
Cloudflare DNS & Edge Routing

Instead of pointing domains directly to the Hetzner server’s public IP, Cloudflare acts as a reverse proxy at the edge. This provides DDoS protection, global CDN caching, and centralized DNS management.

Active .dev domains are proxied to the Hetzner origin. Legacy .com domains are redirected to their .dev equivalents at the Cloudflare edge, before any traffic reaches the VPS.

| Domain | Role |
| --- | --- |
| pablorosi.dev | Primary portfolio (origin on Hetzner) |
| docs.pablorosi.dev | Starlight documentation (origin on Hetzner) |
| pablorosi.com | Legacy — 301 redirect at Cloudflare edge |
| docs.pablorosi.com | Legacy — 301 redirect at Cloudflare edge |

All records for .dev domains are proxied through Cloudflare (orange cloud icon) to the Hetzner VPS.

| Type | Zone | Name | Content | Resolves to | Proxy Status |
| --- | --- | --- | --- | --- | --- |
| A | pablorosi.dev | @ | [Hetzner IP] | pablorosi.dev | Proxied |
| CNAME | pablorosi.dev | docs | pablorosi.dev | docs.pablorosi.dev | Proxied |

The CNAME docs → pablorosi.dev means docs.pablorosi.dev shares the same origin IP as the apex domain. Nginx Proxy Manager distinguishes the two sites by reading the Host header and routing each domain to its container.

Legacy .com zones are managed in Cloudflare for DNS and redirect rules only. They do not need to proxy traffic to Hetzner because all HTTP(S) requests are answered with a 301 at the edge.


To preserve SEO and keep legacy URLs working, traffic from .com domains is permanently forwarded to .dev using Cloudflare Redirect Rules (Single Redirects). The Hetzner server never processes these requests.

| Benefit | Explanation |
| --- | --- |
| DDoS resilience | Malicious traffic targeting legacy domains is absorbed by Cloudflare’s network; the VPS is not involved. |
| Zero origin load | No TLS handshake, no Nginx processing, and no Let’s Encrypt certificates required for .com on the server. |
| Simpler origin | NPM only manages active .dev proxy hosts. |

| Source pattern | Destination | Status |
| --- | --- | --- |
| *pablorosi.com/* | https://pablorosi.dev/${1} | 301 |
| *docs.pablorosi.com/* | https://docs.pablorosi.dev/${1} | 301 |

Configure these under Rules → Redirect Rules in the Cloudflare dashboard. Page Rules are deprecated; use Redirect Rules or Bulk Redirects for new setups.

Traffic for active .dev domains is proxied to the Hetzner public IP. Legacy .com requests never leave Cloudflare’s edge.


  • curl -I https://pablorosi.dev and curl -I https://docs.pablorosi.dev return 200.
  • curl -I https://pablorosi.com returns 301 with Location: https://pablorosi.dev/.
  • curl -I https://docs.pablorosi.com returns 301 with Location: https://docs.pablorosi.dev/.
  • In the Cloudflare dashboard, .dev A/CNAME records show the orange cloud (proxied); Redirect Rules for .com zones are active.
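
The curl checks above as a repeatable script. This is an added example, not part of the original setup. The function names and the sample headers are constructed, and it assumes the `server: cloudflare` and `cf-ray` headers that Cloudflare adds to responses it serves, which show the response passed through Cloudflare rather than coming straight from the origin.

```shell
#!/bin/sh
# Added example: validate `curl -sI` output against the checklist above.

# header_value NAME: print the value of header NAME (given in lowercase).
# Header names are case-insensitive and arrive lowercase over HTTP/2.
header_value() {
  awk -v n="$1" '{ i = index($0, ":")
    if (i && tolower(substr($0, 1, i - 1)) == n) {
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit } }'
}

# check_response STATUS [LOCATION]: read response headers on stdin and
# succeed only if status, Location and the Cloudflare markers all match.
check_response() {
  want_status=$1; want_location=${2:-}
  headers=$(tr -d '\r')   # curl prints CRLF line endings
  status=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
  location=$(printf '%s\n' "$headers" | header_value location)
  server=$(printf '%s\n' "$headers" | header_value server)
  ray=$(printf '%s\n' "$headers" | header_value cf-ray)
  [ "$status" = "$want_status" ] ||
    { echo "FAIL status=$status want=$want_status"; return 1; }
  [ -z "$want_location" ] || [ "$location" = "$want_location" ] ||
    { echo "FAIL location=$location want=$want_location"; return 1; }
  [ "$server" = "cloudflare" ] && [ -n "$ray" ] ||
    { echo "FAIL response did not pass through Cloudflare"; return 1; }
  echo "OK $status${location:+ -> $location}"
}

# Constructed sample of a redirect response (not captured output).
sample_redirect() {
  printf 'HTTP/2 301\r\nlocation: https://pablorosi.dev/\r\n'
  printf 'server: cloudflare\r\ncf-ray: 0000000000000000-XXX\r\n\r\n'
}

# verify_edge: run the four live checks from the checklist (needs network).
verify_edge() {
  rc=0
  curl -sI https://pablorosi.dev | check_response 200 || rc=1
  curl -sI https://docs.pablorosi.dev | check_response 200 || rc=1
  curl -sI https://pablorosi.com |
    check_response 301 https://pablorosi.dev/ || rc=1
  curl -sI https://docs.pablorosi.com |
    check_response 301 https://docs.pablorosi.dev/ || rc=1
  return "$rc"
}

if [ "${1:-}" = "--live" ]; then verify_edge; else sample_redirect | check_response 301 https://pablorosi.dev/; fi
```

Run it with `--live` to query the real domains; without arguments it only checks the embedded sample.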

Proceed to Cloud Firewall to see how incoming traffic is filtered at the network layer before it reaches the operating system.