Manual Setup

This page outlines the complete infrastructure setup and configuration for Pixelflare on Cloudflare (non-Terraform version).

Not Recommended

Manual deployment is significantly more difficult, time-consuming and error-prone than using our automated Terraform setup. This approach requires configuring ~20 different resources across multiple Cloudflare dashboard pages, and then connecting them all together. It is not for the faint hearted.
Use the automated deployment guide instead unless you have specific requirements preventing Terraform usage.

0. Prerequisites

Before starting, ensure you have:

• Cloudflare account with billing enabled
• Domain name added to Cloudflare
• Cloudflare API token with the following permissions:
  • Account → Workers Scripts → Edit
  • Account → Workers KV Storage → Edit
  • Account → D1 → Edit
  • Account → Cloudflare Pages → Edit
  • Account → Account Settings → Read
  • Zone → DNS → Edit
  • Zone → Workers Routes → Edit
• Wrangler CLI installed: npm install -g wrangler
• GitHub account (for authentication)
• Build environment with Node.js, pnpm, and Git

---

1. Storage Resources

1.1 Create R2 Bucket

R2 stores all uploaded images.

1. Navigate to R2 Object Storage in your Cloudflare dashboard
2. Click Create bucket
3. Enter name: pixflare-production-images (or your preferred name)
4. Select location: Automatic (recommended) or specific region:
   • WNAM - Western North America
   • ENAM - Eastern North America
   • WEUR - Western Europe
   • EEUR - Eastern Europe
   • APAC - Asia-Pacific
5. Click Create bucket
6. Do NOT enable Public Access - images are served via Workers only

Note the bucket name - you'll need it later for Worker bindings.

1.2 Create D1 Database

D1 stores image metadata, user data, and analytics.

1. Navigate to D1 SQL Database
2. Click Create database
3. Enter name: pixflare-production-db
4. Select location: Automatic
5. Click Create
6. Note the Database ID (shown after creation) - needed for Worker bindings

Database migrations will be applied later via Wrangler after building the project.

1.3 Create KV Namespace

KV provides caching for CDN requests and API responses.

1. Navigate to Workers & Pages → KV
2. Click Create namespace
3. Enter name: pixflare-production-cache
4. Click Add
5. Note the Namespace ID - needed for Worker bindings

1.4 Create Queues

Queues handle async image processing, backups, and custom domain verification.

Variant Processing Queue

1. Navigate to Workers & Pages → Queues
2. Click Create queue
3. Enter name: pixflare-production-image-processing-queue
4. Click Create

Backup Queue

1. Click Create queue
2. Enter name: pixflare-production-backup-queue
3. Click Create

Custom Domain Queue

1. Click Create queue
2. Enter name: pixflare-production-custom-domain-queue
3. Click Create

Note all queue names for Worker configuration.

---

2. Worker Script

2.1 Build the Project

Clone and build the Pixelflare codebase:

git clone https://github.com/lissy93/pixelflare.git
cd pixelflare
pnpm install
pnpm --filter @pixflare/api run build

2.2 Create Worker

The main Worker handles API and CDN requests.

1. Navigate to Workers & Pages
2. Click Create
3. Select Create Worker
4. Enter name: pixflare-production-api
5. Click Deploy (deploys placeholder code)
6. Navigate to Settings → General
7. Set Compatibility Date to 2024-11-01 (or later)
8. Under Compatibility Flags, add: nodejs_compat

2.3 Configure Worker Bindings

Add resource bindings to connect the Worker to storage:

1. Open your Worker → Settings → Variables and Secrets
2. Under Bindings, add each binding:

R2 Bucket Binding

• Click Add binding
• Type: R2 bucket
• Variable name: R2_BUCKET
• R2 bucket: Select your created bucket
• Click Save

D1 Database Binding

• Click Add binding
• Type: D1 database
• Variable name: DB
• D1 database: Select your created database
• Click Save

