# Mifos — Remaining Steps (after automated setup)

**Last Updated:** 2026-02-09
**Status:** Checklist for operator
**Context:** LXC 5800 created; Mifos X 24.04.30 (Docker) running on 192.168.11.85:80; DNS mifos.d-bis.org → 76.53.10.41 (A, Proxied).

---

## Done automatically

- [x] LXC 5800 created on r630-02 (192.168.11.85)
- [x] Nesting + keyctl + AppArmor unconfined set on 5800
- [x] Docker + Mifos 24.04.30 (Docker Compose) installed and running in 5800
- [x] Cloudflare DNS: mifos.d-bis.org → **76.53.10.41** (A record, Proxied) via `MIFOS_DNS_MODE=direct ./scripts/cloudflare/configure-mifos-dns.sh`

---

## Remaining (manual or with secrets)

### 1. UDM Pro port forward (for direct access via 76.53.10.41)

- In **UniFi Network** → **Settings** → **Firewall & Security** → **Port Forwarding** add:
  - **76.53.10.41:80** → **192.168.11.85:80** (TCP)
  - **76.53.10.41:443** → **192.168.11.85:443** (TCP) if you add TLS later
- Ensure 76.53.10.41 is assigned on the UDM Pro.
- See [UDM_PRO_MIFOS_76_53_10_41_PORT_FORWARD.md](UDM_PRO_MIFOS_76_53_10_41_PORT_FORWARD.md).

### 2. Optional: Cloudflare Tunnel + UK egress (no port forward)

If you want traffic via Tunnel instead of direct IP:

1. **Zero Trust** → **Networks** → **Tunnels** → **Create a tunnel** → name `mifos-r630-02` → copy the **tunnel token**.
2. In `.env` set:
   - `CLOUDFLARE_TUNNEL_TOKEN_MIFOS_R630_02=''`
   - `CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02=''` (from dashboard or `cloudflared tunnel list` after install)
3. Run: `./scripts/install-tunnel-mifos-r630-02.sh`
4. In Zero Trust → **mifos-r630-02** → **Published application routes**: add **mifos.d-bis.org** → **Service** either `http://192.168.11.85:80` (no SSL on origin) or `https://192.168.11.85:443` (run `./scripts/mifos/install-nginx-https-5800.sh` first, then add Origin config **No TLS Verify**).
5. **Switch DNS to use the tunnel:** In `.env` set `CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02=`, then run:

   ```bash
   MIFOS_DNS_MODE=tunnel ./scripts/cloudflare/configure-mifos-dns.sh
   ```

   (mifos.d-bis.org becomes a CNAME to `.cfargotunnel.com`; no UDM port forward is needed for this hostname.)
6. **Regional Services (UK):** Zero Trust / Data Localization → **Regional Services** → attach **mifos.d-bis.org** → select UK (or EU) region.

### 3. Change default password

- Log in at https://mifos.d-bis.org (after port forward or tunnel) with **mifos** / **password** and change the password.

### 4. Verification

- **Direct (76.53.10.41):** After UDM port forward: `curl -I https://mifos.d-bis.org` (HTTPS needs the 443 forward and the TLS setup from step 1).
- **Tunnel:** After tunnel + DNS switch: same URL; tunnel status in Zero Trust should be Healthy.
- **UK egress:** Check the `Cf-Ray` header or Cloudflare analytics for a UK colo.

### 5. Troubleshooting HTTP 530 (tunnel)

Cloudflare returns **530** when the tunnel can’t reach the origin. Check:

1. **Run from project root:** `./scripts/verify/verify-mifos-tunnel-530.sh`
   Confirms that cloudflared is active in LXC 5800 and that `http://127.0.0.1:80` responds inside the container.
2. **Zero Trust → Networks → Tunnels** → **mifos-r630-02** → **Published application routes**
   - For **HTTP to origin:** Service `http://192.168.11.85:80`.
   - For **HTTPS to origin:** Service `https://192.168.11.85:443`; run `./scripts/mifos/install-nginx-https-5800.sh` first, then add an **Origin configuration** for this route with **No TLS Verify** (required for the self-signed cert).
3. **Tunnel status** in the dashboard should be **Healthy**. If not, restart in 5800: `ssh root@ 'pct exec 5800 -- systemctl restart cloudflared'`
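An added helper for the verification and 530 checks above (not one of the project's scripts): it parses `curl -I` output for mifos.d-bis.org and reports the HTTP status, the Cloudflare colo from the `Cf-Ray` suffix, and whether that colo is a UK PoP. The UK colo codes and the sample headers are assumptions constructed for the example.

```shell
#!/bin/sh
# Reads response headers (as printed by `curl -I`) on stdin and prints
# "STATUS COLO REGION DIAG". A 530 with a cf-ray header means Cloudflare
# answered but cloudflared could not reach the origin (192.168.11.85).
classify_mifos_response() {
  status=""; colo=""; region="non-UK"; diag=""
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')          # strip CRLF
    case "$line" in
      HTTP/*) status=$(printf '%s' "$line" | awk '{print $2}') ;;
      *:*)
        key=$(printf '%s' "${line%%:*}" | tr '[:upper:]' '[:lower:]')
        value="${line#*:}"; value="${value# }"
        if [ "$key" = "cf-ray" ]; then
          colo="${value##*-}"                          # e.g. 0123...-LHR -> LHR
        fi
        ;;
    esac
  done
  case "$colo" in
    LHR|MAN|EDI) region="UK" ;;                        # assumed UK PoP codes
  esac
  case "$status" in
    530) diag="tunnel-cannot-reach-origin" ;;
    2??|3??) diag="ok" ;;
    *) diag="unexpected" ;;
  esac
  printf '%s %s %s %s\n' "${status:-none}" "${colo:-none}" "$region" "$diag"
}

# Constructed sample (not a real capture): tunnel route with the origin
# down, served from the London colo.
sample_tunnel_530() {
  printf 'HTTP/2 530\r\nserver: cloudflare\r\ncf-ray: 0123456789abcdef-LHR\r\n\r\n'
}

# Live usage: curl -sI https://mifos.d-bis.org | classify_mifos_response
sample_tunnel_530 | classify_mifos_response   # prints: 530 LHR UK tunnel-cannot-reach-origin
```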