🔒 Subdomain Setup Guide

Turn http://34.55.179.122:8501 into https://morpheus.callbrightside.com
HTTPS, custom subdomain, professional URL, padlock icon in browser.
⏱ Total time: 15-25 minutes

📌 Current Setup vs. Target

Item | Current | After
--- | --- | ---
URL | http://34.55.179.122:8501 | https://morpheus.callbrightside.com
HTTPS | ❌ No (browser shows "Not Secure") | ✅ Yes (padlock icon)
Access | IP + port number | Clean subdomain
Cert Renewal | N/A | Auto-renews every 90 days
Firewall | Port 8501 open to internet | Port 443 only (nginx proxy)

🌐 Phase 1: DNS Record in Cloudflare

⏱ 2 minutes

💡 Why Cloudflare, Not Squarespace?

The domain callbrightside.com is registered through Squarespace, but DNS is managed by Cloudflare (nameservers: nick.ns.cloudflare.com, kim.ns.cloudflare.com). Squarespace even shows a warning: "Your DNS records are managed with your third-party nameserver provider." So the A record MUST be added in Cloudflare, not Squarespace.

🌐 Step 1: Open Cloudflare Dashboard
📁 Go to dash.cloudflare.com and log in
👤 Use the account that manages callbrightside.com
📁 Click on callbrightside.com in your site list
📁 Click DNS in the left sidebar, then Records
➕ Step 2: Add DNS A Record
➕ Click "Add record" button
Fill in these fields exactly:
Type: A
Name: morpheus
IPv4: 34.55.179.122
Proxy: DNS only (gray cloud, NOT orange)
⚠️ IMPORTANT: Set proxy status to "DNS only" (gray cloud). If you use the orange cloud (Proxied), Cloudflare will try to proxy the WebSocket connection and Streamlit will break.
💾 Click "Save"
✅ You should now see the record in the list
🔍 Step 3: Verify DNS Propagation
Open a new terminal/command prompt on your computer and run:
nslookup morpheus.callbrightside.com
✅ You should see 34.55.179.122 in the response
⏳ If not, wait 2-3 minutes and try again (Cloudflare DNS is usually instant)

⚙️ Phase 2: Install Nginx on VM

⏱ 5 minutes
💻 Step 4: SSH into the VM
Open your terminal and run:
gcloud compute ssh nexus-vm --zone=us-central1-a
✅ You should see the Ubuntu welcome banner and a dovew@nexus-vm:~$ prompt
📦 Step 5: Install Nginx + Certbot
Run these commands one by one:
sudo apt update
sudo apt install nginx certbot python3-certbot-nginx -y
⏳ This takes 1-2 minutes. You will see package installation output.
✅ When done, verify nginx is running:
sudo systemctl status nginx
You should see active (running)
📝 Step 6: Create Nginx Config
Create the reverse proxy configuration file:
sudo nano /etc/nginx/sites-available/morpheus
Paste this ENTIRE block (right-click to paste in terminal):
server {
    listen 80;
    server_name morpheus.callbrightside.com;
    location / {
        # Forward to Streamlit on the loopback interface only
        proxy_pass http://127.0.0.1:8501;
        # WebSocket upgrade headers (without these, Streamlit shows WebSocket errors)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 86400;
        proxy_buffering off;
    }
    location /_stcore/health {
        proxy_pass http://127.0.0.1:8501/_stcore/health;
    }
}
💾 Press Ctrl+O then Enter to save
💾 Press Ctrl+X to exit nano
🔗 Step 7: Enable the Config + Test
Run these commands:
sudo ln -s /etc/nginx/sites-available/morpheus /etc/nginx/sites-enabled/morpheus
sudo nginx -t
✅ You should see: "nginx: configuration file /etc/nginx/nginx.conf test is successful"
If the test passes, restart nginx:
sudo systemctl restart nginx

🛡️ Phase 3: Open Port 80/443 on GCP

⏱ 2 minutes
🔐 Step 8: Verify Firewall Rules
The VM already has http-server and https-server network tags, which auto-allow ports 80 and 443. Verify:
gcloud compute firewall-rules list --filter="name:default-allow-http OR name:default-allow-https" --format="table(name,allowed,sourceRanges)"
✅ You should see rules allowing tcp:80 and tcp:443 from 0.0.0.0/0
If missing, create them:
gcloud compute firewall-rules create allow-http --allow=tcp:80 --target-tags=http-server --source-ranges=0.0.0.0/0
gcloud compute firewall-rules create allow-https --allow=tcp:443 --target-tags=https-server --source-ranges=0.0.0.0/0
🔎 Step 9: Test HTTP Access
Open your browser and go to:
http://morpheus.callbrightside.com
✅ You should see the Nexus Dashboard (without HTTPS yet)
❌ If you get "connection refused", wait 1 minute and try again
⚠️ If it still doesn't work, SSH back into the VM and check: sudo nginx -t && sudo systemctl status nginx

🔒 Phase 4: SSL Certificate (HTTPS)

⏱ 3 minutes
🔒 Step 10: Get SSL Certificate from Let's Encrypt
SSH into the VM (if not already connected) and run:
sudo certbot --nginx -d morpheus.callbrightside.com
Certbot will ask a few questions:
📩 Email address: Enter robert.dove@callbrightside.com
Terms of Service: Type Y and press Enter
📩 Share email with EFF: Type N and press Enter

Certbot will automatically:
1. Verify you own the domain (via HTTP challenge)
2. Download the SSL certificate
3. Update the nginx config to use HTTPS
4. Set up auto-redirect from HTTP to HTTPS
✅ You should see: "Congratulations! Your certificate and chain have been saved"
🔄 Step 11: Test Auto-Renewal
Let's Encrypt certificates expire every 90 days. Certbot auto-renews, but let's verify:
sudo certbot renew --dry-run
✅ You should see: "Congratulations, all simulated renewals succeeded"
The system will auto-renew before expiration. No manual action needed.

🏆 Phase 5: Verify Everything Works

⏱ 2 minutes
🌐 Step 12: Final Verification
Open your browser and go to:
https://morpheus.callbrightside.com
Padlock icon should appear in browser address bar
Dashboard loads with all pages working
Login works (test all roles: robert, kalen, stephanie)
WebSocket works (real-time updates, no "WebSocket connection failed" errors in console)
http:// auto-redirects to https://
🎉 DONE! Share https://morpheus.callbrightside.com with the team. Professional, secure, no IP addresses or port numbers.

🛡️ Optional: Restrict Access to Office IP Only

Right now the dashboard is accessible from anywhere, and port 8501 is still open to the internet alongside the nginx proxy. To lock it down to your office/home IP:

# 1. Find your IP
curl ifconfig.me
# 2. Update the firewall rule (replace YOUR_IP; if you created the rule in Step 8, its name is allow-https)
gcloud compute firewall-rules update default-allow-https \
    --source-ranges=YOUR_IP/32
# 3. Close port 8501 (no longer needed, nginx proxies)
gcloud compute firewall-rules delete allow-streamlit-8501

⚠️ Warning: If your IP changes (home internet resets), you will lose access until you update the rule. Consider using a VPN with a static IP for more reliable access.

💡 Future Plan: One Dashboard for All

Current: Port 8501 (Ashton) and Port 8502 (Robert) run separate Streamlit instances.

After subdomain: One instance at morpheus.callbrightside.com for everyone. Role-based access (login page) controls what each person sees. Perfect this one dashboard first, then create role-specific views if needed later.

To consolidate: After subdomain is live, shut down port 8502 service and close the firewall rule:

sudo systemctl stop nexus-executive
sudo systemctl disable nexus-executive
gcloud compute firewall-rules delete allow-nexus-executive-8502
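
To confirm that both cleanup steps (closing 8501 in the optional section and 8502 here) took effect, the firewall rule list can be audited. This is an added example, not part of the original guide: it reads JSON in the shape printed by gcloud compute firewall-rules list --format=json and reports rules that expose anything beyond ports 80 and 443 to every address. The function names are assumptions, the sample data is constructed, and 203.0.113.7 is a placeholder office address.

```python
import ipaddress
import json

INTENDED = {80, 443}  # ports the guide means to leave public (nginx only)

def ports_in(spec):
    """Expand a port spec such as "8501" or "8000-9000" into a set of ints."""
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def world_open(rule):
    """True if an enabled ingress rule accepts traffic from any address."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    return any(ipaddress.ip_network(r).prefixlen == 0
               for r in rule.get("sourceRanges", []))

def audit(rules, intended=INTENDED):
    """Return (rule name, port spec) pairs open to the internet beyond `intended`."""
    findings = []
    for rule in rules:
        if not world_open(rule):
            continue
        for entry in rule.get("allowed", []):
            if entry.get("IPProtocol") not in ("tcp", "all"):
                continue
            # A tcp/all entry without "ports" allows every port.
            for spec in entry.get("ports") or ["0-65535"]:
                if ports_in(spec) - intended:
                    findings.append((rule["name"], spec))
    return findings

# Constructed sample; rule names are the ones this guide mentions.
SAMPLE = json.loads("""[
 {"name": "default-allow-http", "direction": "INGRESS",
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
 {"name": "default-allow-https", "direction": "INGRESS",
  "sourceRanges": ["203.0.113.7/32"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
 {"name": "allow-streamlit-8501", "direction": "INGRESS",
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["8501"]}]},
 {"name": "allow-nexus-executive-8502", "direction": "INGRESS",
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["8502"]}]}
]""")

if __name__ == "__main__":
    for name, spec in audit(SAMPLE):
        print(f"{name}: tcp:{spec} is reachable from any address")
```

An empty result means only ports 80 and 443 remain open to every address; any SSH rule open to 0.0.0.0/0 will also be listed for review.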

🚧 Troubleshooting

Problem | Fix
--- | ---
"Connection refused" | Check nginx is running: sudo systemctl status nginx
"502 Bad Gateway" | Streamlit not running: sudo systemctl restart nexus-dashboard
"DNS not found" | Wait 5 min for DNS propagation, or check Cloudflare A record for "morpheus" (NOT Squarespace, DNS is managed by Cloudflare)
Certbot fails | Ensure port 80 is open and DNS points to VM IP
WebSocket errors | Nginx config missing Upgrade headers. Re-paste Step 6 config.
Dashboard blank | Check Streamlit logs: sudo journalctl -u nexus-dashboard -n 50
Cert expired | Run: sudo certbot renew (should auto-renew)
Lost access after IP change | Update firewall: gcloud compute firewall-rules update ... with new IP