← Galaxy / notesorg-wide / engineering-docs-operations-cloudflare-dns

Cloudflare DNS — v1 records for `*.jaan.to`

engineering-docs-operations-cloudflare-dns · in engineering/docs/operations · org-wide · updated 2026-06-01 10:19

Frontmatter

lang
en
imported_at
2026-06-01T10:19:42.641Z
source_path
productgalaxy/docs/operations/CLOUDFLARE-DNS.md
source_repo
productgalaxy
tags
#engineering#operations#imported

Cloudflare DNS — v1 records for *.jaan.to

The v1 deploy uses DNS-only mode (grey cloud, not proxied). Caddy on the VPS terminates TLS directly via Let's Encrypt HTTP-01. Cloudflare is just the DNS authority.

Why grey-cloud and not orange-cloud?

Concern Grey-cloud (chosen) Orange-cloud (deferred)
TLS termination Caddy → LE prod CA Cloudflare edge cert
Real client IP at Caddy direct ({remote_host}) requires trusted_proxies cloudflare + CF-Connecting-IP parsing
MCP Streamable HTTP works risks buffering / SSE-style streams cut by CF proxy
WebSocket / HTTP/3 works works (with Cloudflare premium)
DDoS shielding none yes

For v1 we accept the lack of edge shielding; we can flip individual records to orange-cloud later without changing Caddy if we set trusted_proxies cloudflare back in Caddyfile.prod first.

Records to add

Add these in the Cloudflare dashboard → jaan.to zone → DNS → Records:

Type Name Content Proxy TTL
A galaxy 31.97.192.253 DNS only (grey) Auto
A mcp.galaxy 31.97.192.253 DNS only (grey) Auto
A docs.galaxy 31.97.192.253 DNS only (grey) Auto

That is it. Three A records, all pointing at the same VPS, all grey-cloud.

If jaan.to is on Cloudflare's nameservers already (likely — that's how you set up *.jaan.to), no NS changes are needed.

Hostnames the records produce

  • galaxy.jaan.to → Next.js admin shell + REST API
  • mcp.galaxy.jaan.to → MCP Streamable HTTP server
  • docs.galaxy.jaan.to → Astro Starlight reading site

Optional record (only if you want apex coverage)

You probably don't need this for v1, but if you ever want https://jaan.to itself to redirect to galaxy.jaan.to, set up a Cloudflare Page Rule on the apex — don't add another A record here, that would shadow whatever already serves the apex.

Verifying the records

After saving each record, from your laptop:

dig +short galaxy.jaan.to        # expect: 31.97.192.253
dig +short mcp.galaxy.jaan.to    # expect: 31.97.192.253
dig +short docs.galaxy.jaan.to   # expect: 31.97.192.253

Cloudflare propagation is usually under 60 s. If dig returns Cloudflare edge IPs (104.x or 172.x) instead of 31.97.192.253, the record is proxied — click the orange cloud once to flip it back to grey, then re-dig.

Let's Encrypt HTTP-01 prerequisite

Before docker compose up succeeds, the VPS firewall must allow inbound TCP 80 and TCP 443 from anywhere. The HTTP-01 challenge goes to http://<host>/.well-known/acme-challenge/<token> over port 80, so port 80 cannot be redirected to 443 at the firewall layer (Caddy handles the redirect internally after the certificate is issued).

Quick firewall check on the VPS (run after bootstrap):

ss -ltn | grep -E ':(80|443) '
# expect Caddy bound on both

Rolling back (just in case)

If the v1 deploy fails and you want to take the site offline cleanly:

  1. In Cloudflare DNS, change the three A records to point at a parked IP (e.g. 127.0.0.1) — no records to delete, just rebind.
  2. Optionally flip them to orange-cloud while pointing at the parked IP so visitors see Cloudflare's parked page instead of a connection refused.

DNS reverts in <5 minutes thanks to Cloudflare's TTL handling.

Outbound links (0)

This note doesn't reference any other entity.

Version history (1)

  • v12026-06-01 10:19"galaxy-docs importer: initial import"