# CDN URL Architecture Fix - Cloudflare Configuration This document describes the Cloudflare configuration for the new CDN URL architecture. ## Domain Structure | Domain | Purpose | Cloudflare Proxy | |--------|---------|------------------| | cdn.banatie.app | CDN for images | Yes (orange cloud) | | api.banatie.app | API server | Yes (orange cloud) | | banatie.app | Landing page | Yes (orange cloud) | ## Cache Rules ### Rule 1: Cache UUID Images (High Priority) Cache static images with UUID filenames for maximum performance. **When:** Custom filter expression ``` (http.host eq "cdn.banatie.app" and http.request.uri.path matches "^/[^/]+/[^/]+/img/[0-9a-f-]{36}$") ``` **Then:** - Cache eligibility: Eligible for cache - Edge TTL: Override origin, 7 days - Browser TTL: Override origin, 1 year (31536000 seconds) - Cache Key: Include query string = No ### Rule 2: Bypass Cache for Aliases Aliases need dynamic resolution, bypass cache. **When:** Custom filter expression ``` (http.host eq "cdn.banatie.app" and http.request.uri.path matches "^/[^/]+/[^/]+/img/@") ``` **Then:** - Cache eligibility: Bypass cache ### Rule 3: Bypass Cache for Live URLs Live URLs need dynamic generation, bypass cache. **When:** Custom filter expression ``` (http.host eq "cdn.banatie.app" and http.request.uri.path matches "^/[^/]+/[^/]+/live/") ``` **Then:** - Cache eligibility: Bypass cache ## Page Rules (Alternative) If not using Cache Rules, use Page Rules: ### Page Rule 1: Cache UUID Images - URL: `cdn.banatie.app/*/img/*` - Cache Level: Cache Everything - Edge Cache TTL: 7 days - Browser Cache TTL: 1 year ### Page Rule 2: Bypass Aliases and Live - URL: `cdn.banatie.app/*/img/@*` - Cache Level: Bypass - URL: `cdn.banatie.app/*/live/*` - Cache Level: Bypass ## DNS Configuration Ensure DNS records point to your VPS: ``` cdn.banatie.app A YOUR_VPS_IP Proxied (orange cloud) ``` ## SSL/TLS Configuration - SSL Mode: Full (strict) - Always Use HTTPS: On - Automatic HTTPS Rewrites: On - Minimum TLS Version: TLS 1.2 ## Performance Settings - Auto Minify: CSS, JavaScript (not HTML for API responses) - Brotli: On - Early Hints: On - Rocket Loader: Off (may break API responses) ## Security Settings - Security Level: Medium - Challenge Passage: 30 minutes - Browser Integrity Check: On ## Rate Limiting (Optional) Create rate limiting rule for live URL abuse prevention: **Rule Name:** Live URL Rate Limit **When:** ``` (http.host eq "cdn.banatie.app" and http.request.uri.path matches "^/[^/]+/[^/]+/live/") ``` **Then:** - Rate limit: 10 requests per minute per IP - Action: Block for 1 minute ## Verification After configuration: 1. **Test UUID caching:** ```bash curl -I "https://cdn.banatie.app/org/proj/img/uuid-here" # Check for: cf-cache-status: HIT (on second request) ``` 2. **Test alias bypass:** ```bash curl -I "https://cdn.banatie.app/org/proj/img/@alias" # Check for: cf-cache-status: DYNAMIC or BYPASS ``` 3. **Test live URL bypass:** ```bash curl -I "https://cdn.banatie.app/org/proj/live/scope?prompt=test" # Check for: cf-cache-status: DYNAMIC or BYPASS ``` ## Troubleshooting ### Images not caching - Verify the URL matches UUID pattern (36 character UUID) - Check Cache Rules order (UUID rule should be first) - Purge cache and retry ### Alias/Live URLs being cached - Verify bypass rules are active - Check rule order (bypass rules should run before catch-all) - Development mode may disable caching ### Slow first requests - Expected behavior for cache MISS - Subsequent requests from same edge should be HIT - Consider using Cache Reserve for longer edge retention ## Notes - UUID pattern ensures only static, immutable images are cached at edge - Aliases and live URLs are always fresh from origin - 1-year browser cache is safe because UUID = immutable content - Cloudflare caches at edge, browser caches locally