Stack A · 30 min · ~10 EUR/yr (domain)

Domain, DNS, Cloudflare proxy, TLS, and the HTML-cache trap

Buy a domain, point it at Cloudflare (orange cloud), terminate TLS at nginx with an origin cert, and never let Cloudflare cache HTML. Plus the one caching bug that breaks a whole site.

Domain, DNS, Cloudflare, TLS

1. DNS + Cloudflare proxy

  1. Buy the domain (any registrar, ~10 EUR/yr).
  2. Add it to Cloudflare; Cloudflare gives you two nameservers - set those at the registrar.
  3. In Cloudflare DNS, add an A record for @ (and www) pointing at your VPS IP, with the orange cloud (proxy on).

Cloudflare now sits in front: it does TLS termination at the edge, caches assets, and hides your VPS IP.

2. nginx TLS with an origin cert

In Cloudflare: Origin Server -> Create Certificate. Put the cert at /etc/nginx/ssl/hackup.pem and key at /etc/nginx/ssl/hackup.key (chmod 600). Cloudflare SSL mode: “Full (strict)”.

nginx terminates TLS on the VPS and reverse-proxies to your Node ports:

server {
    listen 443 ssl http2;
    server_name hackup.ai www.hackup.ai;
    ssl_certificate     /etc/nginx/ssl/hackup.pem;
    ssl_certificate_key /etc/nginx/ssl/hackup.key;

    # fingerprinted, immutable build assets - cache hard
    location ^~ /_astro/ {
        proxy_pass http://127.0.0.1:8793;
    }

    # everything else - NEVER cache HTML
    location / {
        proxy_pass http://127.0.0.1:8793;
        proxy_hide_header Cache-Control;
        add_header Cache-Control "no-store, must-revalidate" always;
    }
}

3. The HTML-cache trap (real incident)

Each npm run build re-hashes the CSS/JS filenames in /_astro/ and deletes the old ones. The HTML page references the new hashed names. If Cloudflare caches the HTML with the old names, visitors get a page that asks for CSS files that no longer exist - the site renders unstyled.

The fix is the no-store, must-revalidate rule above on location /. Fingerprinted assets under /_astro/ stay immutable and cached forever; HTML is always revalidated.

If the site ever loads unstyled after a deploy:

curl -sD- https://hackup.ai/ | grep -i cf-cache   # HIT on HTML = bad

A HIT on HTML means a stale page is cached - purge everything in the Cloudflare dashboard and check no “Cache Everything” rule overrides your origin headers.

4. The API subdomain

Put the API on api.hackup.ai (separate Cloudflare A record, orange cloud) -> nginx -> 127.0.0.1:8790. Keep cookies SameSite=None; Secure so they cross subdomains.

New models & deals, once a month

New proprietary and open-source models worth trying, price drops, and the best deals on AI coding plans. No spam.