feat(deploy): nginx vhost serves :443 with a self-signed origin cert

Lets Cloudflare run in Full mode (encrypted Cloudflare<->origin) instead of Flexible (plaintext origin hop). Full (strict) is a later swap to a Cloudflare Origin Certificate. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 18:10:22 +02:00 · 2026-05-21 18:10:22 +02:00 · c016bf237b
commit c016bf237b
parent a288179954
2 changed files with 29 additions and 10 deletions
--- a/DEPLOY.md
+++ b/DEPLOY.md
@ -55,8 +55,10 @@ Verified house pattern — this deploy follows it exactly:
 | A    | `api` | `213.239.213.217`    | Proxied (🟠) |
 | A    | `www` | `213.239.213.217`    | Proxied (🟠) |
-**SSL/TLS mode:** **Full**. (The origin serves HTTP on :80, like the other apps
+**SSL/TLS mode:** **Full**. The origin nginx vhost listens on :443 with a
-on this box. Never use **Flexible**.)
+self-signed cert (step 5), so Cloudflare↔origin is encrypted. Never use
 **Flexible**. For **Full (strict)**, replace the self-signed cert with a
 Cloudflare Origin Certificate.
 ---
@ -118,11 +120,18 @@ Health check: `curl http://127.0.0.1:4000/health` → `{"ok":true,...}`.
 ---
-## 5. nginx vhost **[server]**
+## 5. nginx vhost + origin cert **[server]**
-`infra/nginx/buildmymcpserver.conf` is ready. Install it on the host nginx:
+The vhost serves :80 and :443; the :443 listener needs an origin certificate.
 A self-signed cert is enough for Cloudflare **Full** mode:
 ```bash
 mkdir -p /etc/ssl/buildmymcpserver
 openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -keyout /etc/ssl/buildmymcpserver/origin.key \
  -out    /etc/ssl/buildmymcpserver/origin.crt \
  -subj "/CN=buildmymcpserver.com"
 cp /opt/buildmymcpserver/infra/nginx/buildmymcpserver.conf \
   /etc/nginx/sites-available/buildmymcpserver
 ln -sf /etc/nginx/sites-available/buildmymcpserver \
@ -131,8 +140,7 @@ nginx -t && systemctl reload nginx
 ```
 `nginx -t` must pass before the reload — a reload of a bad config is rejected,
-so the other live sites are never at risk. The vhost is `listen 80` only;
+so the other live sites are never at risk.
 Cloudflare provides TLS.
 ---
--- a/infra/nginx/buildmymcpserver.conf
+++ b/infra/nginx/buildmymcpserver.conf
@ -1,18 +1,24 @@
 # nginx vhost for buildmymcpserver.com — install on the host nginx:
-#   scp this to /etc/nginx/sites-available/buildmymcpserver
+#   cp this to /etc/nginx/sites-available/buildmymcpserver
 #   ln -s /etc/nginx/sites-available/buildmymcpserver /etc/nginx/sites-enabled/
 #   nginx -t && systemctl reload nginx
 #
-# TLS is terminated by Cloudflare (proxied DNS records). The origin serves
+# Serves both :80 and :443. The :443 listener uses a self-signed origin cert
-# plain HTTP on :80 — same pattern as the other Cloudflare-fronted apps here.
+# (see DEPLOY.md) so Cloudflare can run in "Full" mode — TLS all the way to the
-# Set the Cloudflare SSL/TLS mode to "Full" for this zone.
+# origin — instead of "Flexible" (plaintext origin hop). For "Full (strict)",
 # swap the self-signed cert for a Cloudflare Origin Certificate.
 # --- Web app: buildmymcpserver.com ---
 server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name buildmymcpserver.com www.buildmymcpserver.com;
    ssl_certificate     /etc/ssl/buildmymcpserver/origin.crt;
    ssl_certificate_key /etc/ssl/buildmymcpserver/origin.key;
    client_max_body_size 12M;
    location / {
@ -33,8 +39,13 @@ server {
 server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name api.buildmymcpserver.com;
    ssl_certificate     /etc/ssl/buildmymcpserver/origin.crt;
    ssl_certificate_key /etc/ssl/buildmymcpserver/origin.key;
    client_max_body_size 12M;
    # Build-log WebSocket stream (/v1/builds/:id/stream) — needs the upgrade