Domain, DNS, Cloudflare proxy, TLS, and the HTML-cache trap
Buy a domain, point it at Cloudflare (orange cloud), terminate TLS at nginx with an origin cert, and never let Cloudflare cache HTML. Plus the one caching bug that breaks a whole site.
Domain, DNS, Cloudflare, TLS
1. DNS + Cloudflare proxy
- Buy the domain (any registrar, ~10 EUR/yr).
- Add it to Cloudflare; Cloudflare gives you two nameservers - set those at the registrar.
- In Cloudflare DNS, add an
Arecord for@(andwww) pointing at your VPS IP, with the orange cloud (proxy on).
Cloudflare now sits in front: it does TLS termination at the edge, caches assets, and hides your VPS IP.
2. nginx TLS with an origin cert
In Cloudflare: Origin Server -> Create Certificate. Put the cert at /etc/nginx/ssl/hackup.pem and key at /etc/nginx/ssl/hackup.key (chmod 600). Cloudflare SSL mode: “Full (strict)”.
nginx terminates TLS on the VPS and reverse-proxies to your Node ports:
server {
listen 443 ssl http2;
server_name hackup.ai www.hackup.ai;
ssl_certificate /etc/nginx/ssl/hackup.pem;
ssl_certificate_key /etc/nginx/ssl/hackup.key;
# fingerprinted, immutable build assets - cache hard
location ^~ /_astro/ {
proxy_pass http://127.0.0.1:8793;
}
# everything else - NEVER cache HTML
location / {
proxy_pass http://127.0.0.1:8793;
proxy_hide_header Cache-Control;
add_header Cache-Control "no-store, must-revalidate" always;
}
}
3. The HTML-cache trap (real incident)
Each npm run build re-hashes the CSS/JS filenames in /_astro/ and deletes the old ones. The HTML page references the new hashed names. If Cloudflare caches the HTML with the old names, visitors get a page that asks for CSS files that no longer exist - the site renders unstyled.
The fix is the no-store, must-revalidate rule above on location /. Fingerprinted assets under /_astro/ stay immutable and cached forever; HTML is always revalidated.
If the site ever loads unstyled after a deploy:
curl -sD- https://hackup.ai/ | grep -i cf-cache # HIT on HTML = bad
A HIT on HTML means a stale page is cached - purge everything in the Cloudflare dashboard and check no “Cache Everything” rule overrides your origin headers.
4. The API subdomain
Put the API on api.hackup.ai (separate Cloudflare A record, orange cloud) -> nginx -> 127.0.0.1:8790. Keep cookies SameSite=None; Secure so they cross subdomains.
New models & deals, once a month
New proprietary and open-source models worth trying, price drops, and the best deals on AI coding plans. No spam.