Cloudflare tunnel setup

Configure Cloudflare Zero Trust tunnel ingress so customer service URLs resolve with free Universal SSL.

SSL/TLS mode

Zone breachfix.com → SSL/TLS → Overview → Full (not Full Strict — origin is HTTP via tunnel).

Wildcard public hostname

Add near the bottom of tunnel ingress (after explicit infra hostnames like api, cloud):

Subdomain: *
Domain: breachfix.com
Service URL: http://breachfix-cloud-gateway:9876

Ingress is top-to-bottom, first match wins.

DNS wildcard

CNAME * → {tunnel-id}.cfargotunnel.com, proxied (orange cloud). Cloudflare may not auto-create this when adding the wildcard hostname; add it manually if missing.

Cutover checklist

  1. docker compose up -d --build in breachfix-cloud (joins breachfix-net)
  2. Set public URL env vars in .env
  3. Zero Trust: cloud.breachfix.com → gateway
  4. Zero Trust: *.breachfix.com → gateway (after infra rules)
  5. DNS wildcard CNAME → tunnel
  6. docker restart breachfix-tunnel
  7. ./scripts/verify-public-routing.sh

Why services live under breachfix.com rather than cloud.breachfix.com: free Universal SSL covers *.breachfix.com but not *.cloud.breachfix.com, which would need a paid Advanced Certificate.