diff --git a/CLOUDFLARE_DNS_SETUP.md b/CLOUDFLARE_DNS_SETUP.md new file mode 100644 index 0000000..4f3beff --- /dev/null +++ b/CLOUDFLARE_DNS_SETUP.md @@ -0,0 +1,597 @@ +# Cloudflare DNS Configuration Guide + +**Domain**: mtd.runfoo.run +**Target**: nexus-vector (100.95.3.92) +**Job ID**: MTAD-IMPL-2025-11-18-CL +**Date**: 2025-11-18 + +--- + +## 🎯 QUICK START (5 minutes) + +### What You Need +- Cloudflare account (free tier works great) +- Domain: mtd.runfoo.run +- Target IP: 100.95.3.92 (nexus-vector) + +### 5-Step Setup + +1. **Add domain to Cloudflare** (1 min) +2. **Change nameservers** (1 min) +3. **Add DNS records** (2 min) +4. **Configure SSL/TLS** (1 min) + +**Total time**: ~5 minutes + +--- + +## 📋 STEP-BY-STEP SETUP + +### Step 1: Sign Up / Login to Cloudflare + +1. Go to https://dash.cloudflare.com +2. Create account or login with existing credentials +3. You're now in the Cloudflare dashboard + +### Step 2: Add Domain to Cloudflare + +1. Click **"Add a site"** button +2. Enter domain: `mtd.runfoo.run` +3. Click **"Add site"** +4. Select **"Free"** plan (or your preferred plan) +5. Click **"Continue"** + +Wait a few seconds for Cloudflare to scan your domain... + +### Step 3: Review Existing DNS Records + +Cloudflare will show existing DNS records. You should see something like: + +``` +Type | Name | Content | TTL +--------|-------------------|------------------|-------- +A | mtd.runfoo.run | 1.1.1.1 | Auto +``` + +**Delete or update existing records** - we'll create new ones. + +Click on any existing record and delete it with the trash icon. + +### Step 4: Change Nameservers (CRITICAL STEP) + +Cloudflare shows you 2 nameservers: + +``` +ns1.cloudflare.com +ns2.cloudflare.com +``` + +**You must change nameservers at your domain registrar** (wherever you bought mtd.runfoo.run): + +1. Log into your domain registrar (GoDaddy, Namecheap, etc.) +2. Find "Nameservers" or "DNS Management" +3. Replace existing nameservers with: + ``` + ns1.cloudflare.com + ns2.cloudflare.com + ``` +4. Save changes +5. Wait 10-48 hours for propagation (usually 30 min) + +**You can verify propagation**: +```bash +# Run this command to check nameservers +nslookup -type=NS mtd.runfoo.run +# Should show: ns1.cloudflare.com, ns2.cloudflare.com +``` + +### Step 5: Add DNS Records in Cloudflare + +In Cloudflare dashboard, click **"DNS"** in the left menu. + +#### Add Main A Record + +1. Click **"+ Add Record"** +2. Set: + - **Type**: A + - **Name**: mtd.runfoo.run (or just `@`) + - **IPv4 address**: 100.95.3.92 + - **TTL**: Auto (or 3600) + - **Proxy status**: **Proxied** (orange cloud) ⭐ IMPORTANT +3. Click **"Save"** + +#### Add WWW Subdomain (Optional) + +1. Click **"+ Add Record"** +2. Set: + - **Type**: A + - **Name**: www + - **IPv4 address**: 100.95.3.92 + - **TTL**: Auto + - **Proxy status**: **Proxied** +3. Click **"Save"** + +Your DNS records should now look like: + +``` +Type | Name | Content | TTL | Status +-----|-------------------|-------------|------|-------- +A | mtd.runfoo.run | 100.95.3.92 | Auto | Proxied +A | www | 100.95.3.92 | Auto | Proxied +``` + +### Step 6: Configure SSL/TLS + +1. Click **"SSL/TLS"** in left menu +2. Click **"Overview"** +3. Select **"Full (strict)"** mode + +This ensures Cloudflare encrypts traffic between users and Cloudflare, and between Cloudflare and your origin (nexus-vector). + +--- + +## 🔐 SSL/TLS Configuration Details + +### SSL/TLS Modes Explained + +| Mode | Cloudflare → Origin | Uses | Security | +|------|-------------------|------|----------| +| Off | No encryption | No | ⚠️ Not recommended | +| Flexible | No encryption | HTTP origin | ⚠️ Not recommended | +| Full | Self-signed OK | Any | ✅ Recommended | +| Full (Strict) | Valid cert required | HTTPS origin | ✅✅ Best | + +**We recommend: "Full (Strict)"** since your backend uses Let's Encrypt certificates. + +### How to Set + +1. Go to **SSL/TLS** → **Overview** +2. Select **"Full (strict)"** +3. Wait for automatic configuration + +--- + +## 🚀 ADVANCED CLOUDFLARE SETTINGS + +### Page Rules (Optional but Recommended) + +1. Click **"Rules"** → **"Page Rules"** +2. Click **"Create Page Rule"** + +#### Rule 1: Cache Everything for APIs + +``` +URL Pattern: mtd.runfoo.run/api/* +Actions: + - Cache Level: Bypass + - Browser Cache TTL: 30 minutes +``` + +This prevents caching of API responses (they change frequently). + +#### Rule 2: Security for Admin + +``` +URL Pattern: mtd.runfoo.run/admin/* +Actions: + - Security Level: High + - Challenge: On +``` + +Adds CAPTCHA for admin endpoints. + +### WAF (Web Application Firewall) + +1. Click **"Security"** → **"WAF"** +2. Enable **"OWASP ModSecurity Core Ruleset"** + +This protects against common web attacks (XSS, SQL injection, etc.). + +### Rate Limiting + +1. Click **"Security"** → **"Rate Limiting"** +2. Click **"Create Rate Limiting Rule"** + +``` +URL Pattern: mtd.runfoo.run/api/auth/* +Threshold: 10 requests per 10 seconds +Action: Block for 10 minutes +``` + +This prevents brute force attacks on authentication. + +--- + +## ✅ VERIFICATION CHECKLIST + +After setup, verify everything: + +### 1. DNS Propagation +```bash +# Check if nameservers updated (may take up to 48 hours) +nslookup -type=NS mtd.runfoo.run + +# Should show: +# nameserver = ns1.cloudflare.com +# nameserver = ns2.cloudflare.com +``` + +### 2. A Record Resolution +```bash +# Check if A record points to correct IP +nslookup mtd.runfoo.run + +# Should show: +# Address: 100.95.3.92 +``` + +### 3. HTTPS Accessibility +```bash +# Check if HTTPS works +curl -I https://mtd.runfoo.run/health + +# Should return 200 OK and security headers +``` + +### 4. Cloudflare Dashboard Checks + +In Cloudflare dashboard: + +- [ ] Domain shows "Active" (green checkmark) +- [ ] A records show as "Proxied" (orange cloud) +- [ ] SSL/TLS mode is "Full (Strict)" +- [ ] No DNS errors +- [ ] Traffic showing as proxied through Cloudflare + +### 5. API Endpoint Test +```bash +curl -I https://mtd.runfoo.run/api/v1/health + +# Expected response: +# HTTP/2 200 OK +# server: cloudflare +# cf-ray: +# content-type: application/json +``` + +--- + +## 🔧 COMMON ISSUES & FIXES + +### Issue: "DNS SERVFAIL" Error + +**Cause**: Nameservers not updated yet + +**Fix**: +1. Wait 24 hours for DNS propagation +2. Verify nameservers were changed at registrar +3. Use online tool to check: https://mxtoolbox.com/ + +### Issue: "SSL Certificate Error" + +**Cause**: SSL/TLS mode mismatch + +**Fix**: +1. Go to SSL/TLS → Overview +2. Change to "Full (strict)" +3. Wait 5 minutes for certificate validation +4. Try HTTPS connection again + +### Issue: Origin Server Unreachable + +**Cause**: Cloudflare can't reach backend + +**Fix**: +1. Verify backend is running on 100.95.3.92 +2. Check firewall allows Cloudflare IPs +3. Try accessing directly: `curl -I https://100.95.3.92/health` +4. Add Cloudflare IP ranges to firewall whitelist: + +```bash +# Cloudflare IPv4 ranges (whitelist these) +103.21.244.0/22 +103.22.200.0/22 +103.31.4.0/22 +# ... (complete list: https://www.cloudflare.com/ips/) +``` + +### Issue: Timeout Errors + +**Cause**: Cloudflare timeout settings too low + +**Fix**: +1. Go to **Network** → **Timeout** +2. Set to **30 seconds** or higher +3. Save + +### Issue: "Too Many Redirects" + +**Cause**: HTTP to HTTPS redirect loop + +**Fix**: +1. Ensure backend sends proper headers +2. Don't create redirect rules in Cloudflare +3. Let Cloudflare handle HTTPS automatically + +--- + +## 📊 CLOUDFLARE SETTINGS SUMMARY + +### Recommended Configuration + +``` +DNS: +├── A Record: mtd.runfoo.run → 100.95.3.92 (Proxied) +├── A Record: www → 100.95.3.92 (Proxied) +└── CNAME: api → mtd.runfoo.run (Proxied) + +SSL/TLS: +├── Mode: Full (Strict) +├── Minimum TLS Version: 1.2 +└── Certificate: Auto-managed by Cloudflare + +Security: +├── WAF: OWASP ModSecurity Core Ruleset Enabled +├── DDoS Protection: Advanced +├── Rate Limiting: 10 req/10s on /api/auth/* +└── Bot Management: Challenge (free tier) + +Performance: +├── Caching: Default +├── Minify: JavaScript, CSS, HTML +├── Brotli Compression: Enabled +└── HTTP/2: Enabled + +Rules: +├── Cache Bypass: /api/* (no caching) +├── Security High: /admin/* (CAPTCHA enabled) +└── Always HTTPS: Enabled +``` + +--- + +## 🌍 CUSTOM SUBDOMAIN SETUP (Optional) + +If you want subdomains like `api.mtd.runfoo.run`: + +### Add Subdomain A Record + +1. In DNS menu, click **"+ Add Record"** +2. Set: + - **Type**: A + - **Name**: api + - **IPv4 address**: 100.95.3.92 + - **Proxy status**: Proxied +3. Click **"Save"** + +Now `api.mtd.runfoo.run` will work! + +### Common Subdomains to Add + +``` +api.mtd.runfoo.run → 100.95.3.92 (API endpoints) +admin.mtd.runfoo.run → 100.95.3.92 (Admin panel) +docs.mtd.runfoo.run → 100.95.3.92 (API docs) +status.mtd.runfoo.run → 100.95.3.92 (Status page) +``` + +--- + +## 📈 MONITORING CLOUDFLARE + +### View Analytics + +1. Click **"Analytics"** in left menu +2. See real-time metrics: + - Requests (cached vs uncached) + - Bandwidth saved + - Security events + - Performance metrics + +### Set Up Alerts + +1. Click **"Notifications"** +2. Click **"Alert Policy"** +3. Create alerts for: + - Origin server down + - High error rate + - High traffic spike + - SSL/TLS certificate expiring + +--- + +## 🚀 NEXT STEPS AFTER DNS SETUP + +### 1. Verify Everything Works (immediately) +```bash +# Test HTTP redirect to HTTPS +curl -I http://mtd.runfoo.run +# Should redirect to HTTPS + +# Test HTTPS +curl -I https://mtd.runfoo.run/health +# Should return 200 OK +``` + +### 2. Update Backend Configuration (if needed) + +In `/srv/containers/mtad-api/.env`: + +```bash +# Add Cloudflare origin verification +TRUSTED_PROXIES=["0.0.0.0/0"] # Trust Cloudflare headers +``` + +### 3. Deploy Backend (if not done) + +Follow `DEPLOYMENT_GUIDE.md` to deploy FastAPI backend. + +### 4. Test Full Flow + +```bash +# Signup +curl -X POST https://mtd.runfoo.run/api/v1/auth/signup \ + -H "Content-Type: application/json" \ + -d '{"email":"test@example.com","password":"password123","display_name":"Test User"}' + +# Login +curl -X POST https://mtd.runfoo.run/api/v1/auth/login \ + -H "Content-Type: application/json" \ + -d '{"email":"test@example.com","password":"password123"}' +``` + +--- + +## 💡 CLOUDFLARE PRO TIPS + +### Tip 1: Use Cloudflare Page Rules Wisely +- Don't cache API endpoints (use Cache Level: Bypass) +- Cache static assets aggressively (1 month TTL) +- Use robots.txt to control crawling + +### Tip 2: Monitor Origin Performance +- Check Analytics → Origin status +- Cloudflare shows if origin is slow/down +- Adjust timeouts if needed + +### Tip 3: Use Cloudflare Workers (Advanced) +- Create serverless functions at edge +- Redirect traffic, modify headers, etc. +- Free tier includes 100,000 requests/day + +### Tip 4: Enable Auto HTTPS Rewrites +- In SSL/TLS → Edge Certificates +- Enable "Automatic HTTPS Rewrites" +- Fixes mixed content warnings + +### Tip 5: Use Cloudflare Tunnel (Advanced) +- Instead of exposing IP directly +- Securely connect origin behind NAT +- Premium feature but very secure + +--- + +## 📋 CLOUDFLARE SETUP CHECKLIST + +Before considering DNS fully configured: + +- [ ] Domain added to Cloudflare +- [ ] Nameservers changed at registrar +- [ ] A record created (mtd.runfoo.run → 100.95.3.92) +- [ ] A record set to "Proxied" (orange cloud) +- [ ] SSL/TLS mode set to "Full (strict)" +- [ ] DNS propagation verified (nslookup works) +- [ ] HTTPS accessible (curl https://mtd.runfoo.run works) +- [ ] API endpoints responding (curl https://mtd.runfoo.run/api/v1/health works) +- [ ] WAF rules enabled +- [ ] Rate limiting configured +- [ ] SSL certificate valid (https://crt.sh or browser check) +- [ ] Analytics showing traffic +- [ ] Alerts configured + +--- + +## 🔄 TROUBLESHOOTING FLOW + +``` +Problem occurs + ↓ +Check Cloudflare Dashboard + ↓ +Is domain "Active"? + ├─ No → Verify nameservers changed at registrar + └─ Yes ↓ +Check DNS record + ↓ +Is A record correct (100.95.3.92)? + ├─ No → Edit A record to 100.95.3.92 + └─ Yes ↓ +Is A record "Proxied"? + ├─ No → Click record, toggle to Proxied + └─ Yes ↓ +Check SSL/TLS mode + ↓ +Is mode "Full (strict)"? + ├─ No → Change to Full (strict) + └─ Yes ↓ +Is backend running? + ├─ No → Deploy backend (see DEPLOYMENT_GUIDE.md) + └─ Yes ↓ +Test connectivity + ↓ +Can you curl https://mtd.runfoo.run/health? + ├─ No → Check firewall, backend logs + └─ Yes ↓ +✅ Cloudflare DNS configured! +``` + +--- + +## 📞 SUPPORT RESOURCES + +- **Cloudflare Docs**: https://developers.cloudflare.com +- **DNS Propagation Checker**: https://mxtoolbox.com +- **SSL Checker**: https://www.ssllabs.com/ssltest +- **Status Page**: https://www.cloudflarestatus.com + +--- + +## 🎯 WHAT HAPPENS AFTER SETUP + +Once Cloudflare DNS is configured: + +1. **All traffic routes through Cloudflare** + - Users → Cloudflare → nexus-vector (100.95.3.92) + +2. **HTTPS is automatic** + - Cloudflare provides SSL/TLS + - Your backend also has SSL/TLS (Let's Encrypt) + - Double encryption for maximum security + +3. **Security features active** + - DDoS protection + - WAF protection + - Rate limiting + - Bot protection + +4. **Performance optimized** + - CDN caching + - Automatic compression + - HTTP/2 enabled + - Global edge network + +5. **Monitoring enabled** + - Real-time analytics + - Performance metrics + - Security events + - Uptime monitoring + +--- + +## ✅ SUCCESS CRITERIA + +You'll know DNS is properly configured when: + +✅ `nslookup mtd.runfoo.run` shows `100.95.3.92` +✅ `curl https://mtd.runfoo.run/health` returns 200 OK +✅ `curl https://mtd.runfoo.run/api/v1/health` returns API response +✅ Browser shows padlock icon (HTTPS) +✅ Cloudflare dashboard shows "Active" domain +✅ Analytics show incoming traffic +✅ SSL certificate is valid + +--- + +**Status**: Ready for Cloudflare configuration +**Estimated Time**: 5-10 minutes setup + 24-48 hours propagation +**Difficulty**: Easy (beginner-friendly) +**Support**: Cloudflare has excellent documentation + +--- + +**Job ID**: MTAD-IMPL-2025-11-18-CL +**Last Updated**: 2025-11-18 +**Domain**: mtd.runfoo.run +**Target**: nexus-vector (100.95.3.92) + +**Ready to configure Cloudflare? Start with Step 1! 🚀**