Open the file /etc/ssl/key.pem for editing:

      • sudo nano /etc/ssl/key.pem

      Paste the private key into the file, save the file, and exit the editor.

      Note: Sometimes, when you copy the certificate and key from the Cloudflare dashboard and paste it into the relevant files on the server, blank lines are inserted. Nginx will treat such certificates and keys as invalid, so ensure that there are no blank lines in your files.

      Warning: Cloudflare’s Origin CA Certificate is only trusted by Cloudflare and therefore should only be used by origin servers that are actively connected to Cloudflare. If at any point you pause or disable Cloudflare, your Origin CA certificate will throw an untrusted certificate error.

      Now that you copied the key and certificate files to your server, you need to update the Nginx configuration to use them.

      Step 2 — Installing the Origin CA Certificate in Nginx

      In the previous section, you generated an origin certificate and private key using Cloudflare’s dashboard and saved the files to your server. Now you’ll update the Nginx configuration for your site to use the origin certificate and private key to secure the connection between Cloudflare’s servers and your server.

      First, make sure that UFW will allow HTTPS traffic. Enable Nginx Full, which will open both port 80 (HTTP) and port 443 (HTTPS):

      • sudo ufw allow 'Nginx Full'

      Now reload UFW:

      Finally, check that your new rules are allowed and that UFW is active:

      You will see an output like this:

      Output

      Status: active To Action From -- ------ ---- OpenSSH ALLOW Anywhere Nginx Full ALLOW Anywhere OpenSSH (v6) ALLOW Anywhere (v6) Nginx Full (v6) ALLOW Anywhere (v6)

      Now you are ready to adjust your Nginx server block. Nginx creates a default server block during installation. Remove it if it still exists, as you’ve already configured a custom server block for your domain:

      • sudo rm /etc/nginx/sites-enabled/default

      Next, open the Nginx configuration file for your domain:

      • sudo nano /etc/nginx/sites-available/your_domain

      The file should look like this:

      /etc/nginx/sites-available/your_domain

      server {
              listen 80;
              listen [::]:80;
      
              root /var/www/your_domain/html;
              index index.html index.htm index.nginx-debian.html;
      
              server_name your_domain www.your_domain;
      
              location / {
                      try_files $uri $uri/ =404;
              }
      }
      
      

      You’ll modify the Nginx configuration file to do the following:

      • Listen on port 80 and redirect all requests to use https.
      • Listen on port 443 and use the origin certificate and private key added in the previous section.

      Modify the file so it looks like the following:

      /etc/nginx/sites-available/your_domain

      server {
          listen 80;
          listen [::]:80;
          server_name your_domain www.your_domain;
          return 302 https://$server_name$request_uri;
      }
      
      server {
      
          # SSL configuration
      
          listen 443 ssl http2;
          listen [::]:443 ssl http2;
          ssl_certificate         /etc/ssl/cert.pem;
          ssl_certificate_key     /etc/ssl/key.pem;
      
          server_name your_domain www.your_domain;
      
          root /var/www/your_domain/html;
          index index.html index.htm index.nginx-debian.html;
      
      
          location / {
                  try_files $uri $uri/ =404;
          }
      }
      

      Save the file and exit the editor.

      Next, test to ensure that there are no syntax errors in any of your Nginx configuration files:

      If you found no problems, restart Nginx to enable your changes:

      • sudo systemctl restart nginx

      Now go to the Cloudflare dashboard’s SSL/TLS section, navigate to the Overview tab, and change SSL/TLS encryption mode to Full (strict). This informs Cloudflare to always encrypt the connection between Cloudflare and your origin Nginx server.

      Enable Full(strict) SSL mode in the Cloudflare Dashboard

      Now visit your website at https://your_domain to verify that it’s set up properly. You’ll see your home page displayed, and the browser will report that the site is secure.

      In the next section, you will set up Authenticated Origin Pulls to verify that your origin server is indeed talking to Cloudflare and not some other server. By doing so, Nginx will be configured to only accept requests that use a valid client certificate from Cloudflare; all requests that have not passed through Cloudflare will be dropped.

      Step 3 — Setting Up Authenticated Origin Pulls

      The Origin CA certificate will help Cloudflare verify that it is talking to the correct origin server. This step will use TLS Client Authentication to verify that your origin Nginx server is talking to Cloudflare.

