# Cloudflare Proxy Configuration

**Domain:** firefrostgaming.com
**Cloudflare Account:** [Account details]
**Last Updated:** 2026-03-27

---

## SSL/TLS Configuration

**Encryption Mode:** Full (strict)

**Benefits:**

- End-to-end encryption (browser ↔ Cloudflare ↔ origin server)
- Origin server SSL certificates validated
- Maximum security posture

**Requirements:**

- Origin servers must have valid SSL certificates
- Certificates must match the subdomain
- Can use Cloudflare Origin Certificates (15-year validity)

---

## Proxied Subdomains (Orange Cloud ☁️)

### Web Services (15 total)

All public-facing web services route through the Cloudflare proxy for DDoS protection, SSL management, and performance:

1. **firefrostgaming.com** (64.50.188.14 - Ghost VPS)
   - Main website
   - Ghost CMS
2. **www.firefrostgaming.com** (CNAME → firefrostgaming.com)
   - WWW subdomain
   - Cloudflare Origin Certificate required
3. **billing.firefrostgaming.com** (38.68.14.188 - Billing VPS)
   - Paymenter billing portal
   - Public customer access
4. **code.firefrostgaming.com** (74.63.218.202)
   - Code-Server web IDE
   - Staff/developer access
   - **Added to proxy:** 2026-03-27
5. **codex.firefrostgaming.com** (38.68.14.26 - TX1)
   - Dify RAG system
   - AI knowledge base
   - **Added to proxy:** 2026-03-27
6. **docs.firefrostgaming.com** (64.50.188.14 - Ghost VPS)
   - Nextcloud file storage
   - **Added to proxy:** 2026-03-27
7. **git.firefrostgaming.com** (63.143.34.217 - Command Center)
   - Gitea code repository
   - **Added to proxy:** 2026-03-27
8. **n8n.firefrostgaming.com** (38.68.14.26 - TX1)
   - n8n workflow automation
   - **Added to proxy:** 2026-03-27
9. **pokerole.firefrostgaming.com** (64.50.188.14 - Ghost VPS)
   - Wiki.js (Pokérole TTRPG wiki)
   - Public wiki access
   - **Added to proxy:** 2026-03-27
10. **staff.firefrostgaming.com** (64.50.188.14 - Ghost VPS)
    - Wiki.js (staff wiki)
    - Internal documentation
    - **Added to proxy:** 2026-03-27
11. **status.firefrostgaming.com** (63.143.34.217 - Command Center)
    - Uptime Kuma status page
    - **Added to proxy:** 2026-03-27
12. **subscribers.firefrostgaming.com** (64.50.188.14 - Ghost VPS)
    - Wiki.js (subscriber wiki)
    - Member-only content
    - **Added to proxy:** 2026-03-27
13. **tasks.firefrostgaming.com** (38.68.14.26 - TX1)
    - Plane project management
    - **Added to proxy:** 2026-03-27
14. **vault.firefrostgaming.com** (63.143.34.217 - Command Center)
    - Vaultwarden password manager
    - **Added to proxy:** 2026-03-27
    - **Fixed:** SSL certificate warning resolved
15. **webmail.firefrostgaming.com** (38.68.14.188 - Billing VPS)
    - Mailcow webmail interface
    - **Added to proxy:** 2026-03-27

---

## DNS-Only Subdomains (Gray Cloud ☁️)

### Email Services (MUST be DNS-only)

1. **mail.firefrostgaming.com** (38.68.14.188 - Billing VPS)
   - Mailcow email server
   - SMTP/IMAP/POP3 protocols
   - **Must NOT be proxied** - email protocols require a direct connection
2. **autoconfig.firefrostgaming.com** (CNAME → mail.firefrostgaming.com)
   - Thunderbird auto-configuration
   - Email client setup
3. **autodiscover.firefrostgaming.com** (CNAME → mail.firefrostgaming.com)
   - Outlook auto-discovery
   - Email client setup

### Infrastructure Services

1. **panel.firefrostgaming.com** (45.94.168.138 - Panel VPS)
   - Pterodactyl Panel
   - **Must NOT be proxied** - Wings nodes connect directly
   - WebSocket connections for the real-time console
   - Large file transfers (game server files)
2. **downloads.firefrostgaming.com** (64.50.188.14 - Ghost VPS)
   - Large file downloads (modpacks >100MB)
   - **Must NOT be proxied** - Cloudflare has file size limits
   - Direct download is faster and cheaper
3. **us.nc1.firefrostgaming.com** (216.239.104.130 - NC1 Charlotte)
   - Direct server access
   - Infrastructure endpoint
4. **us.tx1.firefrostgaming.com** (38.68.14.26 - TX1 Dallas)
   - Direct server access
   - Infrastructure endpoint

### Game Servers (24 subdomains - all DNS-only)

**All Minecraft servers MUST be DNS-only:**

- Game protocols require direct UDP/TCP connections
- The Cloudflare proxy doesn't support the Minecraft protocol
- SRV records require direct DNS resolution

**TX1 Dallas Servers:**

- allthemons.firefrostgaming.com (38.68.14.30)
- foundry.firefrostgaming.com (38.68.14.26)
- rad2.firefrostgaming.com (38.68.14.26)
- stoneblock4.firefrostgaming.com (38.68.14.26)
- vanilla.firefrostgaming.com (38.68.14.26)
- createplus.firefrostgaming.com (38.68.14.26)
- arseclectica.firefrostgaming.com (38.68.14.26)

**NC1 Charlotte Servers:**

- reclamation.firefrostgaming.com (38.68.14.27)
- society.firefrostgaming.com (38.68.14.28)
- emberproject.firefrostgaming.com (216.239.104.130)
- minecolonies.firefrostgaming.com (216.239.104.130)
- homestead.firefrostgaming.com (216.239.104.130)
- emcsubterratech.firefrostgaming.com (216.239.104.130)
- atm10.firefrostgaming.com (216.239.104.130)
- atm10tts.firefrostgaming.com (216.239.104.130)
- atmons.firefrostgaming.com (216.239.104.130)
- aocc.firefrostgaming.com (216.239.104.130)
- hytale.firefrostgaming.com (216.239.104.130)
- mayview.firefrostgaming.com (216.239.104.130)
- mythcraft5.firefrostgaming.com (216.239.104.130)
- vanilla121.firefrostgaming.com (38.68.14.29)

---

## Benefits of Cloudflare Proxy

### Security

1. **DDoS Protection**
   - Absorbs attacks before they reach origin servers
   - Unmetered DDoS mitigation
   - Protects against Layer 3, 4, and 7 attacks
2. **IP Address Hiding**
   - Origin server IPs hidden from the public
   - Prevents direct attacks on infrastructure
   - Reduces server reconnaissance
3. **SSL/TLS Management**
   - Cloudflare manages the certificates presented to browsers
   - Automatic renewal
   - Modern cipher suites
   - TLS 1.3 support
4. **Web Application Firewall (WAF)**
   - Blocks common exploits
   - SQL injection protection
   - XSS prevention
   - Rate limiting

### Performance

1. **Global CDN**
   - Static assets cached worldwide
   - Reduced latency for global users
   - Faster page loads
2. **Bandwidth Savings**
   - Cached content served from the Cloudflare edge
   - Reduces origin server bandwidth
   - Lower hosting costs
3. **Always Online**
   - Cached version served during origin downtime
   - Improved reliability
4. **Brotli Compression**
   - Automatic compression
   - Faster page loads
   - Reduced bandwidth

---

## Decision Matrix: Proxy vs DNS-Only

### When to Enable Proxy (Orange Cloud)

**Use Cases:**

- Public web interfaces (admin panels, portals, websites)
- HTTP/HTTPS traffic only
- Want DDoS protection
- Want global CDN caching
- Want to hide the origin server IP
- Small to medium file sizes (<100MB)

**Examples:**

- Ghost CMS website
- Vaultwarden password manager
- Gitea code repository
- Wiki.js instances
- Paymenter billing portal

### When to Use DNS-Only (Gray Cloud)

**Use Cases:**

- Email servers (SMTP, IMAP, POP3)
- Game servers (Minecraft, etc.)
- Large file downloads (>100MB)
- Infrastructure endpoints needing direct access
- Services with WebSocket-heavy requirements
- API endpoints with strict timeout requirements

**Examples:**

- mail.firefrostgaming.com
- panel.firefrostgaming.com (Wings direct connection)
- downloads.firefrostgaming.com
- All Minecraft game servers

---

## SSL Certificate Requirements

### Proxied Subdomains

**Options:**

1. **Cloudflare Origin Certificate (Recommended)**
   - Generate in the Cloudflare dashboard
   - 15-year validity
   - Supports wildcards (*.firefrostgaming.com)
   - Free
   - Only trusted by Cloudflare (perfect for proxied subdomains)
2. **Let's Encrypt**
   - 90-day validity (auto-renewal required)
   - Free
   - Publicly trusted
   - Works for both proxied and DNS-only
3. **Commercial Certificate**
   - 1-year validity
   - Publicly trusted
   - Cost varies

### DNS-Only Subdomains

**Requirements:**

- MUST use publicly trusted certificates
- Let's Encrypt recommended
- Cloudflare Origin Certificates won't work (not publicly trusted)

**Current Status:**

- mail.firefrostgaming.com: Let's Encrypt ✅
- panel.firefrostgaming.com: (check certificate status)
- vault.firefrostgaming.com: Let's Encrypt (expires May 14, 2026) ✅

---

## Troubleshooting

### "Dangerous Site" Warning

**Symptoms:** Chrome/Firefox shows an SSL warning when accessing a proxied subdomain

**Cause:** The origin server doesn't have a valid SSL certificate for that subdomain

**Solution:**

1. Generate a Cloudflare Origin Certificate
2. Install it on the origin server
3. Update Nginx to use the new certificate
4. Reload Nginx

**Example Fix (vault.firefrostgaming.com):**

```bash
# On the origin server: a Let's Encrypt certificate already exists at
#   /etc/letsencrypt/live/vault.firefrostgaming.com/
ls /etc/letsencrypt/live/vault.firefrostgaming.com/

# Enable the Cloudflare proxy (orange cloud) for the record in DNS settings,
# then wait ~5 minutes for DNS propagation before testing.

# Test: the response should now come back via Cloudflare (cf-ray header present)
curl -sI https://vault.firefrostgaming.com | grep -iE '^(HTTP|cf-ray|server)'
```

### 521 Error (Web Server Down)

**Symptoms:** "Error 521: Web server is down"

**Cause:** The origin server is not responding on the proxied port

**Checks:**

1. Service running on the origin server
2. Nginx/Apache listening on the correct port
3. Firewall allows Cloudflare IPs
4. Origin server not blocking Cloudflare

**Solution:**

```bash
# Check service status
systemctl status nginx

# Check port listening (use `ss -tlnp` on hosts without net-tools)
netstat -tlnp | grep :80
netstat -tlnp | grep :443

# Allow Cloudflare IPs (if using UFW); the current ranges are published at
# https://www.cloudflare.com/ips/
```

### 522 Error (Connection Timed Out)

**Symptoms:** "Error 522: Connection timed out"

**Cause:** Cloudflare can't connect to the origin server

**Checks:**

1. Origin server firewall blocking Cloudflare
2. Origin server IP correct in DNS
3. Origin server online

**Solution:**

1. Verify the A record points to the correct IP
2. Ensure the firewall allows Cloudflare IP ranges
3. Check that the origin server is responding

### 526 Error (Invalid SSL Certificate)

**Symptoms:** "Error 526: Invalid SSL certificate"

**Cause:** SSL/TLS mode is Full (strict) but the origin certificate is invalid

**Solution:**

1. Install a valid SSL certificate on the origin
2. OR temporarily set the SSL/TLS mode to "Full" (not recommended)
3. OR use a Cloudflare Origin Certificate

---

## Monitoring

### Check Proxy Status

**Cloudflare Dashboard:**

1. Select the domain (firefrostgaming.com)
2. Go to DNS → Records
3. Check the cloud icon color:
   - **Orange** = Proxied ✅
   - **Gray** = DNS Only

### Verify SSL

**Test SSL configuration:**

```bash
# Test from an external location
curl -I https://vault.firefrostgaming.com
openssl s_client -connect vault.firefrostgaming.com:443 -servername vault.firefrostgaming.com
```

### Analytics

**Cloudflare Analytics Dashboard:**

- Traffic volume per subdomain
- Bandwidth savings from caching
- Threats blocked
- Cache hit ratio

---

## Related Documentation

- [Nginx Reverse Proxy Configuration](../infrastructure/nginx-proxy-configuration.md)
- [SSL Certificate Management](../infrastructure/ssl-certificates.md)
- [Vaultwarden Configuration](vaultwarden-configuration.md)
- [Mailcow Configuration](mailcow-configuration.md)

---

**Last Updated:** 2026-03-27
**Documented By:** The Verifier (Chronicler #42)
**Changes:** Added 11 web services to Cloudflare proxy, fixed vault.firefrostgaming.com SSL warning
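An added scripted check for the "Check Proxy Status" section and the "IP Address Hiding" benefit above (example code written for this page, not part of the original runbook): it takes an excerpt of the inventory documented here plus a set of DNS answers (here constructed; in practice collected with `dig +short`) and flags proxied hosts that do not resolve to a Cloudflare edge address, DNS-only hosts whose answer drifted from the documented origin, and origins that a DNS-only record publishes even though a proxied host shares them, which is the case where IP hiding gives no protection. The two Cloudflare ranges are a sample snapshot; load the live list from https://www.cloudflare.com/ips-v4 in production.

```python
import ipaddress

# Excerpt of the inventory in this document: (hostname, origin IP, proxied?)
INVENTORY = [
    ("firefrostgaming.com", "64.50.188.14", True),
    ("docs.firefrostgaming.com", "64.50.188.14", True),
    ("vault.firefrostgaming.com", "63.143.34.217", True),
    ("webmail.firefrostgaming.com", "38.68.14.188", True),
    ("tasks.firefrostgaming.com", "38.68.14.26", True),
    ("mail.firefrostgaming.com", "38.68.14.188", False),
    ("downloads.firefrostgaming.com", "64.50.188.14", False),
    ("panel.firefrostgaming.com", "45.94.168.138", False),
    ("us.tx1.firefrostgaming.com", "38.68.14.26", False),
]

# Sample snapshot of Cloudflare's published IPv4 ranges (not the full list).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]

# Constructed DNS answers: webmail deliberately resolves to its origin to
# simulate an orange cloud that was switched off.
SAMPLE_ANSWERS = {
    "firefrostgaming.com": "104.21.0.10", "docs.firefrostgaming.com": "104.21.0.10",
    "vault.firefrostgaming.com": "172.67.0.5", "webmail.firefrostgaming.com": "38.68.14.188",
    "tasks.firefrostgaming.com": "104.21.0.10", "mail.firefrostgaming.com": "38.68.14.188",
    "downloads.firefrostgaming.com": "64.50.188.14", "panel.firefrostgaming.com": "45.94.168.138",
    "us.tx1.firefrostgaming.com": "38.68.14.26",
}


def is_cloudflare(ip):
    """True if the address falls inside one of the known Cloudflare ranges."""
    return any(ipaddress.ip_address(ip) in net for net in CLOUDFLARE_V4)


def audit(inventory, answers):
    """Return a list of findings; an empty list means the inventory matches DNS."""
    findings = []
    for host, origin, proxied in inventory:
        seen = answers.get(host)
        if seen is None:
            findings.append(f"{host}: no DNS answer")
        elif proxied and not is_cloudflare(seen):
            findings.append(f"{host}: expected a Cloudflare edge IP, DNS returns {seen}")
        elif not proxied and seen != origin:
            findings.append(f"{host}: DNS returns {seen}, documented origin is {origin}")
    # An origin that any DNS-only record points at is public regardless of proxying.
    exposed = {origin for _, origin, proxied in inventory if not proxied}
    for host, origin, proxied in inventory:
        if proxied and origin in exposed:
            findings.append(f"{host}: origin {origin} is also published by a DNS-only record")
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY, SAMPLE_ANSWERS):
        print(finding)
```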