diff --git a/DEPLOY.md b/DEPLOY.md
index cb0812a..6d71b7a 100644
--- a/DEPLOY.md
+++ b/DEPLOY.md
@@ -55,8 +55,10 @@ Verified house pattern — this deploy follows it exactly:
 | A | `api` | `213.239.213.217` | Proxied (🟠) |
 | A | `www` | `213.239.213.217` | Proxied (🟠) |
 
-**SSL/TLS mode:** **Full**. (The origin serves HTTP on :80, like the other apps
-on this box. Never use **Flexible**.)
+**SSL/TLS mode:** **Full**. The origin nginx vhost listens on :443 with a
+self-signed cert (step 5), so Cloudflare↔origin is encrypted. Never use
+**Flexible**. For **Full (strict)**, replace the self-signed cert with a
+Cloudflare Origin Certificate.
 
 ---
 
@@ -118,11 +120,18 @@ Health check: `curl http://127.0.0.1:4000/health` → `{"ok":true,...}`.
 
 ---
 
-## 5. nginx vhost **[server]**
+## 5. nginx vhost + origin cert **[server]**
 
-`infra/nginx/buildmymcpserver.conf` is ready. Install it on the host nginx:
+The vhost serves :80 and :443; the :443 listener needs an origin certificate.
+A self-signed cert is enough for Cloudflare **Full** mode:
 
 ```bash
+mkdir -p /etc/ssl/buildmymcpserver
+openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
+ -keyout /etc/ssl/buildmymcpserver/origin.key \
+ -out /etc/ssl/buildmymcpserver/origin.crt \
+ -subj "/CN=buildmymcpserver.com"
+
 cp /opt/buildmymcpserver/infra/nginx/buildmymcpserver.conf \
 /etc/nginx/sites-available/buildmymcpserver
 ln -sf /etc/nginx/sites-available/buildmymcpserver \
@@ -131,8 +140,7 @@ nginx -t && systemctl reload nginx
 ```
 
 `nginx -t` must pass before the reload — a reload of a bad config is rejected,
-so the other live sites are never at risk. The vhost is `listen 80` only;
-Cloudflare provides TLS.
+so the other live sites are never at risk.
 
 ---
 
diff --git a/infra/nginx/buildmymcpserver.conf b/infra/nginx/buildmymcpserver.conf
index ad8886a..5a961c1 100644
--- a/infra/nginx/buildmymcpserver.conf
+++ b/infra/nginx/buildmymcpserver.conf
@@ -1,18 +1,24 @@
 # nginx vhost for buildmymcpserver.com — install on the host nginx:
-# scp this to /etc/nginx/sites-available/buildmymcpserver
+# cp this to /etc/nginx/sites-available/buildmymcpserver
 # ln -s /etc/nginx/sites-available/buildmymcpserver /etc/nginx/sites-enabled/
 # nginx -t && systemctl reload nginx
 #
-# TLS is terminated by Cloudflare (proxied DNS records). The origin serves
-# plain HTTP on :80 — same pattern as the other Cloudflare-fronted apps here.
-# Set the Cloudflare SSL/TLS mode to "Full" for this zone.
+# Serves both :80 and :443. The :443 listener uses a self-signed origin cert
+# (see DEPLOY.md) so Cloudflare can run in "Full" mode — TLS all the way to the
+# origin — instead of "Flexible" (plaintext origin hop). For "Full (strict)",
+# swap the self-signed cert for a Cloudflare Origin Certificate.
 
 # --- Web app: buildmymcpserver.com ---
 server {
 listen 80;
 listen [::]:80;
+ listen 443 ssl;
+ listen [::]:443 ssl;
 server_name buildmymcpserver.com www.buildmymcpserver.com;
 
+ ssl_certificate /etc/ssl/buildmymcpserver/origin.crt;
+ ssl_certificate_key /etc/ssl/buildmymcpserver/origin.key;
+
 client_max_body_size 12M;
 
 location / {
@@ -33,8 +39,13 @@ server {
 server {
 listen 80;
 listen [::]:80;
+ listen 443 ssl;
+ listen [::]:443 ssl;
 server_name api.buildmymcpserver.com;
 
+ ssl_certificate /etc/ssl/buildmymcpserver/origin.crt;
+ ssl_certificate_key /etc/ssl/buildmymcpserver/origin.key;
+
 client_max_body_size 12M;
 
 # Build-log WebSocket stream (/v1/builds/:id/stream) — needs the upgrade
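Review bot: The new header comment's "TLS all the way to the origin" overstates what the added `listen 443 ssl` lines deliver, because this server block and the api block in the second hunk both keep `listen 80` / `listen [::]:80`, so a visitor request that reaches Cloudflare over plain HTTP is still proxied to the origin over the unencrypted :80 hop in Full mode. Either enable the zone's "Always Use HTTPS" setting or have a separate :80-only server block answer `return 301 https://$host$request_uri;`, and record the choice in the comment, e.g. `# :80 is still plaintext; Cloudflare "Always Use HTTPS" must be on so HTTP visitors are redirected before the origin hop.` The `ssl_certificate_key` line points at a key that DEPLOY.md's `openssl req -keyout` step creates under the default umask, which typically leaves it world-readable — that step should `chmod 600 /etc/ssl/buildmymcpserver/origin.key` (or create the directory with a restrictive mode first). Neither block sets `ssl_protocols`, so the listeners inherit nginx's default set, which on older releases still includes TLS 1.0/1.1; unless the host's nginx.conf already pins it, add `ssl_protocols TLSv1.2 TLSv1.3;` next to the certificate lines in both blocks.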