      In a client-authenticated TLS handshake, both sides provide a certificate to be verified. The origin server is configured to only accept requests that use a valid client certificate from Cloudflare. Requests which have not passed through Cloudflare will be dropped as they will not have Cloudflare’s certificate. This means that attackers cannot circumvent Cloudflare’s security measures and directly connect to your Nginx server.

      Cloudflare presents certificates signed by a CA with the following certificate:

      -----BEGIN CERTIFICATE-----
      MIIGCjCCA/KgAwIBAgIIV5G6lVbCLmEwDQYJKoZIhvcNAQENBQAwgZAxCzAJBgNV
      BAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMRQwEgYDVQQLEwtPcmln
      aW4gUHVsbDEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZv
      cm5pYTEjMCEGA1UEAxMab3JpZ2luLXB1bGwuY2xvdWRmbGFyZS5uZXQwHhcNMTkx
      MDEwMTg0NTAwWhcNMjkxMTAxMTcwMDAwWjCBkDELMAkGA1UEBhMCVVMxGTAXBgNV
      BAoTEENsb3VkRmxhcmUsIEluYy4xFDASBgNVBAsTC09yaWdpbiBQdWxsMRYwFAYD
      VQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMSMwIQYDVQQD
      ExpvcmlnaW4tcHVsbC5jbG91ZGZsYXJlLm5ldDCCAiIwDQYJKoZIhvcNAQEBBQAD
      ggIPADCCAgoCggIBAN2y2zojYfl0bKfhp0AJBFeV+jQqbCw3sHmvEPwLmqDLqynI
      42tZXR5y914ZB9ZrwbL/K5O46exd/LujJnV2b3dzcx5rtiQzso0xzljqbnbQT20e
      ihx/WrF4OkZKydZzsdaJsWAPuplDH5P7J82q3re88jQdgE5hqjqFZ3clCG7lxoBw
      hLaazm3NJJlUfzdk97ouRvnFGAuXd5cQVx8jYOOeU60sWqmMe4QHdOvpqB91bJoY
      QSKVFjUgHeTpN8tNpKJfb9LIn3pun3bC9NKNHtRKMNX3Kl/sAPq7q/AlndvA2Kw3
      Dkum2mHQUGdzVHqcOgea9BGjLK2h7SuX93zTWL02u799dr6Xkrad/WShHchfjjRn
      aL35niJUDr02YJtPgxWObsrfOU63B8juLUphW/4BOjjJyAG5l9j1//aUGEi/sEe5
      lqVv0P78QrxoxR+MMXiJwQab5FB8TG/ac6mRHgF9CmkX90uaRh+OC07XjTdfSKGR
      PpM9hB2ZhLol/nf8qmoLdoD5HvODZuKu2+muKeVHXgw2/A6wM7OwrinxZiyBk5Hh
      CvaADH7PZpU6z/zv5NU5HSvXiKtCzFuDu4/Zfi34RfHXeCUfHAb4KfNRXJwMsxUa
      +4ZpSAX2G6RnGU5meuXpU5/V+DQJp/e69XyyY6RXDoMywaEFlIlXBqjRRA2pAgMB
      AAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1Ud
      DgQWBBRDWUsraYuA4REzalfNVzjann3F6zAfBgNVHSMEGDAWgBRDWUsraYuA4REz
      alfNVzjann3F6zANBgkqhkiG9w0BAQ0FAAOCAgEAkQ+T9nqcSlAuW/90DeYmQOW1
      QhqOor5psBEGvxbNGV2hdLJY8h6QUq48BCevcMChg/L1CkznBNI40i3/6heDn3IS
      zVEwXKf34pPFCACWVMZxbQjkNRTiH8iRur9EsaNQ5oXCPJkhwg2+IFyoPAAYURoX
      VcI9SCDUa45clmYHJ/XYwV1icGVI8/9b2JUqklnOTa5tugwIUi5sTfipNcJXHhgz
      6BKYDl0/UP0lLKbsUETXeTGDiDpxZYIgbcFrRDDkHC6BSvdWVEiH5b9mH2BON60z
      0O0j8EEKTwi9jnafVtZQXP/D8yoVowdFDjXcKkOPF/1gIh9qrFR6GdoPVgB3SkLc
      5ulBqZaCHm563jsvWb/kXJnlFxW+1bsO9BDD6DweBcGdNurgmH625wBXksSdD7y/
      fakk8DagjbjKShYlPEFOAqEcliwjF45eabL0t27MJV61O/jHzHL3dknXeE4BDa2j
      bA+JbyJeUMtU7KMsxvx82RmhqBEJJDBCJ3scVptvhDMRrtqDBW5JShxoAOcpFQGm
      iYWicn46nPDjgTU0bX1ZPpTpryXbvciVL5RkVBuyX2ntcOLDPlZWgxZCBp96x07F
      AnOzKgZk4RzZPNAxCXERVxajn/FLcOhglVAKo5H0ac+AitlQ0ip55D2/mf8o72tM
      fVQ6VpyjEXdiIXWUq/o=
      -----END CERTIFICATE-----
      

