d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Complete markdown files cleanup and organization

Browse Source 
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
This commit is contained in:
defiQUG
2026-01-06 01:46:25 -08:00
parent 1edcec953c
commit cb47cce074
1327 changed files with 217220 additions and 801 deletions
Download Patch File Download Diff File Expand all files Collapse all files

140
docs/05-network/BESU_MAINNET_VS_CHAIN138_COMPARISON.md Normal file
View File

@@ -0,0 +1,140 @@
# Besu Configuration: Mainnet vs Chain 138 Comparison
**Date**: $(date)
---
## Command Comparison
### Ethereum Mainnet Configuration
```bash
besu \
--network=mainnet \
--sync-mode=FULL \
--rpc-http-enabled \
--rpc-http-api=ETH,NET,WEB3 \
--rpc-http-cors-origins="*" \
--rpc-http-host=0.0.0.0 \
--rpc-http-port=8545
```
**This configuration:**
- ✅ Connects to **Ethereum Mainnet** (chain ID 1)
- ✅ Downloads entire mainnet blockchain
- ✅ No genesis file needed (uses mainnet genesis)
- ✅ Public network with public discovery
- ✅ No permissioning
- ✅ Read-only APIs (ETH, NET, WEB3)
---
### Chain 138 Equivalent Configuration
For your **private/permissioned chain 138** network, the equivalent would be:
```bash
besu \
--data-path=/data/besu \
--genesis-file=/genesis/genesis.json \
--network-id=138 \
--sync-mode=FULL \
--rpc-http-enabled \
--rpc-http-api=ETH,NET,WEB3 \
--rpc-http-cors-origins="*" \
--rpc-http-host=0.0.0.0 \
--rpc-http-port=8545 \
--permissions-nodes-config-file-enabled=true \
--permissions-nodes-config-file=/permissions/permissions-nodes.toml \
--static-nodes-file=/genesis/static-nodes.json \
--discovery-enabled=false \
--p2p-host=0.0.0.0 \
--p2p-port=30303 \
--miner-enabled=false
```
**Key Differences:**
| Setting | Mainnet | Chain 138 |
|---------|---------|-----------|
| Network | `--network=mainnet` | `--network-id=138` |
| Genesis | Auto (mainnet) | `--genesis-file=/genesis/genesis.json` |
| Permissioning | Disabled | **Enabled** (local nodes only) |
| Discovery | Enabled (public) | Disabled (private) |
| Static Nodes | None | Required (`static-nodes.json`) |
| Node Allowlist | None | Required (`permissions-nodes.toml`) |
| Consensus | PoS (mainnet) | QBFT (your network) |
---
## Important Notes
### ❌ Don't Use Mainnet Config for Chain 138
The mainnet configuration you showed **will NOT work** for your chain 138 network because:
1. **`--network=mainnet`** will connect to Ethereum mainnet (chain ID 1), not your chain 138
2. **No genesis file** - mainnet uses hardcoded genesis, your network needs a custom genesis
3. **No permissioning** - mainnet is public, your network is permissioned
4. **Public discovery** - mainnet discovers any node, your network only connects to allowlisted nodes
### ✅ Use Chain 138 Configuration
Your current chain 138 configuration (in TOML format) already has all the correct settings:
- `network-id=138` (not mainnet)
- `genesis-file=/genesis/genesis.json` (required)
- `permissions-nodes-config-file-enabled=true` (required for private network)
- `discovery-enabled=false` (for VMID 2500 - strict local/permissioned nodes only)
---
## Current Chain 138 Configuration (VMID 2500)
Your current configuration is correct for chain 138:
```toml
# config-rpc-core.toml (VMID 2500)
data-path="/data/besu"
genesis-file="/genesis/genesis.json"
network-id=138
sync-mode="FULL"
rpc-http-enabled=true
rpc-http-api=["ETH","NET","WEB3","ADMIN","DEBUG","TXPOOL"]
permissions-nodes-config-file-enabled=true
permissions-nodes-config-file="/permissions/permissions-nodes.toml"
static-nodes-file="/genesis/static-nodes.json"
discovery-enabled=false
```
---
## If You Need Mainnet Access
If you want to run a separate Besu node for **Ethereum mainnet** (separate from chain 138), you would:
1. Use a **separate data directory** (different from `/data/besu`)
2. Run on **different ports** (e.g., 8547, 8548)
3. Use the mainnet configuration you showed
4. This would be a **completely separate node** from your chain 138 network
**Example separate mainnet node:**
```bash
besu \
--data-path=/data/besu-mainnet \
--network=mainnet \
--sync-mode=FULL \
--rpc-http-enabled \
--rpc-http-api=ETH,NET,WEB3 \
--rpc-http-cors-origins="*" \
--rpc-http-host=0.0.0.0 \
--rpc-http-port=8547 \
--rpc-ws-port=8548
```
This would run alongside your chain 138 nodes but be completely separate.