KV Namespace Binding

• Click Add binding
• Type: KV namespace
• Variable name: KV_CACHE
• KV namespace: Select your created namespace
• Click Save

Queue Bindings

Add three queue bindings (producers):

1. Variant Queue

   • Variable name: VARIANT_QUEUE
   • Queue: pixflare-production-image-processing-queue

2. Backup Queue

   • Variable name: BACKUP_QUEUE
   • Queue: pixflare-production-backup-queue

3. Custom Domain Queue

   • Variable name: CUSTOM_DOMAIN_QUEUE
   • Queue: pixflare-production-custom-domain-queue

AI Binding (Optional)

If using AI classification or NSFW detection:

• Click Add binding
• Type: AI
• Variable name: AI
• Click Save

2.4 Configure Environment Variables

Under Settings → Variables and Secrets → Environment Variables:

Required Variables

Variable	Value	Description
ENVIRONMENT	production	Environment name
CDN_PUBLIC_HOST	yourdomain.com	Public CDN domain
API_HOST	yourdomain.com/api	API endpoint path
APP_HOST	yourdomain.com	Frontend domain
FRONTEND_HOST	pixflare-frontend.pages.dev	Pages deployment URL
AUTH_MODE	cloudflare	Authentication mode (cloudflare/authjs/none)
VERSION	0.1.0	Application version

Resource Display Names (Optional)

These help in status endpoints but are optional:

Variable	Value	Description
R2_BUCKET_NAME	pixflare-production-images	R2 bucket name
D1_DB_NAME	pixflare-production-db	D1 database name
KV_CACHE_ID	<your-kv-namespace-id>	KV namespace ID
QUEUE_VARIANT_NAME	pixflare-production-image-processing-queue	Queue name

Feature Flags

Variable	Value	Description
AUDIT_LOG_ENABLED	true	Enable audit logging
USAGE_LIMITS_ENABLED	false	Enable upload quotas
ENABLE_AI_CLASSIFICATION	false	Enable AI image tagging
ENABLE_AI_NSFW_DETECTION	false	Enable NSFW detection
ENABLE_CUSTOM_DOMAINS	false	Enable user custom domains
ANALYTICS_REALTIME_ENABLED	true	Enable real-time analytics
ANALYTICS_BATCH_ENABLED	true	Enable batch analytics aggregation
STRIPE_ENABLED	false	Enable Stripe billing

Stripe Configuration (Optional)

If enabling Stripe billing (STRIPE_ENABLED=true):

Variable	Value	Description
STRIPE_PUBLISHABLE_KEY	pk_live_... or pk_test_...	Stripe publishable key (safe to expose)

Image Processing Configuration

Variable	Value	Description
ALLOWED_VARIANTS	["w128","w256","w512","w1024","w1536","w2048","thumb","og-image"]	Allowed image variants (JSON array)
DEFAULT_VARIANT	w1024	Default variant to serve
MAX_UPLOAD_BYTES	104857600	Max upload size (100MB)

Retention & Cleanup

Variable	Value	Description
ANALYTICS_RETENTION_DAYS	90	Days to keep analytics
SOFT_DELETE_RETENTION_DAYS	30	Days before permanent deletion
CLEANUP_CRON	0 1 * * *	Cleanup schedule (1 AM UTC)
ANALYTICS_AGGREGATION_CRON	0 2 * * *	Analytics aggregation (2 AM UTC)
BACKUP_SYNC_CRON	0 3 * * *	Backup sync (3 AM UTC)

2.5 Configure Secrets

Add secrets to your Worker via the dashboard:

1. Navigate to Workers & Pages → [Your Worker] → Settings → Variables and Secrets
2. Under Environment Variables, click Add variable then select Encrypt
3. Add each secret below

IMPORTANT

Generate secure random secrets. You can use an online generator or terminal: openssl rand -base64 32

Required Secrets

Add these two secrets (click Add variable → Encrypt for each):