      You can also download the certificate directly from Cloudflare here.

      Copy this certificate.

      Then create the file /etc/ssl/cloudflare.crt file to hold Cloudflare’s certificate:

      • sudo nano /etc/ssl/cloudflare.crt

      Add the certificate to the file. Then save the file and exit the editor.

      Now update your Nginx configuration to use TLS Authenticated Origin Pulls. Open the configuration file for your domain:

      • sudo nano /etc/nginx/sites-available/your_domain

      Add the ssl_client_certificate and ssl_verify_client directives as shown in the following example:

      /etc/nginx/sites-available/your_domain

      . . .
      
      server {
      
          # SSL configuration
      
          listen 443 ssl http2;
          listen [::]:443 ssl http2;
          ssl_certificate         /etc/ssl/cert.pem;
          ssl_certificate_key     /etc/ssl/key.pem;
          ssl_client_certificate /etc/ssl/cloudflare.crt;
          ssl_verify_client on;
      
          . . .
      

      Save the file and exit the editor.

      Next, test Nginx to make sure that there are no syntax errors in your Nginx configuration:

      If no problems were found, restart Nginx to enable your changes:

      • sudo systemctl restart nginx

      Finally, to enable Authenticated Pulls, open the SSL/TLS section in the Cloudflare dashboard, navigate to the Origin Server tab and toggle the Authenticated Origin Pulls option .

      Enable Authenticated Origin Pulls

      Now visit your website at https://your_domain to verify that it was set up properly. As before, you’ll see your home page displayed.

      To verify that your server will only accept requests signed by Cloudflare’s CA, toggle the Authenticated Origin Pulls option to disable it and then reload your website. You should get the following error message :

      Error message

      Your origin server raises an error if Cloudflare’s CA does not sign a request.

      Note: Most browsers will cache requests, so to see the above change you can use Incognito/Private browsing mode in your browser. To prevent Cloudflare from caching requests while you set up your website, navigate to Overview in the Cloudflare dashboard and toggle Development Mode.

      Now that you know it works properly return to the SSL/TLS section in the Cloudflare dashboard, navigate to the Origin Server tab and toggle the Authenticated Origin Pulls option again to enable it.

      Conclusion

      In this tutorial, you secured your Nginx-powered website by encrypting traffic between Cloudflare and the Nginx server using an Origin CA certificate from Cloudflare. You then set up Authenticated Origin Pulls on the Nginx server to ensure that it only accepts Cloudflare servers’ requests, preventing anyone else from directly connecting to the Nginx server.



      Source link

      How To Host a Website Using Cloudflare and Nginx on Ubuntu 18.04


      Not using Ubuntu 18.04?


      Choose a different version or distribution.

      The author selected the Electronic Frontier Foundation to receive a donation as part of the Write for DOnations program.

      Introduction

      Cloudflare is a service that sits between the visitor and the website owner’s server, acting as a reverse proxy for websites. Cloudflare provides a Content Delivery Network (CDN), as well as DDoS mitigation and distributed domain name server services.

      Nginx is a popular web server responsible for hosting some of the largest and highest-traffic sites on the internet. It’s common for organizations to serve websites with Nginx and use Cloudflare as a CDN and DNS provider.

      In this tutorial you will secure your website served by Nginx with an Origin CA certificate from Cloudflare and then configure Nginx to use authenticated pull requests. The advantages of using this setup are that you benefit from Cloudflare’s CDN and fast DNS resolution while ensuring that all connections pass through Cloudflare. This prevents any malicious requests from reaching your server.