---
**Last Updated**: $(date)

268
docs/05-network/BESU_RPC_CONFIGURATION_FIXED.md Normal file
View File

@@ -0,0 +1,268 @@
# Besu RPC Nodes Configuration - Fixed
**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Status:** Active Documentation
---
## Overview
This document describes the corrected configuration for the three Besu RPC nodes (VMIDs 2500, 2501, 2502) in the Proxmox VE deployment.
---
## Node Roles and Requirements
### VMID 2500 - Core RPC Node
- **Role**: Core/Internal infrastructure
- **Access**: **NO public access or routing**
- **Features**: **All features enabled** (ADMIN, DEBUG, TRACE, TXPOOL, QBFT)
- **Config File**: `config-rpc-core.toml`
- **IP**: 192.168.11.250
**Key Settings**:
- ✅ Discovery **DISABLED** (no public routing)
- ✅ All APIs enabled: `ETH`, `NET`, `WEB3`, `TXPOOL`, `QBFT`, `ADMIN`, `DEBUG`, `TRACE`
- ✅ CORS origins empty (no public access)
- ✅ Node permissioning enabled (only local nodes)
- ✅ Account permissioning **disabled** (internal use only)
### VMID 2501 - Permissioned RPC Node (Prv)
- **Role**: Permissioned public access
- **Access**: **Public permissioned access** (requires authentication)
- **Features**: **Non-Admin features only** (no ADMIN, DEBUG, TRACE)
- **Config File**: `config-rpc-perm.toml`
- **IP**: 192.168.11.251
**Key Settings**:
- ✅ Discovery **ENABLED** (public access)
- ✅ Non-Admin APIs only: `ETH`, `NET`, `WEB3`, `TXPOOL`, `QBFT`
-**ADMIN API REMOVED** (as required)
-**DEBUG API REMOVED** (as required)
- ✅ CORS enabled for public access
-**Account permissioning ENABLED** (requires authentication)
- ✅ Node permissioning enabled
### VMID 2502 - Public RPC Node (Pub)
- **Role**: Public non-authenticated access
- **Access**: **Public non-auth access**
- **Features**: **Minimal wallet features only**
- **Config File**: `config-rpc-public.toml`
- **IP**: 192.168.11.252
**Key Settings**:
- ✅ Discovery **ENABLED** (public access)
- ✅ Minimal APIs only: `ETH`, `NET`, `WEB3` (read-only)
- ✅ WebSocket **DISABLED** (HTTP only)
- ✅ CORS enabled for public access
- ✅ Account permissioning **disabled** (public non-auth)
- ✅ Node permissioning enabled
---
## Configuration Changes Made
### 1. Fixed `config-rpc-core.toml` (VMID 2500)
-**Removed ADMIN from permissioned config** - ADMIN should only be in Core
-**Disabled discovery** - Changed from `true` to `false` (no public routing)
-**Removed CORS origins** - Changed from `["*"]` to `[]` (no public access)
-**Fixed paths** - Updated to use `/data/besu`, `/genesis/`, `/permissions/`
-**Removed deprecated options** - Removed `log-destination`, `max-remote-initiated-connections`, `accounts-enabled`, `database-path`, `trie-logs-enabled`
### 2. Fixed `config-rpc-perm.toml` (VMID 2501)
-**Removed ADMIN API** - Changed from `["ETH","NET","WEB3","TXPOOL","QBFT","ADMIN"]` to `["ETH","NET","WEB3","TXPOOL","QBFT"]`
-**Removed DEBUG API** - Not included (non-Admin features only)
-**Account permissions enabled** - `permissions-accounts-config-file-enabled=true` (for permissioned access)
-**Fixed paths** - Updated to use `/data/besu`, `/genesis/`, `/permissions/`
