Leave the orange cloud.
Without breaking your site.

flareover reads your existing edge setup — DNS, TLS certificates, redirects, WAF rules, caching — and rebuilds it faithfully on your own EU servers (open-source, self-hosted). It never emits config that silently changes how your site behaves: what it can't map exactly, it asks about or flags — it never guesses.

● AGPL-3.0 · self-hostable · no lock-in

It refuses to guess

Every element of your edge gets exactly one verdict. Behavior-changing config is emitted only when equivalence is proven or you answer a bounded yes/no. That honesty is the product.

AUTO

A provably-equivalent target mapping exists. Config is generated.

ASK

A faithful mapping exists with one enumerable ambiguity. A single yes/no resolves it — cached, reviewable.

MANUAL

No faithful mapping (arbitrary edge code, ML bot-scoring). Surfaced with a reason, never guessed.

How it works — five phases

Read-only extraction to a gated, reversible cutover. Every step is deterministic; the parity gate blocks the flip unless the new edge behaves identically.

Assess Prepare Present Execute Guard GATE: PASS ✓

An honest report, at a glance

The engine tells you exactly what carries, what needs a decision, and what it won't touch — before anything changes.

$ flareover assess zone.snapshot.json

╭─ flareover · assessment · example.com ─────────────╮
 43 elements    31 AUTO    11 ASK    1 MANUAL
╰────────────────────────────────────────────────────╯

 MANUAL  (1)
   config-rule  tweak features on /api  → —
     Provider-only edge feature (email obfuscation): no Caddy equivalent.

 ASK  (11)
   dns  A app.example.com   powerdns
     ? Real origin (host:port) behind the orange cloud?

 AUTO  (31)
   tls  hsts   caddy
   waf-custom  block bad UA   caddy-waf
   redirect  apex → www   caddy

Validated end-to-end on a real zone

A real zone was migrated and cut over off its old managed edge, then verified end-to-end. The parity gate first blocked a divergence, and only passed once the new edge behaved identically — these are the checks it ran:

CertificateLet's Encrypt ✓
Server headerown edge · no CDN ✓
apex → www redirect301 → 200 ✓
Security headers3/3 ✓
WAF (malicious UA)403 blocked ✓
Edge cachesouin HIT ✓
Parity gatePASS ✓
Rollback1 command ✓

 GATE: PASS   no behavior-changing divergence — cutover permitted.

Your new edge — EU-sovereign, flat cost

No traffic or egress fees. No exposure to a future price or policy change. Every target is tagged with its jurisdiction, so the migration provably stays EU-scoped.

ConcernToolwhere
Authoritative DNSPowerDNSEU
Reverse proxy · TLS · HTTP/3Caddyfree
WAFcaddy-waffree
Edge cachesouinfree
CertificatesCertMate · Let's Encrypt / ActalisEU CA option
Object storage (S3-compatible →)MinIOno egress fee
Landing zonerefurbished bare metal → Proxmox → LXCEU

Leave the storage too

The same 0% FP discipline migrates S3-compatible object storage (R2, S3, …) onto sovereign MinIO. The engine maps the configuration; rclone copies the data — into the EU, with no egress fee. A public bucket is never made public without your explicit yes; an IAM policy is flagged, never guessed.