Secret Name	Description
API_HASH_SECRET	Secret for hashing API tokens (32+ random bytes)
UPLOAD_TOKEN_SECRET	Secret for HMAC signing upload tokens (32+ random bytes)

Optional Secrets

Secret	When Required
TURNSTILE_SECRET_KEY	If using Turnstile CAPTCHA
AUTH_SECRET	If using Auth.js authentication (AUTH_MODE=authjs)
GITHUB_OAUTH_CLIENT_SECRET	If using GitHub OAuth with Auth.js
GOOGLE_OAUTH_CLIENT_SECRET	If using Google OAuth with Auth.js
CLOUDFLARE_API_TOKEN	If enabling custom domains or analytics batch aggregation
CLOUDFLARE_ACCOUNT_ID	Required for analytics batch aggregation
STRIPE_SECRET_KEY	If enabling Stripe billing
STRIPE_WEBHOOK_SECRET	If enabling Stripe billing
BACKUP_ENCRYPTION_KEY	If enabling S3 backups
ENCRYPTION_ROOT_KEY	If enabling image encryption feature

See Environmental Variable Listing for all variables and secrets.

2.6 Configure Cron Triggers

Add scheduled jobs for automated tasks:

1. Navigate to Workers & Pages → [Your Worker] → Settings → Triggers
2. Under Cron Triggers, click Add Cron Trigger
3. Add three schedules:
   • 0 1 * * * - Daily cleanup (soft-deleted images)
   • 0 2 * * * - Analytics aggregation
   • 0 3 * * * - S3 backup sync

2.7 Deploy Worker Code

Deploy the compiled Worker code using Wrangler:

cd packages/api
npx wrangler deploy

This uploads your Worker code and applies the bindings configured in the dashboard.

2.8 Configure Worker Routes

Add custom domain routes to your Worker:

1. Navigate to Workers & Pages → [Your Worker] → Settings → Triggers
2. Under Routes, click Add route

Add two routes:

Route	Zone	Description
yourdomain.com/api/*	yourdomain.com	API routes
yourdomain.com/cdn/*	yourdomain.com	CDN routes

---

3. Database Setup

3.1 Apply Migrations

Run database migrations to create tables:

cd packages/database
npx wrangler d1 migrations apply pixflare-production-db

When prompted, confirm you want to apply migrations to the production database.

---

4. Frontend Deployment

4.1 Create Pages Project

1. Navigate to Workers & Pages
2. Click Create
3. Select Pages
4. Choose Connect to Git or Direct Upload

If using Git:

1. Connect your GitHub/GitLab account
2. Select the pixelflare repository
3. Configure build settings:
   • Framework preset: SvelteKit
   • Build command: cd packages/frontend && pnpm run build
   • Build output directory: packages/frontend/.svelte-kit/cloudflare
   • Root directory: /
4. Click Save and Deploy

If using Direct Upload:

Build the frontend locally and upload:

cd packages/frontend
pnpm run build
npx wrangler pages deploy .svelte-kit/cloudflare --project-name=pixflare-frontend

4.2 Configure Pages Environment Variables

1. Navigate to your Pages project → Settings → Environment variables
2. Add environment variable:
   • Variable name: VITE_API_URL
   • Value: https://yourdomain.com/api
   • Environment: Production

4.3 Add Custom Domain

1. Navigate to Pages project → Custom domains
2. Click Set up a custom domain
3. Enter: yourdomain.com
4. Click Continue
5. DNS records will be created automatically

---

5. DNS Configuration

5.1 Apex Domain

1. Navigate to DNS → Records
2. Add A record:
   • Type: A
   • Name: @
   • IPv4 address: 192.0.2.1 (placeholder for Workers)
   • Proxy status: Proxied (orange cloud)

5.2 API Subdomain (if not using gateway mode)

If you prefer api.yourdomain.com instead of yourdomain.com/api:

1. Add AAAA record:
   • Type: AAAA
   • Name: api
   • IPv6 address: 100::
   • Proxy status: Proxied

5.3 CDN Subdomain (if not using gateway mode)

If you prefer cdn.yourdomain.com instead of yourdomain.com/cdn:

