Prerequisites
You should already have your Apache server configured and serving web pages for your domain. We have several guides to help you set up an Apache web server from scratch on Ubuntu 18.04.
1. Generate Cert and Private Key
Log in to Cloudflare and navigate to the Crypto page.
Scroll down to Origin Certificates and click Create Certificate.
In Origin Certificate Installation, the defaults should be Private Key Type: RSA with 15 years validity. Click Next.
In the next screen, the Key format should be PEM (default) and Web Server for Installation: Apache httpd.
Copy your Origin Certificate and Private Key to a text editor for later. We will need to paste these into Linux.
Finally, click OK to close.
2. Copy Cert and Key to Server
Create a new directory where our Cert and Key will reside.
sudo mkdir -p /etc/cloudflare/Using nano text editor, create a new file example.com.pem (where example.com is your own domain).
sudo nano /etc/cloudflare/example.com.pemNow paste in your Origin Certificate from Cloudflare. Save file and exit. (Press CTRL + X, press Y and then press ENTER)
Create a new file example.com.key (where example.com is your own domain).
sudo nano /etc/cloudflare/example.com.keyPaste in your Private Key from Cloudflare. Save file and exit. (Press CTRL + X, press Y and then press ENTER)
3. Configure Apache
Open the Apache configuration file for your domain. This is usually located in /etc/apache2/sites-available/
sudo nano /etc/apache2/sites-available/example.com.confThere should already be a block for <VirtualHost *:80>. You need to add a new block underneath it for SSL port 443. You can also add a rewrite condition in your port 80 block to redirect all requests to https.
Below is an example.
<VirtualHost *:80>
ServerAdmin [email protected]
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com [OR]
RewriteCond %{SERVER_NAME} =www.example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
ServerAdmin [email protected]example.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/cloudflare/example.com.pem
SSLCertificateKeyFile /etc/cloudflare/example.com.key
</VirtualHost>
Save file and exit. (Press CTRL + X, press Y and then press ENTER)
Test the configuration syntax for errors.
apachectl configtestYou can ignore any errors that say Could not reliably determine the server’s fully qualified domain name
If you see Syntax OK, restart Apache.
sudo systemctl restart apache2Note, it can take 5 or 10 minutes for Cloudflare to deploy certs.
Make sure that SSL in Cloudflare is set to Full (Strict).
Getting the Real Client IP Address from Cloudflare in Apache
While you’re still here.. I recently wrote an article which may be of interest to you.
As may or may not know, when you enable Cloudflare on your site, the IP address that appears in your Apache access and error logs is that of the Cloudflare proxy and not the real client’s IP. As you can imagine, this is a security concern should you ever need to audit your logs or use IP restrictions with .htaccess.
Thankfully, Cloudflare sends the real client IP in the HTTP headers as CF-Connecting-IP, and you can configure Apache to use this IP in your logs instead of Cloudflare’s proxy IP.
Let me know in the comments if this helped. Follow me on Twitter, Facebook and YouTube.
p.s. I increased my AdSense revenue by 68% using AI 🤖. Read my Ezoic review to find out how.
5.00 (3 votes)
Great walkthrough. On the final step I was running into a “Invalid command ‘SSLEngine'” error, needed to run “sudo a2enmod ssl” to fix this.
Great, thanks for that.