-**Removed deprecated options** - Same cleanup as Core config
### 3. Fixed `config-rpc-public.toml` (VMID 2502)
-**Minimal APIs confirmed** - Only `ETH`, `NET`, `WEB3` (correct)
-**WebSocket disabled** - Already correct
-**Account permissions disabled** - Correct for public non-auth
-**Fixed paths** - Updated to use `/data/besu`, `/genesis/`, `/permissions/`
-**Removed deprecated options** - Same cleanup as other configs
---
## Deployment
### Automated Deployment Script
A new script has been created to deploy and verify the configurations:
```bash
cd /home/intlc/projects/proxmox
./scripts/configure-besu-rpc-nodes.sh
```
This script will:
1. ✅ Check container status and start if needed
2. ✅ Copy correct config file to each RPC node
3. ✅ Update systemd service files
4. ✅ Verify configuration matches requirements
5. ✅ Restart services
6. ✅ Check if 2501 and 2502 are reversed
### Manual Deployment
If you prefer to deploy manually:
```bash
# For VMID 2500 (Core)
pct push 2500 smom-dbis-138/config/config-rpc-core.toml /etc/besu/config-rpc-core.toml
pct exec 2500 -- chown besu:besu /etc/besu/config-rpc-core.toml
pct exec 2500 -- systemctl restart besu-rpc.service
# For VMID 2501 (Permissioned)
pct push 2501 smom-dbis-138/config/config-rpc-perm.toml /etc/besu/config-rpc-perm.toml
pct exec 2501 -- chown besu:besu /etc/besu/config-rpc-perm.toml
pct exec 2501 -- systemctl restart besu-rpc.service
# For VMID 2502 (Public)
pct push 2502 smom-dbis-138/config/config-rpc-public.toml /etc/besu/config-rpc-public.toml
pct exec 2502 -- chown besu:besu /etc/besu/config-rpc-public.toml
pct exec 2502 -- systemctl restart besu-rpc.service
```
---
## Verification
### Check Configuration Files
```bash
# Verify Core RPC (2500)
pct exec 2500 -- grep "discovery-enabled" /etc/besu/config-rpc-core.toml
# Should show: discovery-enabled=false
pct exec 2500 -- grep "rpc-http-api" /etc/besu/config-rpc-core.toml
# Should include: ADMIN, DEBUG, TRACE
# Verify Permissioned RPC (2501)
pct exec 2501 -- grep "rpc-http-api" /etc/besu/config-rpc-perm.toml
# Should NOT include: ADMIN or DEBUG
# Should include: ETH, NET, WEB3, TXPOOL, QBFT
pct exec 2501 -- grep "permissions-accounts-config-file-enabled" /etc/besu/config-rpc-perm.toml
# Should show: permissions-accounts-config-file-enabled=true
# Verify Public RPC (2502)
pct exec 2502 -- grep "rpc-http-api" /etc/besu/config-rpc-public.toml
# Should only include: ETH, NET, WEB3
pct exec 2502 -- grep "rpc-ws-enabled" /etc/besu/config-rpc-public.toml
# Should show: rpc-ws-enabled=false
```
### Check Service Status
```bash
pct exec 2500 -- systemctl status besu-rpc.service
pct exec 2501 -- systemctl status besu-rpc.service
pct exec 2502 -- systemctl status besu-rpc.service
```
### Test RPC Endpoints
```bash
# Test Core RPC (should work from internal network)
curl -X POST http://192.168.11.250:8545 \
-H 'Content-Type: application/json' \
--data '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# Test Permissioned RPC (should work with authentication)
curl -X POST http://192.168.11.251:8545 \
-H 'Content-Type: application/json' \
--data '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# Test Public RPC (should work without authentication)
curl -X POST http://192.168.11.252:8545 \
-H 'Content-Type: application/json' \
--data '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
```
---
## API Comparison
| API | Core (2500) | Permissioned (2501) | Public (2502) |
|-----|-------------|---------------------|---------------|
| ETH | ✅ | ✅ | ✅ |
| NET | ✅ | ✅ | ✅ |
| WEB3 | ✅ | ✅ | ✅ |
| TXPOOL | ✅ | ✅ | ❌ |
| QBFT | ✅ | ✅ | ❌ |
| ADMIN | ✅ | ❌ | ❌ |
| DEBUG | ✅ | ❌ | ❌ |
| TRACE | ✅ | ❌ | ❌ |
---
## Security Considerations
### VMID 2500 (Core)
- **Firewall**: Should block external access to port 8545/8546
- **Discovery**: Disabled (no public routing)
- **CORS**: Empty (no cross-origin access)
- **Use Case**: Internal infrastructure, monitoring, administrative operations
### VMID 2501 (Permissioned)
- **Authentication**: Account permissioning enabled (requires allowlist)
- **Discovery**: Enabled (public access)
- **CORS**: Enabled (public access)
- **Use Case**: Enterprise/private applications with authentication
### VMID 2502 (Public)
- **Authentication**: None (public non-auth)
- **Discovery**: Enabled (public access)
- **CORS**: Enabled (public access)
- **APIs**: Minimal (read-only wallet features)
- **Use Case**: Public dApps, wallets, blockchain explorers
---
## Files Modified
1.`smom-dbis-138/config/config-rpc-core.toml` - Fixed for Core RPC
2.`smom-dbis-138/config/config-rpc-perm.toml` - Fixed for Permissioned RPC
3.`smom-dbis-138/config/config-rpc-public.toml` - Fixed for Public RPC
4.`scripts/configure-besu-rpc-nodes.sh` - New deployment script
---
## Next Steps
1. **Deploy configurations** using the automated script:
```bash
./scripts/configure-besu-rpc-nodes.sh
```
2. **Verify services** are running correctly
3. **Test RPC endpoints** from appropriate networks
4. **Configure firewall rules** to ensure:
- VMID 2500 is only accessible from internal network
- VMID 2501 and 2502 are accessible from public networks (if needed)
5. **Monitor logs** for any configuration errors:
```bash
pct exec 2500 -- journalctl -u besu-rpc.service -f
pct exec 2501 -- journalctl -u besu-rpc.service -f
pct exec 2502 -- journalctl -u besu-rpc.service -f
```
---
## Summary
**All configurations have been fixed and are ready for deployment**
- **2500 (Core)**: No public access, all features enabled
- **2501 (Permissioned)**: Public permissioned access, non-Admin features only
- **2502 (Public)**: Public non-auth access, minimal wallet features
The configurations now correctly match the requirements for each node type.

214
docs/05-network/CENTRAL_NGINX_ROUTING_SETUP.md Normal file
View File

@@ -0,0 +1,214 @@
# Central Nginx Routing Setup - Complete
**Last Updated:** 2025-12-27
**Document Version:** 1.0
**Status:** Active Documentation
---
## Architecture
```
Internet → Cloudflare → cloudflared (VMID 102) → Nginx Proxy Manager (VMID 105:80) → Internal Services
```
All Cloudflare tunnel traffic now routes through a single Nginx instance (VMID 105) which then routes to internal services based on hostname.
