Use this when deploying the app with Cloudflare as the TLS terminator.
- Create or reuse a Cloudflare Tunnel for the app.
- Export `CLOUDFLARE_TUNNEL_TOKEN` into `.env` or the deployment environment.
- Confirm the tunnel routes the public hostname to the `grounded-ui` service on `https://ui:443`.
- Prefer a Cloudflare Origin CA certificate: `SSL/TLS` → `Origin Server` → `Create certificate`.
- Store the cert and key on the server at `/etc/cloudflare/origin/ngallodev-software.uk.pem` and `/etc/cloudflare/origin/ngallodev-software.uk.key`.
- Verify the tunnel shows active registered connections in `cloudflared` logs.

- Keep `grounded-ui` serving the app on HTTP 80 and TLS 443 internally.
- Keep `grounded-api` published only on `127.0.0.1:5252` for host access, with container-to-container traffic over Docker networking.
- Leave `VITE_API_BASE_URL` empty in the Docker build so the browser uses same-origin `/grounded/analytics/*` requests.
- Confirm nginx forwards `/analytics/*` to the API container over HTTP.
- Confirm nginx does not emit redirects that rewrite the host or port.

- Confirm the public URL is served over `https://`.
- Confirm the UI loads at the expected path, for example `https://ngallodev-software.uk/grounded/`.
- Confirm API calls succeed from the browser without mixed-content warnings.
- Confirm Cloudflare Access or other auth is in place if the hostname is meant to be private.

- Run `make check-https` for local verification.
- Optionally set `PUBLIC_URL=https://...` and rerun `make check-https` to verify the public HTTPS URL.
- Use `PUBLIC_URL=https://... make check-https-public` to verify only the live public URL when the tunnel is already running.
- Confirm the local TLS check inside the `ui` container passes with `make check-https`.
- Check `docker compose logs --tail=50 cloudflared` for a live tunnel connection.
- Open the public URL and verify the UI renders.

- Submit an analytics query and verify the `/analytics/query` request returns `200`.
- Confirm the browser sees HTTPS only; no direct HTTP redirect or mixed content.
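The browser-facing checks in the list above (no redirect that rewrites scheme, host or port; no mixed content in the served HTML; `/analytics/query` answering `200`) can be scripted. The script below is an added example, not the project's `make check-https` or `make check-https-public` target; the sample headers and bodies it tests against are constructed, and the HTTP method and request body used for the live analytics call are assumptions that need adjusting to the real API.

```shell
#!/bin/sh
# Added example, not project code. Offline checks over captured HTTP responses,
# plus an optional live run against PUBLIC_URL when invoked with --live.
set -eu

# Print the status code from the first line of a raw header block.
status_code() {
  printf '%s\n' "$1" | tr -d '\r' | awk 'NR==1 && $1 ~ /^HTTP\// {print $2}'
}

# Succeed when no Location header downgrades to http:// or points at a host or
# port other than the public origin.  $1 = origin (scheme://host[:port]), $2 = headers.
check_no_rewrite_redirect() {
  origin="$1"
  locs=$(printf '%s\n' "$2" | tr -d '\r' | awk 'tolower($1)=="location:" {print $2}')
  [ -z "$locs" ] && return 0
  for loc in $locs; do
    case "$loc" in
      "$origin"/*|"$origin") ;;   # same-origin absolute redirect keeps scheme, host, port
      /*) ;;                       # relative redirect inherits the public origin
      *) return 1 ;;               # anything else rewrites scheme, host or port
    esac
  done
  return 0
}

# Succeed when the HTML loads no subresource (script/img src, form action,
# <link href>) over plain http://, which a browser would flag as mixed content.
check_no_mixed_content() {
  if printf '%s\n' "$1" | grep -Eiq '(src|action)=["'"'"']http://|<link[^>]*href=["'"'"']http://'; then
    return 1
  fi
  return 0
}

# Constructed sample responses (not captured from the real deployment).
SAMPLE_GOOD_HEADERS='HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000'
# nginx with port_in_redirect left on behind a TLS terminator produces this shape.
SAMPLE_BAD_HEADERS='HTTP/2 301
location: http://ngallodev-software.uk:443/grounded/'
SAMPLE_GOOD_BODY='<html><head><link rel="stylesheet" href="/grounded/app.css"></head>
<body><script src="/grounded/app.js"></script></body></html>'
SAMPLE_BAD_BODY='<html><body><script src="http://ngallodev-software.uk/grounded/app.js"></script></body></html>'

# Live checks against the running tunnel.  ANALYTICS_QUERY_BODY and the POST
# method are assumptions; set them to match the real analytics API.
run_live_checks() {
  url="${PUBLIC_URL%/}"
  origin=$(printf '%s\n' "$url" | sed -E 's#^(https?://[^/]+).*#\1#')
  hdr=$(curl -sS --max-time 15 -o /dev/null -D - "$url/grounded/")
  body=$(curl -sS --max-time 15 -L "$url/grounded/")
  check_no_rewrite_redirect "$origin" "$hdr" || { echo "FAIL: redirect rewrites host/port"; return 1; }
  check_no_mixed_content "$body" || { echo "FAIL: mixed content in $url/grounded/"; return 1; }
  code=$(curl -sS --max-time 15 -o /dev/null -w '%{http_code}' -X POST \
           -H 'Content-Type: application/json' \
           -d "${ANALYTICS_QUERY_BODY:-{}}" "$url/grounded/analytics/query")
  [ "$code" = "200" ] || { echo "FAIL: /analytics/query returned $code"; return 1; }
  echo "OK: $url passes redirect, mixed-content and analytics checks"
}

if [ "${1:-}" = "--live" ]; then
  : "${PUBLIC_URL:?set PUBLIC_URL=https://... before running with --live}"
  run_live_checks
fi
```

Run it as `PUBLIC_URL=https://ngallodev-software.uk sh check_public.sh --live` once the tunnel is up; without `--live` it only defines the functions, which is what lets the redirect and mixed-content logic be exercised offline against the constructed samples. The redirect check deliberately inspects the first response without following it, because a `301` to `http://host:443/...` is exactly the symptom of nginx rewriting the port behind a TLS terminator.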