Cloud Infra Showcase.
Real services running on a self-hosted server — not a mock, not a screenshot. Ubuntu Server, Docker containers, Nginx reverse proxy, and Cloudflare Tunnel with zero open inbound ports.
Architecture
Traffic enters through Cloudflare's network, never directly to the server. No inbound port is open on the host: cloudflared opens an outbound-only encrypted tunnel to Cloudflare, requests come back over that connection, and Nginx routes each one to the correct service.
$ uname -a
Linux ubuntu 6.x ...   (Ubuntu Server on an Intel i5 13th-gen, 16 GB RAM)
$ docker ps
3 services running on host
Services
Portainer
Docker container management — lifecycle, logs, resource usage for all running containers.
Admin surface deliberately not exposed to the internet.
Cockpit
System metrics and OS management — CPU, memory, disk, and service health.
Enough to prove the system is real without exposing controls.
File Browser
File access and lightweight storage demo — browse a sample project workspace.
Demo account: username demo · read-only guest access.
Live Demo
— Proof of deployment
A real service on a real server, not a screenshot.
File Browser will run as a Docker container, routed through Nginx and exposed via Cloudflare Tunnel. The demo account will have read-only access to a sample project workspace (CSV files, a README, an architecture diagram). No uploads, no deletes.
Status: File Browser container not yet deployed. The scoped read-only guest account goes live with the service at files.demo.vancornelio.dev.
Security
— Zero Trust posture
Designed to expose the minimum required surface.
Every security decision here was intentional, not an afterthought. Cloudflare sits in front of everything. Admin tools stay internal. The only public-facing service is File Browser, and the only public credential is a read-only demo account. The attack surface is as small as it can be while still proving the deployment is real.
cloudflared opens an outbound-only encrypted tunnel to Cloudflare's edge and receives requests over it. The host firewall allows no inbound connections, and because the DNS records are proxied they resolve to Cloudflare addresses rather than the origin, so a port scan of the host's public address finds no listening service.
Cloudflare's edge Web Application Firewall applies its rulesets before traffic reaches the origin, and DDoS mitigation happens at the Cloudflare network layer. Because the origin accepts nothing except what arrives over the tunnel, neither control can be bypassed by connecting to the server directly.
Portainer (Docker UI) and Cockpit (OS-level tools) are internal-only: bound to the loopback interface, with no Nginx vhost and no tunnel ingress rule, so neither admin panel is reachable from the public internet.
File Browser runs with a read-only guest account scoped to the demo directory. No upload, delete, or rename permissions.
Cloudflare rate limiting on the File Browser subdomain throttles brute-force attempts against the demo login; even a successful guess yields only the read-only guest account over the public sample files.
How It Works
Provision
- Ubuntu Server base install on i5 13th-gen desktop
- Docker Engine + Docker Compose installed
- Nginx installed and enabled via systemd
- cloudflared installed and authenticated
Deploy Services
- Each service defined as a Docker Compose file
- Started via Portainer UI or docker compose up -d
- Container ports published on loopback only (127.0.0.1:PORT). This matters because Docker writes its own iptables rules ahead of ufw, so a port published on 0.0.0.0 is reachable from outside regardless of the host firewall.
- Portainer manages state, logs, and restarts
Route Traffic
- Nginx virtual hosts map subdomains to container ports
- proxy_pass http://127.0.0.1:PORT for each service
- Each vhost has exactly one upstream, so a request for one subdomain cannot reach another service's port
- Access logs retained locally for audit
Expose via Tunnel
- cloudflared config maps public hostnames to local Nginx ports; cloudflared requires a final catch-all rule, which should return http_status:404 so that any hostname not listed gets nothing
- Cloudflare Tunnel creates an outbound connection only
- TLS terminates at Cloudflare's edge (no self-signed cert complexity); the edge-to-host hop is encrypted by the tunnel, and Nginx to container is plain HTTP on loopback
- DNS records proxied through Cloudflare (orange cloud), so they resolve to Cloudflare addresses rather than the origin
Full request flow: client → Cloudflare edge (TLS termination, WAF, rate limiting) → Cloudflare Tunnel → cloudflared on the host → Nginx vhost → 127.0.0.1:PORT container.
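The complete set of files the four steps above produce, as an added example written for this page rather than the project's own configuration. Hostnames (files.demo.example plus two assumed admin hostnames), ports (8080 for the container, 8081 for the Nginx vhost), the public filebrowser/filebrowser image and the tunnel name demo-tunnel are all placeholders, not values from the page. The two audit functions check the properties the Security section relies on (loopback-only port bindings, a 404 catch-all in the tunnel ingress, no admin hostname routed), and the last function flags non-loopback listeners in `ss -tlnp` output, which is how to confirm the "no open inbound ports" claim on the host itself.

```shell
#!/bin/sh
# Added example (not the project's own files): writes the three configs the
# procedure above describes, then audits them for the properties the page
# depends on. Hostnames, ports, paths and the tunnel name are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

write_configs() {
  mkdir -p "$WORK"
  # 1. Compose file. Docker programs its own iptables chain ahead of ufw, so a
  #    bare "8080:80" would be reachable from outside even with a deny-all host
  #    firewall; binding to 127.0.0.1 keeps the port loopback-only. The :ro bind
  #    mount enforces read-only at the kernel, independent of File Browser's
  #    per-user permission flags.
  cat > "$WORK/docker-compose.yml" <<'EOF'
services:
  filebrowser:
    image: filebrowser/filebrowser
    restart: unless-stopped
    ports:
      - "127.0.0.1:8080:80"
    volumes:
      - ./demo-workspace:/srv:ro
EOF

  # 2. Nginx vhost: one server block per subdomain, one loopback upstream each,
  #    listening on loopback only so the vhost is reachable solely via cloudflared.
  cat > "$WORK/files.conf" <<'EOF'
server {
    listen 127.0.0.1:8081;
    server_name files.demo.example;
    access_log /var/log/nginx/files.access.log;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
EOF

  # 3. cloudflared ingress: explicit public hostnames only, then the mandatory
  #    catch-all. http_status:404 there means an unlisted hostname (an admin
  #    panel, say) gets nothing even if a DNS record for it exists.
  cat > "$WORK/cloudflared.yml" <<'EOF'
tunnel: demo-tunnel
credentials-file: /etc/cloudflared/demo-tunnel.json
ingress:
  - hostname: files.demo.example
    service: http://127.0.0.1:8081
  - service: http_status:404
EOF
}

# Returns 1 if any published port in a compose file is not pinned to 127.0.0.1
# (short "host:container" syntax only; the long form is out of scope here).
audit_port_bindings() {
  if grep -Eq '^[[:space:]]*-[[:space:]]*"?(0\.0\.0\.0:|\[::\]:)?[0-9]+:[0-9]+"?[[:space:]]*$' "$1"; then
    return 1
  fi
  return 0
}

# Returns 1 unless the last ingress rule is the 404 catch-all, or if any of the
# admin hostnames given as extra arguments has an ingress rule.
audit_ingress() {
  file="$1"; shift
  last="$(grep -E '^[[:space:]]*-?[[:space:]]*service:' "$file" | tail -n 1)"
  case "$last" in
    *http_status:404*) ;;
    *) return 1 ;;
  esac
  for admin in "$@"; do
    if grep -q "hostname: $admin" "$file"; then
      return 1
    fi
  done
  return 0
}

# Runtime check: given `ss -tlnp` output on stdin, print every TCP listener
# bound to a non-loopback address (docker-proxy on 0.0.0.0 is the classic leak).
nonloopback_listeners() {
  awk 'NR > 1 && $4 !~ /^(127\.|\[::1\])/ { print $4 }'
}

# Constructed sample of `ss -tlnp` output for a stand-alone run (not captured
# from a real host): sshd on all interfaces plus the loopback-only services.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1,fd=3))
LISTEN 0      4096   127.0.0.1:8080     0.0.0.0:*         users:(("docker-proxy",pid=2,fd=4))
LISTEN 0      511    127.0.0.1:8081     0.0.0.0:*         users:(("nginx",pid=3,fd=6))
LISTEN 0      4096   127.0.0.1:9000     0.0.0.0:*         users:(("docker-proxy",pid=4,fd=4))'

write_configs
audit_port_bindings "$WORK/docker-compose.yml"
audit_ingress "$WORK/cloudflared.yml" portainer.demo.example cockpit.demo.example
echo "configs in $WORK pass both audits"
echo "non-loopback listeners in sample ss output:"
printf '%s\n' "$SAMPLE_SS" | nonloopback_listeners
```

On the real host, run `ss -tlnp | nonloopback_listeners` after `docker compose up -d`: anything it prints is a socket that only a host-firewall rule is protecting, and for Docker-published ports ufw is not even in the path. The same grep that audits the compose file is worth running in CI before a stack is deployed.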
Skills
Infrastructure work translates directly to hireable engineering competency. Every item below maps to the services running on the self-hosted server.
| Skill Area | Demonstrated Capability | Evidence in This Project |
|---|---|---|
| Linux Server Administration | Ubuntu Server setup, user management, systemd services | Cockpit service dashboards, SSH hardening, systemd unit management |
| Containerization | Docker, container lifecycle, Compose orchestration | All services run as isolated Docker containers managed by Portainer |
| Networking & Reverse Proxy | Nginx vhost routing, subdomain isolation, upstream management | demo.vancornelio.dev → Nginx → each service via proxy_pass |
| Cloud Security | Cloudflare Tunnel, Zero Trust, no public port exposure | Zero inbound ports; all traffic through encrypted outbound tunnel |
| Infrastructure as Code | Terraform for provisioning, reproducible environments | AWS EC2 + Terraform in DriftCode project; Docker Compose as declarative IaC |
| Backend Deployment | Service deployment, health checks, uptime monitoring | Portainer + Cockpit verify running state; systemd handles restarts |
| DevOps Practice | CI/CD pipelines (GitHub Actions), Docker-based build flows | Cross-project: iAyos, Govani Tech, DriftCode CI/CD pipelines |