---
## Configuration Complete
### ✅ Nginx Proxy Manager (VMID 105)
**IP Address**: `192.168.11.21`
**Configuration File**: `/data/nginx/custom/http.conf`
**Status**: Active and running
**Services Configured**:
| Domain | Routes To | Service IP | Service Port |
|--------|-----------|------------|--------------|
| `explorer.d-bis.org` | `http://192.168.11.280:80` | 192.168.11.280 | 80 |
| `rpc-http-pub.d-bis.org` | `https://192.168.11.252:443` | 192.168.11.252 | 443 |
| `rpc-ws-pub.d-bis.org` | `https://192.168.11.252:443` | 192.168.11.252 | 443 |
| `rpc-http-prv.d-bis.org` | `https://192.168.11.251:443` | 192.168.11.251 | 443 |
| `rpc-ws-prv.d-bis.org` | `https://192.168.11.251:443` | 192.168.11.251 | 443 |
| `dbis-admin.d-bis.org` | `http://192.168.11.130:80` | 192.168.11.130 | 80 |
| `dbis-api.d-bis.org` | `http://192.168.11.290:3000` | 192.168.11.290 | 3000 |
| `dbis-api-2.d-bis.org` | `http://192.168.11.291:3000` | 192.168.11.291 | 3000 |
| `mim4u.org` | `http://192.168.11.19:80` | 192.168.11.19 | 80 |
| `www.mim4u.org` | `http://192.168.11.19:80` | 192.168.11.19 | 80 |
---
## Cloudflare Tunnel Configuration
### ⚠️ Action Required: Update Cloudflare Dashboard
Since the tunnel uses token-based configuration, you need to update the tunnel ingress rules in the Cloudflare dashboard:
1. Go to: https://one.dash.cloudflare.com/
2. Navigate to: **Zero Trust****Networks****Tunnels**
3. Select your tunnel (ID: `b02fe1fe-cb7d-484e-909b-7cc41298ebe8`)
4. Click **Configure****Public Hostnames**
5. Update all hostnames to route to: `http://192.168.11.21:80`
### Required Tunnel Ingress Rules
All hostnames should route to the central Nginx:
```yaml
ingress:
# Explorer
- hostname: explorer.d-bis.org
service: http://192.168.11.21:80
# RPC Public
- hostname: rpc-http-pub.d-bis.org
service: http://192.168.11.21:80
- hostname: rpc-ws-pub.d-bis.org
service: http://192.168.11.21:80
# RPC Private
- hostname: rpc-http-prv.d-bis.org
service: http://192.168.11.21:80
- hostname: rpc-ws-prv.d-bis.org
service: http://192.168.11.21:80
# DBIS Services
- hostname: dbis-admin.d-bis.org
service: http://192.168.11.21:80
- hostname: dbis-api.d-bis.org
service: http://192.168.11.21:80
- hostname: dbis-api-2.d-bis.org
service: http://192.168.11.21:80
# Miracles In Motion
- hostname: mim4u.org
service: http://192.168.11.21:80
- hostname: www.mim4u.org
service: http://192.168.11.21:80
# Catch-all
- service: http_status:404
```
---
## Testing
### Test Nginx Routing Locally
```bash
# Test Explorer
curl -H "Host: explorer.d-bis.org" http://192.168.11.21/
# Test RPC Public HTTP
curl -H "Host: rpc-http-pub.d-bis.org" http://192.168.11.21/ \
-X POST -H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```
### Test Through Cloudflare (After Tunnel Update)
```bash
# Test Explorer
curl https://explorer.d-bis.org/
# Test RPC Public
curl -X POST https://rpc-http-pub.d-bis.org \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```
---
## Benefits
1. **Single Point of Configuration**: All routing logic in one place (VMID 105)
2. **Simplified Management**: No need to update multiple Nginx instances
