
Secure Cloud Routing Overview

The Secure Cloud Routing project is a modern, containerized infrastructure designed to host and route web traffic securely with a Zero Trust approach for administrative access.

Hosted on a Hetzner Virtual Private Server (VPS) in Nuremberg, Germany, the environment uses Docker to containerize all services, ensuring reliable and reproducible deployments. Traffic is routed globally through Cloudflare’s edge network, managed locally via Nginx Proxy Manager, and secured with TLS certificates from Let’s Encrypt. Administrative endpoints are strictly isolated from the public internet using a Tailscale overlay network.


  • Public Web Hosting: Securely serves pablorosi.dev and docs.pablorosi.dev.
  • Legacy Redirection: Intercepts and redirects traffic from .com domains to the .dev equivalent at the Cloudflare edge.
  • Zero Trust Administration: Restricts SSH and the Nginx control panel to authenticated devices on the private Tailnet.
  • Automated Deployments: Uses GitHub Actions CI/CD pipelines for continuous updates over the Tailscale network.

```mermaid
flowchart LR
  UserDev[User .dev] --> CF[Cloudflare Edge]
  CF --> FW[Hetzner Firewall]
  FW --> NPM[Nginx Proxy Manager]
  NPM --> Portfolio[astro-site]
  NPM --> Docs[starlight-docs]
  UserCom[User .com] --> CF
  CF -->|"301 redirect"| DevTarget[pablorosi.dev]
  Admin[Administrator] --> TS[Tailscale Tailnet]
  TS --> SSH["SSH port 22"]
  TS --> NPMAdmin["NPM GUI port 81"]
  GHA["GitHub Actions tag:ci"] --> TS
```

| Component | Role |
| --- | --- |
| Hetzner VPS | Compute host running Ubuntu and Docker |
| Cloudflare | DNS, CDN, DDoS protection, and legacy redirects |
| Hetzner Cloud Firewall | Layer 4 ingress filter on the public interface |
| Nginx Proxy Manager | Reverse proxy, virtual hosts, and origin TLS |
| Tailscale | Encrypted overlay for SSH, admin UI, and CI/CD |
| GitHub Actions | Build static sites and deploy over Tailscale |
| Docker Compose | IaC for container lifecycle and networking |
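The Zero Trust rule above only holds if the Docker Compose port mappings actually keep the admin endpoints off the public interface: a service published as `81:81` binds to every address on the host, including the public one, regardless of what the Hetzner firewall or Tailscale ACLs say. The audit below is an added example and not part of this project's code. It assumes the Compose short port syntax (`[HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]`), that Tailscale addresses come from the 100.64.0.0/10 CGNAT range, and that the Compose services and the `100.64.0.1` Tailnet address are constructed sample data.

```python
"""Audit Docker Compose port bindings so admin ports (SSH 22, NPM GUI 81) are
never published on the public interface.

Added example, not the project's own code. Assumes the Compose short port
syntax and that Tailscale addresses fall in 100.64.0.0/10.
"""
import ipaddress

TAILNET = ipaddress.ip_network("100.64.0.0/10")   # Tailscale CGNAT range (assumption)
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
WILDCARDS = {"0.0.0.0", "::", ""}                  # "bind to every interface"
ADMIN_PORTS = {22, 81}

# Constructed sample: weak setting (GUI on all interfaces) beside the corrected
# one (GUI bound to the node's Tailscale address; the site is only reachable
# through NPM on the Compose network).
WEAK_COMPOSE = {
    "nginx-proxy-manager": {"ports": ["80:80", "443:443", "81:81"]},
    "astro-site": {"ports": ["3000"]},   # random host port, still on 0.0.0.0
}
HARDENED_COMPOSE = {
    "nginx-proxy-manager": {"ports": ["80:80", "443:443", "100.64.0.1:81:81"]},
    "astro-site": {"ports": []},
}


def parse_port(spec):
    """Return (host_ip, host_port, container_port) for one short-syntax entry.

    host_ip defaults to "0.0.0.0" when omitted; host_port is None when Docker
    chooses an ephemeral port. Ranges such as "8000-8010" are reduced to their
    first port, which is enough for an admin-port check.
    """
    spec = str(spec).split("/", 1)[0]          # drop "/tcp" or "/udp"
    parts = spec.rsplit(":", 2)                # keeps a bracketed IPv6 host intact
    if len(parts) == 3:
        host_ip, host_port, container = parts
    elif len(parts) == 2:
        host_ip, host_port, container = "0.0.0.0", parts[0], parts[1]
    else:
        host_ip, host_port, container = "0.0.0.0", None, parts[0]
    host_ip = host_ip.strip("[]")
    to_int = lambda p: int(p.split("-")[0])
    return host_ip, (to_int(host_port) if host_port else None), to_int(container)


def is_private_bind(host_ip):
    """True only when the bind address is loopback or on the Tailnet."""
    if host_ip in WILDCARDS:
        return False
    addr = ipaddress.ip_address(host_ip)
    return addr in TAILNET or addr in LOOPBACK


def audit(services, admin_ports=ADMIN_PORTS):
    """Return (service, port_spec, reason) for every admin port that is
    published on a non-private address. An ephemeral host port is treated as
    exposing the container port, since it is still bound to all interfaces."""
    findings = []
    for name, svc in services.items():
        for spec in svc.get("ports", []):
            host_ip, host_port, container = parse_port(spec)
            exposed = host_port if host_port is not None else container
            if exposed in admin_ports and not is_private_bind(host_ip):
                findings.append((name, str(spec), f"port {exposed} bound to {host_ip}"))
    return findings


if __name__ == "__main__":
    for label, compose in (("weak", WEAK_COMPOSE), ("hardened", HARDENED_COMPOSE)):
        print(label, audit(compose) or "OK: no admin port on the public interface")
```

Run the audit against the real `docker-compose.yml` after loading it with a YAML parser and passing its `services` mapping to `audit()`; a clean result is the precondition for the firewall and Tailscale ACL layers described above to mean anything.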

This section is divided into six sequential phases, mapping the flow of traffic from the public edge down to the private server: