Complete markdown files cleanup and organization

- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
This commit is contained in:
defiQUG
2026-01-06 01:46:25 -08:00
parent 1edcec953c
commit cb47cce074
1327 changed files with 217220 additions and 801 deletions

View File

@@ -0,0 +1,600 @@
# Cloudflare DNS Configuration for Specific Services
**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Status:** Service-Specific DNS Mapping
---
## Overview
This document provides specific Cloudflare DNS and tunnel configuration for:
1. **Mail Server** (VMID 100) - Mail services for all domains
2. **Public RPC Node** (VMID 2502) - Besu RPC-3 for public access
3. **Solace Frontend** (VMID 300X) - Solace frontend application
---
## Service 1: Mail Server (VMID 100)
### Container Information
- **VMID**: 100
- **Service**: Mail server (Postfix, Dovecot, or similar)
- **Purpose**: Handle mail for all domains
- **IP Address**: To be determined (check with `pct config 100`)
- **Ports**:
- SMTP: 25 (or 587 for submission)
- IMAP: 143 (or 993 for IMAPS)
- POP3: 110 (or 995 for POP3S)
### DNS Records Required
**For each domain that will use this mail server:**
#### MX Records (Mail Exchange)
```
Type: MX
Name: @ (or domain root)
Priority: 10
Target: mail.yourdomain.com
TTL: Auto
Proxy: ❌ DNS only (gray cloud) - MX records cannot be proxied
```
**Example for multiple domains:**
- `yourdomain.com` → MX 10 `mail.yourdomain.com`
- `anotherdomain.com` → MX 10 `mail.anotherdomain.com`
#### A/CNAME Records for Mail Server
```
Type: A (or CNAME if using tunnel)
Name: mail
Target: <tunnel-id>.cfargotunnel.com (if using tunnel)
OR <server-ip> (if direct access)
TTL: Auto
Proxy: 🟠 Proxied (if using tunnel)
❌ DNS only (if direct access with public IP)
```
**Note**: Mail servers typically need direct IP access for MX records. If using Cloudflare tunnel, you may need to:
- Use A records pointing to public IPs for MX
- Use tunnel for webmail interface only
### Tunnel Configuration (Optional - for Webmail)
If your mail server has a webmail interface:
**In Cloudflare Tunnel Dashboard:**
```
Subdomain: webmail
Domain: yourdomain.com
Service: http://<mail-server-ip>:80
OR https://<mail-server-ip>:443
```
**DNS Record:**
```
Type: CNAME
Name: webmail
Target: <tunnel-id>.cfargotunnel.com
Proxy: 🟠 Proxied
```
### Mail Server Ports Configuration
**Important**: Cloudflare tunnels can handle HTTP/HTTPS traffic, but mail protocols (SMTP, IMAP, POP3) require direct connection or special configuration.
**Options:**
1. **Direct Public IP** (Recommended for mail):
- Assign public IP to mail server
- Create A records pointing to public IP
- Configure firewall rules
2. **Cloudflare Tunnel for Webmail Only**:
- Use tunnel for webmail interface
- Use direct IP for mail protocols (SMTP, IMAP, POP3)
3. **SMTP Relay via Cloudflare** (Advanced):
- Use Cloudflare Email Routing for incoming mail
- Configure mail server for outgoing mail only
### Recommended Configuration
```
MX Records (All Domains):
yourdomain.com → MX 10 mail.yourdomain.com
anotherdomain.com → MX 10 mail.anotherdomain.com
A Record (Mail Server):
mail.yourdomain.com → A <public-ip> (if direct access)
OR
mail.yourdomain.com → CNAME <tunnel-id>.cfargotunnel.com (if tunnel)
CNAME Record (Webmail):
webmail.yourdomain.com → CNAME <tunnel-id>.cfargotunnel.com
Proxy: 🟠 Proxied
```
---
## Service 2: Public RPC Node (VMID 2502)
### Container Information
- **VMID**: 2502
- **Hostname**: besu-rpc-3
- **IP Address**: 192.168.11.252
- **Service**: Besu JSON-RPC API
- **Port**: 8545 (HTTP-RPC), 8546 (WebSocket-RPC)
- **Purpose**: Public access to blockchain RPC endpoint
### DNS Records
#### Primary RPC Endpoint
```
Type: CNAME
Name: rpc
Target: <tunnel-id>.cfargotunnel.com
TTL: Auto
Proxy: 🟠 Proxied (orange cloud) - Required for tunnel
```
**Alternative subdomains:**
```
rpc-public.yourdomain.com
rpc-mainnet.yourdomain.com
api.yourdomain.com (if this is the primary API)
```
### Tunnel Configuration
**In Cloudflare Tunnel Dashboard:**
**Public Hostname:**
```
Subdomain: rpc
Domain: yourdomain.com
Service: http://192.168.11.252:8545
```
**For WebSocket Support:**
```
Subdomain: rpc-ws
Domain: yourdomain.com
Service: http://192.168.11.252:8546
```
**Or use single endpoint with path-based routing:**
```
Subdomain: rpc
Domain: yourdomain.com
Service: http://192.168.11.252:8545
Path: /ws → http://192.168.11.252:8546
```
### Complete Configuration Example
**DNS Records:**
| Type | Name | Target | Proxy |
|------|------|--------|-------|
| CNAME | `rpc` | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied |
| CNAME | `rpc-ws` | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied |
**Tunnel Ingress:**
```yaml
ingress:
# HTTP JSON-RPC
- hostname: rpc.yourdomain.com
service: http://192.168.11.252:8545
# WebSocket RPC
- hostname: rpc-ws.yourdomain.com
service: http://192.168.11.252:8546
# Catch-all
- service: http_status:404
```
### Testing
**Test HTTP-RPC:**
```bash
curl -X POST https://rpc.yourdomain.com \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"method": "eth_blockNumber",
"params": [],
"id": 1
}'
```
**Test WebSocket (from browser console):**
```javascript
const ws = new WebSocket('wss://rpc-ws.yourdomain.com');
ws.onopen = () => {
ws.send(JSON.stringify({
jsonrpc: "2.0",
method: "eth_blockNumber",
params: [],
id: 1
}));
};
```
### Security Considerations
1. **Rate Limiting**: Configure rate limiting in Cloudflare
2. **DDoS Protection**: Cloudflare automatically provides DDoS protection
3. **Access Control**: Consider adding Cloudflare Access for additional security
4. **API Keys**: Implement API key authentication at application level
5. **CORS**: Configure CORS headers if needed for web applications
---
## Service 3: Solace Frontend (VMID 300X)
### Container Information
- **VMID**: 300X (specific VMID to be determined)
- **Service**: Solace frontend application
- **Purpose**: User-facing web interface for Solace
- **IP Address**: To be determined
- **Port**: Typically 80 (HTTP) or 443 (HTTPS)
### VMID Allocation Note
**Important**: Solace is not explicitly assigned a VMID range in the official allocation documents (`VMID_ALLOCATION_FINAL.md`).
The 300X range falls within the **"Besu RPC / Gateways"** allocation (2500-3499), which includes:
- **2500-2502**: Initial Besu RPC nodes (3 nodes)
- **2503-3499**: Reserved for RPC/Gateway expansion (997 VMIDs)
Since Solace frontend is deployed in the 300X range, it's using VMIDs from the RPC/Gateway expansion pool. This should be documented in the VMID allocation plan for future reference.
### Finding the Solace Container
**Check which container is Solace:**
```bash
# List containers in 300X range
pct list | grep -E "^\s*3[0-9]{3}"
# Check container hostname
pct config <VMID> | grep hostname
# Check container IP
pct config <VMID> | grep ip
```
**Or check running services:**
```bash
# SSH into Proxmox host and check
for vmid in 3000 3001 3002 3003 3004 3005; do
echo "=== VMID $vmid ==="
pct exec $vmid -- hostname 2>/dev/null || echo "Not found"
done
```
### DNS Records
**Primary Frontend:**
```
Type: CNAME
Name: solace
Target: <tunnel-id>.cfargotunnel.com
TTL: Auto
Proxy: 🟠 Proxied (orange cloud)
```
**Alternative names:**
```
app.yourdomain.com
solace-app.yourdomain.com
frontend.yourdomain.com
```
### Tunnel Configuration
**In Cloudflare Tunnel Dashboard:**
**Public Hostname:**
```
Subdomain: solace
Domain: yourdomain.com
Service: http://<solace-container-ip>:<port>
```
**Example (assuming VMID 3000, IP 192.168.11.300, port 80):**
```
Subdomain: solace
Domain: yourdomain.com
Service: http://192.168.11.300:80
```
### Complete Configuration Example
**Once container details are confirmed:**
**DNS Record:**
| Type | Name | Target | Proxy |
|------|------|--------|-------|
| CNAME | `solace` | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied |
**Tunnel Ingress:**
```yaml
ingress:
- hostname: solace.yourdomain.com
service: http://<solace-ip>:<port>
# Catch-all
- service: http_status:404
```
### Additional Configuration (If Needed)
**If Solace has API endpoints:**
```
Subdomain: solace-api
Domain: yourdomain.com
Service: http://<solace-ip>:<api-port>
```
**If Solace has WebSocket support:**
```
Subdomain: solace-ws
Domain: yourdomain.com
Service: http://<solace-ip>:<ws-port>
```
---
## Complete DNS Mapping Summary
### All Services Together
| Service | VMID | IP | DNS Record | Tunnel Ingress |
|---------|------|-----|------------|----------------|
| **Mail Server** | 100 | TBD | `mail.yourdomain.com` | Webmail only (if applicable) |
| **Public RPC** | 2502 | 192.168.11.252 | `rpc.yourdomain.com` | `http://192.168.11.252:8545` |
| **Solace Frontend** | 300X | TBD | `solace.yourdomain.com` | `http://<ip>:<port>` |
### DNS Records to Create
**In Cloudflare DNS Dashboard:**
1. **Mail Server:**
```
Type: MX
Name: @
Priority: 10
Target: mail.yourdomain.com
Proxy: ❌ DNS only
Type: A or CNAME
Name: mail
Target: <public-ip> or <tunnel-id>.cfargotunnel.com
Proxy: Based on access method
```
2. **RPC Node:**
```
Type: CNAME
Name: rpc
Target: <tunnel-id>.cfargotunnel.com
Proxy: 🟠 Proxied
Type: CNAME
Name: rpc-ws
Target: <tunnel-id>.cfargotunnel.com
Proxy: 🟠 Proxied
```
3. **Solace Frontend:**
```
Type: CNAME
Name: solace
Target: <tunnel-id>.cfargotunnel.com
Proxy: 🟠 Proxied
```
---
## Tunnel Ingress Configuration (Complete)
**In Cloudflare Zero Trust → Networks → Tunnels → Configure:**
```yaml
ingress:
# Mail Server Webmail (if applicable)
- hostname: webmail.yourdomain.com
service: http://<mail-server-ip>:80
# Public RPC - HTTP
- hostname: rpc.yourdomain.com
service: http://192.168.11.252:8545
# Public RPC - WebSocket
- hostname: rpc-ws.yourdomain.com
service: http://192.168.11.252:8546
# Solace Frontend
- hostname: solace.yourdomain.com
service: http://<solace-ip>:<port>
# Catch-all
- service: http_status:404
```
---
## Verification Steps
### 1. Verify Container Status
```bash
# Check mail server
pct status 100
pct config 100 | grep -E "hostname|ip"
# Check RPC node
pct status 2502
pct config 2502 | grep -E "hostname|ip"
# Should show: hostname=besu-rpc-3, ip=192.168.11.252
# Find Solace container
pct list | grep -E "^\s*3[0-9]{3}"
```
### 2. Test Direct Container Access
```bash
# Test RPC node
curl -X POST http://192.168.11.252:8545 \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# Test Solace (once IP is known)
curl -I http://<solace-ip>:<port>
# Test mail server webmail (if applicable)
curl -I http://<mail-ip>:80
```
### 3. Test DNS Resolution
```bash
# Test DNS records
dig rpc.yourdomain.com
dig solace.yourdomain.com
dig mail.yourdomain.com
nslookup rpc.yourdomain.com
```
### 4. Test Through Cloudflare
```bash
# Test RPC via Cloudflare
curl -X POST https://rpc.yourdomain.com \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# Test Solace via Cloudflare
curl -I https://solace.yourdomain.com
# Test webmail via Cloudflare (if configured)
curl -I https://webmail.yourdomain.com
```
---
## Security Recommendations
### Mail Server
1. **MX Records**: Use DNS-only (gray cloud) for MX records
2. **SPF Records**: Add SPF records for email authentication
```
Type: TXT
Name: @
Content: v=spf1 ip4:<mail-server-ip> include:_spf.google.com ~all
```
3. **DKIM**: Configure DKIM signing
4. **DMARC**: Set up DMARC policy
5. **Firewall**: Restrict mail ports to necessary IPs
### RPC Node
1. **Rate Limiting**: Configure in Cloudflare
2. **DDoS Protection**: Enabled by default with proxy
3. **Access Logging**: Monitor access patterns
4. **API Keys**: Implement application-level authentication
5. **CORS**: Configure if needed for web apps
### Solace Frontend
1. **Cloudflare Access**: Add access policies if needed
2. **SSL/TLS**: Ensure Cloudflare SSL is enabled
3. **WAF Rules**: Configure Web Application Firewall rules
4. **Rate Limiting**: Protect against abuse
5. **Monitoring**: Set up alerts for unusual traffic
---
## Troubleshooting
### Mail Server Issues
**Problem**: Mail not being received
**Solutions:**
- Verify MX records are correct
- Check mail server is accessible on port 25/587
- Verify SPF/DKIM/DMARC records
- Check mail server logs
- Ensure firewall allows mail traffic
### RPC Node Issues
**Problem**: RPC requests failing
**Solutions:**
- Verify container is running: `pct status 2502`
- Test direct access: `curl http://192.168.11.252:8545`
- Check tunnel status in Cloudflare dashboard
- Verify DNS record is proxied (orange cloud)
- Check Cloudflare logs for errors
### Solace Frontend Issues
**Problem**: Frontend not loading
**Solutions:**
- Verify container is running
- Check container IP and port
- Test direct access to container
- Verify tunnel configuration
- Check DNS resolution
- Review Cloudflare logs
---
## Next Steps
1. **Identify Solace Container:**
- Determine exact VMID for Solace frontend
- Get container IP address
- Identify service port
2. **Configure Mail Server:**
- Determine mail server IP
- Set up MX records for all domains
- Configure SPF/DKIM/DMARC
- Set up webmail tunnel (if applicable)
3. **Deploy Configurations:**
- Create DNS records in Cloudflare
- Configure tunnel ingress rules
- Test each service
- Document final configuration
---
## Related Documentation
- **[CLOUDFLARE_DNS_TO_CONTAINERS.md](CLOUDFLARE_DNS_TO_CONTAINERS.md)** - General DNS mapping guide
- **[CLOUDFLARE_ZERO_TRUST_GUIDE.md](CLOUDFLARE_ZERO_TRUST_GUIDE.md)** - Cloudflare Zero Trust setup
- **[DEPLOYMENT_STATUS_CONSOLIDATED.md](../03-deployment/DEPLOYMENT_STATUS_CONSOLIDATED.md)** - Current container inventory
---
**Document Status:** Active
**Maintained By:** Infrastructure Team
**Last Updated:** 2025-01-20
**Next Update:** After Solace container details are confirmed
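Review bot: the "Recommended Configuration" block contradicts the mail-server note above it: `mail.yourdomain.com → CNAME <tunnel-id>.cfargotunnel.com (if tunnel)` cannot serve as the MX target, because an MX target has to resolve directly to an A/AAAA record (not a CNAME) and a proxied tunnel hostname only carries HTTP/HTTPS, so SMTP, IMAP and POP3 connections to that name will fail. Suggest dropping the CNAME/tunnel alternative for the `mail` host (and the `Proxy: 🟠 Proxied (if using tunnel)` line in the A/CNAME record block), leaving a DNS-only A record to the public IP and keeping the tunnel for `webmail` only, as the note already says. Two smaller points: the Solace example `Service: http://192.168.11.300:80` is not a valid IPv4 address (an octet cannot exceed 255), so use a clearly marked placeholder until the container IP is known; and the SPF example `include:_spf.google.com` authorizes Google's outbound servers to send for the domain, which only belongs there if mail is also sent through Google Workspace; otherwise the record should be just `v=spf1 ip4:<mail-server-ip> -all` (`~all` while testing).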

View File

@@ -0,0 +1,592 @@
# Cloudflare DNS Mapping to Proxmox LXC Containers
**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Status:** Implementation Guide
---
## Overview
This guide explains how to map Cloudflare DNS records to Proxmox VE LXC containers using Cloudflare Zero Trust tunnels (cloudflared). This provides secure, public access to your containers without exposing them directly to the internet.
---
## Architecture
```
Internet → Cloudflare DNS → Cloudflare Tunnel → cloudflared LXC → Target Container
```
### Components
1. **Cloudflare DNS** - DNS records pointing to tunnel
2. **Cloudflare Tunnel** - Secure connection between Cloudflare and your network
3. **cloudflared LXC** - Tunnel client running in a container
4. **Target Containers** - Your application containers (web servers, APIs, etc.)
---
## Prerequisites
1. **Cloudflare Account** with Zero Trust enabled
2. **Domain** managed by Cloudflare
3. **Proxmox Host** with network access
4. **Target Containers** running and accessible on local network
---
## Step-by-Step Guide
### Step 1: Set Up Cloudflare Tunnel
#### 1.1 Create Tunnel in Cloudflare Dashboard
1. **Access Cloudflare Zero Trust:**
- Navigate to: https://one.dash.cloudflare.com
- Sign in with your Cloudflare account
2. **Create Tunnel:**
- Go to **Zero Trust****Networks****Tunnels**
- Click **Create a tunnel**
- Select **Cloudflared**
- Enter tunnel name (e.g., `proxmox-primary`)
- Click **Save tunnel**
3. **Copy Tunnel Token:**
- After creation, you'll see installation instructions
- Copy the tunnel token (you'll need this in Step 2)
#### 1.2 Deploy cloudflared LXC Container
**Option A: Create New Container**
```bash
# Assign VMID (e.g., 8000)
VMID=8000
# Create container
pct create $VMID local:vztmpl/ubuntu-22.04-standard_22.04-1_amd64.tar.zst \
--hostname cloudflared \
--net0 name=eth0,bridge=vmbr0,ip=192.168.11.80/24,gw=192.168.11.1 \
--memory 512 \
--cores 1 \
--storage local-lvm \
--rootfs local-lvm:4
# Start container
pct start $VMID
```
**Option B: Use Existing Container**
If you already have a container for cloudflared (e.g., VMID 102), skip to installation.
#### 1.3 Install cloudflared
```bash
# Replace $VMID with your container ID
pct exec $VMID -- bash -c "
wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
dpkg -i cloudflared-linux-amd64.deb
cloudflared --version
"
```
#### 1.4 Configure Tunnel
```bash
# Install tunnel with token (replace <TUNNEL_TOKEN> with actual token)
pct exec $VMID -- cloudflared service install <TUNNEL_TOKEN>
# Enable and start service
pct exec $VMID -- systemctl enable cloudflared
pct exec $VMID -- systemctl start cloudflared
# Check status
pct exec $VMID -- systemctl status cloudflared
```
---
### Step 2: Map DNS to Container
#### 2.1 Identify Container Information
**Get Container IP and Port:**
```bash
# List containers and their IPs
pct list
# Get specific container IP
pct config <VMID> | grep ip
# Or check running containers
pct exec <VMID> -- ip addr show eth0
```
**Example Container:**
- **VMID**: 2500 (besu-rpc-1)
- **IP**: 192.168.11.250
- **Port**: 8545 (RPC port)
- **Service**: HTTP JSON-RPC API
#### 2.2 Configure Tunnel Ingress Rules
**In Cloudflare Dashboard:**
1. **Navigate to Tunnel Configuration:**
- Go to **Zero Trust****Networks****Tunnels**
- Click on your tunnel name
- Click **Configure**
2. **Add Public Hostname:**
- Click **Public Hostname** tab
- Click **Add a public hostname**
3. **Configure Route:**
```
Subdomain: rpc
Domain: yourdomain.com
Service: http://192.168.11.250:8545
```
4. **Save Configuration**
**Example Configuration:**
For multiple containers, add multiple hostname entries:
```
Subdomain: rpc-core
Domain: yourdomain.com
Service: http://192.168.11.250:8545
Subdomain: rpc-sentry
Domain: yourdomain.com
Service: http://192.168.11.251:8545
Subdomain: blockscout
Domain: yourdomain.com
Service: http://192.168.11.100:4000
```
#### 2.3 Create DNS Records
**In Cloudflare DNS Dashboard:**
1. **Navigate to DNS:**
- Go to your domain in Cloudflare
- Click **DNS** → **Records**
2. **Create CNAME Record:**
- Click **Add record**
- **Type**: CNAME
- **Name**: `rpc` (or your subdomain)
- **Target**: `<tunnel-id>.cfargotunnel.com`
- Or use: `proxmox-primary.yourteam.cloudflareaccess.com` (if using Zero Trust)
- **Proxy status**: 🟠 Proxied (orange cloud) - **Important!**
3. **Save Record**
**DNS Record Examples:**
| Service | Type | Name | Target | Proxy |
|---------|------|------|--------|-------|
| RPC Core | CNAME | `rpc-core` | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied |
| RPC Sentry | CNAME | `rpc-sentry` | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied |
| Blockscout | CNAME | `blockscout` | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied |
| FireFly | CNAME | `firefly` | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied |
**Important Notes:**
- ✅ **Always enable proxy** (orange cloud) for tunnel-based DNS records
- ✅ Use CNAME records (not A records) for tunnel endpoints
- ✅ Target should be the tunnel's cloudflareaccess.com domain or cfargotunnel.com
---
### Step 3: Verify Configuration
#### 3.1 Check Tunnel Status
```bash
# Check cloudflared service
pct exec $VMID -- systemctl status cloudflared
# View tunnel logs
pct exec $VMID -- journalctl -u cloudflared -f
```
**In Cloudflare Dashboard:**
- Go to **Zero Trust** → **Networks** → **Tunnels**
- Tunnel status should show "Healthy"
#### 3.2 Test DNS Resolution
```bash
# Test DNS resolution
dig rpc-core.yourdomain.com
nslookup rpc-core.yourdomain.com
# Should resolve to Cloudflare IPs (if proxied)
```
#### 3.3 Test Container Access
```bash
# Test from container network (should work directly)
curl http://192.168.11.250:8545
# Test via public DNS (should work through tunnel)
curl https://rpc-core.yourdomain.com
```
---
## Common Container Types & Examples
### Web Applications (HTTP/HTTPS)
**Example: Blockscout Explorer**
```
DNS Record:
Name: blockscout
Target: <tunnel-id>.cfargotunnel.com
Proxy: Enabled
Tunnel Ingress:
Subdomain: blockscout
Domain: yourdomain.com
Service: http://192.168.11.100:4000
```
### API Services (JSON-RPC, REST)
**Example: Besu RPC Node**
```
DNS Record:
Name: rpc
Target: <tunnel-id>.cfargotunnel.com
Proxy: Enabled
Tunnel Ingress:
Subdomain: rpc
Domain: yourdomain.com
Service: http://192.168.11.250:8545
```
### Databases (Optional - Not Recommended)
**⚠️ Warning:** Never expose databases directly through tunnels unless absolutely necessary. Use Cloudflare Access with strict policies if needed.
### Monitoring Dashboards
**Example: Grafana**
```
DNS Record:
Name: grafana
Target: <tunnel-id>.cfargotunnel.com
Proxy: Enabled
Tunnel Ingress:
Subdomain: grafana
Domain: yourdomain.com
Service: http://192.168.11.200:3000
```
**Security:** Add Cloudflare Access policy to restrict access (see Step 4).
---
## Step 4: Add Cloudflare Access (Optional but Recommended)
For additional security, add Cloudflare Access policies to restrict who can access your containers.
### 4.1 Create Access Application
1. **Navigate to Applications:**
- Go to **Zero Trust** → **Access** → **Applications**
- Click **Add an application**
2. **Configure Application:**
- **Application Name**: RPC Core API
- **Application Domain**: `rpc-core.yourdomain.com`
- **Session Duration**: 24 hours
3. **Add Policy:**
```
Rule Name: RPC Access
Action: Allow
Include:
- Email domain: @yourdomain.com
- OR Email: admin@yourdomain.com
Require:
- MFA (optional)
```
4. **Save Application**
### 4.2 Apply to Multiple Services
Create separate applications for each service that needs access control:
- Blockscout (public or restricted)
- Grafana (admin only)
- FireFly (team access)
- RPC nodes (API key authentication recommended in addition)
---
## Advanced Configuration
### Multiple Tunnels (Redundancy)
For high availability, deploy multiple cloudflared instances:
**Primary Tunnel:**
- Container: VMID 8000 (cloudflared-1)
- IP: 192.168.11.80
- Tunnel: `proxmox-primary`
**Secondary Tunnel:**
- Container: VMID 8001 (cloudflared-2)
- IP: 192.168.11.81
- Tunnel: `proxmox-secondary`
**DNS Configuration:**
- Use same DNS records for both tunnels
- Cloudflare will automatically load balance
- If one tunnel fails, traffic routes to the other
### Custom cloudflared Configuration
For advanced routing, use a config file:
```yaml
# /etc/cloudflared/config.yml
tunnel: <tunnel-id>
credentials-file: /etc/cloudflared/credentials.json
ingress:
# Specific routes
- hostname: rpc-core.yourdomain.com
service: http://192.168.11.250:8545
- hostname: rpc-sentry.yourdomain.com
service: http://192.168.11.251:8545
- hostname: blockscout.yourdomain.com
service: http://192.168.11.100:4000
# Catch-all
- service: http_status:404
```
**Apply Configuration:**
```bash
pct exec $VMID -- systemctl restart cloudflared
```
### Using Reverse Proxy (Nginx Proxy Manager)
**Architecture:**
```
Internet → Cloudflare → Tunnel → cloudflared → Nginx Proxy Manager → Containers
```
**Benefits:**
- Centralized SSL/TLS termination
- Advanced routing rules
- Rate limiting
- Request logging
**Configuration:**
1. **Tunnel Points to Nginx:**
```
Subdomain: *
Service: http://192.168.11.105:80 # Nginx Proxy Manager
```
2. **Nginx Routes to Containers:**
- Create proxy hosts in Nginx Proxy Manager
- Configure upstream servers (container IPs)
- Add SSL certificates
See: **[CLOUDFLARE_NGINX_INTEGRATION.md](../05-network/CLOUDFLARE_NGINX_INTEGRATION.md)**
---
## Current Container Mapping Examples
Based on your deployment, here are example mappings:
### Besu Validators (1000-1004)
**Recommendation:** ⚠️ Do not expose validators publicly. Keep them private.
**If Needed (VPN/Internal Access Only):**
```
Internal Access: 192.168.11.100-104 (via VPN)
```
### Besu RPC Nodes (2500-2502)
**Example Configuration:**
```
DNS Record:
Name: rpc
Target: <tunnel-id>.cfargotunnel.com
Proxy: Enabled
Tunnel Ingress:
- hostname: rpc-1.yourdomain.com
service: http://192.168.11.250:8545
- hostname: rpc-2.yourdomain.com
service: http://192.168.11.251:8545
- hostname: rpc-3.yourdomain.com
service: http://192.168.11.252:8545
```
---
## Troubleshooting
### Tunnel Not Connecting
**Symptoms:** Tunnel shows as "Unhealthy" in dashboard
**Solutions:**
```bash
# Check service status
pct exec $VMID -- systemctl status cloudflared
# View logs
pct exec $VMID -- journalctl -u cloudflared -f
# Verify token is correct
pct exec $VMID -- cat /etc/cloudflared/config.yml
```
### DNS Not Resolving
**Symptoms:** DNS record doesn't resolve or resolves incorrectly
**Solutions:**
1. Verify DNS record type is CNAME
2. Verify proxy is enabled (orange cloud)
3. Check target is correct tunnel domain
4. Wait for DNS propagation (up to 5 minutes)
### Container Not Accessible
**Symptoms:** DNS resolves but container doesn't respond
**Solutions:**
1. Verify container is running: `pct status <VMID>`
2. Test direct access: `curl http://<container-ip>:<port>`
3. Check tunnel ingress configuration matches DNS record
4. Verify firewall allows traffic from cloudflared container
5. Check container logs for errors
### SSL/TLS Errors
**Symptoms:** Browser shows SSL certificate errors
**Solutions:**
1. Verify proxy is enabled (orange cloud) in DNS
2. Check Cloudflare SSL/TLS mode (Full or Full Strict)
3. Ensure service URL uses `http://` not `https://` (Cloudflare handles SSL)
4. If using self-signed certs, set SSL mode to "Full" not "Full (strict)"
---
## Best Practices
### Security
1. ✅ **Use Cloudflare Access** for sensitive services
2. ✅ **Enable MFA** for admin access
3. ✅ **Use IP allowlists** in addition to Cloudflare Access
4. ✅ **Monitor access logs** in Cloudflare dashboard
5. ✅ **Never expose databases** directly
6. ✅ **Keep containers updated** with security patches
### Performance
1. ✅ **Use proxy** (orange cloud) for DDoS protection
2. ✅ **Enable Cloudflare caching** for static content
3. ✅ **Use multiple tunnels** for redundancy
4. ✅ **Monitor tunnel health** regularly
### Management
1. ✅ **Document all DNS mappings** in a registry
2. ✅ **Use consistent naming** conventions
3. ✅ **Version control** tunnel configurations
4. ✅ **Backup** cloudflared configurations
---
## DNS Mapping Registry Template
Keep track of your DNS mappings:
| Service | Subdomain | Container VMID | Container IP | Port | Tunnel | Access Control |
|---------|-----------|----------------|--------------|------|--------|----------------|
| RPC Core | rpc-core | 2500 | 192.168.11.250 | 8545 | proxmox-primary | API Key |
| Blockscout | blockscout | 5000 | 192.168.11.100 | 4000 | proxmox-primary | Cloudflare Access |
| Grafana | grafana | 6000 | 192.168.11.200 | 3000 | proxmox-primary | Admin Only |
---
## Quick Reference Commands
### Check Container Status
```bash
pct list
pct status <VMID>
pct config <VMID>
```
### Check Tunnel Status
```bash
pct exec <VMID> -- systemctl status cloudflared
pct exec <VMID> -- journalctl -u cloudflared -f
```
### Test DNS Resolution
```bash
dig <subdomain>.yourdomain.com
nslookup <subdomain>.yourdomain.com
curl -I https://<subdomain>.yourdomain.com
```
### Test Container Direct Access
```bash
curl http://<container-ip>:<port>
pct exec <VMID> -- curl http://<target-ip>:<port>
```
---
## Related Documentation
- **[CLOUDFLARE_ZERO_TRUST_GUIDE.md](CLOUDFLARE_ZERO_TRUST_GUIDE.md)** - Complete Cloudflare Zero Trust setup
- **[CLOUDFLARE_NGINX_INTEGRATION.md](../05-network/CLOUDFLARE_NGINX_INTEGRATION.md)** - Using Nginx Proxy Manager
- **[NETWORK_ARCHITECTURE.md](../02-architecture/NETWORK_ARCHITECTURE.md)** - Network architecture overview
- **[DEPLOYMENT_STATUS_CONSOLIDATED.md](../03-deployment/DEPLOYMENT_STATUS_CONSOLIDATED.md)** - Current container inventory
---
**Document Status:** Complete (v1.0)
**Maintained By:** Infrastructure Team
**Review Cycle:** Quarterly
**Last Updated:** 2025-01-20
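Review bot: step 2.3 gives a wrong CNAME target in `Or use: proxmox-primary.yourteam.cloudflareaccess.com (if using Zero Trust)` and again in `Target should be the tunnel's cloudflareaccess.com domain or cfargotunnel.com`; the `<team>.cloudflareaccess.com` name is the Access login domain, not a tunnel endpoint, and a tunnel DNS record always targets `<tunnel-id>.cfargotunnel.com`, so remove the cloudflareaccess.com alternative from both places. The "Multiple Tunnels (Redundancy)" section overstates what DNS does: a CNAME points at one tunnel ID, so two separately named tunnels (`proxmox-primary`, `proxmox-secondary`) cannot share the same records and failover is not automatic; for HA, run a second cloudflared replica with the same tunnel token (one tunnel, two connectors) or put a Cloudflare Load Balancer in front of the two tunnels. There is also an address clash in the examples: `Internal Access: 192.168.11.100-104 (via VPN)` gives the validators the address that Blockscout uses in the ingress (`http://192.168.11.100:4000`) and in the registry table; one of them should change. On secrets handling, `pct exec $VMID -- cloudflared service install <TUNNEL_TOKEN>` passes the token on the command line, so it lands in the host's shell history and process list, and the troubleshooting step `cat /etc/cloudflared/config.yml` (`# Verify token is correct`) does not show a token installed this way, which lives in the systemd unit, while printing it anywhere exposes it; verify the connector from the dashboard status instead. Step 1.3 should also install from Cloudflare's signed apt repository rather than `dpkg -i` on an unverified `.deb` fetched with `wget` from GitHub.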

View File

@@ -0,0 +1,90 @@
# Cloudflare Configuration for Blockscout Explorer
**Date**: $(date)
**Domain**: explorer.d-bis.org
**Tunnel ID**: `10ab22da-8ea3-4e2e-a896-27ece2211a05`
---
## Quick Configuration Steps
### 1. DNS Record (Cloudflare Dashboard)
1. **Go to Cloudflare DNS**:
- URL: https://dash.cloudflare.com/
- Select domain: `d-bis.org`
- Navigate to: **DNS****Records**
2. **Create CNAME Record**:
```
Type: CNAME
Name: explorer
Target: 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com
Proxy status: 🟠 Proxied (orange cloud) - REQUIRED
TTL: Auto
```
3. **Click Save**
### 2. Tunnel Route (Cloudflare Zero Trust)
1. **Go to Cloudflare Zero Trust**:
- URL: https://one.dash.cloudflare.com/
- Navigate to: **Zero Trust** → **Networks** → **Tunnels**
2. **Select Your Tunnel**:
- Find tunnel ID: `10ab22da-8ea3-4e2e-a896-27ece2211a05`
- Click on the tunnel name
3. **Configure Public Hostname**:
- Click **Configure** button
- Click **Public Hostnames** tab
- Click **Add a public hostname**
4. **Add Hostname**:
```
Subdomain: explorer
Domain: d-bis.org
Service: http://192.168.11.140:80
Type: HTTP
```
5. **Click Save hostname**
---
## Verification
### Wait for DNS Propagation (1-5 minutes)
Then test:
```bash
# Test DNS resolution
dig explorer.d-bis.org
nslookup explorer.d-bis.org
# Test HTTPS endpoint
curl https://explorer.d-bis.org/health
# Should return JSON response from Blockscout
```
---
## Configuration Summary
| Setting | Value |
|---------|-------|
| **Domain** | explorer.d-bis.org |
| **DNS Type** | CNAME |
| **DNS Target** | 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com |
| **Proxy Status** | 🟠 Proxied (required) |
| **Tunnel Service** | http://192.168.11.140:80 |
| **Tunnel Type** | HTTP |
---
**Status**: Ready for configuration
**Next Step**: Follow steps 1 and 2 above in Cloudflare dashboards
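Review bot: the header line `**Date**: $(date)` is an unexpanded shell command substitution, so this file was written from a quoted heredoc or similar and the date never got filled in; replace it with the literal date. Also, the verification step `curl https://explorer.d-bis.org/health` with `# Should return JSON response from Blockscout` disagrees with the companion quick-setup guide for the same host added in this commit, which tests `/api/v2/stats`; pick one endpoint that Blockscout actually serves and use it in both documents, otherwise a 404 from the check will be mistaken for a tunnel misconfiguration.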

View File

@@ -0,0 +1,92 @@
# Cloudflare Explorer URL - Quick Setup Guide
**Domain**: explorer.d-bis.org
**Target**: http://192.168.11.140:80
---
## 🚀 Quick Setup (2 Steps)
### Step 1: Configure DNS Record
**In Cloudflare Dashboard** (https://dash.cloudflare.com/):
1. Select domain: **d-bis.org**
2. Go to: **DNS****Records**
3. Click: **Add record**
4. Configure:
- **Type**: `CNAME`
- **Name**: `explorer`
- **Target**: `<your-tunnel-id>.cfargotunnel.com`
- **Proxy status**: 🟠 **Proxied** (orange cloud) ← **REQUIRED**
- **TTL**: Auto
5. Click: **Save**
**To find your tunnel ID:**
```bash
# Run this script
./scripts/get-tunnel-id.sh
# Or check Cloudflare Zero Trust dashboard:
# https://one.dash.cloudflare.com/ → Zero Trust → Networks → Tunnels
```
---
### Step 2: Configure Tunnel Route
**In Cloudflare Zero Trust Dashboard** (https://one.dash.cloudflare.com/):
1. Navigate to: **Zero Trust****Networks****Tunnels**
2. Find your tunnel (by ID or name)
3. Click: **Configure** button
4. Click: **Public Hostnames** tab
5. Click: **Add a public hostname**
6. Configure:
- **Subdomain**: `explorer`
- **Domain**: `d-bis.org`
- **Service**: `http://192.168.11.140:80`
- **Type**: `HTTP`
7. Click: **Save hostname**
---
## ✅ Verify
**Wait 1-5 minutes for DNS propagation, then test:**
```bash
# Test public URL
curl https://explorer.d-bis.org/api/v2/stats
# Should return JSON with network stats (not 404)
```
---
## 📋 Configuration Checklist
- [ ] DNS CNAME record: `explorer``<tunnel-id>.cfargotunnel.com`
- [ ] DNS record is **🟠 Proxied** (orange cloud)
- [ ] Tunnel route: `explorer.d-bis.org``http://192.168.11.140:80`
- [ ] Cloudflared service running in container
- [ ] Public URL accessible: `https://explorer.d-bis.org`
---
## 🔧 Troubleshooting
### 404 Error
- Check DNS record exists and is proxied
- Check tunnel route is configured
- Wait 5 minutes for DNS propagation
### 502 Error
- Verify tunnel route points to `http://192.168.11.140:80`
- Check Nginx is running: `systemctl status nginx` (in container)
- Check Blockscout is running: `systemctl status blockscout` (in container)
---
**That's it! Follow these 2 steps and your public URL will work.**
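Review bot: this file duplicates the "Cloudflare Configuration for Blockscout Explorer" guide added in the same commit (same host `explorer.d-bis.org`, same service `http://192.168.11.140:80`, same two dashboard steps), which works against the commit's stated cleanup goal; merge the two into one page and keep this one's checklist and troubleshooting sections. Within the file, the 502 step `systemctl status blockscout` (in container) assumes a systemd unit by that name exists; confirm the unit name or point at the way Blockscout is actually run on that container. The guide also depends on `./scripts/get-tunnel-id.sh`, which is not part of this file; make sure the script survives the reorganization at that path.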

View File

@@ -0,0 +1,179 @@
# Cloudflare Tunnel Configuration Guide
**Tunnel ID**: `10ab22da-8ea3-4e2e-a896-27ece2211a05`
**Status**: Currently DOWN - Needs Configuration
**Purpose**: Route all services through central Nginx (VMID 105)
---
## Current Status
From the Cloudflare dashboard, the tunnel `rpc-http-pub.d-bis.org` is showing as **DOWN**. This tunnel needs to be configured to route all hostnames to the central Nginx.
---
## Configuration Steps
### 1. Access Tunnel Configuration
1. Go to: https://one.dash.cloudflare.com/
2. Navigate to: **Zero Trust****Networks****Tunnels**
3. Click on the tunnel: **rpc-http-pub.d-bis.org** (Tunnel ID: `10ab22da-8ea3-4e2e-a896-27ece2211a05`)
4. Click **Configure** button
### 2. Configure Public Hostnames
In the **Public Hostnames** section, configure all hostnames to route to the central Nginx:
**Target**: `http://192.168.11.21:80`
#### Required Hostname Configurations:
| Hostname | Service Type | Target |
|----------|--------------|--------|
| `explorer.d-bis.org` | HTTP | `http://192.168.11.21:80` |
| `rpc-http-pub.d-bis.org` | HTTP | `http://192.168.11.21:80` |
| `rpc-ws-pub.d-bis.org` | HTTP | `http://192.168.11.21:80` |
| `rpc-http-prv.d-bis.org` | HTTP | `http://192.168.11.21:80` |
| `rpc-ws-prv.d-bis.org` | HTTP | `http://192.168.11.21:80` |
| `dbis-admin.d-bis.org` | HTTP | `http://192.168.11.21:80` |
| `dbis-api.d-bis.org` | HTTP | `http://192.168.11.21:80` |
| `dbis-api-2.d-bis.org` | HTTP | `http://192.168.11.21:80` |
| `mim4u.org` | HTTP | `http://192.168.11.21:80` |
| `www.mim4u.org` | HTTP | `http://192.168.11.21:80` |
### 3. Configuration Details
For each hostname:
1. **Subdomain**: Enter the subdomain (e.g., `explorer`, `rpc-http-pub`)
2. **Domain**: Select `d-bis.org` (or enter `mim4u.org` for those domains)
3. **Service**: Select `HTTP`
4. **URL**: Enter `192.168.11.21:80`
5. **Save** the configuration
### 4. Add Catch-All Rule (Optional but Recommended)
Add a catch-all rule at the end:
- **Service**: `HTTP 404: Not Found`
- This handles any unmatched hostnames
---
## Expected Configuration (YAML Format)
The tunnel configuration should look like this:
```yaml
ingress:
# Explorer
- hostname: explorer.d-bis.org
service: http://192.168.11.21:80
# RPC Public
- hostname: rpc-http-pub.d-bis.org
service: http://192.168.11.21:80
- hostname: rpc-ws-pub.d-bis.org
service: http://192.168.11.21:80
# RPC Private
- hostname: rpc-http-prv.d-bis.org
service: http://192.168.11.21:80
- hostname: rpc-ws-prv.d-bis.org
service: http://192.168.11.21:80
# DBIS Services
- hostname: dbis-admin.d-bis.org
service: http://192.168.11.21:80
- hostname: dbis-api.d-bis.org
service: http://192.168.11.21:80
- hostname: dbis-api-2.d-bis.org
service: http://192.168.11.21:80
# Miracles In Motion
- hostname: mim4u.org
service: http://192.168.11.21:80
- hostname: www.mim4u.org
service: http://192.168.11.21:80
# Catch-all
- service: http_status:404
```
---
## After Configuration
1. **Save** the configuration in Cloudflare dashboard
2. Wait 1-2 minutes for the tunnel to reload
3. Check tunnel status - it should change from **DOWN** to **HEALTHY**
4. Test endpoints:
```bash
curl https://explorer.d-bis.org/api/v2/stats
curl -X POST https://rpc-http-pub.d-bis.org \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```
---
## Troubleshooting
### Tunnel Still DOWN After Configuration
1. **Check cloudflared service**:
```bash
ssh root@192.168.11.12 "pct exec 102 -- systemctl status cloudflared"
```
2. **Check tunnel logs**:
```bash
ssh root@192.168.11.12 "pct exec 102 -- journalctl -u cloudflared -n 50"
```
3. **Verify Nginx is accessible**:
```bash
curl http://192.168.11.21:80
```
4. **Restart cloudflared** (if needed):
```bash
ssh root@192.168.11.12 "pct exec 102 -- systemctl restart cloudflared"
```
### Service Not Routing Correctly
1. Verify Nginx configuration on VMID 105:
```bash
ssh root@192.168.11.12 "pct exec 105 -- cat /data/nginx/custom/http.conf"
```
2. Test Nginx routing directly:
```bash
curl -H "Host: explorer.d-bis.org" http://192.168.11.21/
```
3. Check Nginx logs:
```bash
ssh root@192.168.11.12 "pct exec 105 -- tail -f /data/logs/fallback_error.log"
```
---
## Notes
- **Central Nginx IP**: `192.168.11.21` (VMID 105)
- **Central Nginx Port**: `80` (HTTP)
- **All SSL/TLS termination**: Handled by Cloudflare
- **Internal routing**: Nginx routes based on `Host` header to appropriate internal services
---
**Last Updated**: December 27, 2025
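Review bot: Section 4 labels the catch-all rule "Optional but Recommended", but in the config-file form shown under "Expected Configuration" the trailing `- service: http_status:404` is mandatory: cloudflared refuses an ingress list whose last rule carries a hostname, so mark it required (the dashboard adds it automatically for remotely managed tunnels). Second, `rpc-http-prv.d-bis.org` and `rpc-ws-prv.d-bis.org` are named "private" yet are published as ordinary public hostnames with no Access policy or IP restriction mentioned anywhere in the table; either document the policy that protects them or rename them so nobody assumes they are restricted.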


@@ -0,0 +1,106 @@
# Cloudflare Tunnel Installation - Complete
**Date**: January 27, 2025
**Tunnel Token**: Provided
**Container**: VMID 5000 on pve2
---
## ✅ Installation Command
**Run this on pve2 node:**
```bash
# Install cloudflared service with token
pct exec 5000 -- cloudflared service install eyJhIjoiNTJhZDU3YTcxNjcxYzVmYzAwOWVkZjA3NDQ2NTgxOTYiLCJ0IjoiYjAyZmUxZmUtY2I3ZC00ODRlLTkwOWItN2NjNDEyOThlYmU4IiwicyI6Ik5HTmtOV0kwWXpNdFpUVmxaUzAwTVRFMkxXRXdNMk10WlRJNU1ETTFaRFF4TURBMiJ9
# Start service
pct exec 5000 -- systemctl start cloudflared
pct exec 5000 -- systemctl enable cloudflared
# Verify installation
pct exec 5000 -- systemctl status cloudflared
pct exec 5000 -- cloudflared tunnel list
```
---
## 📋 What This Does
1. **Installs cloudflared** (if not already installed)
2. **Configures tunnel service** with the provided token
3. **Starts cloudflared service** automatically
4. **Enables service** to start on boot
---
## 🔍 After Installation
### Get Tunnel ID
```bash
pct exec 5000 -- cloudflared tunnel list
```
The tunnel ID will be displayed in the output.
### Configure DNS
**In Cloudflare Dashboard** (https://dash.cloudflare.com/):
1. Domain: **d-bis.org****DNS****Records**
2. Add CNAME:
- **Name**: `explorer`
- **Target**: `<tunnel-id>.cfargotunnel.com`
- **Proxy**: 🟠 **Proxied** (orange cloud)
- **TTL**: Auto
### Configure Tunnel Route
**In Cloudflare Zero Trust** (https://one.dash.cloudflare.com/):
1. **Zero Trust****Networks****Tunnels**
2. Find your tunnel → **Configure****Public Hostnames**
3. Add hostname:
- **Subdomain**: `explorer`
- **Domain**: `d-bis.org`
- **Service**: `http://192.168.11.140:80`
- **Type**: `HTTP`
---
## ✅ Verification
**Wait 1-5 minutes for DNS propagation, then:**
```bash
curl https://explorer.d-bis.org/api/v2/stats
```
**Expected**: JSON response with network stats (not 404)
---
## 🔧 Troubleshooting
### Service not starting
```bash
# Check logs
pct exec 5000 -- journalctl -u cloudflared -n 50
# Check status
pct exec 5000 -- systemctl status cloudflared
```
### Tunnel not connecting
- Verify token is valid
- Check Cloudflare Zero Trust dashboard for tunnel status
- Ensure DNS record is proxied (orange cloud)
---
**Status**: Ready to install
**Next**: Run installation command above on pve2 node
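Review bot: The `cloudflared service install` line under "Installation Command" embeds a live tunnel token. That token is base64 JSON containing the account ID, tunnel ID and tunnel secret, and anyone with read access to this repository can now start a connector that joins the tunnel and receives traffic for every hostname published on it. Replace it with a `<TUNNEL_TOKEN>` placeholder, remove it from history, and rotate it in Zero Trust → Networks → Tunnels (refresh the token, or delete and recreate the tunnel) before this commit reaches any shared remote. Separately, `cloudflared tunnel list` under "Get Tunnel ID" needs the origin certificate produced by `cloudflared tunnel login`, which a token-installed connector does not have, so the command will fail; the tunnel ID is shown on the tunnel's dashboard page instead.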


@@ -0,0 +1,252 @@
# Cloudflare Tunnel Quick Setup Guide
**Last Updated:** 2025-12-21
**Status:** Step-by-Step Setup
---
## Current Status
**cloudflared installed** on VMID 102 (version 2025.11.1)
**Nginx configured** on RPC containers (2501, 2502) with SSL on port 443
⚠️ **cloudflared currently running as DoH proxy** (needs to be reconfigured as tunnel)
---
## Step-by-Step Setup
### Step 1: Get Your Tunnel Token
1. **Go to Cloudflare Dashboard:**
- Navigate to: https://one.dash.cloudflare.com
- Sign in with your Cloudflare account
2. **Create or Select Tunnel:**
- Go to **Zero Trust****Networks****Tunnels**
- If you already created a tunnel, click on it
- If not, click **Create a tunnel** → Select **Cloudflared** → Name it (e.g., `rpc-tunnel`)
3. **Copy the Token:**
- You'll see installation instructions
- Copy the token (starts with `eyJhIjoi...`)
- **Save it securely** - you'll need it in Step 2
---
### Step 2: Install Tunnel Service
**Option A: Use the Automated Script (Recommended)**
```bash
cd /home/intlc/projects/proxmox
./scripts/setup-cloudflare-tunnel-rpc.sh <YOUR_TUNNEL_TOKEN>
```
Replace `<YOUR_TUNNEL_TOKEN>` with the token you copied from Step 1.
**Option B: Manual Installation**
```bash
# Install tunnel service with your token
ssh root@192.168.11.10 "pct exec 102 -- cloudflared service install <YOUR_TUNNEL_TOKEN>"
# Enable and start the service
ssh root@192.168.11.10 "pct exec 102 -- systemctl enable cloudflared"
ssh root@192.168.11.10 "pct exec 102 -- systemctl start cloudflared"
# Check status
ssh root@192.168.11.10 "pct exec 102 -- systemctl status cloudflared"
```
---
### Step 3: Configure Tunnel Routes in Cloudflare Dashboard
After the tunnel service is running, configure the routes:
1. **Go to Tunnel Configuration:**
- Zero Trust → Networks → Tunnels → Your Tunnel → **Configure**
2. **Add Public Hostnames:**
**For each endpoint, click "Add a public hostname":**
| Subdomain | Domain | Service | Type |
|-----------|--------|---------|------|
| `rpc-http-pub` | `d-bis.org` | `https://192.168.11.251:443` | HTTP |
| `rpc-ws-pub` | `d-bis.org` | `https://192.168.11.251:443` | HTTP |
| `rpc-http-prv` | `d-bis.org` | `https://192.168.11.252:443` | HTTP |
| `rpc-ws-prv` | `d-bis.org` | `https://192.168.11.252:443` | HTTP |
**For WebSocket endpoints, also enable:**
-**WebSocket** (if available in the UI)
3. **Save Configuration**
---
### Step 4: Update DNS Records
1. **Go to Cloudflare DNS:**
- Navigate to your domain: `d-bis.org`
- Go to **DNS****Records**
2. **Delete Existing A Records** (if any):
- `rpc-http-pub` → A → 192.168.11.251
- `rpc-ws-pub` → A → 192.168.11.251
- `rpc-http-prv` → A → 192.168.11.252
- `rpc-ws-prv` → A → 192.168.11.252
3. **Create CNAME Records:**
For each endpoint, create a CNAME record:
```
Type: CNAME
Name: rpc-http-pub (or rpc-ws-pub, rpc-http-prv, rpc-ws-prv)
Target: <tunnel-id>.cfargotunnel.com
Proxy: 🟠 Proxied (orange cloud) - IMPORTANT!
TTL: Auto
```
**Where `<tunnel-id>` is your tunnel ID** (visible in the tunnel dashboard, e.g., `abc123def456`)
**Example:**
```
Type: CNAME
Name: rpc-http-pub
Target: abc123def456.cfargotunnel.com
Proxy: 🟠 Proxied
```
4. **Repeat for all 4 endpoints**
---
### Step 5: Verify Setup
#### 5.1 Check Tunnel Status
**In Cloudflare Dashboard:**
- Zero Trust → Networks → Tunnels
- Tunnel should show **"Healthy"** (green status)
**Via Command Line:**
```bash
# Check service status
ssh root@192.168.11.10 "pct exec 102 -- systemctl status cloudflared"
# View logs
ssh root@192.168.11.10 "pct exec 102 -- journalctl -u cloudflared -f"
```
#### 5.2 Test DNS Resolution
```bash
# Test DNS resolution
dig rpc-http-pub.d-bis.org
nslookup rpc-http-pub.d-bis.org
# Should resolve to Cloudflare IPs (if proxied)
```
#### 5.3 Test Endpoints
```bash
# Test HTTP RPC endpoint
curl https://rpc-http-pub.d-bis.org/health
# Test RPC call
curl -X POST https://rpc-http-pub.d-bis.org \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# Test WebSocket (use wscat or similar)
wscat -c wss://rpc-ws-pub.d-bis.org
```
---
## Troubleshooting
### Tunnel Not Connecting
**Check logs:**
```bash
ssh root@192.168.11.10 "pct exec 102 -- journalctl -u cloudflared -n 50 --no-pager"
```
**Common issues:**
- Invalid token → Reinstall with correct token
- Network connectivity → Check container can reach Cloudflare
- Service not started → `systemctl start cloudflared`
### DNS Not Resolving
**Verify:**
- DNS record type is **CNAME** (not A)
- Proxy is **enabled** (orange cloud)
- Target is correct: `<tunnel-id>.cfargotunnel.com`
- Wait 5 minutes for DNS propagation
### Connection Timeout
**Check:**
- Nginx is running: `pct exec 2501 -- systemctl status nginx`
- Port 443 is listening: `pct exec 2501 -- ss -tuln | grep 443`
- Test direct connection: `curl -k https://192.168.11.251/health`
---
## Quick Reference
### Files Created
- **Script:** `scripts/setup-cloudflare-tunnel-rpc.sh`
- **Config:** `/etc/cloudflared/config.yml` (on VMID 102)
- **Service:** `/etc/systemd/system/cloudflared.service` (on VMID 102)
### Key Commands
```bash
# Install tunnel
./scripts/setup-cloudflare-tunnel-rpc.sh <TOKEN>
# Check status
ssh root@192.168.11.10 "pct exec 102 -- systemctl status cloudflared"
# View logs
ssh root@192.168.11.10 "pct exec 102 -- journalctl -u cloudflared -f"
# Restart tunnel
ssh root@192.168.11.10 "pct exec 102 -- systemctl restart cloudflared"
# Test endpoint
curl https://rpc-http-pub.d-bis.org/health
```
### Architecture
```
Internet → Cloudflare DNS → Cloudflare Tunnel → cloudflared (VMID 102)
→ Nginx (2501/2502:443) → Besu RPC (8545/8546)
```
---
## Next Steps After Setup
1.**Monitor tunnel health** in Cloudflare Dashboard
2.**Set up monitoring/alerts** for tunnel status
3.**Consider Let's Encrypt certificates** (replace self-signed)
4.**Configure rate limiting** in Cloudflare if needed
5.**Set up access policies** for private endpoints (if needed)
---
## Related Documentation
- [CLOUDFLARE_TUNNEL_RPC_SETUP.md](CLOUDFLARE_TUNNEL_RPC_SETUP.md) - Detailed setup guide
- [RPC_DNS_CONFIGURATION.md](RPC_DNS_CONFIGURATION.md) - Direct DNS configuration
- [CLOUDFLARE_DNS_TO_CONTAINERS.md](CLOUDFLARE_DNS_TO_CONTAINERS.md) - General tunnel guide
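Review bot: The Step 3 table points every hostname at `https://192.168.11.251:443` / `https://192.168.11.252:443`, and "Next Steps" admits the Nginx certificates are self-signed; cloudflared verifies the origin certificate by default, so these routes will answer 502 until "No TLS Verify" is enabled for each hostname (`originRequest.noTLSVerify: true` in config-file form) or the certificate is replaced with one the connector trusts. Document that setting, or route to plain HTTP on the LAN if the hop between VMID 102 and the RPC containers is considered trusted. Also, "Current Status" says cloudflared on VMID 102 is currently running as a DoH proxy, yet Step 2 runs `cloudflared service install <token>` without removing that unit; add `cloudflared service uninstall` (or disable the existing unit) first so the two do not contend for the same service name. The "enable WebSocket if available" line can be dropped: cloudflared proxies WebSocket upgrades for HTTP/HTTPS services without a toggle; what matters is that Nginx forwards the `Upgrade` and `Connection` headers.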


@@ -0,0 +1,519 @@
# Cloudflare Tunnel Setup for RPC Endpoints
**Last Updated:** 2025-12-21
**Status:** Configuration Guide
---
## Overview
This guide explains how to set up Cloudflare Tunnel for the RPC endpoints with Nginx SSL termination. This provides additional security, DDoS protection, and hides your origin server IPs.
---
## Architecture Options
### Option 1: Direct Tunnel to Nginx (Recommended)
```
Internet → Cloudflare → Tunnel → cloudflared → Nginx (443) → Besu RPC (8545/8546)
```
**Benefits:**
- Direct connection to Nginx on each RPC container
- SSL termination at Nginx level
- Simpler architecture
- Better performance (fewer hops)
### Option 2: Tunnel via nginx-proxy-manager
```
Internet → Cloudflare → Tunnel → cloudflared → nginx-proxy-manager → Nginx → Besu RPC
```
**Benefits:**
- Centralized management
- Additional routing layer
- Useful if you have many services
**This guide focuses on Option 1 (Direct Tunnel to Nginx).**
---
## Prerequisites
1.**Nginx installed** on RPC containers (2501, 2502) - Already done
2.**SSL certificates** configured - Already done
3. **Cloudflare account** with Zero Trust enabled
4. **Domain** `d-bis.org` managed by Cloudflare
5. **cloudflared container** (VMID 102 or create new one)
---
## Step 1: Create Cloudflare Tunnel
### 1.1 Create Tunnel in Cloudflare Dashboard
1. **Access Cloudflare Zero Trust:**
- Navigate to: https://one.dash.cloudflare.com
- Sign in with your Cloudflare account
2. **Create Tunnel:**
- Go to **Zero Trust****Networks****Tunnels**
- Click **Create a tunnel**
- Select **Cloudflared**
- Enter tunnel name: `rpc-tunnel` (or `proxmox-rpc`)
- Click **Save tunnel**
3. **Copy Tunnel Token:**
- After creation, you'll see installation instructions
- Copy the tunnel token (starts with `eyJ...`)
- Save it securely - you'll need it in Step 2
---
## Step 2: Deploy/Configure cloudflared
### 2.1 Check Existing cloudflared Container
```bash
# Check if cloudflared container exists (VMID 102)
ssh root@192.168.11.10 "pct status 102"
ssh root@192.168.11.10 "pct exec 102 -- which cloudflared"
```
### 2.2 Install cloudflared (if needed)
If cloudflared is not installed:
```bash
# Install cloudflared on VMID 102
ssh root@192.168.11.10 "pct exec 102 -- bash -c '
wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
dpkg -i cloudflared-linux-amd64.deb || apt-get install -f -y
cloudflared --version
'"
```
### 2.3 Configure Tunnel
**Option A: Using Tunnel Token (Easiest)**
```bash
# Install tunnel with token
ssh root@192.168.11.10 "pct exec 102 -- cloudflared service install <YOUR_TUNNEL_TOKEN>"
# Start service
ssh root@192.168.11.10 "pct exec 102 -- systemctl enable cloudflared"
ssh root@192.168.11.10 "pct exec 102 -- systemctl start cloudflared"
```
**Option B: Using Config File (More Control)**
Create tunnel configuration file:
```bash
ssh root@192.168.11.10 "pct exec 102 -- bash" <<'EOF'
cat > /etc/cloudflared/config.yml <<'CONFIG'
tunnel: <YOUR_TUNNEL_ID>
credentials-file: /etc/cloudflared/credentials.json
ingress:
# Public HTTP RPC
- hostname: rpc-http-pub.d-bis.org
service: https://192.168.11.251:443
originRequest:
noHappyEyeballs: true
connectTimeout: 30s
tcpKeepAlive: 30s
keepAliveConnections: 100
keepAliveTimeout: 90s
# Public WebSocket RPC
- hostname: rpc-ws-pub.d-bis.org
service: https://192.168.11.251:443
originRequest:
noHappyEyeballs: true
connectTimeout: 30s
tcpKeepAlive: 30s
keepAliveConnections: 100
keepAliveTimeout: 90s
# Private HTTP RPC
- hostname: rpc-http-prv.d-bis.org
service: https://192.168.11.252:443
originRequest:
noHappyEyeballs: true
connectTimeout: 30s
tcpKeepAlive: 30s
keepAliveConnections: 100
keepAliveTimeout: 90s
# Private WebSocket RPC
- hostname: rpc-ws-prv.d-bis.org
service: https://192.168.11.252:443
originRequest:
noHappyEyeballs: true
connectTimeout: 30s
tcpKeepAlive: 30s
keepAliveConnections: 100
keepAliveTimeout: 90s
# Catch-all (must be last)
- service: http_status:404
CONFIG
# Set permissions
chmod 600 /etc/cloudflared/config.yml
EOF
```
**Important Notes:**
- Use `https://` (not `http://`) because Nginx is listening on port 443 with SSL
- The tunnel will handle SSL termination at Cloudflare edge
- Nginx will still receive HTTPS traffic (or you can configure it to accept HTTP from tunnel)
---
## Step 3: Configure Tunnel in Cloudflare Dashboard
### 3.1 Add Public Hostnames
In Cloudflare Zero Trust → Networks → Tunnels → Your Tunnel → Configure:
**Add each hostname:**
1. **rpc-http-pub.d-bis.org**
- **Subdomain:** `rpc-http-pub`
- **Domain:** `d-bis.org`
- **Service:** `https://192.168.11.251:443`
- **Type:** HTTP
- Click **Save hostname**
2. **rpc-ws-pub.d-bis.org**
- **Subdomain:** `rpc-ws-pub`
- **Domain:** `d-bis.org`
- **Service:** `https://192.168.11.251:443`
- **Type:** HTTP
- **WebSocket:** Enable (if available)
- Click **Save hostname**
3. **rpc-http-prv.d-bis.org**
- **Subdomain:** `rpc-http-prv`
- **Domain:** `d-bis.org`
- **Service:** `https://192.168.11.252:443`
- **Type:** HTTP
- Click **Save hostname**
4. **rpc-ws-prv.d-bis.org**
- **Subdomain:** `rpc-ws-prv`
- **Domain:** `d-bis.org`
- **Service:** `https://192.168.11.252:443`
- **Type:** HTTP
- **WebSocket:** Enable (if available)
- Click **Save hostname**
---
## Step 4: Configure DNS Records
### 4.1 Update DNS Records to Use Tunnel
**Change from A records to CNAME records pointing to tunnel:**
In Cloudflare DNS Dashboard:
1. **Delete existing A records** (if any):
- `rpc-http-pub.d-bis.org` → A → 192.168.11.251
- `rpc-ws-pub.d-bis.org` → A → 192.168.11.251
- `rpc-http-prv.d-bis.org` → A → 192.168.11.252
- `rpc-ws-prv.d-bis.org` → A → 192.168.11.252
2. **Create CNAME records:**
| Type | Name | Target | Proxy | TTL |
|------|------|--------|-------|-----|
| CNAME | `rpc-http-pub` | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied | Auto |
| CNAME | `rpc-ws-pub` | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied | Auto |
| CNAME | `rpc-http-prv` | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied | Auto |
| CNAME | `rpc-ws-prv` | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied | Auto |
**Where `<tunnel-id>` is your tunnel ID (e.g., `abc123def456`).**
**Example:**
```
Type: CNAME
Name: rpc-http-pub
Target: abc123def456.cfargotunnel.com
Proxy: 🟠 Proxied (orange cloud)
TTL: Auto
```
**Important:**
-**Proxy must be enabled** (orange cloud) for tunnel to work
- ✅ Use CNAME records (not A records) when using tunnels
- ✅ Target format: `<tunnel-id>.cfargotunnel.com`
---
## Step 5: Update Nginx Configuration (Optional)
### 5.1 Option A: Keep HTTPS (Recommended)
Nginx continues to use HTTPS. The tunnel will:
- Terminate SSL at Cloudflare edge
- Forward HTTPS to Nginx
- Nginx handles SSL again (double SSL - acceptable but not optimal)
### 5.2 Option B: Use HTTP from Tunnel (More Efficient)
If you want to avoid double SSL, configure Nginx to accept HTTP from the tunnel:
**Update Nginx config on each container:**
```bash
# On VMID 2501 and 2502
ssh root@192.168.11.10 "pct exec 2501 -- bash" <<'EOF'
# Add HTTP server block for tunnel traffic
cat >> /etc/nginx/sites-available/rpc <<'NGINX_HTTP'
# HTTP server for Cloudflare Tunnel (no SSL needed)
server {
listen 80;
listen [::]:80;
server_name rpc-http-pub.d-bis.org rpc-ws-pub.d-bis.org;
# Trust Cloudflare IPs
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
real_ip_header CF-Connecting-IP;
access_log /var/log/nginx/rpc-tunnel-access.log;
error_log /var/log/nginx/rpc-tunnel-error.log;
# HTTP RPC endpoint
location / {
if ($host = rpc-http-pub.d-bis.org) {
proxy_pass http://127.0.0.1:8545;
}
if ($host = rpc-ws-pub.d-bis.org) {
proxy_pass http://127.0.0.1:8546;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
}
}
NGINX_HTTP
nginx -t && systemctl reload nginx
EOF
```
**Then update tunnel config to use HTTP:**
```yaml
ingress:
- hostname: rpc-http-pub.d-bis.org
service: http://192.168.11.251:80 # Changed from https://443
```
**Recommendation:** Keep HTTPS (Option A) for simplicity and security.
---
## Step 6: Verify Configuration
### 6.1 Check Tunnel Status
```bash
# Check cloudflared service
ssh root@192.168.11.10 "pct exec 102 -- systemctl status cloudflared"
# View tunnel logs
ssh root@192.168.11.10 "pct exec 102 -- journalctl -u cloudflared -f"
```
**In Cloudflare Dashboard:**
- Go to Zero Trust → Networks → Tunnels
- Tunnel status should show "Healthy" (green)
### 6.2 Test DNS Resolution
```bash
# Test DNS resolution
dig rpc-http-pub.d-bis.org
nslookup rpc-http-pub.d-bis.org
# Should resolve to Cloudflare IPs (if proxied)
```
### 6.3 Test Endpoints
```bash
# Test HTTP RPC endpoint
curl https://rpc-http-pub.d-bis.org/health
curl -X POST https://rpc-http-pub.d-bis.org \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# Test WebSocket RPC endpoint
wscat -c wss://rpc-ws-pub.d-bis.org
```
---
## Benefits of Using Cloudflare Tunnel
1. **🔒 Security:**
- Origin IPs hidden from public
- No need to expose ports on firewall
- DDoS protection at Cloudflare edge
2. **⚡ Performance:**
- Global CDN (though RPC responses shouldn't be cached)
- Reduced latency for global users
- Automatic SSL/TLS at edge
3. **🛡️ DDoS Protection:**
- Cloudflare automatically mitigates attacks
- Rate limiting available
- Bot protection
4. **📊 Analytics:**
- Traffic analytics in Cloudflare dashboard
- Request logs
- Security events
5. **🔧 Management:**
- Centralized tunnel management
- Easy to add/remove routes
- No firewall changes needed
---
## Troubleshooting
### Tunnel Not Connecting
**Symptoms:** Tunnel shows "Unhealthy" in dashboard
**Solutions:**
```bash
# Check cloudflared service
pct exec 102 -- systemctl status cloudflared
# View logs
pct exec 102 -- journalctl -u cloudflared -n 50
# Verify credentials
pct exec 102 -- cat /etc/cloudflared/credentials.json
# Test tunnel connection
pct exec 102 -- cloudflared tunnel info
```
### DNS Not Resolving
**Symptoms:** Domain doesn't resolve or resolves incorrectly
**Solutions:**
1. Verify DNS record type is CNAME (not A)
2. Verify proxy is enabled (orange cloud)
3. Verify target is correct: `<tunnel-id>.cfargotunnel.com`
4. Wait for DNS propagation (up to 5 minutes)
### Connection Timeout
**Symptoms:** DNS resolves but connection times out
**Solutions:**
```bash
# Check if Nginx is running
pct exec 2501 -- systemctl status nginx
# Check if port 443 is listening
pct exec 2501 -- ss -tuln | grep 443
# Test direct connection (bypassing tunnel)
curl -k https://192.168.11.251/health
# Check tunnel config
pct exec 102 -- cat /etc/cloudflared/config.yml
```
### SSL Certificate Errors
**Symptoms:** SSL certificate warnings
**Solutions:**
1. If using self-signed certs, clients will see warnings (expected)
2. Consider using Let's Encrypt certificates
3. Or rely on Cloudflare SSL (terminate at edge, use HTTP internally)
---
## Architecture Summary
### Request Flow with Tunnel
1. **Client**`https://rpc-http-pub.d-bis.org`
2. **DNS** → Resolves to Cloudflare IPs (via CNAME to tunnel)
3. **Cloudflare Edge** → SSL termination, DDoS protection
4. **Cloudflare Tunnel** → Encrypted connection to cloudflared
5. **cloudflared (VMID 102)** → Forwards to `https://192.168.11.251:443`
6. **Nginx (VMID 2501)** → Receives HTTPS, routes to `127.0.0.1:8545`
7. **Besu RPC** → Processes request, returns response
8. **Response** → Reverse path back to client
---
## Quick Reference
**Tunnel Configuration:**
```yaml
ingress:
- hostname: rpc-http-pub.d-bis.org
service: https://192.168.11.251:443
- hostname: rpc-ws-pub.d-bis.org
service: https://192.168.11.251:443
- hostname: rpc-http-prv.d-bis.org
service: https://192.168.11.252:443
- hostname: rpc-ws-prv.d-bis.org
service: https://192.168.11.252:443
- service: http_status:404
```
**DNS Records:**
```
rpc-http-pub.d-bis.org → CNAME → <tunnel-id>.cfargotunnel.com (🟠 Proxied)
rpc-ws-pub.d-bis.org → CNAME → <tunnel-id>.cfargotunnel.com (🟠 Proxied)
rpc-http-prv.d-bis.org → CNAME → <tunnel-id>.cfargotunnel.com (🟠 Proxied)
rpc-ws-prv.d-bis.org → CNAME → <tunnel-id>.cfargotunnel.com (🟠 Proxied)
```
---
## Related Documentation
- [RPC_DNS_CONFIGURATION.md](RPC_DNS_CONFIGURATION.md) - Direct DNS configuration
- [CLOUDFLARE_DNS_TO_CONTAINERS.md](CLOUDFLARE_DNS_TO_CONTAINERS.md) - General tunnel setup
- [CLOUDFLARE_NGINX_INTEGRATION.md](../05-network/CLOUDFLARE_NGINX_INTEGRATION.md) - Nginx integration
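Review bot: The Option B Nginx block in Step 5.2 does not do what its comments claim, for two reasons. First, the fifteen `set_real_ip_from` Cloudflare ranges never match behind a tunnel: the TCP peer is cloudflared on VMID 102, not a Cloudflare edge address, so `$remote_addr` stays the connector's LAN IP and the access log, `X-Real-IP` and any rate limiting are keyed on the tunnel host instead of the client. Trust the connector's address (`set_real_ip_from <IP of VMID 102>;` with `real_ip_header CF-Connecting-IP;`) and keep the public ranges only for a listener that Cloudflare reaches directly. Second, `proxy_set_header` is not permitted inside an `if` block, so `nginx -t` rejects the `rpc-ws-pub.d-bis.org` branch; split `rpc-http-pub` and `rpc-ws-pub` into two `server` blocks (or a `map $host $upstream`) and set the headers at `location` level. Smaller points: Option B in Step 2.3 references `credentials-file: /etc/cloudflared/credentials.json`, which only exists for a tunnel created locally with `cloudflared tunnel create`, not for the token flow in Step 1, so say where that file comes from; the `https://...:443` services need `originRequest.noTLSVerify: true` while the certificates are self-signed, or Step 6.3 will see 502s; and the troubleshooting step `cat /etc/cloudflared/credentials.json` prints the tunnel secret to the terminal, which the `journalctl` output and the dashboard connector list make unnecessary.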


@@ -0,0 +1,403 @@
# Cloudflare Zero Trust Integration Guide
**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Service:** Cloudflare Zero Trust + cloudflared
---
## Overview
This guide provides step-by-step configuration for Cloudflare Zero Trust integration, including:
- cloudflared tunnel setup (redundant)
- Application publishing via Cloudflare Access
- Security policies and access control
- Monitoring and troubleshooting
---
## Architecture
### cloudflared Gateway Pattern
Run **2 cloudflared LXCs** for redundancy:
- **cloudflared-1** on ML110 (192.168.11.10)
- **cloudflared-2** on an R630 (production compute)
Both run tunnels for:
- Blockscout (VLAN 120)
- FireFly (VLAN 141)
- Gitea (if deployed)
- Internal admin dashboards (Grafana) behind Cloudflare Access
---
## Prerequisites
1. **Cloudflare Account:**
- Cloudflare account with Zero Trust enabled
- Zero Trust subscription (free tier available)
2. **Domain:**
- Domain managed by Cloudflare
- DNS records can be managed via Cloudflare
3. **Access:**
- Admin access to Cloudflare Zero Trust dashboard
- SSH access to Proxmox hosts
---
## Step 1: Cloudflare Zero Trust Setup
### 1.1 Enable Zero Trust
1. **Access Cloudflare Dashboard:**
- Navigate to: https://one.dash.cloudflare.com
- Sign in with Cloudflare account
2. **Enable Zero Trust:**
- Go to **Zero Trust****Overview**
- Follow setup wizard if first time
- Note your **Team Name** (e.g., `yourteam.cloudflareaccess.com`)
### 1.2 Create Tunnel
1. **Navigate to Tunnels:**
- Go to **Zero Trust****Networks****Tunnels**
- Click **Create a tunnel**
2. **Choose Tunnel Type:**
- Select **Cloudflared**
- Name: `proxmox-primary` (for cloudflared-1)
- Click **Save tunnel**
3. **Install cloudflared:**
- Follow instructions to install cloudflared on ML110
- Copy the tunnel token (keep secure)
4. **Repeat for Second Tunnel:**
- Create `proxmox-secondary` (for cloudflared-2)
- Install cloudflared on R630
- Copy the tunnel token
---
## Step 2: Deploy cloudflared LXCs
### 2.1 Create cloudflared-1 LXC (ML110)
**VMID:** (assign from available range, e.g., 8000)
**Configuration:**
```bash
pct create 8000 local:vztmpl/ubuntu-22.04-standard_22.04-1_amd64.tar.zst \
--hostname cloudflared-1 \
--net0 name=eth0,bridge=vmbr0,ip=192.168.11.80/24,gw=192.168.11.1 \
--memory 512 \
--cores 1 \
--storage local-lvm \
--rootfs local-lvm:4
```
**Start Container:**
```bash
pct start 8000
```
**Install cloudflared:**
```bash
pct exec 8000 -- bash -c "
wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
dpkg -i cloudflared-linux-amd64.deb
cloudflared --version
"
```
**Configure Tunnel:**
```bash
pct exec 8000 -- cloudflared service install <TUNNEL_TOKEN_FROM_STEP_1>
pct exec 8000 -- systemctl enable cloudflared
pct exec 8000 -- systemctl start cloudflared
```
### 2.2 Create cloudflared-2 LXC (R630)
Repeat the same process on an R630 node, using:
- VMID: 8001
- Hostname: cloudflared-2
- IP: 192.168.11.81/24
- Tunnel: `proxmox-secondary`
---
## Step 3: Configure Applications
### 3.1 Blockscout (VLAN 120)
**In Cloudflare Zero Trust Dashboard:**
1. **Navigate to Applications:**
- Go to **Zero Trust****Access****Applications**
- Click **Add an application**
2. **Configure Application:**
- **Application Name:** Blockscout
- **Application Domain:** `blockscout.yourdomain.com`
- **Session Duration:** 24 hours
- **Policy:** Create policy (see below)
3. **Configure Public Hostname:**
- Go to **Zero Trust****Networks****Tunnels**
- Select your tunnel → **Configure**
- Click **Public Hostname****Add a public hostname**
- **Subdomain:** `blockscout`
- **Domain:** `yourdomain.com`
- **Service:** `http://10.120.0.10:4000` (Blockscout IP:port)
4. **Access Policy:**
```
Rule Name: Blockscout Access
Action: Allow
Include:
- Email domain: @yourdomain.com
- OR Email: admin@yourdomain.com
Require:
- MFA (if enabled)
```
### 3.2 FireFly (VLAN 141)
**Repeat for FireFly:**
- **Application Name:** FireFly
- **Application Domain:** `firefly.yourdomain.com`
- **Public Hostname:** `firefly.yourdomain.com`
- **Service:** `http://10.141.0.10:5000` (FireFly IP:port)
- **Access Policy:** Similar to Blockscout
### 3.3 Grafana (Monitoring)
**If Grafana is deployed:**
- **Application Name:** Grafana
- **Application Domain:** `grafana.yourdomain.com`
- **Public Hostname:** `grafana.yourdomain.com`
- **Service:** `http://10.130.0.10:3000` (Grafana IP:port)
- **Access Policy:** Restrict to admin users only
### 3.4 Gitea (if deployed)
**If Gitea is deployed:**
- **Application Name:** Gitea
- **Application Domain:** `git.yourdomain.com`
- **Public Hostname:** `git.yourdomain.com`
- **Service:** `http://10.130.0.20:3000` (Gitea IP:port)
- **Access Policy:** Similar to Blockscout
---
## Step 4: Security Policies
### 4.1 Access Policies
**Create Policies for Each Application:**
1. **Admin-Only Access:**
```
Rule Name: Admin Only
Action: Allow
Include:
- Email: admin@yourdomain.com
- OR Group: admins
Require:
- MFA
```
2. **Team Access:**
```
Rule Name: Team Access
Action: Allow
Include:
- Email domain: @yourdomain.com
Require:
- MFA (optional)
```
3. **Device Posture (Optional):**
```
Rule Name: Secure Device Only
Action: Allow
Include:
- Email domain: @yourdomain.com
Require:
- Device posture: Secure (certificate installed)
```
### 4.2 WARP Client (Optional)
**For Enhanced Security:**
1. **Deploy WARP Client:**
- Download WARP client for user devices
- Configure with Zero Trust team name
- Users connect via WARP for secure access
2. **Device Posture Checks:**
- Enable device posture checks
- Require certificates for access
- Enforce security policies
---
## Step 5: DNS Configuration
### 5.1 Create DNS Records
**In Cloudflare DNS Dashboard:**
1. **Blockscout:**
- Type: CNAME
- Name: `blockscout`
- Target: `proxmox-primary.yourteam.cloudflareaccess.com`
- Proxy: Enabled (orange cloud)
2. **FireFly:**
- Type: CNAME
- Name: `firefly`
- Target: `proxmox-primary.yourteam.cloudflareaccess.com`
- Proxy: Enabled
3. **Grafana:**
- Type: CNAME
- Name: `grafana`
- Target: `proxmox-primary.yourteam.cloudflareaccess.com`
- Proxy: Enabled
---
## Step 6: Monitoring & Health Checks
### 6.1 Tunnel Health
**Check Tunnel Status:**
```bash
# On cloudflared-1 (ML110)
pct exec 8000 -- systemctl status cloudflared
# Check logs
pct exec 8000 -- journalctl -u cloudflared -f
```
**In Cloudflare Dashboard:**
- Go to **Zero Trust** → **Networks** → **Tunnels**
- Check tunnel status (should be "Healthy")
### 6.2 Application Health
**Test Access:**
1. Navigate to `https://blockscout.yourdomain.com`
2. Should redirect to Cloudflare Access login
3. After authentication, should access Blockscout
**Monitor Logs:**
- Cloudflare Zero Trust → **Analytics** → **Access Logs**
- Check for authentication failures
- Monitor access patterns
---
## Step 7: Proxmox UI Access (Optional)
### 7.1 Publish Proxmox via Cloudflare Access
**Important:** Proxmox UI should remain LAN-only by default. Only publish if absolutely necessary.
**If Publishing:**
1. **Create Application:**
- **Application Name:** Proxmox
- **Application Domain:** `proxmox.yourdomain.com`
- **Public Hostname:** `proxmox.yourdomain.com`
- **Service:** `https://192.168.11.10:8006` (Proxmox IP:port)
2. **Strict Access Policy:**
```
Rule Name: Proxmox Admin Only
Action: Allow
Include:
- Email: admin@yourdomain.com
Require:
- MFA
- Device posture: Secure
```
3. **Security Considerations:**
- Use IP allowlist in addition to Cloudflare Access
- Enable audit logging
- Monitor access logs closely
- Consider VPN instead of public access
---
## Troubleshooting
### Common Issues
#### Tunnel Not Connecting
**Symptoms:** Tunnel shows as "Unhealthy" in dashboard
**Solutions:**
1. Check cloudflared service status: `systemctl status cloudflared`
2. Verify tunnel token is correct
3. Check network connectivity
4. Review cloudflared logs: `journalctl -u cloudflared -f`
#### Application Not Accessible
**Symptoms:** Can authenticate but application doesn't load
**Solutions:**
1. Verify service IP:port is correct
2. Check firewall rules allow traffic from cloudflared
3. Verify application is running
4. Check tunnel configuration in dashboard
#### Authentication Failures
**Symptoms:** Users can't authenticate
**Solutions:**
1. Check access policies are configured correctly
2. Verify user emails match policy
3. Check MFA requirements
4. Review access logs in dashboard
---
## Best Practices
1. **Redundancy:** Always run 2+ cloudflared instances
2. **Security:** Use MFA for all applications
3. **Monitoring:** Monitor tunnel health and access logs
4. **Updates:** Keep cloudflared updated
5. **Backup:** Backup tunnel configurations
6. **Documentation:** Document all published applications
---
## References
- **[NETWORK_ARCHITECTURE.md](NETWORK_ARCHITECTURE.md)** - Network architecture
- **[ORCHESTRATION_DEPLOYMENT_GUIDE.md](ORCHESTRATION_DEPLOYMENT_GUIDE.md)** - Deployment guide
- [Cloudflare Zero Trust Documentation](https://developers.cloudflare.com/cloudflare-one/)
- [cloudflared Documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/)
---
**Document Status:** Complete (v1.0)
**Maintained By:** Infrastructure Team
**Review Cycle:** Quarterly
**Last Updated:** 2025-01-20
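Review bot: in Step 5.1 the CNAME targets for `blockscout`, `firefly` and `grafana` point at `proxmox-primary.yourteam.cloudflareaccess.com`, which is a name under the Zero Trust team domain (the Access login page), not a tunnel endpoint; a public hostname served through a Cloudflare Tunnel must CNAME to `<tunnel-id>.cfargotunnel.com` (the Zero Trust dashboard creates that record itself when the public hostname is added under the tunnel), so each `- Target:` line should read `- Target: <tunnel-id>.cfargotunnel.com`. A second gap on the same path: origins reached over HTTPS with a self-signed certificate, such as `https://192.168.11.10:8006` in Step 7.1, also need the public hostname's TLS settings to either trust that certificate or have No TLS Verify enabled, otherwise the request fails at the origin after Access authentication succeeds; one sentence on that in 7.1 or under "Application Not Accessible" in Troubleshooting would save a support round-trip.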

View File

@@ -0,0 +1,68 @@
# Cloudflare Configuration Documentation
**Last Updated:** 2025-01-20
**Status:** Active Documentation
---
## Overview
This directory contains all Cloudflare-related configuration documentation, including Zero Trust setup, DNS configuration, tunnel setup, and service-specific guides.
---
## Documentation Index
### Core Guides
| Document | Description | Priority |
|----------|-------------|----------|
| **[CLOUDFLARE_ZERO_TRUST_GUIDE.md](CLOUDFLARE_ZERO_TRUST_GUIDE.md)** | Complete Zero Trust integration guide | ⭐⭐⭐ |
| **[CLOUDFLARE_DNS_TO_CONTAINERS.md](CLOUDFLARE_DNS_TO_CONTAINERS.md)** | General DNS mapping to LXC containers | ⭐⭐⭐ |
| **[CLOUDFLARE_DNS_SPECIFIC_SERVICES.md](CLOUDFLARE_DNS_SPECIFIC_SERVICES.md)** | Service-specific DNS configuration | ⭐⭐⭐ |
### Tunnel Setup
| Document | Description | Priority |
|----------|-------------|----------|
| **[CLOUDFLARE_TUNNEL_CONFIGURATION_GUIDE.md](CLOUDFLARE_TUNNEL_CONFIGURATION_GUIDE.md)** | Complete tunnel configuration guide | ⭐⭐ |
| **[CLOUDFLARE_TUNNEL_INSTALLATION.md](CLOUDFLARE_TUNNEL_INSTALLATION.md)** | Tunnel installation procedures | ⭐⭐ |
| **[CLOUDFLARE_TUNNEL_QUICK_SETUP.md](CLOUDFLARE_TUNNEL_QUICK_SETUP.md)** | Quick setup guide | ⭐ |
| **[CLOUDFLARE_TUNNEL_RPC_SETUP.md](CLOUDFLARE_TUNNEL_RPC_SETUP.md)** | RPC-specific tunnel setup | ⭐⭐ |
### Service-Specific
| Document | Description | Priority |
|----------|-------------|----------|
| **[CLOUDFLARE_EXPLORER_CONFIG.md](CLOUDFLARE_EXPLORER_CONFIG.md)** | Blockscout explorer configuration | ⭐⭐ |
| **[CLOUDFLARE_EXPLORER_QUICK_SETUP.md](CLOUDFLARE_EXPLORER_QUICK_SETUP.md)** | Quick explorer setup | ⭐ |
---
## Quick Start
### First Time Setup
1. **Read:** [CLOUDFLARE_ZERO_TRUST_GUIDE.md](CLOUDFLARE_ZERO_TRUST_GUIDE.md) - Complete overview
2. **Follow:** [CLOUDFLARE_TUNNEL_INSTALLATION.md](CLOUDFLARE_TUNNEL_INSTALLATION.md) - Install tunnels
3. **Configure:** [CLOUDFLARE_DNS_TO_CONTAINERS.md](CLOUDFLARE_DNS_TO_CONTAINERS.md) - Map DNS to containers
### Common Tasks
- **Set up a new service:** See [CLOUDFLARE_DNS_TO_CONTAINERS.md](CLOUDFLARE_DNS_TO_CONTAINERS.md)
- **Configure specific service:** See [CLOUDFLARE_DNS_SPECIFIC_SERVICES.md](CLOUDFLARE_DNS_SPECIFIC_SERVICES.md)
- **Set up RPC tunnel:** See [CLOUDFLARE_TUNNEL_RPC_SETUP.md](CLOUDFLARE_TUNNEL_RPC_SETUP.md)
- **Configure explorer:** See [CLOUDFLARE_EXPLORER_CONFIG.md](CLOUDFLARE_EXPLORER_CONFIG.md)
---
## Related Documentation
- **[../README.md](../README.md)** - Configuration directory overview
- **[../../05-network/CLOUDFLARE_NGINX_INTEGRATION.md](../../05-network/CLOUDFLARE_NGINX_INTEGRATION.md)** - NGINX integration
- **[../../05-network/CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md](../../05-network/CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md)** - Routing architecture
- **[../../02-architecture/NETWORK_ARCHITECTURE.md](../../02-architecture/NETWORK_ARCHITECTURE.md)** - Network architecture
---
**Last Updated:** 2025-01-20
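Review bot: the Priority column in the three index tables uses one to three ⭐ characters with no legend saying what the counts mean, so a reader cannot tell whether a single ⭐ marks low priority or optional reading; add a one-line key under the first table (for example `Priority: ⭐⭐⭐ read first, ⭐⭐ recommended, ⭐ optional`) or replace the symbols with words. The Quick Start also walks readers through installing tunnels and mapping DNS but never links CLOUDFLARE_TUNNEL_CONFIGURATION_GUIDE.md, the document the Tunnel Setup table itself labels the complete tunnel configuration guide; a step between 2 and 3 pointing at it would close that gap.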