Solarfans AI Lab

CASE STUDY · STATUS + HOOKS

Status + Hooks Boundary

The status and hooks layer is designed to expose useful public signals and guarded automation entry points, not an admin cockpit.

Background

Solarfans uses Cloudflare Pages for the static public site and Cloudflare Tunnel for selected localhost-only services. The status service answers public read-only checks. The hooks service receives signed automation events.

Problem

Public status is useful only when it is trustworthy and limited. Webhook automation is useful only when unsigned or replay-like traffic is rejected. Both surfaces need to be visible from the web without turning the VPS into a public control plane.

Design

  • Status: Expose coarse service health through read-only endpoints such as health, version, and checks.
  • Hooks: Accept automation only through signed webhook paths, with application-level HMAC verification.
  • Edge guard: Use Cloudflare WAF to block unsigned webhook POST requests before they reach the local service.
  • Local isolation: Keep services bound to localhost behind Tunnel instead of opening new public VPS ports.
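The application-level check behind the hooks entry is the part the edge rule cannot do for you: the WAF can drop requests with no signature header, but only the service holding the secret can confirm the signature and refuse replays. The following is an added example written for this case study, not Solarfans code; it assumes a signing scheme the page does not specify (HMAC-SHA256 over "<unix timestamp>.<raw body>", carried in two headers) and uses constructed demo values.

```python
import hashlib
import hmac

# Assumed scheme (not stated on the page): the sender signs
# "<unix timestamp>.<raw body>" with HMAC-SHA256 and transmits the
# timestamp and the hex digest in two request headers.
TOLERANCE_SECONDS = 300  # how far a timestamp may drift before it is refused


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Compute the hex HMAC the sender is expected to attach."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret, body, ts_header, sig_header, now, seen=None):
    """Return (accepted, reason). Runs on the raw body, before any parsing.

    `seen` is an optional set of digests already accepted; passing the same
    set across calls rejects exact redeliveries inside the time window.
    """
    if not ts_header or not sig_header:
        return False, "missing headers"
    try:
        ts = int(ts_header)
    except ValueError:
        return False, "bad timestamp"
    # Refuse old (or far-future) timestamps so a captured request cannot be
    # replayed later even though its signature is still valid.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "stale timestamp"
    expected = sign(secret, ts, body)
    # compare_digest is constant-time; a plain == would leak timing.
    if not hmac.compare_digest(expected, sig_header.lower()):
        return False, "bad signature"
    if seen is not None:
        if expected in seen:
            return False, "replay"
        seen.add(expected)
    return True, "ok"


# Constructed demo values; the secret and payload are not real.
DEMO_SECRET = b"constructed-demo-secret"
DEMO_BODY = b'{"event":"deploy","ref":"main"}'

if __name__ == "__main__":
    now = 1_700_000_000
    sig = sign(DEMO_SECRET, now, DEMO_BODY)
    print(verify(DEMO_SECRET, DEMO_BODY, str(now), sig, now, set()))
```

The reason strings are meant for the private service log, not for the HTTP response, which should stay a uniform rejection so the public surface does not reveal which check failed.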

Verification pattern

  • Public status endpoints return HTTP 200 and coarse health results.
  • Unsigned webhook POST requests are blocked at the Cloudflare edge.
  • Signed webhook requests reach the application and return accepted responses.
  • VPS 443 remains reserved for the private VPN boundary.

What stays private

The public site does not disclose HMAC secrets, tunnel tokens, SSH credentials, raw event payloads, private service logs, internal quota state, or VPN configuration. Public status is a signal, not a steering wheel.