1. Add AAAA record:
   • Type: AAAA
   • Name: cdn
   • IPv6 address: 100::
   • Proxy status: Proxied

---

6. Authentication Setup

6.1 Create OAuth Apps

GitHub OAuth (Required for Cloudflare Access)

1. Go to GitHub → Settings → Developer settings → OAuth Apps
2. Click New OAuth App
3. Configure:
   • Application name: Pixelflare
   • Homepage URL: https://yourdomain.com
   • Authorization callback URL: https://<your-team>.cloudflareaccess.com/cdn-cgi/access/callback
4. Click Register application
5. Note the Client ID and generate a Client Secret

Google OAuth (Optional - for Auth.js)

If using Auth.js mode (AUTH_MODE=authjs) with Google:

1. Go to Google Cloud Console → APIs & Credentials
2. Create OAuth 2.0 credentials
3. Add authorized redirect URI: https://yourdomain.com/api/v1/auth/callback/google
4. Note the Client ID and Client Secret
5. Add to Worker secrets:
   • GOOGLE_OAUTH_CLIENT_ID (environment variable)
   • GOOGLE_OAUTH_CLIENT_SECRET (secret)

6.2 Configure Zero Trust Access

Create Identity Provider

1. Navigate to Zero Trust → Settings → Authentication
2. Under Login methods, click Add new
3. Select GitHub
4. Enter your Client ID and Client Secret
5. Click Save

Create Access Application

1. Navigate to Zero Trust → Access → Applications
2. Click Add an application
3. Select Self-hosted
4. Configure:
   • Application name: Pixelflare App
   • Session duration: 24 hours
   • Application domain: yourdomain.com/app*
5. Click Next

Configure Access Policy

1. Policy name: Allow All Users
2. Action: Allow
3. Configure rules:
   • Include: Everyone
4. Click Next → Add application

Configure CORS

1. Open your Access application
2. Navigate to Settings → CORS
3. Add allowed origins:
   • https://yourdomain.com
4. Allowed methods: GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD
5. Allow credentials: Yes
6. Max age: 86400

6.3 Update Worker with Access Config

1. Navigate to Zero Trust → Settings → Custom Pages
2. Copy your Team domain (e.g., your-team.cloudflareaccess.com)
3. Navigate to Zero Trust → Access → Applications → [Your App] → Overview
4. Copy the Application Audience (AUD) Tag (long alphanumeric string)
5. Navigate to your Worker → Settings → Variables
6. Add environment variables:
   • CF_ACCESS_AUD: <your-application-aud-tag> (from step 4)
   • CF_ACCESS_CERTS_URL: https://your-team.cloudflareaccess.com/cdn-cgi/access/certs
   • AUTH_MODE: cloudflare

Alternative: Auth.js Mode

If using Auth.js authentication instead (AUTH_MODE=authjs):

1. Skip the Zero Trust Access setup above
2. Set AUTH_MODE to authjs
3. Add GITHUB_OAUTH_CLIENT_ID or GOOGLE_OAUTH_CLIENT_ID environment variables
4. Add corresponding secrets: GITHUB_OAUTH_CLIENT_SECRET or GOOGLE_OAUTH_CLIENT_SECRET
5. Generate and add AUTH_SECRET: openssl rand -base64 32

---

7. Optional Features

7.1 R2 Custom Domain (for Image Resizing)

Required for Cloudflare Image Resizing to work with R2.

