firefrost-operations-manual/docs/infrastructure/cloudflare-proxy-configuration.md
Claude 43b8d3b01b docs: Add Vaultwarden, LuckPerms MySQL, and Cloudflare proxy configurations
- Vaultwarden SMTP configured and tested
- Holly and Meg invited to Vaultwarden
- Firefrost Gaming organization created
- LuckPerms MySQL database ready (credentials stored in Vaultwarden)
- 11 web services added to Cloudflare proxy for DDoS protection
- vault.firefrostgaming.com SSL warning resolved
- Comprehensive troubleshooting guides included

All services documented and operational. Ready for Holly's mod deployment.
2026-03-27 02:23:33 +00:00


Cloudflare Proxy Configuration

Domain: firefrostgaming.com
Cloudflare Account: [Account details]
Last Updated: 2026-03-27


SSL/TLS Configuration

Encryption Mode: Full (strict)

Benefits:

  • End-to-end encryption (browser ↔ Cloudflare ↔ origin server)
  • Cloudflare validates the origin certificate (trusted issuer, not expired, hostname matches), so a host that merely answers on the origin IP cannot impersonate the service
  • Strongest of Cloudflare's modes: "Full" skips that validation and "Flexible" sends Cloudflare → origin traffic in plaintext, so neither is acceptable here

Requirements:

  • Origin servers must present a certificate that passes that validation (Let's Encrypt, or a Cloudflare Origin Certificate)
  • The certificate's SAN must cover the exact subdomain; a wildcard *.firefrostgaming.com covers one label (vault, git) but not two (us.tx1)
  • Cloudflare Origin Certificates are free, valid for up to 15 years, and trusted by Cloudflare's edge only

Proxied Subdomains (Orange Cloud ☁️)

Web Services (15 total)

All public-facing web services route through Cloudflare proxy for DDoS protection, SSL management, and performance:

  1. firefrostgaming.com (64.50.188.14 - Ghost VPS)

    • Main website
    • Ghost CMS
  2. www.firefrostgaming.com (CNAME → firefrostgaming.com)

    • WWW subdomain
    • The origin certificate must also cover www (wildcard or an extra SAN), otherwise Full (strict) returns Error 526 for this name
  3. billing.firefrostgaming.com (38.68.14.188 - Billing VPS)

    • Paymenter billing portal
    • Public customer access
  4. code.firefrostgaming.com (74.63.218.202)

    • Code-Server web IDE
    • Staff/developer access
    • Added to proxy: 2026-03-27
  5. codex.firefrostgaming.com (38.68.14.26 - TX1)

    • Dify RAG system
    • AI knowledge base
    • Added to proxy: 2026-03-27
  6. docs.firefrostgaming.com (64.50.188.14 - Ghost VPS)

    • Nextcloud file storage
    • Added to proxy: 2026-03-27
  7. git.firefrostgaming.com (63.143.34.217 - Command Center)

    • Gitea code repository
    • Added to proxy: 2026-03-27
  8. n8n.firefrostgaming.com (38.68.14.26 - TX1)

    • n8n workflow automation
    • Added to proxy: 2026-03-27
  9. pokerole.firefrostgaming.com (64.50.188.14 - Ghost VPS)

    • Wiki.js (Pokérole TTRPG wiki)
    • Public wiki access
    • Added to proxy: 2026-03-27
  10. staff.firefrostgaming.com (64.50.188.14 - Ghost VPS)

    • Wiki.js (staff wiki)
    • Internal documentation
    • Added to proxy: 2026-03-27
  11. status.firefrostgaming.com (63.143.34.217 - Command Center)

    • Uptime Kuma status page
    • Added to proxy: 2026-03-27
  12. subscribers.firefrostgaming.com (64.50.188.14 - Ghost VPS)

    • Wiki.js (subscriber wiki)
    • Member-only content
    • Added to proxy: 2026-03-27
  13. tasks.firefrostgaming.com (38.68.14.26 - TX1)

    • Plane project management
    • Added to proxy: 2026-03-27
  14. vault.firefrostgaming.com (63.143.34.217 - Command Center)

    • Vaultwarden password manager
    • Added to proxy: 2026-03-27
    • Fixed: SSL certificate warning resolved
  15. webmail.firefrostgaming.com (38.68.14.188 - Billing VPS)

    • Mailcow webmail interface
    • Added to proxy: 2026-03-27

DNS-Only Subdomains (Gray Cloud ☁️)

Email Services (MUST be DNS-only)

  1. mail.firefrostgaming.com (38.68.14.188 - Billing VPS)

    • Mailcow email server
    • SMTP/IMAP/POP3 protocols
    • Must NOT be proxied - the proxy forwards HTTP/HTTPS ports only, so SMTP/IMAP/POP3 (25, 465, 587, 993, 995) would never reach the server
  2. autoconfig.firefrostgaming.com (CNAME → mail.firefrostgaming.com)

    • Thunderbird auto-configuration
    • Email client setup
  3. autodiscover.firefrostgaming.com (CNAME → mail.firefrostgaming.com)

    • Outlook auto-discovery
    • Email client setup

Infrastructure Services

  1. panel.firefrostgaming.com (45.94.168.138 - Panel VPS)

    • Pterodactyl Panel
    • Must NOT be proxied - Wings nodes connect directly
    • WebSocket connections for real-time console
    • Large file transfers (game server files)
  2. downloads.firefrostgaming.com (64.50.188.14 - Ghost VPS)

    • Large file downloads (modpacks >100MB)
    • Must NOT be proxied - uploads through Cloudflare are capped (100 MB on the Free plan) and large downloads are not cached, so the proxy adds a hop without saving bandwidth
    • Direct download is faster and cheaper
  3. us.nc1.firefrostgaming.com (216.239.104.130 - NC1 Charlotte)

    • Direct server access
    • Infrastructure endpoint
  4. us.tx1.firefrostgaming.com (38.68.14.26 - TX1 Dallas)

    • Direct server access
    • Infrastructure endpoint

Game Servers (21 listed below - all DNS-only)

All Minecraft servers MUST be DNS-only:

  • Players connect straight to the game port (TCP 25565 by default for Java Edition, UDP for Bedrock); the Cloudflare proxy forwards HTTP/HTTPS only
  • The orange-cloud proxy does not speak the Minecraft protocol (Cloudflare Spectrum, which can front raw TCP/UDP, is a separate product)
  • SRV records point at a hostname that must resolve to the real server IP, so the target record cannot be proxied

TX1 Dallas Servers:

  • allthemons.firefrostgaming.com (38.68.14.30)
  • foundry.firefrostgaming.com (38.68.14.26)
  • rad2.firefrostgaming.com (38.68.14.26)
  • stoneblock4.firefrostgaming.com (38.68.14.26)
  • vanilla.firefrostgaming.com (38.68.14.26)
  • createplus.firefrostgaming.com (38.68.14.26)
  • arseclectica.firefrostgaming.com (38.68.14.26)

NC1 Charlotte Servers:

  • reclamation.firefrostgaming.com (38.68.14.27)
  • society.firefrostgaming.com (38.68.14.28)
  • emberproject.firefrostgaming.com (216.239.104.130)
  • minecolonies.firefrostgaming.com (216.239.104.130)
  • homestead.firefrostgaming.com (216.239.104.130)
  • emcsubterratech.firefrostgaming.com (216.239.104.130)
  • atm10.firefrostgaming.com (216.239.104.130)
  • atm10tts.firefrostgaming.com (216.239.104.130)
  • atmons.firefrostgaming.com (216.239.104.130)
  • aocc.firefrostgaming.com (216.239.104.130)
  • hytale.firefrostgaming.com (216.239.104.130)
  • mayview.firefrostgaming.com (216.239.104.130)
  • mythcraft5.firefrostgaming.com (216.239.104.130)
  • vanilla121.firefrostgaming.com (38.68.14.29)

Benefits of Cloudflare Proxy

Security

  1. DDoS Protection

    • Absorbs attacks before they reach origin servers
    • Unmetered DDoS mitigation
    • Protects against Layer 3, 4, and 7 attacks
  2. IP Address Hiding

    • Proxied hostnames resolve to Cloudflare edge addresses, not to the origin
    • Only effective if the origin firewall accepts 80/443 from Cloudflare's published ranges alone; anyone who learns the IP otherwise bypasses the proxy and every protection listed here
    • In this zone the origin IPs are still published by DNS-only records on the same hosts: downloads.firefrostgaming.com (Ghost VPS 64.50.188.14), mail.firefrostgaming.com (Billing VPS 38.68.14.188), us.tx1.firefrostgaming.com and the game servers (TX1 38.68.14.26). Treat proxying as reducing casual reconnaissance, not as hiding the infrastructure
  3. SSL/TLS Management

    • Cloudflare issues and renews the edge certificate that browsers see (Universal SSL)
    • Automatic renewal, modern cipher suites, TLS 1.3
    • The origin certificate is still yours to renew; Full (strict) fails with Error 526 when it lapses
  4. Web Application Firewall (WAF)

    • Blocks common exploits
    • SQL injection protection
    • XSS prevention
    • Rate limiting
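The "IP Address Hiding" point above only holds when no DNS-only record points at the same host. The following Python script is an added example, not tooling from this runbook: it classifies what a hostname resolves to (Cloudflare edge versus origin) and lists every origin whose address a DNS-only record still publishes, which doubles as a scriptable version of the "Check Proxy Status" step under Monitoring. The record table is constructed from the tables in this document; the Cloudflare range list is a snapshot and the assumption is that you refresh it from https://www.cloudflare.com/ips-v4 before relying on it. resolve_and_classify() is a helper name chosen here.

```python
"""Proxy exposure audit for a Cloudflare zone (added example, not the runbook's own tooling)."""
import ipaddress
import socket

# Snapshot of Cloudflare's published IPv4 edge ranges. Assumption: refresh this
# from https://www.cloudflare.com/ips-v4 before use; the list changes occasionally.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# (hostname, origin IP, proxied?) constructed from the tables in this document.
RECORDS = [
    ("firefrostgaming.com", "64.50.188.14", True),
    ("docs.firefrostgaming.com", "64.50.188.14", True),
    ("downloads.firefrostgaming.com", "64.50.188.14", False),
    ("billing.firefrostgaming.com", "38.68.14.188", True),
    ("webmail.firefrostgaming.com", "38.68.14.188", True),
    ("mail.firefrostgaming.com", "38.68.14.188", False),
    ("vault.firefrostgaming.com", "63.143.34.217", True),
    ("git.firefrostgaming.com", "63.143.34.217", True),
    ("codex.firefrostgaming.com", "38.68.14.26", True),
    ("n8n.firefrostgaming.com", "38.68.14.26", True),
    ("us.tx1.firefrostgaming.com", "38.68.14.26", False),
    ("panel.firefrostgaming.com", "45.94.168.138", False),
]


def is_cloudflare(ip: str) -> bool:
    """True if ip lies inside one of Cloudflare's published edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def classify(resolved_ip: str, expected_origin: str) -> str:
    """Interpret what public DNS returned for a hostname.

    proxied  - resolves to a Cloudflare edge address (orange cloud)
    dns-only - resolves straight to the documented origin (gray cloud)
    mismatch - resolves somewhere else: stale record or wrong A record
    """
    if is_cloudflare(resolved_ip):
        return "proxied"
    if ipaddress.ip_address(resolved_ip) == ipaddress.ip_address(expected_origin):
        return "dns-only"
    return "mismatch"


def exposed_origins(records) -> dict:
    """Map origin IP -> sorted DNS-only hostnames that publish it, restricted to
    origins that also serve at least one proxied hostname. On those hosts the
    proxy hides nothing unless the firewall admits Cloudflare ranges only."""
    proxied, dns_only = set(), {}
    for host, ip, is_proxied in records:
        if is_proxied:
            proxied.add(ip)
        else:
            dns_only.setdefault(ip, []).append(host)
    return {ip: sorted(hosts) for ip, hosts in dns_only.items() if ip in proxied}


def resolve_and_classify(records):
    """Live check (needs network): compare public DNS with the documented state.
    Returns (hostname, resolved IP, observed state, matches documentation)."""
    report = []
    for host, origin, is_proxied in records:
        resolved = socket.gethostbyname(host)
        state = classify(resolved, origin)
        expected = "proxied" if is_proxied else "dns-only"
        report.append((host, resolved, state, state == expected))
    return report


if __name__ == "__main__":
    for ip, hosts in exposed_origins(RECORDS).items():
        print(f"{ip} is published by DNS-only records: {', '.join(hosts)}")
```

Run it after every DNS change: an origin that appears in the output must have its firewall restricted to Cloudflare ranges on 80/443 (see the 521 section), because the proxy is not concealing it.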

Performance

  1. Global CDN

    • Static assets cached worldwide
    • Reduced latency for global users
    • Faster page loads
  2. Bandwidth Savings

    • Cached content served from Cloudflare edge
    • Reduces origin server bandwidth
    • Lower hosting costs
  3. Always Online

    • Cached version served during origin downtime
    • Improved reliability
  4. Brotli Compression

    • Automatic compression
    • Faster page loads
    • Reduced bandwidth

Decision Matrix: Proxy vs DNS-Only

When to Enable Proxy (Orange Cloud)

Use Cases:

  • Public web interfaces (admin panels, portals, websites)
  • HTTP/HTTPS traffic only
  • Want DDoS protection
  • Want global CDN caching
  • Want to hide origin server IP
  • Uploads under Cloudflare's request body limit (100 MB on the Free plan)

Examples:

  • Ghost CMS website
  • Vaultwarden password manager
  • Gitea code repository
  • Wiki.js instances
  • Paymenter billing portal

When to Use DNS-Only (Gray Cloud)

Use Cases:

  • Email servers (SMTP, IMAP, POP3)
  • Game servers (Minecraft, etc.)
  • Large file downloads (>100MB)
  • Infrastructure endpoints needing direct access
  • Services whose responses can exceed Cloudflare's 100-second origin response timeout (Error 524)
  • Anything that is not HTTP/HTTPS: the proxy forwards only a fixed set of HTTP ports

Examples:

  • mail.firefrostgaming.com
  • panel.firefrostgaming.com (Wings direct connection)
  • downloads.firefrostgaming.com
  • All Minecraft game servers

SSL Certificate Requirements

Proxied Subdomains

Options:

  1. Cloudflare Origin Certificate (Recommended)

    • Generate in Cloudflare dashboard
    • 15-year validity
    • Supports wildcards (*.firefrostgaming.com)
    • Free
    • Only trusted by Cloudflare (perfect for proxied)
  2. Let's Encrypt

    • 90-day validity (auto-renewal required)
    • Free
    • Publicly trusted
    • Works for both proxied and DNS-only
    • Behind the proxy, HTTP-01 renewals must reach the origin through Cloudflare on port 80, so the origin firewall must still admit Cloudflare's ranges; DNS-01 via the Cloudflare API avoids that dependency
  3. Commercial Certificate

    • 1-year validity
    • Publicly trusted
    • Cost varies

DNS-Only Subdomains

Requirements:

  • MUST use publicly trusted certificates
  • Let's Encrypt recommended
  • Cloudflare Origin Certificates won't work (not publicly trusted)

Current Status (origin certificates; vault is proxied, so its certificate is the one Full (strict) validates):

  • mail.firefrostgaming.com: Let's Encrypt
  • panel.firefrostgaming.com: (check certificate status)
  • vault.firefrostgaming.com: Let's Encrypt (expires May 14, 2026; renewal must succeed through the proxy before then)

Troubleshooting

"Dangerous Site" Warning

Symptoms: Chrome/Firefox shows SSL warning when accessing proxied subdomain

Cause: Origin server doesn't have valid SSL certificate for that subdomain

Solution:

  1. Generate Cloudflare Origin Certificate
  2. Install on origin server
  3. Update Nginx to use new certificate
  4. Reload Nginx

Example Fix (vault.firefrostgaming.com):

# On origin server
# Certificate already exists at: /etc/letsencrypt/live/vault.firefrostgaming.com/
# Enable Cloudflare proxy (orange cloud) in DNS settings
# Wait 5 minutes for DNS propagation
# Test: https://vault.firefrostgaming.com

521 Error (Web Server Down)

Symptoms: "Error 521: Web server is down"

Cause: Origin server not responding on proxied port

Checks:

  1. Service running on origin server
  2. Nginx/Apache listening on correct port
  3. Firewall allows Cloudflare IPs
  4. Origin server not blocking Cloudflare

Solution:

# Check service status
systemctl status nginx

# Check port listening (ss replaces the deprecated netstat)
ss -tlnp | grep -E ':(80|443) '

# Allow Cloudflare ranges on the proxied ports only (if using UFW)
# Current ranges: https://www.cloudflare.com/ips/
for cidr in $(curl -fsS https://www.cloudflare.com/ips-v4); do
  ufw allow proto tcp from "$cidr" to any port 80,443
done
ufw status numbered

522 Error (Connection Timed Out)

Symptoms: "Error 522: Connection timed out"

Cause: Cloudflare can't connect to origin server

Checks:

  1. Origin server firewall blocking Cloudflare
  2. Origin server IP correct in DNS
  3. Origin server online

Solution:

  1. Verify A record points to correct IP
  2. Ensure firewall allows Cloudflare IP ranges
  3. Check origin server is responding

526 Error (Invalid SSL Certificate)

Symptoms: "Error 526: Invalid SSL certificate"

Cause: SSL/TLS mode is Full (strict) but the origin certificate fails validation (expired, self-signed, wrong hostname, or issued by a CA Cloudflare does not trust)

Solution:

  1. Install a valid certificate on the origin (check expiry and SAN with the openssl commands under Verify SSL)
  2. OR use a Cloudflare Origin Certificate
  3. Downgrading to "Full" makes the error disappear only because Full skips certificate validation, which lets anyone on the Cloudflare → origin path impersonate the server; use it as a short diagnostic at most, never as the fix

Monitoring

Check Proxy Status

Cloudflare Dashboard:

  1. Select domain (firefrostgaming.com)
  2. Go to DNS → Records
  3. Check cloud icon color:
    • Orange = Proxied
    • Gray = DNS Only

Verify SSL

Test SSL configuration:

# Test from an external location (this exercises the Cloudflare edge certificate, not the origin's)
curl -I https://vault.firefrostgaming.com
openssl s_client -connect vault.firefrostgaming.com:443 -servername vault.firefrostgaming.com </dev/null | openssl x509 -noout -subject -dates
# Test the origin certificate the way Full (strict) does: connect to the origin IP, send the subdomain as SNI
openssl s_client -connect 63.143.34.217:443 -servername vault.firefrostgaming.com </dev/null | openssl x509 -noout -issuer -subject -dates
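The curl and openssl commands above tell you what the browser sees; a 526 is decided by what Cloudflare sees at the origin. The Python script below is an added example, not part of this runbook: it connects to the origin IP directly with the subdomain as SNI, verifies the chain and hostname exactly as the edge would, and reports how many days remain, so the "expires May 14, 2026" line above can be checked by a cron job rather than by memory. The sample certificate dictionary is constructed in the shape ssl.getpeercert() returns and is not a captured certificate; check_origin() and its origin_ca_file parameter are names chosen here, and the assumption for Cloudflare Origin Certificates is that you pass the Origin CA root through that parameter, since the system trust store does not contain it.

```python
"""Origin certificate check that mirrors Full (strict) validation (added example)."""
import socket
import ssl
from datetime import datetime, timezone


def san_covers(hostname: str, names) -> bool:
    """Exact SAN match, or a wildcard that covers exactly one label
    (so *.firefrostgaming.com covers vault but not us.tx1)."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def days_remaining(not_after: str, now: datetime) -> int:
    """not_after is the getpeercert() string, e.g. 'May 14 23:59:59 2026 GMT'."""
    expiry_ts = ssl.cert_time_to_seconds(not_after)
    return int((expiry_ts - now.timestamp()) // 86400)


def evaluate_cert(hostname: str, cert: dict, now: datetime, warn_days: int = 14) -> dict:
    """Summarise a parsed certificate by the properties a 526 depends on."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    days = days_remaining(cert["notAfter"], now)
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    return {
        "hostname_ok": san_covers(hostname, names),
        "days_remaining": days,
        "expiring_soon": days < warn_days,
        "issuer": issuer.get("organizationName"),
    }


def check_origin(hostname: str, origin_ip: str, port: int = 443,
                 origin_ca_file=None, timeout: float = 5.0) -> dict:
    """Live check (needs network). Connects to the origin IP, bypassing Cloudflare,
    with the subdomain as SNI. The default context verifies the chain against the
    system CAs and checks the hostname, which is what Full (strict) requires; a
    failure raises ssl.SSLCertVerificationError, the same condition that shows as
    Error 526. For a Cloudflare Origin Certificate pass the Origin CA root as
    origin_ca_file (assumption: downloaded separately), as it is not in the system store."""
    ctx = ssl.create_default_context(cafile=origin_ca_file)
    with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return evaluate_cert(hostname, tls.getpeercert(), datetime.now(timezone.utc))


# Constructed sample in the shape getpeercert() returns, using the expiry this
# runbook records for vault.firefrostgaming.com; not a captured certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "vault.firefrostgaming.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "subjectAltName": (("DNS", "vault.firefrostgaming.com"),),
    "notAfter": "May 14 23:59:59 2026 GMT",
}
SAMPLE_NOW = datetime(2026, 3, 27, tzinfo=timezone.utc)  # this document's last update

if __name__ == "__main__":
    print(evaluate_cert("vault.firefrostgaming.com", SAMPLE_CERT, SAMPLE_NOW))
    # Live: check_origin("vault.firefrostgaming.com", "63.143.34.217")
```

Because the connection goes to the origin IP rather than the proxied hostname, the script must run from a host the origin firewall admits (the origin itself, or an address you have allowed alongside the Cloudflare ranges); a timeout from elsewhere is the firewall doing its job, not a certificate problem.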

Analytics

Cloudflare Analytics Dashboard:

  • Traffic volume per subdomain
  • Bandwidth savings from caching
  • Threats blocked
  • Cache hit ratio


Last Updated: 2026-03-27
Documented By: The Verifier (Chronicler #42)
Changes: Added 11 web services to Cloudflare proxy, fixed vault.firefrostgaming.com SSL warning