Claude 43b8d3b01b docs: Add Vaultwarden, LuckPerms MySQL, and Cloudflare proxy configurations
- Vaultwarden SMTP configured and tested
- Holly and Meg invited to Vaultwarden
- Firefrost Gaming organization created
- LuckPerms MySQL database ready (credentials stored in Vaultwarden)
- 11 web services added to Cloudflare proxy for DDoS protection
- vault.firefrostgaming.com SSL warning resolved
- Comprehensive troubleshooting guides included

All services documented and operational. Ready for Holly's mod deployment.
2026-03-27 02:23:33 +00:00


# Cloudflare Proxy Configuration

**Domain:** firefrostgaming.com

**Cloudflare Account:** [Account details]

**Last Updated:** 2026-03-27

---
## SSL/TLS Configuration
**Encryption Mode:** Full (strict)
**Benefits:**
- Traffic encrypted on both hops (browser ↔ Cloudflare and Cloudflare ↔ origin server); Cloudflare terminates TLS at the edge, so it is a trusted intermediary rather than a true end-to-end tunnel
- Origin server SSL certificates validated
- Maximum security posture
**Requirements:**
- Origin servers must have valid SSL certificates
- Certificates must match the subdomain
- Can use Cloudflare Origin Certificates (15-year validity)
---
## Proxied Subdomains (Orange Cloud ☁️)
### Web Services (15 total)
All public-facing web services route through Cloudflare proxy for DDoS protection, SSL management, and performance:
1. **firefrostgaming.com** (64.50.188.14 - Ghost VPS)
    - Main website
    - Ghost CMS
2. **www.firefrostgaming.com** (CNAME → firefrostgaming.com)
    - WWW subdomain
    - Cloudflare Origin Certificate required
3. **billing.firefrostgaming.com** (38.68.14.188 - Billing VPS)
    - Paymenter billing portal
    - Public customer access
4. **code.firefrostgaming.com** (74.63.218.202)
    - Code-Server web IDE
    - Staff/developer access
    - **Added to proxy:** 2026-03-27
5. **codex.firefrostgaming.com** (38.68.14.26 - TX1)
    - Dify RAG system
    - AI knowledge base
    - **Added to proxy:** 2026-03-27
6. **docs.firefrostgaming.com** (64.50.188.14 - Ghost VPS)
    - Nextcloud file storage
    - **Added to proxy:** 2026-03-27
7. **git.firefrostgaming.com** (63.143.34.217 - Command Center)
    - Gitea code repository
    - **Added to proxy:** 2026-03-27
8. **n8n.firefrostgaming.com** (38.68.14.26 - TX1)
    - n8n workflow automation
    - **Added to proxy:** 2026-03-27
9. **pokerole.firefrostgaming.com** (64.50.188.14 - Ghost VPS)
    - Wiki.js (Pokérole TTRPG wiki)
    - Public wiki access
    - **Added to proxy:** 2026-03-27
10. **staff.firefrostgaming.com** (64.50.188.14 - Ghost VPS)
    - Wiki.js (staff wiki)
    - Internal documentation
    - **Added to proxy:** 2026-03-27
11. **status.firefrostgaming.com** (63.143.34.217 - Command Center)
    - Uptime Kuma status page
    - **Added to proxy:** 2026-03-27
12. **subscribers.firefrostgaming.com** (64.50.188.14 - Ghost VPS)
    - Wiki.js (subscriber wiki)
    - Member-only content
    - **Added to proxy:** 2026-03-27
13. **tasks.firefrostgaming.com** (38.68.14.26 - TX1)
    - Plane project management
    - **Added to proxy:** 2026-03-27
14. **vault.firefrostgaming.com** (63.143.34.217 - Command Center)
    - Vaultwarden password manager
    - **Added to proxy:** 2026-03-27
    - **Fixed:** SSL certificate warning resolved
15. **webmail.firefrostgaming.com** (38.68.14.188 - Billing VPS)
    - Mailcow webmail interface
    - **Added to proxy:** 2026-03-27
---
## DNS-Only Subdomains (Gray Cloud ☁️)
### Email Services (MUST be DNS-only)
1. **mail.firefrostgaming.com** (38.68.14.188 - Billing VPS)
    - Mailcow email server
    - SMTP/IMAP/POP3 protocols
    - **Must NOT be proxied** - email protocols require a direct connection
2. **autoconfig.firefrostgaming.com** (CNAME → mail.firefrostgaming.com)
    - Thunderbird auto-configuration
    - Email client setup
3. **autodiscover.firefrostgaming.com** (CNAME → mail.firefrostgaming.com)
    - Outlook auto-discovery
    - Email client setup
### Infrastructure Services
1. **panel.firefrostgaming.com** (45.94.168.138 - Panel VPS)
    - Pterodactyl Panel
    - **Must NOT be proxied** - Wings nodes connect directly
    - WebSocket connections for real-time console
    - Large file transfers (game server files)
2. **downloads.firefrostgaming.com** (64.50.188.14 - Ghost VPS)
    - Large file downloads (modpacks >100MB)
    - **Must NOT be proxied** - Cloudflare has file size limits
    - Direct download is faster and cheaper
3. **us.nc1.firefrostgaming.com** (216.239.104.130 - NC1 Charlotte)
    - Direct server access
    - Infrastructure endpoint
4. **us.tx1.firefrostgaming.com** (38.68.14.26 - TX1 Dallas)
    - Direct server access
    - Infrastructure endpoint
### Game Servers (24 subdomains - all DNS-only)
**All Minecraft servers MUST be DNS-only:**
- Game protocols require direct UDP/TCP connections
- Cloudflare proxy doesn't support Minecraft protocol
- SRV records require direct DNS resolution
**TX1 Dallas Servers:**
- allthemons.firefrostgaming.com (38.68.14.30)
- foundry.firefrostgaming.com (38.68.14.26)
- rad2.firefrostgaming.com (38.68.14.26)
- stoneblock4.firefrostgaming.com (38.68.14.26)
- vanilla.firefrostgaming.com (38.68.14.26)
- createplus.firefrostgaming.com (38.68.14.26)
- arseclectica.firefrostgaming.com (38.68.14.26)
**NC1 Charlotte Servers:**
- reclamation.firefrostgaming.com (38.68.14.27)
- society.firefrostgaming.com (38.68.14.28)
- emberproject.firefrostgaming.com (216.239.104.130)
- minecolonies.firefrostgaming.com (216.239.104.130)
- homestead.firefrostgaming.com (216.239.104.130)
- emcsubterratech.firefrostgaming.com (216.239.104.130)
- atm10.firefrostgaming.com (216.239.104.130)
- atm10tts.firefrostgaming.com (216.239.104.130)
- atmons.firefrostgaming.com (216.239.104.130)
- aocc.firefrostgaming.com (216.239.104.130)
- hytale.firefrostgaming.com (216.239.104.130)
- mayview.firefrostgaming.com (216.239.104.130)
- mythcraft5.firefrostgaming.com (216.239.104.130)
- vanilla121.firefrostgaming.com (38.68.14.29)
---
## Benefits of Cloudflare Proxy
### Security
1. **DDoS Protection**
    - Absorbs attacks before they reach origin servers
    - Unmetered DDoS mitigation
    - Protects against Layer 3, 4, and 7 attacks
2. **IP Address Hiding**
    - Origin server IPs hidden from public DNS for proxied records
    - Prevents direct attacks on infrastructure
    - Reduces server reconnaissance
    - Only effective while no DNS-only record (a game server, `downloads.`, `us.tx1.`) resolves to the same origin IP, and while the origin firewall accepts web traffic from Cloudflare's ranges only
3. **SSL/TLS Management**
    - Cloudflare manages the edge certificate presented to browsers
    - Automatic renewal
    - Modern cipher suites
    - TLS 1.3 support
4. **Web Application Firewall (WAF)**
    - Blocks common exploits
    - SQL injection protection
    - XSS prevention
    - Rate limiting
### Performance
1. **Global CDN**
    - Static assets cached worldwide
    - Reduced latency for global users
    - Faster page loads
2. **Bandwidth Savings**
    - Cached content served from Cloudflare edge
    - Reduces origin server bandwidth
    - Lower hosting costs
3. **Always Online**
    - Cached version served during origin downtime
    - Improved reliability
4. **Brotli Compression**
    - Automatic compression
    - Faster page loads
    - Reduced bandwidth
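The IP-hiding benefit above only holds while no gray-cloud record resolves to the same address as an orange-cloud one, and the record list on this page shares several VPS addresses between the two kinds (64.50.188.14 serves proxied `docs.`/`staff.` and DNS-only `downloads.`). The audit script below is an added example, not part of the operations manual: it reads a record list in an assumed `hostname ip proxied|dns-only` format (the embedded sample is constructed from this page's own records) and reports every origin IP whose proxied hostnames are also published through a DNS-only record. On a real zone, feed it an export of the records instead of the sample.

```shell
#!/bin/sh
# Audit: which origin IPs are "hidden" behind the proxy yet still published
# by a DNS-only record on the same zone?  Added example, not the manual's code.
#
# Input: one record per line, "<hostname> <ipv4> <proxied|dns-only>"
# (format is an assumption of this example).

# CONSTRUCTED sample, modelled on this page's record list.
SAMPLE_RECORDS='
docs.firefrostgaming.com 64.50.188.14 proxied
staff.firefrostgaming.com 64.50.188.14 proxied
downloads.firefrostgaming.com 64.50.188.14 dns-only
codex.firefrostgaming.com 38.68.14.26 proxied
us.tx1.firefrostgaming.com 38.68.14.26 dns-only
foundry.firefrostgaming.com 38.68.14.26 dns-only
billing.firefrostgaming.com 38.68.14.188 proxied
mail.firefrostgaming.com 38.68.14.188 dns-only
git.firefrostgaming.com 63.143.34.217 proxied
vault.firefrostgaming.com 63.143.34.217 proxied
code.firefrostgaming.com 74.63.218.202 proxied
'

# Read records on stdin; print one line per origin IP that has BOTH proxied
# and DNS-only hostnames:  "<ip> proxied=<a,b> exposed_by=<c,d>".
# IPs that only appear with proxied records (63.143.34.217, 74.63.218.202
# in the sample) are genuinely hidden and produce no output.
find_exposed_origins() {
    awk 'NF == 3 {
            if ($3 == "proxied")
                proxied[$2] = proxied[$2] ? proxied[$2] "," $1 : $1
            else if ($3 == "dns-only")
                direct[$2] = direct[$2] ? direct[$2] "," $1 : $1
         }
         END {
            for (ip in proxied)
                if (ip in direct)
                    printf "%s proxied=%s exposed_by=%s\n", ip, proxied[ip], direct[ip]
         }' | LC_ALL=C sort
}

# Number of exposed origin IPs in the constructed sample (self-check helper).
count_exposed_sample() {
    printf '%s\n' "$SAMPLE_RECORDS" | find_exposed_origins | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_RECORDS" | find_exposed_origins
```

Each reported line is a decision point: either the DNS-only service moves to a host that carries no proxied sites, or the origin firewall restricts 80/443 to Cloudflare's ranges so that knowing the address yields nothing for the web services.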
---
## Decision Matrix: Proxy vs DNS-Only
### When to Enable Proxy (Orange Cloud)
**Use Cases:**
- Public web interfaces (admin panels, portals, websites)
- HTTP/HTTPS traffic only
- Want DDoS protection
- Want global CDN caching
- Want to hide origin server IP
- Small to medium file sizes (<100MB)
**Examples:**
- Ghost CMS website
- Vaultwarden password manager
- Gitea code repository
- Wiki.js instances
- Paymenter billing portal
### When to Use DNS-Only (Gray Cloud)
**Use Cases:**
- Email servers (SMTP, IMAP, POP3)
- Game servers (Minecraft, etc.)
- Large file downloads (>100MB)
- Infrastructure endpoints needing direct access
- Services with WebSocket-heavy requirements
- API endpoints with strict timeout requirements
**Examples:**
- mail.firefrostgaming.com
- panel.firefrostgaming.com (Wings direct connection)
- downloads.firefrostgaming.com
- All Minecraft game servers
---
## SSL Certificate Requirements
### Proxied Subdomains
**Options:**
1. **Cloudflare Origin Certificate (Recommended)**
    - Generate in Cloudflare dashboard
    - 15-year validity
    - Supports wildcards (*.firefrostgaming.com)
    - Free
    - Trusted only by Cloudflare (suitable for proxied hostnames, not DNS-only ones)
2. **Let's Encrypt**
    - 90-day validity (auto-renewal required)
    - Free
    - Publicly trusted
    - Works for both proxied and DNS-only
3. **Commercial Certificate**
    - 1-year validity
    - Publicly trusted
    - Cost varies
### DNS-Only Subdomains
**Requirements:**
- MUST use publicly trusted certificates
- Let's Encrypt recommended
- Cloudflare Origin Certificates won't work (not publicly trusted)
**Current Status:**
- mail.firefrostgaming.com: Let's Encrypt ✅
- panel.firefrostgaming.com: (check certificate status)
- vault.firefrostgaming.com: Let's Encrypt (expires May 14, 2026) ✅
---
## Troubleshooting
### "Dangerous Site" Warning
**Symptoms:** Chrome/Firefox shows SSL warning when accessing proxied subdomain
**Cause:** Origin server doesn't have valid SSL certificate for that subdomain
**Solution:**
1. Generate Cloudflare Origin Certificate
2. Install on origin server
3. Update Nginx to use new certificate
4. Reload Nginx
**Example Fix (vault.firefrostgaming.com):**
```bash
# On the origin server: the Let's Encrypt certificate for this hostname
# already exists, so no new certificate was needed.
ls /etc/letsencrypt/live/vault.firefrostgaming.com/
# Then enable the Cloudflare proxy (orange cloud) for the record in the
# DNS settings and wait about 5 minutes for propagation before testing:
curl -I https://vault.firefrostgaming.com
```
### 521 Error (Web Server Down)
**Symptoms:** "Error 521: Web server is down"
**Cause:** Origin server not responding on proxied port
**Checks:**
1. Service running on origin server
2. Nginx/Apache listening on correct port
3. Firewall allows Cloudflare IPs
4. Origin server not blocking Cloudflare
**Solution:**
```bash
# Check service status
systemctl status nginx
# Check port listening
netstat -tlnp | grep :80
netstat -tlnp | grep :443
# Allow Cloudflare IPs (if using UFW)
# https://www.cloudflare.com/ips/
```
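The check "Firewall allows Cloudflare IPs" and the bare comment "Allow Cloudflare IPs (if using UFW)" above deserve the actual commands, because the same rule set is what makes the proxy meaningful: if the origin accepts 80/443 from anywhere, anyone who learns its address talks to it directly and the WAF, rate limiting and DDoS absorption never see that traffic. The script below is an added example, not the manual's own configuration. It turns a list of Cloudflare CIDRs into UFW rules that admit web traffic only from those ranges, and into an Nginx snippet that restores the visitor address from `CF-Connecting-IP` (otherwise origin access logs and anything reading them, such as fail2ban, see only Cloudflare edge addresses). The embedded ranges are a constructed sample so the script runs offline; `fetch_ranges` pulls the live lists from the URL the page already cites, and the `/etc/nginx/conf.d/` path is the usual drop-in location rather than anything this manual specifies.

```shell
#!/bin/sh
# Origin-side hardening for a proxied (orange cloud) hostname.
# Added example, not part of the operations manual.
#
# 1. UFW rules accepting 80/443 ONLY from Cloudflare's published ranges, so
#    the proxy cannot be bypassed by connecting to the origin IP directly.
# 2. An Nginx snippet restoring the visitor address from CF-Connecting-IP,
#    so access logs, rate limits and fail2ban see the client, not the edge.
#
# Live ranges: https://www.cloudflare.com/ips-v4 and /ips-v6 (the URL cited
# on this page). SAMPLE_RANGES is a CONSTRUCTED subset so the script runs
# offline; on a real host use fetch_ranges instead.

SAMPLE_RANGES='
173.245.48.0/20
103.21.244.0/22
2400:cb00::/32
'

# Print the current Cloudflare ranges, one CIDR per line (needs network).
fetch_ranges() {
    curl -fsS https://www.cloudflare.com/ips-v4; echo
    curl -fsS https://www.cloudflare.com/ips-v6; echo
}

# Keep only lines that look like a v4 or v6 CIDR; drops blanks and noise
# so nothing unexpected ends up inside a firewall rule.
only_cidrs() {
    grep -E '^[0-9a-fA-F:.]+/[0-9]+$'
}

# Emit ufw commands for the CIDRs on stdin. They are printed, not executed,
# so they can be reviewed before being piped into sh on the origin.
ufw_rules() {
    only_cidrs | while IFS= read -r cidr; do
        printf 'ufw allow proto tcp from %s to any port 80,443 comment "cloudflare"\n' "$cidr"
    done
    # Anything not matched above is dropped by the default incoming policy.
    printf 'ufw default deny incoming\n'
}

# Emit an Nginx real-IP snippet for the CIDRs on stdin
# (e.g. save as /etc/nginx/conf.d/cloudflare-real-ip.conf, then reload).
nginx_real_ip() {
    only_cidrs | while IFS= read -r cidr; do
        printf 'set_real_ip_from %s;\n' "$cidr"
    done
    printf 'real_ip_header CF-Connecting-IP;\n'
}

# Self-check helper: number of allow rules generated from the sample.
sample_rule_count() {
    printf '%s\n' "$SAMPLE_RANGES" | ufw_rules | grep -c '^ufw allow'
}

printf '%s\n' "$SAMPLE_RANGES" | ufw_rules
echo
printf '%s\n' "$SAMPLE_RANGES" | nginx_real_ip
```

Run it as a cron job or in configuration management with `fetch_ranges` in place of the sample: Cloudflare's ranges change occasionally, and a stale allow-list produces exactly the 521/522 symptoms described in this section. Keep SSH reachable through a separate rule before applying the deny policy.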
### 522 Error (Connection Timed Out)
**Symptoms:** "Error 522: Connection timed out"
**Cause:** Cloudflare can't connect to origin server
**Checks:**
1. Origin server firewall blocking Cloudflare
2. Origin server IP correct in DNS
3. Origin server online
**Solution:**
1. Verify A record points to correct IP
2. Ensure firewall allows Cloudflare IP ranges
3. Check origin server is responding
### 526 Error (Invalid SSL Certificate)
**Symptoms:** "Error 526: Invalid SSL certificate"
**Cause:** SSL/TLS mode is Full (strict) but origin certificate is invalid
**Solution:**
1. Install valid SSL certificate on origin
2. OR temporarily set SSL/TLS mode to "Full" (not recommended)
3. OR use Cloudflare Origin Certificate
---
## Monitoring
### Check Proxy Status
**Cloudflare Dashboard:**
1. Select domain (firefrostgaming.com)
2. Go to DNS → Records
3. Check cloud icon color:
    - **Orange** = Proxied ✅
    - **Gray** = DNS Only
### Verify SSL
**Test SSL configuration:**
```bash
# Test from external location
curl -I https://vault.firefrostgaming.com
openssl s_client -connect vault.firefrostgaming.com:443 -servername vault.firefrostgaming.com
```
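The two commands above negotiate with Cloudflare's edge, so they only ever show the edge certificate, which is always valid; a 526 or a "Dangerous Site" warning on a proxied hostname is about the certificate the origin presents behind the proxy. The added example below (not from the manual) performs the check Cloudflare itself performs in Full (strict) mode: connect to the origin IP directly with SNI set to the public hostname, then reduce the chain verification result, issuer, expiry and hostname match to one status line. `CA_FILE`, for the Cloudflare Origin CA root when the origin uses an Origin Certificate, is an assumed environment variable of this example, and the two embedded outputs are constructed samples that exercise the summary function offline.

```shell
#!/bin/sh
# Check the certificate the ORIGIN serves for a proxied hostname.
# Added example, not part of the operations manual.
#
# Through the proxy, curl and openssl only see Cloudflare's edge certificate.
# A 526 or a browser warning is about the origin certificate, so connect to
# the origin IP directly with SNI set to the public hostname; that is what
# Cloudflare validates in Full (strict) mode.
#
# Usage (needs network):
#   sh check-origin-cert.sh vault.firefrostgaming.com 63.143.34.217
# Optional: CA_FILE=/path/to/origin_ca_root.pem when the origin uses a
# Cloudflare Origin Certificate, which no system trust store knows
# (variable name and path are ASSUMPTIONS of this example).

check_origin_cert() {
    host=$1; ip=$2; port=${3:-443}
    raw=$(printf '' | openssl s_client -connect "$ip:$port" -servername "$host" \
              ${CA_FILE:+-CAfile "$CA_FILE"} 2>/dev/null)
    # Chain verification result as seen by the TLS client ...
    verify=$(printf '%s\n' "$raw" | grep -m1 'Verify return code')
    # ... plus issuer, expiry and hostname match read from the leaf certificate.
    leaf=$(printf '%s\n' "$raw" | openssl x509 -noout -issuer -enddate -checkhost "$host" 2>/dev/null)
    printf '%s\n%s\n' "$verify" "$leaf" | summarize_cert
}

# Reduce the combined output (stdin) to one line:
#   OK|<issuer>|<notAfter>                    chain trusted and name matches
#   FAIL:verify=<code>[,host-mismatch]|...    what Cloudflare turns into a 526
summarize_cert() {
    awk '
        /Verify return code:/        { code = $0; sub(/.*code: */, "", code); sub(/ .*/, "", code) }
        /^ *issuer=/                 { sub(/^ *issuer=/, ""); issuer = $0 }
        /^ *notAfter=/               { sub(/^ *notAfter=/, ""); expires = $0 }
        /does NOT match certificate/ { mismatch = 1 }
        END {
            if (code == "0" && !mismatch) {
                status = "OK"
            } else {
                status = "FAIL:verify=" code
                if (mismatch) status = status ",host-mismatch"
            }
            printf "%s|%s|%s\n", status, issuer, expires
        }'
}

# CONSTRUCTED samples of the combined output, for offline demonstration:
# a healthy Let's Encrypt origin and a self-signed placeholder certificate.
SAMPLE_OK="    Verify return code: 0 (ok)
issuer=C = US, O = Let's Encrypt, CN = R3
notAfter=May 14 00:00:00 2026 GMT
Hostname vault.firefrostgaming.com does match certificate"

SAMPLE_BAD="    Verify return code: 21 (unable to verify the first certificate)
issuer=CN = localhost
notAfter=Jan  1 00:00:00 2027 GMT
Hostname vault.firefrostgaming.com does NOT match certificate"

printf '%s\n' "$SAMPLE_OK"  | summarize_cert
printf '%s\n' "$SAMPLE_BAD" | summarize_cert
if [ $# -ge 2 ]; then check_origin_cert "$@"; fi
```

A `FAIL` line maps directly onto the 526 section: the origin needs a certificate that is either publicly trusted or issued by the Cloudflare Origin CA, and whose names cover the subdomain being proxied. Running this for each proxied hostname from the "Current Status" list also catches an expiring Let's Encrypt certificate before the browser warning reappears.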
### Analytics
**Cloudflare Analytics Dashboard:**
- Traffic volume per subdomain
- Bandwidth savings from caching
- Threats blocked
- Cache hit ratio
---
## Related Documentation
- [Nginx Reverse Proxy Configuration](../infrastructure/nginx-proxy-configuration.md)
- [SSL Certificate Management](../infrastructure/ssl-certificates.md)
- [Vaultwarden Configuration](vaultwarden-configuration.md)
- [Mailcow Configuration](mailcow-configuration.md)
---
**Last Updated:** 2026-03-27
**Documented By:** The Verifier (Chronicler #42)
**Changes:** Added 11 web services to Cloudflare proxy, fixed vault.firefrostgaming.com SSL warning