      Prerequisites

      To complete this tutorial, you’ll need the following:

      Step 1 — Generating an Origin CA TLS Certificate

      The Cloudflare Origin CA lets you generate a free TLS certificate signed by Cloudflare to install on your Nginx server. By using the Cloudflare generated TLS certificate you can secure the connection between Cloudflare’s servers and your Nginx server.

      To generate a certificate with Origin CA, log in to your Clouflare account in a web browser. Select the domain that you want to secure and navigate to the SSL/TLS section of your Cloudflare dashboard. From there, navigate to the Origin Server tab and click on the Create Certificate button:

      Create certificate option in the Cloudflare dashboard

      Leave the default option of Let Cloudflare generate a private key and a CSR selected.

      Origin CA GUI options

      Click Next and you will see a dialog with the Origin Certificate and Private key. You need to transfer both the origin certificate and private key from Cloudflare to your server. For security reasons, the Private Key information will not be displayed again, so copy the key to your server before clicking Ok.

      Dialog showing the origin certificate and private key

      We’ll use the /etc/ssl directory on the server to hold the origin certificate and the private key files. The folder already exists on the server.

      First, copy the contents of the Origin Certificate displayed in the dialog box in your browser.

      Then, on your server, open /etc/ssl/cert.pem in your preferred text editor:

      • sudo nano /etc/ssl/cert.pem

      Add the certificate contents into the file. Then save and exit the editor.

      Then return to your browser and copy the contents of the Private key. Open the file /etc/ssl/key.pem for editing:

      • sudo nano /etc/ssl/key.pem

      Paste the private key into the file, save the file, and exit the editor.

      Note: Sometimes, when you copy the certificate and key from the Cloudflare dashboard and paste it into the relevant files on the server, blank lines are inserted. Nginx will treat such certificates and keys as invalid, so ensure that there are no blank lines in your files.

      Warning: Cloudflare’s Origin CA Certificate is only trusted by Cloudflare and therefore should only be used by origin servers that are actively connected to Cloudflare. If at any point you pause or disable Cloudflare, your Origin CA certificate will throw an untrusted certificate error.

      Now that you copied the key and certificate files to your server, you need to update the Nginx configuration to use them.

      Step 2 — Installing the Origin CA Certificate in Nginx

      In the previous section, you generated an origin certificate and private key using Cloudlfare’s dashboard and saved the files to your server. Now you’ll update the Nginx configuration for your site to use the origin certificate and private key to secure the connection between Cloudflare’s servers and your server.

      Nginx creates a default server block during installation. Remove it if it exists, as you’ve already configured a custom server block for your domain:

      • sudo rm /etc/nginx/sites-enabled/default

      Next, open the Nginx configuration file for your domain:

      • sudo nano /etc/nginx/sites-available/your_domain

      The file should look like this:

      /etc/nginx/sites-available/your_domain

      server {
              listen 80;
              listen [::]:80;
      
              root /var/www/your_domain/html;
              index index.html index.htm index.nginx-debian.html;
      
              server_name your_domain www.your_domain;
      
              location / {
                      try_files $uri $uri/ =404;
              }
      }
      
      

      We’ll modify the Nginx configuration file to do the following:

      • Listen on port 80 and redirect all requests to use https.
      • Listen on port 443 and use the origin certificate and private key that you added in the previous section.

      Modify the file so it looks like the following:

      /etc/nginx/sites-available/your_domain

      server {
          listen 80;
          listen [::]:80;
          server_name your_domain www.your_domain;
          return 302 https://$server_name$request_uri;
      }
      
      server {
      
          # SSL configuration
      
          listen 443 ssl http2;
          listen [::]:443 ssl http2;
          ssl        on;
          ssl_certificate         /etc/ssl/cert.pem;
          ssl_certificate_key     /etc/ssl/key.pem;
      
          server_name your_domain www.your_domain;
      
          root /var/www/your_domain/html;
          index index.html index.htm index.nginx-debian.html;
      
      
          location / {
                  try_files $uri $uri/ =404;
          }
      }
      

      Save the file and exit the editor.