1. Navigate to R2 → [Your bucket] → Settings → Custom Domains
2. Click Connect Domain
3. Enter subdomain: r2.yourdomain.com
4. Click Connect domain
5. DNS record is created automatically

After creating, add to Worker environment variables:

• R2_CUSTOM_DOMAIN: r2.yourdomain.com

7.2 Vectorize Index (AI Embeddings)

Required for semantic image search.

npx wrangler vectorize create pixflare-production-image-embeddings \
  --dimensions=768 \
  --metric=cosine

Then add Worker binding via dashboard:

1. Navigate to Workers & Pages → [Your Worker] → Settings → Variables and Secrets
2. Under Bindings, click Add binding
3. Type: Vectorize index
4. Variable name: VECTORIZE
5. Index: pixflare-production-image-embeddings
6. Click Save

7.3 Analytics Engine

Analytics Engine is auto-created on first write - no manual setup needed.

To enable:

1. Add Worker environment variable: ENABLE_ANALYTICS=true
2. Add Worker binding:
   • Type: Analytics Engine
   • Variable name: ANALYTICS
   • Dataset: pixflare_cdn_metrics

7.4 Subdomain Redirects (Optional)

If you previously used subdomains and want to redirect to path-based URLs:

1. Navigate to Rules → Redirect Rules
2. Click Create rule
3. Create three redirect rules:

App Subdomain → /app Path

• Rule name: Redirect app subdomain
• Expression: (http.host eq "app.yourdomain.com")
• Type: Dynamic
• Expression: concat("https://yourdomain.com/app", http.request.uri.path, http.request.uri.query)
• Status code: 301
• Preserve query string: No

API Subdomain → /api Path

• Rule name: Redirect api subdomain
• Expression: (http.host eq "api.yourdomain.com")
• Type: Dynamic
• Expression: concat("https://yourdomain.com/api", http.request.uri.path, http.request.uri.query)
• Status code: 301

CDN Subdomain → Root Path

• Rule name: Redirect cdn subdomain
• Expression: (http.host eq "cdn.yourdomain.com")
• Type: Dynamic
• Expression: concat("https://yourdomain.com", http.request.uri.path, http.request.uri.query)
• Status code: 301

7.5 WAF Rule (R2 Protection)

Block direct access to R2 custom domain.

1. Navigate to Security → WAF → Custom rules
2. Click Create rule
3. Configure:
   • Rule name: R2 Bucket Protection
   • Expression: (http.host eq "r2.yourdomain.com") and not any(http.request.headers["via"][*] contains "image-resizing")
   • Action: Block
4. Click Deploy

7.6 Turnstile (CAPTCHA)

1. Navigate to Turnstile
2. Click Add site
3. Configure:
   • Site name: Pixelflare
   • Domain: yourdomain.com
   • Widget mode: Managed (recommended)
4. Click Create
5. Note the Site Key and Secret Key
6. Add to Worker:
   • Environment variable: TURNSTILE_SITE_KEY (public)
   • Secret: TURNSTILE_SECRET_KEY (private)

7.7 Gateway Worker (Single-Domain Routing)

Optional: Route all traffic through yourdomain.com/* instead of subdomains.

Create Gateway Worker

1. Navigate to Workers & Pages
2. Click Create → Create Worker
3. Enter name: pixflare-production-gateway
4. Click Deploy

Configure Gateway Bindings

1. Navigate to Settings → Variables and Secrets → Bindings
2. Add Service binding:
   • Variable name: API_WORKER
   • Service: pixflare-production-api

Configure Gateway Environment Variables

1. Navigate to Settings → Variables
2. Add variables:
   • FRONTEND_HOST: pixflare-production-frontend.pages.dev
   • DOCS_HOST: pixflare-production-docs.pages.dev (if using docs)
   • ENVIRONMENT: production

Deploy Gateway Code

cd packages/gateway
pnpm run build
npx wrangler deploy

Configure Gateway Routes

1. Navigate to Settings → Triggers → Routes
2. Add routes:
   • yourdomain.com/*
   • yourdomain.com (apex domain)

---

8. Verification

8.1 Smoke Tests

Run automated tests to verify deployment:

cd scripts
PIXFLARE_URL=https://yourdomain.com ./tasks/13-smoke-tests.sh

8.2 Manual Checks

1. Frontend: Visit https://yourdomain.com - should show login page
2. API: Visit https://yourdomain.com/api/v1/health - should return {"status":"ok"}
3. Authentication: Log in via Cloudflare Access
4. Upload: Try uploading an image
5. CDN: Access uploaded image via CDN URL

---

9. Secrets Management

All secrets should be added via the Cloudflare dashboard as shown in Section 2.5.

