Cloudflare ensures that visitors browsing your site do so in a secure, private and encrypted manner using SSL/TLS. This is done by default for all sites added to Cloudflare. It is also recommended that Cloudflare communicate with your origin server over a secure connection. This involves installing an SSL certificate at your origin and configuring Nginx to use HTTPS instead of HTTP.
You can read more about SSL/TLS here: https://www.cloudflare.com/learning/ssl/what-is-ssl/. Now let’s configure our Raspberry Pi to make its first SSL handshake…
It’s now time to witness first-hand the magic that is Argo-Tunnel. First, let’s go through some pre-requisite reading here: https://developers.cloudflare.com/argo-tunnel/quickstart/.
We now need to download the correct Cloudflared client compiled for Raspberry Pi. The official client for Pi can be found here: https://developers.cloudflare.com/argo-tunnel/downloads/. However, there is a problem when using this version with a Pi Zero. Instead, you’ll need to get a correctly compiled client here: https://hobin.ca/cloudflared.
You are now ready to start digging your first tunnels!
It’s finally time to get hands-on with Cloudflare. However, we first need to go through some pre-requisites:
First, here is a traditional configuration without Cloudflare:
Having configured Raspbian and UFW, we are now ready to install software which will host our content. The two main options are Apache and Nginx. Apache is more prevalent, with more than 60% market share. However, Nginx is considered to be more resource efficient. This is particularly relevant for our underpowered Raspberry Pi.
We can use apt-get to download and install Nginx. We will simultaneously install a variant of PHP called PHP-fpm. PHP is a scripting language which can be embedded in HTML. Scripts are executed on the web server, and the resulting HTML is passed to the client to be rendered. Our Content Management System (or CMS), which we will install later on, uses PHP to display content.
You can think of Nginx as a waiter at a restaurant who takes down your order, passes this to the kitchen, and then returns with your food once ready.
We will divide our tasks into several blog posts over the coming weeks. However, it is important to visualise what we are trying to accomplish. The diagram below illustrates how our Raspberry Pi cluster and Cloudflare work together to provide visitors with the best possible browsing experience.
Layers interact with each other, forming a complete stack of necessary services. The Raspberry Pi has all the components needed to host and serve content. Cloudflare sits in the middle between our Pi and our visitors, replacing traditional network hardware such as routers, firewalls and load balancers. Our hardware is hidden behind Cloudflare, while our content is now accelerated, secured, and fault tolerant.
I’ve always been interested in tinkering with Raspberry Pi, but was put off by the size, power requirements, and necessity to know my way around Linux. Arduino micro-controllers, on the other hand, are easier to interface with various sensors, since there is no operating system, and everything is programmed in C through an IDE. They are also much smaller and consume far less power.
However, there are many things that Raspberry Pi can do beyond being a cheap desktop computer. I recently changed jobs and started working at Cloudflare. The technologies are completely new to me, having spent the last 20 years with Active Directory, Exchange, and SharePoint. I had no idea about the Linux web-hosting world of Apache/Nginx, SSL, CDN, etc.
I started off with building Debian VMs but wanted something a bit more tactile. I then picked up a Raspberry Pi Zero W. This tiny thing is a full Linux computer capable of pretty much anything. I quickly learnt my way around Linux basics, installed Apache, and propped up a basic “hello world” website. This is a great proof of concept exercise to show what’s possible with something so small. However, it isn’t really production ready, nor scalable to handle real-world visitors to your site. It’s not fast, nor secure, and cannot be configured for high availability.