      Next, test to make sure that there are no syntax errors in any of your Nginx configuration files:

      If no problems were found, restart Nginx to enable your changes:

      • sudo systemctl restart nginx

      Now go to the Cloudflare dashboard’s SSL/TLS section, navigate to the Overview tab, and change SSL/TLS encryption mode to Full (strict). This informs Cloudflare to always encrypt the connection between Cloudflare and your origin Nginx server.

      Enable Full(strict) SSL mode in the Cloudflare Dashboard

      Now visit your website at https://your_domain to verify that it’s set up properly. You’ll see your home page displayed, and the browser will report that the site is secure.

      In the next section, you will set up Authenticated Origin Pulls to verify that your origin server is indeed talking to Cloudflare and not some other server. By doing so, Nginx will be configured to only accept requests that use a valid client certificate from Cloudflare; all requests that have not passed through Cloudflare will be dropped.

      Step 3 — Setting Up Authenticated Origin Pulls

      The Origin CA certificate will help Cloudflare verify that it is talking to the correct origin server. This step will use TLS Client Authentication to verify that your origin Nginx server is talking to Cloudflare.

      In a client-authenticated TLS handshake, both sides provide a certificate to be verified. The origin server is configured to only accept requests that use a valid client certificate from Cloudflare. Requests which have not passed through Cloudflare will be dropped as they will not have Cloudflare’s certificate. This means that attackers cannot circumvent Cloudflare’s security measures and directly connect to your Nginx server.

      Cloudflare presents certificates signed by a CA with the following certificate:

      -----BEGIN CERTIFICATE-----
      MIIGCjCCA/KgAwIBAgIIV5G6lVbCLmEwDQYJKoZIhvcNAQENBQAwgZAxCzAJBgNV
      BAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMRQwEgYDVQQLEwtPcmln
      aW4gUHVsbDEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZv
      cm5pYTEjMCEGA1UEAxMab3JpZ2luLXB1bGwuY2xvdWRmbGFyZS5uZXQwHhcNMTkx
      MDEwMTg0NTAwWhcNMjkxMTAxMTcwMDAwWjCBkDELMAkGA1UEBhMCVVMxGTAXBgNV
      BAoTEENsb3VkRmxhcmUsIEluYy4xFDASBgNVBAsTC09yaWdpbiBQdWxsMRYwFAYD
      VQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMSMwIQYDVQQD
      ExpvcmlnaW4tcHVsbC5jbG91ZGZsYXJlLm5ldDCCAiIwDQYJKoZIhvcNAQEBBQAD
      ggIPADCCAgoCggIBAN2y2zojYfl0bKfhp0AJBFeV+jQqbCw3sHmvEPwLmqDLqynI
      42tZXR5y914ZB9ZrwbL/K5O46exd/LujJnV2b3dzcx5rtiQzso0xzljqbnbQT20e
      ihx/WrF4OkZKydZzsdaJsWAPuplDH5P7J82q3re88jQdgE5hqjqFZ3clCG7lxoBw
      hLaazm3NJJlUfzdk97ouRvnFGAuXd5cQVx8jYOOeU60sWqmMe4QHdOvpqB91bJoY
      QSKVFjUgHeTpN8tNpKJfb9LIn3pun3bC9NKNHtRKMNX3Kl/sAPq7q/AlndvA2Kw3
      Dkum2mHQUGdzVHqcOgea9BGjLK2h7SuX93zTWL02u799dr6Xkrad/WShHchfjjRn
      aL35niJUDr02YJtPgxWObsrfOU63B8juLUphW/4BOjjJyAG5l9j1//aUGEi/sEe5
      lqVv0P78QrxoxR+MMXiJwQab5FB8TG/ac6mRHgF9CmkX90uaRh+OC07XjTdfSKGR
      PpM9hB2ZhLol/nf8qmoLdoD5HvODZuKu2+muKeVHXgw2/A6wM7OwrinxZiyBk5Hh
      CvaADH7PZpU6z/zv5NU5HSvXiKtCzFuDu4/Zfi34RfHXeCUfHAb4KfNRXJwMsxUa
      +4ZpSAX2G6RnGU5meuXpU5/V+DQJp/e69XyyY6RXDoMywaEFlIlXBqjRRA2pAgMB
      AAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1Ud
      DgQWBBRDWUsraYuA4REzalfNVzjann3F6zAfBgNVHSMEGDAWgBRDWUsraYuA4REz
      alfNVzjann3F6zANBgkqhkiG9w0BAQ0FAAOCAgEAkQ+T9nqcSlAuW/90DeYmQOW1
      QhqOor5psBEGvxbNGV2hdLJY8h6QUq48BCevcMChg/L1CkznBNI40i3/6heDn3IS
      zVEwXKf34pPFCACWVMZxbQjkNRTiH8iRur9EsaNQ5oXCPJkhwg2+IFyoPAAYURoX
      VcI9SCDUa45clmYHJ/XYwV1icGVI8/9b2JUqklnOTa5tugwIUi5sTfipNcJXHhgz
      6BKYDl0/UP0lLKbsUETXeTGDiDpxZYIgbcFrRDDkHC6BSvdWVEiH5b9mH2BON60z
      0O0j8EEKTwi9jnafVtZQXP/D8yoVowdFDjXcKkOPF/1gIh9qrFR6GdoPVgB3SkLc
      5ulBqZaCHm563jsvWb/kXJnlFxW+1bsO9BDD6DweBcGdNurgmH625wBXksSdD7y/
      fakk8DagjbjKShYlPEFOAqEcliwjF45eabL0t27MJV61O/jHzHL3dknXeE4BDa2j
      bA+JbyJeUMtU7KMsxvx82RmhqBEJJDBCJ3scVptvhDMRrtqDBW5JShxoAOcpFQGm
      iYWicn46nPDjgTU0bX1ZPpTpryXbvciVL5RkVBuyX2ntcOLDPlZWgxZCBp96x07F
      AnOzKgZk4RzZPNAxCXERVxajn/FLcOhglVAKo5H0ac+AitlQ0ip55D2/mf8o72tM
      fVQ6VpyjEXdiIXWUq/o=
      -----END CERTIFICATE-----
      

