Diagnosed azcomputerguru.com 521 errors: Cox's BGP route to specific
Cloudflare origin-pull prefixes (162.158.0.0/16, 172.64.0.0/13,
173.245.48.0/20, 141.101.64.0/18) is broken from 72.194.62.0/29.
Confirmed by TCP probe matrix from pfSense WAN, traceroute latency
comparison, and state-table showing 0 inbound CF connections while
direct-internet traffic still reached origin.
Deployed Cloudflare Tunnel 'acg-origin' on Jupiter Unraid as a
Docker container. Routes 4 proxied hostnames (azcomputerguru.com,
analytics., community., radio.) through the tunnel with HTTPS
backend to IX 172.16.3.10:443 with per-ingress SNI matching. All
4 hostnames return 200 OK through CF edge after the cutover.
Repo hygiene:
- Merged clients/ix-server/ into clients/internal-infrastructure/
(IX is internal infra, not a paying-client account). Git detected
the session-log files as renames so history is preserved. Updated
4 stale path references in 2 files.
- Moved cox-bgp ticket draft out of projects/dataforth-dos/ (wrong
project) to clients/internal-infrastructure/vendor-tickets/.
- Relocated tunnel-setup helper scripts from
projects/dataforth-dos/datasheet-pipeline/implementation/ to
clients/internal-infrastructure/scripts/cloudflared-tunnel-setup/.
Deleted superseded/abandoned login attempts. Sanitized hardcoded
Jupiter/pfSense SSH passwords to pull from SOPS vault at runtime;
Cloudflare token reads from env var (tokens still in 1Password,
vault entry is metadata-only).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Mike Swanson
a78fb96f95