Cloudflare tunnel setup
Configure the Cloudflare Zero Trust tunnel ingress so customer-facing service hostnames resolve through the tunnel and are served with the free Universal SSL certificate.
SSL/TLS mode
Zone breachfix.com → SSL/TLS → Overview → Full, not Full (strict); the origin behind the tunnel is plain HTTP. The only cleartext hop is cloudflared → gateway inside breachfix-net; the tunnel from Cloudflare's edge to cloudflared is itself TLS, so nothing crosses the Internet unencrypted.
Wildcard public hostname
Add it below the explicit infra hostnames (api, cloud) so they keep their own routing:
| Field | Value |
| --- | --- |
| Subdomain | * |
| Domain | breachfix.com |
| Service URL | http://breachfix-cloud-gateway:9876 |
Ingress rules are evaluated top-to-bottom and the first match wins, so a wildcard placed above api or cloud would capture their traffic.
DNS wildcard
CNAME * → {tunnel-id}.cfargotunnel.com, proxied (orange cloud). The record must be proxied: a DNS-only (grey cloud) record pointing at cfargotunnel.com does not reach the tunnel and is not served with the edge certificate. Cloudflare may not auto-create this record when the wildcard public hostname is added, so add it manually if it is missing.
Cutover checklist
- docker compose up -d --build in breachfix-cloud (joins breachfix-net)
- Set public URL env vars in .env
- Zero Trust: cloud.breachfix.com → gateway
- Zero Trust: *.breachfix.com → gateway (after infra rules)
- DNS wildcard CNAME → tunnel
- docker restart breachfix-tunnel
- ./scripts/verify-public-routing.sh
Why breachfix.com rather than cloud.breachfix.com for services: free Universal SSL covers breachfix.com and *.breachfix.com, but not *.cloud.breachfix.com (a second label under the apex), which needs a paid Advanced Certificate. The same limit applies behind the wildcard DNS record: a name like a.b.breachfix.com still resolves through the wildcard CNAME but has no matching certificate at the edge, so the TLS handshake fails before the request reaches the tunnel.
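The two rules this runbook leans on, ingress order (first match wins) and what the free certificate covers, as an added shell example. It is not breachfix project code and not cloudflared's; the rule lists are constructed (the api service name is made up), and the `*` wildcard is modelled as exactly one DNS label, which is a simplification: cloudflared's own matcher decides what actually routes.

```shell
#!/usr/bin/env bash
# Added example for this runbook; not breachfix project code and not cloudflared.
# It models, on constructed data, the two rules the cutover depends on:
#   1. Universal SSL covers the apex and exactly one label below it (*.ZONE);
#      anything deeper needs an Advanced Certificate.
#   2. Ingress rules are evaluated top-to-bottom, first match wins, so the
#      explicit infra hostnames must sit above the "*" wildcard.
# Assumption: "*" is modelled as exactly one DNS label. cloudflared's own
# matcher is authoritative; this checks rule order, it is not a reimplementation.
set -eu

ZONE="breachfix.com"

# Constructed rule lists, "hostname service" per line, in dashboard order.
# The api service name is made up for the example.
GOOD_INGRESS="
api.${ZONE} http://breachfix-api:8080
cloud.${ZONE} http://breachfix-cloud-gateway:9876
*.${ZONE} http://breachfix-cloud-gateway:9876
"
# Same rules with the wildcard first: the ordering mistake the runbook warns about.
BAD_INGRESS="
*.${ZONE} http://breachfix-cloud-gateway:9876
api.${ZONE} http://breachfix-api:8080
cloud.${ZONE} http://breachfix-cloud-gateway:9876
"
# The rejected design: services one level deeper, under cloud.breachfix.com.
DEEP_INGRESS="
cloud.${ZONE} http://breachfix-cloud-gateway:9876
*.cloud.${ZONE} http://breachfix-cloud-gateway:9876
"

# universal_ssl_covers HOST: succeed if the free cert (SANs ZONE and *.ZONE)
# is valid for HOST. A wildcard SAN matches exactly one label.
universal_ssl_covers() {
  local host="$1" prefix
  [ "$host" = "$ZONE" ] && return 0
  case "$host" in *."$ZONE") ;; *) return 1 ;; esac
  prefix="${host%.$ZONE}"
  case "$prefix" in ''|*.*) return 1 ;; *) return 0 ;; esac
}

# hostname_matches PATTERN HOST: exact hostname, or "*.suffix" against one label.
hostname_matches() {
  local pattern="$1" host="$2" suffix label
  case "$pattern" in
    \*.*)
      suffix="${pattern#\*.}"
      case "$host" in *."$suffix") ;; *) return 1 ;; esac
      label="${host%.$suffix}"
      case "$label" in ''|*.*) return 1 ;; *) return 0 ;; esac ;;
    *)
      [ "$pattern" = "$host" ] ;;
  esac
}

# ingress_route RULES HOST: print the service of the first matching rule, or
# http_status:404, which is what cloudflared's terminal catch-all returns.
ingress_route() {
  local rules="$1" host="$2" pattern service
  while read -r pattern service; do
    [ -n "$pattern" ] || continue
    if hostname_matches "$pattern" "$host"; then
      printf '%s\n' "$service"
      return 0
    fi
  done <<EOF
$rules
EOF
  printf '%s\n' "http_status:404"
}

# uncovered_hostnames RULES: print every rule hostname the free cert cannot serve.
# A wildcard rule is probed with a representative single label.
uncovered_hostnames() {
  local rules="$1" pattern service host
  while read -r pattern service; do
    [ -n "$pattern" ] || continue
    host="$pattern"
    case "$host" in \*.*) host="probe.${host#\*.}" ;; esac
    universal_ssl_covers "$host" || printf '%s\n' "$pattern"
  done <<EOF
$rules
EOF
}

# Demonstration on the constructed lists.
for h in "api.$ZONE" "cloud.$ZONE" "tickets.$ZONE" "$ZONE"; do
  printf '%-22s good order -> %-36s bad order -> %s\n' "$h" \
    "$(ingress_route "$GOOD_INGRESS" "$h")" "$(ingress_route "$BAD_INGRESS" "$h")"
done
echo "Not covered by Universal SSL in DEEP_INGRESS:"
uncovered_hostnames "$DEEP_INGRESS"
```

With the wildcard above api, api.breachfix.com is routed to the gateway instead of the api service, which is the failure the "after infra rules" ordering prevents; the coverage check flags *.cloud.breachfix.com as the one hostname the free certificate cannot serve.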