bunny.net — Checklist

OWNER: karel
ALSO_USED_BY: stef (DNS/certs)
LAST_VERIFIED: 2026-03-26
GE_STACK_VERSION: bunnynet Terraform provider (BunnyWay/bunnynet) latest


NEW PULL ZONE CHECKLIST (per client project)

  • [ ] CHECK: Pull zone name follows ge-{client}-{project} pattern
    IF_SKIPPED: naming inconsistency, hard to identify in dashboard
  • [ ] CHECK: Origin URL points to UpCloud Load Balancer (Zones 2+3)
    IF_SKIPPED: traffic goes to wrong origin
  • [ ] CHECK: Origin Shield enabled, zone set to NL
    IF_SKIPPED: 119 PoPs hit origin directly — 80-90% more origin load
    ADDED_FROM: origin-overload-2026-02
  • [ ] CHECK: Bunny Shield (WAF) enabled
    IF_SKIPPED: no WAF protection — compliance violation
  • [ ] CHECK: Shield in learning mode for first 48-72 hours
    IF_SKIPPED: false positives block legitimate traffic
  • [ ] CHECK: TLS 1.3 enabled
    IF_SKIPPED: weaker encryption, slower handshakes
  • [ ] CHECK: add_host_header matches origin hostname
    IF_SKIPPED: origin returns 404 for all requests
    ADDED_FROM: origin-404-2026-02
  • [ ] CHECK: cache_error_responses = false
    IF_SKIPPED: error pages cached and served to all users
  • [ ] CHECK: Custom hostname added with force_ssl = true
    IF_SKIPPED: HTTP access possible — compliance violation

DNS CHECKLIST (per client domain)

  • [ ] CHECK: DNS zone created in bunny.net via Terraform
    IF_SKIPPED: unmanaged DNS, no audit trail
  • [ ] CHECK: CNAME record points to {pullzone}.b-cdn.net
    IF_SKIPPED: CDN not serving traffic
  • [ ] CHECK: Root domain uses CNAME flattening (FLATTEN type)
    IF_SKIPPED: root domain cannot use CNAME (DNS spec violation)
  • [ ] CHECK: CAA record includes letsencrypt.org if CAA is used
    IF_SKIPPED: SSL certificate provisioning fails
    ADDED_FROM: ssl-provisioning-delay-2026-03
  • [ ] CHECK: stef (DNS/certs) has reviewed the DNS configuration
    IF_SKIPPED: potential DNS misconfiguration

SECURITY CHECKLIST (production)

  • [ ] CHECK: Bunny Shield Advanced enabled ($9.50/month)
    IF_SKIPPED: no AI WAF, no zero-day protection
  • [ ] CHECK: WAF in enforcement mode (not learning mode)
    IF_SKIPPED: threats detected but not blocked
  • [ ] CHECK: DDoS protection enabled
    IF_SKIPPED: volumetric attacks hit origin directly
  • [ ] CHECK: Token authentication configured for protected content
    IF_SKIPPED: premium content accessible without auth
  • [ ] CHECK: WAF logging enabled with 30-day retention
    IF_SKIPPED: no forensic data for incident investigation

CACHE CHECKLIST

  • [ ] CHECK: Static assets cached 30 days at edge, 1 day in browser
    IF_SKIPPED: unnecessary origin requests, higher latency
  • [ ] CHECK: API responses set Cache-Control: no-store
    IF_SKIPPED: dynamic data cached, stale responses served
  • [ ] CHECK: Vary header is specific (not Vary: *)
    IF_SKIPPED: cache disabled entirely or exploded cardinality
  • [ ] CHECK: Cache hit ratio above 90% for static assets
    IF_SKIPPED: CDN not effective, origin overloaded
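
The header checks in this cache checklist can be run against captured responses. The following is an added example, not part of the original checklist or the project's tooling. The sample paths, headers and finding names are constructed, and the 30-day edge lifetime is assumed to be configured on the pull zone, so only the browser-facing headers are checked.

```python
# Added example, not the project's tooling. Sample responses are constructed;
# the paths and the "api"/"static" labels are assumptions.
BROWSER_TTL = 86400  # "1 day in browser" from the checklist, in seconds

def parse_cache_control(value):
    """Parse a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def audit_response(kind, headers):
    """Return checklist findings for one response; kind is "api" or "static"."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))
    findings = []
    # Vary: * is what the checklist rules out; a specific list is fine.
    if "*" in [v.strip() for v in h.get("vary", "").split(",")]:
        findings.append("vary-star")
    if kind == "api":
        if "no-store" not in cc:
            findings.append("api-missing-no-store")
    elif "no-store" in cc or "private" in cc:
        findings.append("static-not-cacheable")
    else:
        # Edge lifetime (30 days) is assumed to live in pull zone settings.
        max_age = cc.get("max-age") or ""
        if not max_age.isdigit() or int(max_age) != BROWSER_TTL:
            findings.append("static-browser-ttl")
    return findings

# Constructed sample responses: (path, kind, headers)
SAMPLES = [
    ("/api/v1/orders", "api", {"Cache-Control": "private, max-age=0", "Vary": "Accept-Encoding"}),
    ("/api/v1/profile", "api", {"Cache-Control": "no-store"}),
    ("/assets/app.css", "static", {"Cache-Control": "public, max-age=86400", "Vary": "*"}),
    ("/assets/logo.png", "static", {"cache-control": "public, max-age=60", "Vary": "Accept-Encoding"}),
]

def audit_all(samples):
    """Map each path to its list of findings."""
    return {path: audit_response(kind, hdrs) for path, kind, hdrs in samples}

if __name__ == "__main__":
    for path, findings in audit_all(SAMPLES).items():
        print(path, "OK" if not findings else ", ".join(findings))
```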

COST CHECKLIST

  • [ ] CHECK: Shield Advanced only on production pull zones
    IF_SKIPPED: $9.50/month per dev/staging zone adds up
    ADDED_FROM: billing-review-2026-03
  • [ ] CHECK: Edge Storage replication only to needed regions
    IF_SKIPPED: 4x storage cost from unnecessary replication
    ADDED_FROM: billing-review-2026-03
  • [ ] CHECK: Edge Scripting cost estimated before deployment
    IF_SKIPPED: per-request costs on high-traffic scripts

CROSS-REFERENCES

READ_ALSO: wiki/docs/stack/bunnynet/index.md
READ_ALSO: wiki/docs/stack/bunnynet/cdn.md
READ_ALSO: wiki/docs/stack/bunnynet/security.md
READ_ALSO: wiki/docs/stack/bunnynet/pitfalls.md