      You can also download the certificate directly from Cloudflare here.

      Copy this certificate.

      Then create the file /etc/ssl/cloudflare.crt file to hold Cloudflare’s certificate:

      • sudo nano /etc/ssl/cloudflare.crt

      Add the certificate to the file. Then save the file and exit the editor.

      Now update your Nginx configuration to use TLS Authenticated Origin Pulls. Open the configuration file for your domain:

      • sudo nano /etc/nginx/sites-available/your_domain

      Add the ssl_client_certificate and ssl_verify_client directives as shown in the following example:

      /etc/nginx/sites-available/your_domain

      . . .
      
      server {
      
          # SSL configuration
      
          listen 443 ssl http2;
          listen [::]:443 ssl http2;
          ssl        on;
          ssl_certificate         /etc/ssl/cert.pem;
          ssl_certificate_key     /etc/ssl/key.pem;
          ssl_client_certificate /etc/ssl/cloudflare.crt;
          ssl_verify_client on;
      
          . . .
      

      Save the file and exit the editor.

      Next, test to make sure that there are no syntax errors in your Nginx configuration:

      If no problems were found, restart Nginx to enable your changes:

      • sudo systemctl restart nginx

      Finally, to enable Authenticated Pulls, open the SSL/TLS section in the Cloudflare dashboard, navigate to the Origin Server tab and toggle the Authenticated Origin Pulls option .

      Enable Authenticated Origin Pulls

      Now visit your website at https://your_domain to verify that it was set up properly. As before, you’ll see your home page displayed.

      To verify that your server will only accept requests signed by Cloudflare’s CA, toggle the Authenticated Origin Pulls option to disable it and then reload your website. You should get the following error message :

      Error message

      Your origin server raises an error if a request is not signed by Cloudflare’s CA.

      Note: Most browsers will cache requests, so to see the above change you can use Incognito/Private browsing mode in your browser. To prevent Cloudflare from caching requests while you set up your website, navigate to Overview in the Cloudflare dashboard and toggle Development Mode.

      Now that you know it works properly, return to the SSL/TLS section in the Cloudflare dashboard, navigate to the Origin Server tab and toggle the Authenticated Origin Pulls option again to enable it.

      Conclusion

      In this tutorial you secured your Nginx-powered website by encrypting traffic between Cloudflare and the Nginx server using an Origin CA certificate from Cloudflare. You then set up Authenticated Origin Pulls on the Nginx server to ensure that it only accepts requests from Cloudflare’s servers, preventing anyone else from directly connecting to the Nginx server.



      Source link