Cloudflare DNS & Edge Routing
Edge Network Strategy
Instead of pointing domains directly to the Hetzner server’s public IP, Cloudflare acts as a reverse proxy at the edge. This provides DDoS protection, global CDN caching, and centralized DNS management.
Active .dev domains are proxied to the Hetzner origin. Legacy .com domains are redirected to their .dev equivalents at the Cloudflare edge, before any traffic reaches the VPS.
Active Domains
| Domain | Role |
|---|---|
| pablorosi.dev | Primary portfolio (origin on Hetzner) |
| docs.pablorosi.dev | Starlight documentation (origin on Hetzner) |
| pablorosi.com | Legacy — 301 redirect at Cloudflare edge |
| docs.pablorosi.com | Legacy — 301 redirect at Cloudflare edge |
DNS Configuration
All records for .dev domains are proxied through Cloudflare (orange cloud icon) to the Hetzner VPS.
| Type | Zone | Name | Content | Resolves to | Proxy Status |
|---|---|---|---|---|---|
| A | pablorosi.dev | @ | [Hetzner IP] | pablorosi.dev | Proxied |
| CNAME | pablorosi.dev | docs | pablorosi.dev | docs.pablorosi.dev | Proxied |
The CNAME docs → pablorosi.dev means docs.pablorosi.dev shares the same origin IP as the apex domain. Nginx Proxy Manager distinguishes the two sites by reading the Host header and routing each domain to its container.
Legacy .com zones are managed in Cloudflare for DNS and redirect rules only. They do not need to proxy traffic to Hetzner because all HTTP(S) requests are answered with a 301 at the edge.
Legacy Domain Redirection
To preserve SEO and keep legacy URLs working, traffic from .com domains is permanently forwarded to .dev using Cloudflare Redirect Rules (Single Redirects). The Hetzner server never processes these requests.
Why redirect at the edge
| Benefit | Explanation |
|---|---|
| DDoS resilience | Malicious traffic targeting legacy domains is absorbed by Cloudflare’s network; the VPS is not involved. |
| Zero origin load | No TLS handshake, no Nginx processing, and no Let’s Encrypt certificates required for .com on the server. |
| Simpler origin | NPM only manages active .dev proxy hosts. |
Redirect Rules
| Source pattern | Destination | Status |
|---|---|---|
| `*pablorosi.com/*` | `https://pablorosi.dev/${1}` | 301 |
| `*docs.pablorosi.com/*` | `https://docs.pablorosi.dev/${1}` | 301 |
Configure these under Rules → Redirect Rules in the Cloudflare dashboard. Page Rules are deprecated; use Redirect Rules or Bulk Redirects for new setups.
Traffic for active .dev domains is proxied to the Hetzner public IP. Legacy .com requests never leave Cloudflare’s edge.
Validation
- `curl -I https://pablorosi.dev` and `curl -I https://docs.pablorosi.dev` return `200`.
- `curl -I https://pablorosi.com` returns `301` with `Location: https://pablorosi.dev/`.
- `curl -I https://docs.pablorosi.com` returns `301` with `Location: https://docs.pablorosi.dev/`.
- In the Cloudflare dashboard, `.dev` A/CNAME records show the orange cloud (proxied); Redirect Rules for `.com` zones are active.
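The checks above as a script, added here as an example (not part of the original setup). It goes beyond the root-URL checks by testing a non-root path and by requiring Cloudflare's `server` and `cf-ray` response headers, so a redirect that was answered by the origin or that points at the wrong host fails. The `/guides/setup` path, the function names, and the sample responses are assumptions constructed for illustration.

```shell
#!/bin/sh
# check_response HEADERS WANT_STATUS [WANT_LOCATION]
# HEADERS is raw `curl -sI` output. Passes only if status and Location match
# exactly and the reply carries Cloudflare's edge headers.
check_response() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')   # curl output uses CRLF
    status=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
    # Header names are case-insensitive (HTTP/2 sends them lowercase).
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($0) ~ /^location: / { print substr($0, 11); exit }')

    [ "$status" = "$2" ] || { echo "status $status, want $2" >&2; return 1; }
    if [ -n "${3:-}" ] && [ "$location" != "$3" ]; then
        echo "Location '$location', want '$3'" >&2; return 1
    fi
    printf '%s\n' "$headers" | grep -qi '^server: cloudflare$' &&
        printf '%s\n' "$headers" | grep -qi '^cf-ray: ' ||
        { echo "response did not come from the Cloudflare edge" >&2; return 1; }
}

# check_url URL WANT_STATUS [WANT_LOCATION]: live variant (needs network).
check_url() {
    check_response "$(curl -sI --max-time 10 "$1")" "$2" "${3:-}"
}

# Constructed samples, not captured traffic. The cf-ray value is a placeholder.
GOOD_DEEP='HTTP/2 301
location: https://docs.pablorosi.dev/guides/setup
server: cloudflare
cf-ray: 0000000000000000-FRA'

# A docs URL redirected to the apex site. The apex pattern *pablorosi.com/*
# begins with a wildcard, so it can also match docs.pablorosi.com.
WRONG_HOST='HTTP/2 301
location: https://pablorosi.dev/guides/setup
server: cloudflare
cf-ray: 0000000000000000-FRA'

# A 301 answered by the origin instead of the edge (no Cloudflare headers).
FROM_ORIGIN='HTTP/1.1 301 Moved Permanently
Location: https://docs.pablorosi.dev/guides/setup
Server: openresty'
```

Against the live sites, run for example `check_url https://docs.pablorosi.com/guides/setup 301 https://docs.pablorosi.dev/guides/setup`.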
Proceed to Cloud Firewall to see how incoming traffic is filtered at the network layer before it reaches the operating system.