# config.yml
# Cloudflare Tunnel Configuration File
# SECURITY NOTE: All traffic passes to the local server on port 5000.
# The server itself implements comprehensive route whitelisting and file access blocking.
# This is a defense-in-depth approach: the tunnel forwards, the server decides.

# The unique ID for your Cloudflare Tunnel.
tunnel: e7f0b3fb-5e72-486c-9722-371f0f8a3063

# The path to your Cloudflare Tunnel credentials file.
credentials-file: /home/shitij/.cloudflared/e7f0b3fb-5e72-486c-9722-371f0f8a3063.json

# Ingress rules define how traffic is routed through your tunnel.
ingress:
  # All traffic for backend.projectglyphmotion.studio goes to local server.
  # The server's LocalAPIHandler implements:
  #   1. Route whitelist — only known API paths are served
  #   2. File extension blocking — all file requests return 403
  #   3. Dotfile blocking — .env, .git, etc. return 403
  #   4. Path traversal prevention — ../ attempts return 403
  #   5. HTTP method whitelisting — only GET, POST, HEAD, OPTIONS allowed
  #   6. CORS origin restriction — only legitimate frontend domains
  #   7. Security headers — X-Content-Type-Options, X-Frame-Options, etc.
  - hostname: backend.projectglyphmotion.studio
    service: http://localhost:5000

  # Final fallback: reject everything else with 404.
  - service: http_status:404