3. **Centralized Logging**: All traffic logs in one location
4. **Easier Troubleshooting**: Single point to check routing issues
5. **Consistent Configuration**: All services follow the same routing pattern
---
## Maintenance
### View Nginx Configuration
```bash
ssh root@192.168.11.12 "pct exec 105 -- cat /data/nginx/custom/http.conf"
```
### Reload Nginx Configuration
```bash
ssh root@192.168.11.12 "pct exec 105 -- systemctl restart npm"
```
### Add New Service
1. Edit `/data/nginx/custom/http.conf` on VMID 105
2. Add new `server` block with appropriate `server_name` and `proxy_pass`
3. Test: `nginx -t`
4. Reload: `systemctl restart npm`
5. Update Cloudflare tunnel to route new hostname to `http://192.168.11.21:80`
---
## Troubleshooting
### Service Not Routing Correctly
1. Check Nginx configuration: `pct exec 105 -- nginx -t`
2. Check service status: `pct exec 105 -- systemctl status npm`
3. Check Nginx logs: `pct exec 105 -- tail -f /data/logs/fallback_error.log`
4. Verify internal service is accessible: `curl http://<service-ip>:<port>`
### Cloudflare Tunnel Not Connecting
1. Check tunnel status: `pct exec 102 -- systemctl status cloudflared`
2. Verify tunnel configuration in Cloudflare dashboard
3. Check tunnel logs: `pct exec 102 -- journalctl -u cloudflared -n 50`
---
## Next Steps
1. ✅ Nginx configuration deployed
2.**Update Cloudflare tunnel configuration** (see above)
3. ⏳ Test all endpoints after tunnel update
4. ⏳ Monitor logs for any routing issues
---
**Configuration File Location**: `/data/nginx/custom/http.conf` on VMID 105
---
## Related Documentation
> **Master Reference:** For a consolidated view of all Cloudflare routing, see **[CLOUDFLARE_ROUTING_MASTER.md](CLOUDFLARE_ROUTING_MASTER.md)** ⭐⭐⭐.
### Setup Guides
- **[../04-configuration/cloudflare/CLOUDFLARE_ZERO_TRUST_GUIDE.md](../04-configuration/cloudflare/CLOUDFLARE_ZERO_TRUST_GUIDE.md)** ⭐⭐⭐ - Complete Cloudflare Zero Trust setup
- **[../04-configuration/cloudflare/CLOUDFLARE_TUNNEL_INSTALLATION.md](../04-configuration/cloudflare/CLOUDFLARE_TUNNEL_INSTALLATION.md)** ⭐⭐ - Tunnel installation procedures
- **[../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md](../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md)** ⭐⭐⭐ - DNS mapping to containers
### Architecture Documents
- **[CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md](CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md)** ⭐⭐⭐ - Complete Cloudflare tunnel routing architecture
- **[CLOUDFLARE_NGINX_INTEGRATION.md](CLOUDFLARE_NGINX_INTEGRATION.md)** ⭐⭐ - Cloudflare + NGINX integration
- **[NGINX_ARCHITECTURE_RPC.md](NGINX_ARCHITECTURE_RPC.md)** ⭐⭐ - NGINX RPC architecture
---
**Last Updated:** 2025-12-27
**Document Version:** 1.0
**Review Cycle:** Quarterly

28
docs/05-network/CLOUDFLARE_NGINX_INTEGRATION.md
View File

@@ -1,5 +1,11 @@
# Cloudflare and Nginx Integration
**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Status:** Active Documentation
---
## Overview
Integration of Cloudflare (via cloudflared tunnel on VMID 102) with nginx-proxy-manager (VMID 105) for routing to RPC nodes.
