banatie-service/docs/url-fix-cloudflare-site.md

# CDN URL Architecture Fix - Cloudflare Configuration

This document describes the Cloudflare configuration for the new CDN URL architecture.

## Domain Structure

| Domain | Purpose | Cloudflare Proxy |
|--------|---------|------------------|
| cdn.banatie.app | CDN for images | Yes (orange cloud) |
| api.banatie.app | API server | Yes (orange cloud) |
| banatie.app | Landing page | Yes (orange cloud) |

## Cache Rules

### Rule 1: Cache UUID Images (High Priority)

Cache static images with UUID filenames for maximum performance.

**When:** Custom filter expression
```
(http.host eq "cdn.banatie.app" and http.request.uri.path matches "^/[^/]+/[^/]+/img/[0-9a-f-]{36}$")
```

**Then:**
- Cache eligibility: Eligible for cache
- Edge TTL: Override origin, 7 days
- Browser TTL: Override origin, 1 year (31536000 seconds)
- Cache Key: Include query string = No

### Rule 2: Bypass Cache for Aliases

Aliases need dynamic resolution, bypass cache.

**When:** Custom filter expression
```
(http.host eq "cdn.banatie.app" and http.request.uri.path matches "^/[^/]+/[^/]+/img/@")
```

**Then:**
- Cache eligibility: Bypass cache

### Rule 3: Bypass Cache for Live URLs

Live URLs need dynamic generation, bypass cache.

**When:** Custom filter expression
```
(http.host eq "cdn.banatie.app" and http.request.uri.path matches "^/[^/]+/[^/]+/live/")
```

**Then:**
- Cache eligibility: Bypass cache

## Page Rules (Alternative)

If not using Cache Rules, use Page Rules:

### Page Rule 1: Cache UUID Images
- URL: `cdn.banatie.app/*/img/*`
- Cache Level: Cache Everything
- Edge Cache TTL: 7 days
- Browser Cache TTL: 1 year

### Page Rule 2: Bypass Aliases and Live
- URL: `cdn.banatie.app/*/img/@*`
- Cache Level: Bypass

- URL: `cdn.banatie.app/*/live/*`
- Cache Level: Bypass

## DNS Configuration

Ensure DNS records point to your VPS:

```
cdn.banatie.app    A    YOUR_VPS_IP    Proxied (orange cloud)
```

## SSL/TLS Configuration

- SSL Mode: Full (strict)
- Always Use HTTPS: On
- Automatic HTTPS Rewrites: On
- Minimum TLS Version: TLS 1.2

## Performance Settings

- Auto Minify: CSS, JavaScript (not HTML for API responses)
- Brotli: On
- Early Hints: On
- Rocket Loader: Off (may break API responses)

## Security Settings

- Security Level: Medium
- Challenge Passage: 30 minutes
- Browser Integrity Check: On

## Rate Limiting (Optional)

Create rate limiting rule for live URL abuse prevention:

**Rule Name:** Live URL Rate Limit

**When:**
```
(http.host eq "cdn.banatie.app" and http.request.uri.path matches "^/[^/]+/[^/]+/live/")
```

**Then:**
- Rate limit: 10 requests per minute per IP
- Action: Block for 1 minute

## Verification

After configuration:

1. **Test UUID caching:**
   ```bash
   curl -I "https://cdn.banatie.app/org/proj/img/uuid-here"
   # Check for: cf-cache-status: HIT (on second request)
   ```

2. **Test alias bypass:**
   ```bash
   curl -I "https://cdn.banatie.app/org/proj/img/@alias"
   # Check for: cf-cache-status: DYNAMIC or BYPASS
   ```

3. **Test live URL bypass:**
   ```bash
   curl -I "https://cdn.banatie.app/org/proj/live/scope?prompt=test"
   # Check for: cf-cache-status: DYNAMIC or BYPASS
   ```

## Troubleshooting

### Images not caching
- Verify the URL matches UUID pattern (36 character UUID)
- Check Cache Rules order (UUID rule should be first)
- Purge cache and retry

### Alias/Live URLs being cached
- Verify bypass rules are active
- Check rule order (bypass rules should run before catch-all)
- Development mode may disable caching

### Slow first requests
- Expected behavior for cache MISS
- Subsequent requests from same edge should be HIT
- Consider using Cache Reserve for longer edge retention

## Notes

- UUID pattern ensures only static, immutable images are cached at edge
- Aliases and live URLs are always fresh from origin
- 1-year browser cache is safe because UUID = immutable content
- Cloudflare caches at edge, browser caches locally