Via Dashboard (Recommended):

1. Navigate to Workers & Pages → [Your Worker] → Settings → Variables and Secrets
2. Click Add variable → Select Encrypt
3. Enter name and value
4. Click Save

Via Wrangler CLI (Alternative):

echo "your-secret-value" | npx wrangler secret put SECRET_NAME

IMPORTANT

Never commit secrets to version control. Store them in a secure password manager.

---

10. Additional Cloudflare Configuration

At this point, your core Pixelflare deployment should be complete and functional. You can now move onto the essential optimizations and security settings

10.1 SSL/TLS Settings

Ensure secure connections for your domain:

1. Navigate to SSL/TLS → Overview
2. Set encryption mode to Full (strict) - ensures end-to-end encryption with valid certificates
3. Navigate to SSL/TLS → Edge Certificates
4. Enable Always Use HTTPS - redirects all HTTP requests to HTTPS
5. Enable HTTP Strict Transport Security (HSTS):
   • Max Age: 12 months
   • Include subdomains: enabled
   • Preload: enabled (optional)
6. Set Minimum TLS Version to TLS 1.2 or higher
7. Enable TLS 1.3 for improved performance and security
8. Enable Automatic HTTPS Rewrites

10.2 Security Level

Adjust challenge sensitivity based on traffic patterns:

1. Navigate to Security → Settings
2. Set Security Level:
   • Medium - Recommended for most sites (challenges suspicious visitors)
   • High - During attacks or high-risk periods
   • Low - If experiencing false positives
3. Consider enabling Browser Integrity Check to verify legitimate browsers

10.3 Web Application Firewall (WAF)

Add managed rulesets for common vulnerabilities:

1. Navigate to Security → WAF → Managed rules
2. Enable Cloudflare Managed Ruleset - protects against CVEs and known attacks
3. Enable Cloudflare OWASP Core Ruleset:
   • Set paranoia level based on risk tolerance (1-4, recommend 2)
   • Set action to Block for production
4. Review Cloudflare Exposed Credentials Check (optional)

10.4 Bot Protection

Protect against automated attacks:

1. Navigate to Security → Bots
2. Review Bot Fight Mode (free tier) or Super Bot Fight Mode (paid)
3. Enable Verified Bots allowlist (Google, Bing, etc.)
4. Configure bot score threshold if on Enterprise plan

10.5 Rate Limiting

Additional rate limiting beyond Worker-level controls:

1. Navigate to Security → WAF → Rate limiting rules
2. Create rules for:
   • API endpoints: 100 requests per minute per IP
   • Login endpoints: 5 requests per minute per IP
   • CDN assets: 1000 requests per minute per IP (if needed)

10.6 Cache Configuration

Optimize caching for static assets:

1. Navigate to Caching → Configuration
2. Set Caching Level to Standard
3. Set Browser Cache TTL to 4 hours or Respect Existing Headers
4. Navigate to Caching → Cache Rules
5. Create cache rule for image variants:
   • If: URI Path contains /w128 OR /w256 OR /w512 (etc.)
   • Then: Cache everything, Edge TTL 30 days, Browser TTL 7 days

10.7 Speed Optimizations

Enable performance features:

1. Navigate to Speed → Optimization
2. Enable Auto Minify for:
   • JavaScript
   • CSS
   • HTML
3. Enable Brotli compression
4. Enable Early Hints for faster page loads
5. Navigate to Network
6. Enable HTTP/3 (with QUIC) for reduced latency
7. Enable 0-RTT Connection Resumption
8. Enable WebSockets if using real-time features
9. Consider enabling Argo Smart Routing (paid) for 30% faster performance

