1. **Centralized Management**: Single web UI to manage all RPC routing
2. **Type-Based Routing**: Route requests to appropriate RPC node type (Public, Core, Permissioned, etc.)
3. **SSL Termination**: Handle HTTPS at the proxy level
4. **Access Control**: Different access rules per RPC node type
5. **Simplified RPC Nodes**: Remove nginx from RPC nodes (they just run Besu)
6. **Better Monitoring**: Central point to monitor RPC traffic
**Note**: RPC nodes 2500-2502 are **different types**, not redundant instances. Therefore, load balancing/failover between them is NOT appropriate. See `docs/RPC_NODE_TYPES_ARCHITECTURE.md` for details.
---
## Implementation Options
### Option 1: Use VMID 105 Only (Recommended)
**Remove nginx from RPC nodes** and use nginx-proxy-manager exclusively:
**Steps**:
1. Remove nginx package from `install/besu-rpc-install.sh` ✅ **DONE**
2. Configure nginx-proxy-manager (VMID 105) with **separate proxy hosts** for each RPC node type:
   - **Access**: Additional authentication/authorization as needed
---
### Option 2: Hybrid Approach
**Keep both** but use them for different purposes:
- **nginx-proxy-manager (VMID 105)**:
  - Public-facing entry point
  - SSL termination
  - Load balancing across RPC nodes
- **nginx on RPC nodes**:
  - Optional: Local rate limiting
  - Optional: Node-specific routing
  - Can be used for internal routing within the container
**Use Case**: If you need per-node rate limiting or complex local routing
---
## Configuration Details
### nginx-proxy-manager Configuration (VMID 105)
**Proxy Host Setup**:
1. Access nginx-proxy-manager web UI (typically port 81)
2. Add Proxy Host:
   - **Domain Names**: `rpc.besu.local`, `rpc.chainid138.local` (or your domain)
   - **Scheme**: `http`
   - **Forward Hostname/IP**: Use load balancer with:
     - `192.168.11.250:8545`
     - `192.168.11.251:8545`
     - `192.168.11.252:8545`
   - **Forward Port**: `8545`
   - **Cache Assets**: Disabled (RPC responses shouldn't be cached)
   - **Websockets**: Enabled
   - **Block Common Exploits**: Enabled
   - **SSL**: Configure Let's Encrypt or custom certificate
**Type-Based Routing Configuration**:
Since RPC nodes are different types (not redundant instances), configure **separate proxy hosts** rather than load balancing:
1. **Core RPC Proxy**: Routes to `192.168.11.250:8545` only (VMID 2500)
2. **Permissioned RPC Proxy**: Routes to `192.168.11.251:8545` only (VMID 2501)
3. **Public RPC Proxy**: Routes to `192.168.11.252:8545` only (VMID 2502)
**Health Checks**: Enable health checks for each proxy host to detect if the specific node type is down
**Note**: If you deploy multiple instances of the same type (e.g., 2 Public RPC nodes), THEN you can configure load balancing within that type's proxy host.
**WebSocket Support**:
- Add separate proxy host for WebSocket:
  - **Forward Port**: `8546`
  - **Websockets**: Enabled
  - **Domain**: `rpc-ws.besu.local` (or subdomain)
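A lint for the routing rules above, as an added example that is not part of the project's own tooling: it flags any proxy host whose upstreams span more than one RPC node type, along with the cache, WebSocket and exploit-blocking settings listed under Proxy Host Setup. The inventory layout, the `rpc-lb.besu.local` host and the function names are hypothetical; this is not nginx-proxy-manager's export format.

```python
# Added example: lint a proxy-host inventory against this page's routing rules.
# The dict layout below is hypothetical, not nginx-proxy-manager's own format.

# Backend IP -> RPC node type, taken from the page (VMIDs 2500-2502).
NODE_TYPES = {
    "192.168.11.250": "core",
    "192.168.11.251": "permissioned",
    "192.168.11.252": "public",
}
RPC_PORTS = {"8545", "8546"}  # HTTP RPC and WebSocket ports named on the page


def lint_proxy_host(host):
    """Return a list of findings for one proxy host definition."""
    findings = []
    types = set()
    for upstream in host["upstreams"]:
        ip, _, port = upstream.partition(":")
        if ip not in NODE_TYPES:
            findings.append(f"unknown upstream {upstream}")
            continue
        types.add(NODE_TYPES[ip])
        if port not in RPC_PORTS:
            findings.append(f"unexpected port on {upstream}")
    # Different node types behind one hostname defeats per-type access rules.
    if len(types) > 1:
        findings.append("mixes node types: " + ", ".join(sorted(types)))
    if host.get("cache_assets"):
        findings.append("cache assets enabled")
    if not host.get("websockets"):
        findings.append("websockets disabled")
    if not host.get("block_exploits"):
        findings.append("block common exploits disabled")
    return findings


def lint_all(hosts):
    """Map each proxy host's domain to its findings."""
    return {h["domain"]: lint_proxy_host(h) for h in hosts}


# Constructed sample inventory: one correct host, one misconfigured host.
HOSTS = [
    {"domain": "rpc.besu.local", "upstreams": ["192.168.11.252:8545"],
     "cache_assets": False, "websockets": True, "block_exploits": True},
    {"domain": "rpc-lb.besu.local",  # hypothetical host that load balances across types
     "upstreams": ["192.168.11.250:8545", "192.168.11.251:8545", "192.168.11.252:8545"],
     "cache_assets": True, "websockets": True, "block_exploits": True},
]

if __name__ == "__main__":
    for domain, findings in lint_all(HOSTS).items():
        print(domain, "OK" if not findings else findings)
```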
---
### Removing nginx from RPC Nodes (Option 1)
**Update `install/besu-rpc-install.sh`**:
Remove nginx from apt packages:
```bash
apt-get install -y -qq \
    openjdk-17-jdk \
    wget \
    curl \
    jq \
    netcat-openbsd \
    iproute2 \
    iptables \
    ca-certificates \
    gnupg \
    lsb-release
    # nginx <-- REMOVE THIS LINE
```
**Update documentation**:
- Remove nginx from `docs/APT_PACKAGES_CHECKLIST.md` for RPC nodes
- Update architecture diagrams to show nginx-proxy-manager as entry point
---
## Network Flow
### Current Flow (with nginx on RPC nodes):
```
Internet → nginx-proxy-manager (VMID 105) → [Optional] nginx on RPC node → Besu (8545)
```
### Recommended Flow (nginx-proxy-manager only):
```
Internet → nginx-proxy-manager (VMID 105) → Besu RPC Node (2500-2502:8545)
```
- **[../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md](../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md)** - DNS mapping to containers
### External References
- [nginx-proxy-manager](https://nginxproxymanager.com/) - Official documentation