feat: enable HTTPS with Cloudflare Origin Certificate

Syntax-Error-1337 · claude · Syntax-Error-1337 · commit 733c114045ca · 2026-03-10T14:24:57.000+08:00
- Uncomment and activate HTTPS server block on port 443
- Switch from Let's Encrypt/certbot to Cloudflare Origin Certificate
  (stored at ./ssl/origin.pem + origin.key, mounted read-only into nginx)
- Remove certbot service and unused volumes — not needed behind Cloudflare proxy
- Redirect all HTTP traffic to HTTPS

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -32,20 +32,8 @@ services:
       - "443:443"
     volumes:
       - ./nginx.conf:/etc/nginx/nginx.conf:ro
-      - certbot-www:/var/www/certbot:ro
-      - certbot-certs:/etc/letsencrypt:ro
+      - ./ssl:/etc/nginx/ssl:ro
     depends_on:
       - radar
     restart: unless-stopped
 
-  certbot:
-    image: certbot/certbot
-    container_name: radar-certbot
-    volumes:
-      - certbot-www:/var/www/certbot
-      - certbot-certs:/etc/letsencrypt
-    entrypoint: /bin/sh -c "trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot --quiet; sleep 12h & wait $${!}; done"
-
-volumes:
-  certbot-www:
-  certbot-certs:
diff --git a/nginx.conf b/nginx.conf
@@ -26,9 +26,18 @@ http {
             root /var/www/certbot;
         }
 
-        # Redirect all HTTP traffic to HTTPS once certs are in place
-        # Uncomment the line below and remove the location / block after running certbot
-        # return 301 https://$host$request_uri;
+        return 301 https://$host$request_uri;
+    }
+
+    # HTTPS — Cloudflare Origin Certificate
+    server {
+        listen 443 ssl;
+        server_name radar.army www.radar.army;
+
+        ssl_certificate     /etc/nginx/ssl/origin.pem;
+        ssl_certificate_key /etc/nginx/ssl/origin.key;
+        ssl_protocols       TLSv1.2 TLSv1.3;
+        ssl_ciphers         HIGH:!aNULL:!MD5;
 
         location / {
             proxy_pass         http://radar:3001;
@@ -43,34 +52,4 @@ http {
             proxy_read_timeout 90s;
         }
     }
-
-    # HTTPS — uncomment this block after running certbot
-    # Replace radar.army with your actual domain
-    #
-    # server {
-    #     listen 443 ssl;
-    #     server_name radar.army www.radar.army;
-    #
-    #     ssl_certificate     /etc/letsencrypt/live/radar.army/fullchain.pem;
-    #     ssl_certificate_key /etc/letsencrypt/live/radar.army/privkey.pem;
-    #     ssl_protocols       TLSv1.2 TLSv1.3;
-    #     ssl_ciphers         HIGH:!aNULL:!MD5;
-    #
-    #     location /.well-known/acme-challenge/ {
-    #         root /var/www/certbot;
-    #     }
-    #
-    #     location / {
-    #         proxy_pass         http://radar:3001;
-    #         proxy_http_version 1.1;
-    #         proxy_set_header   Upgrade $http_upgrade;
-    #         proxy_set_header   Connection 'upgrade';
-    #         proxy_set_header   Host $host;
-    #         proxy_set_header   X-Real-IP $remote_addr;
-    #         proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-    #         proxy_set_header   X-Forwarded-Proto $scheme;
-    #         proxy_cache_bypass $http_upgrade;
-    #         proxy_read_timeout 90s;
-    #     }
-    # }
 }