10.8 Custom Error Pages

Brand your error pages:

1. Navigate to Custom Pages
2. Customize pages for:
   • 500 Class Errors - Server errors
   • WAF Block - Firewall blocks
   • Rate Limiting - Rate limit exceeded
   • 1000 Class Errors - DNS errors

10.9 Analytics & Monitoring

Set up monitoring and alerts:

1. Navigate to Analytics & Logs
2. Review traffic patterns in Web Analytics
3. Check Security Analytics for threats
4. Navigate to Notifications
5. Create alerts for:
   • Traffic Anomalies - unusual traffic spikes
   • Origin Error Rate Increase - backend issues
   • SSL/TLS Certificate Expiration - renewal reminders
   • DDoS Attack - attack detection

10.10 Page Rules (Optional)

Fine-tune caching and security per path:

1. Navigate to Rules → Page Rules
2. Example rules:
   • Rule: yourdomain.com/api/*
     • Cache Level: Bypass
   • Rule: yourdomain.com/*/w*/*
     • Cache Level: Cache Everything
     • Edge Cache TTL: 30 days

10.11 Network Settings

Advanced network optimizations:

1. Navigate to Network
2. Enable gRPC if using gRPC services
3. Enable Onion Routing to allow Tor users
4. Review Max Upload Size (default 100MB, increase if needed for Enterprise)
5. Enable IP Geolocation for location-based features

10.12 Scrape Shield

Protect content from scrapers:

1. Navigate to Scrape Shield
2. Enable Email Address Obfuscation
3. Enable Server-side Excludes to hide content from bots
4. Enable Hotlink Protection to prevent bandwidth theft (configure allowed domains)

10.13 DNS Configuration

Optimize DNS performance:

1. Navigate to DNS → Settings
2. Enable DNSSEC for DNS security
3. Ensure Cloudflare Nameservers are active
4. Review CAA Records to restrict certificate issuance

10.14 Load Balancing (Enterprise/Business)

For high availability:

1. Navigate to Traffic → Load Balancing
2. Create health checks for your Workers
3. Configure geographic steering for multi-region deployments
4. Set up failover pools

10.15 Audit Logs

Track configuration changes:

1. Navigate to Manage Account → Audit Log
2. Review recent changes to your Cloudflare configuration
3. Set up notifications for critical changes
4. Export logs for compliance if needed

---

Common Issues

Worker Bindings Not Working

Symptom: TypeError: env.DB is undefined

Solution: Ensure bindings are configured in Worker settings and redeploy:

npx wrangler deploy

Authentication Redirects Failing

Symptom: Infinite redirect loop

Solution:

1. Verify CF_ACCESS_AUD matches your Access application's Audience tag
2. Check CORS configuration allows credentials
3. Ensure Access application domain matches your Worker route

Image Resizing Not Working

Symptom: Images serve at full resolution

Solution:

1. Verify R2 custom domain is configured
2. Add R2_CUSTOM_DOMAIN environment variable to Worker
3. Ensure Worker has R2 bucket binding

Database Migrations Fail

Symptom: Error: no such table: images

Solution: Apply migrations manually:

npx wrangler d1 migrations apply pixflare-production-db

---

Maintenance

Updating Pixelflare

git pull origin main
pnpm install
pnpm --filter @pixflare/api run build
cd packages/api && npx wrangler deploy
cd ../frontend && pnpm run build && npx wrangler pages deploy .svelte-kit/cloudflare

Database Backups

Configure S3 backup credentials in Worker secrets, then backups run automatically via scheduled queue consumer.

Monitoring

• Analytics: View in Cloudflare Analytics or Pixelflare dashboard
• Logs: View real-time logs via npx wrangler tail pixflare-production-api
• Metrics: Monitor in Workers & Pages → Overview

---

Next Steps

• Configure custom domains for users
• Enable AI classification
• Set up S3 backups (configure BACKUPS3* environment variables)
• Review security best practices