update skills

2026-03-21 18:11:27 -07:00 · 2026-03-17 16:53:22 -07:00
parent 0b0783ef8e
commit f9a530667e
389 changed files with 54512 additions and 1 deletions
--- a/.agents/skills/cloudflare-deploy/references/spectrum/configuration.md
+++ b/.agents/skills/cloudflare-deploy/references/spectrum/configuration.md
@@ -0,0 +1,194 @@
+## Origin Types
+
+### Direct IP Origin
+
+Use when origin is a single server with static IP.
+
+**TypeScript SDK:**
+```typescript
+const app = await client.spectrum.apps.create({
+  zone_id: 'your-zone-id',
+  protocol: 'tcp/22',
+  dns: { type: 'CNAME', name: 'ssh.example.com' },
+  origin_direct: ['tcp://192.0.2.1:22'],
+  ip_firewall: true,
+  tls: 'off',
+});
+```
+
+**Terraform:**
+```hcl
+resource "cloudflare_spectrum_application" "ssh" {
+  zone_id  = var.zone_id
+  protocol = "tcp/22"
+
+  dns {
+    type = "CNAME"
+    name = "ssh.example.com"
+  }
+
+  origin_direct      = ["tcp://192.0.2.1:22"]
+  ip_firewall        = true
+  tls                = "off"
+  argo_smart_routing = true
+}
+```
+
+### CNAME Origin
+
+Use when origin is a hostname (not static IP). Spectrum resolves DNS dynamically.
+
+**TypeScript SDK:**
+```typescript
+const app = await client.spectrum.apps.create({
+  zone_id: 'your-zone-id',
+  protocol: 'tcp/3306',
+  dns: { type: 'CNAME', name: 'db.example.com' },
+  origin_dns: { name: 'db-primary.internal.example.com' },
+  origin_port: 3306,
+  tls: 'full',
+});
+```
+
+**Terraform:**
+```hcl
+resource "cloudflare_spectrum_application" "database" {
+  zone_id  = var.zone_id
+  protocol = "tcp/3306"
+
+  dns {
+    type = "CNAME"
+    name = "db.example.com"
+  }
+
+  origin_dns {
+    name = "db-primary.internal.example.com"
+  }
+
+  origin_port        = 3306
+  tls                = "full"
+  argo_smart_routing = true
+}
+```
+
+### Load Balancer Origin
+
+Use for high availability and failover.
+
+**Terraform:**
+```hcl
+resource "cloudflare_load_balancer" "game_lb" {
+  zone_id          = var.zone_id
+  name             = "game-lb.example.com"
+  default_pool_ids = [cloudflare_load_balancer_pool.game_pool.id]
+}
+
+resource "cloudflare_load_balancer_pool" "game_pool" {
+  name    = "game-primary"
+  origins { name = "game-1"; address = "192.0.2.1" }
+  monitor = cloudflare_load_balancer_monitor.tcp_monitor.id
+}
+
+resource "cloudflare_load_balancer_monitor" "tcp_monitor" {
+  type = "tcp"; port = 25565; interval = 60; timeout = 5
+}
+
+resource "cloudflare_spectrum_application" "game" {
+  zone_id  = var.zone_id
+  protocol = "tcp/25565"
+  dns { type = "CNAME"; name = "game.example.com" }
+  origin_dns { name = cloudflare_load_balancer.game_lb.name }
+  origin_port = 25565
+}
+```
+
+## TLS Configuration
+
+| Mode | Description | Use Case | Origin Cert |
+|------|-------------|----------|-------------|
+| `off` | No TLS | Non-encrypted (SSH, gaming) | No |
+| `flexible` | TLS client→CF, plain CF→origin | Testing | No |
+| `full` | TLS end-to-end, self-signed OK | Production | Yes (any) |
+| `strict` | Full + valid cert verification | Max security | Yes (CA) |
+
+**Example:**
+```typescript
+const app = await client.spectrum.apps.create({
+  zone_id: 'your-zone-id',
+  protocol: 'tcp/3306',
+  dns: { type: 'CNAME', name: 'db.example.com' },
+  origin_direct: ['tcp://192.0.2.1:3306'],
+  tls: 'strict',  // Validates origin certificate
+});
+```
+
+## Proxy Protocol
+
+Forwards real client IP to origin. Origin must support parsing.
+
+| Version | Protocol | Use Case |
+|---------|----------|----------|
+| `off` | - | Origin doesn't need client IP |
+| `v1` | TCP | Most TCP apps (SSH, databases) |
+| `v2` | TCP | High-performance TCP |
+| `simple` | UDP | UDP applications |
+
+**Compatibility:**
+- **v1**: HAProxy, nginx, SSH, most databases
+- **v2**: HAProxy 1.5+, nginx 1.11+
+- **simple**: Cloudflare-specific UDP format
+
+**Enable:**
+```typescript
+const app = await client.spectrum.apps.create({
+  // ...
+  proxy_protocol: 'v1',  // Origin must parse PROXY header
+});
+```
+
+**Origin Config (nginx):**
+```nginx
+stream {
+    server {
+        listen 22 proxy_protocol;
+        proxy_pass backend:22;
+    }
+}
+```
+
+## IP Access Rules
+
+Enable `ip_firewall: true` then configure zone-level firewall rules.
+
+```typescript
+const app = await client.spectrum.apps.create({
+  // ...
+  ip_firewall: true,  // Applies zone firewall rules
+});
+```
+
+## Port Ranges (Enterprise Only)
+
+```hcl
+resource "cloudflare_spectrum_application" "game_cluster" {
+  zone_id  = var.zone_id
+  protocol = "tcp/25565-25575"
+
+  dns {
+    type = "CNAME"
+    name = "games.example.com"
+  }
+
+  origin_direct = ["tcp://192.0.2.1"]
+  
+  origin_port {
+    start = 25565
+    end   = 25575
+  }
+}
+```
+
+## See Also
+
+- [patterns.md](patterns.md) - Protocol-specific examples
+- [api.md](api.md) - REST/SDK reference