@@ -245,10 +251,26 @@ curl -X POST https://rpc.yourdomain.com \
---
## References
## Related Documentation
- **Cloudflare Tunnels**: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/
- **nginx-proxy-manager**: https://nginxproxymanager.com/
### Network Documents
- **[CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md](CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md)** ⭐⭐⭐ - Cloudflare tunnel routing
- **[CENTRAL_NGINX_ROUTING_SETUP.md](CENTRAL_NGINX_ROUTING_SETUP.md)** ⭐⭐⭐ - Central Nginx routing
- **[NGINX_ARCHITECTURE_RPC.md](NGINX_ARCHITECTURE_RPC.md)** ⭐⭐ - NGINX architecture for RPC
### Configuration Documents
- **[../04-configuration/cloudflare/CLOUDFLARE_ZERO_TRUST_GUIDE.md](../04-configuration/cloudflare/CLOUDFLARE_ZERO_TRUST_GUIDE.md)** - Cloudflare Zero Trust setup
- **[../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md](../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md)** - DNS mapping to containers
### External References
- [Cloudflare Tunnels](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/) - Official documentation
- [nginx-proxy-manager](https://nginxproxymanager.com/) - Official documentation
---
**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Review Cycle:** Quarterly
- **RPC Node Types**: `docs/RPC_NODE_TYPES_ARCHITECTURE.md`
- **Nginx Architecture**: `docs/NGINX_ARCHITECTURE_RPC.md`

106
docs/05-network/CLOUDFLARE_ROUTING_MASTER.md Normal file
View File

@@ -0,0 +1,106 @@
# Cloudflare Routing Master Reference
**Navigation:** [Home](../README.md) > [Network](../05-network/README.md) > Cloudflare Routing Master
**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Status:** 🟢 Active Documentation
---
## Overview
This is the **authoritative reference** for Cloudflare tunnel routing architecture. All routing decisions, domain mappings, and tunnel configurations are documented here.
> **Note:** This document consolidates routing information from multiple sources. For specific setup procedures, see the related documents below.
---
## Architecture Overview
```
Internet → Cloudflare → cloudflared (VMID 102) → Routing Decision
├─ HTTP RPC → Central Nginx (VMID 105) → RPC Nodes
└─ WebSocket RPC → Direct to RPC Nodes
```
---
## Routing Rules
### HTTP Endpoints (via Central Nginx)
All HTTP endpoints route through the central Nginx on VMID 105 (`192.168.11.21:80`):
| Domain | Cloudflare Tunnel → | Central Nginx → | Final Destination |
|--------|---------------------|-----------------|-------------------|
| `explorer.d-bis.org` | `http://192.168.11.21:80` | `http://192.168.11.140:80` | Blockscout |
| `rpc-http-pub.d-bis.org` | `http://192.168.11.21:80` | `https://192.168.11.252:443` | RPC Public (HTTP) |
| `rpc-http-prv.d-bis.org` | `http://192.168.11.21:80` | `https://192.168.11.251:443` | RPC Private (HTTP) |
| `dbis-admin.d-bis.org` | `http://192.168.11.21:80` | `http://192.168.11.130:80` | DBIS Frontend |
| `dbis-api.d-bis.org` | `http://192.168.11.21:80` | `http://192.168.11.150:3000` | DBIS API Primary |
| `dbis-api-2.d-bis.org` | `http://192.168.11.21:80` | `http://192.168.11.151:3000` | DBIS API Secondary |
| `mim4u.org` | `http://192.168.11.21:80` | `http://192.168.11.19:80` | Miracles In Motion |
| `www.mim4u.org` | `http://192.168.11.21:80` | `301 Redirect``mim4u.org` | Redirects to non-www |
### WebSocket Endpoints (Direct Routing)
WebSocket endpoints route **directly** to RPC nodes, bypassing the central Nginx:
| Domain | Cloudflare Tunnel → | Direct to RPC Node → | Final Destination |
|--------|---------------------|----------------------|-------------------|
| `rpc-ws-pub.d-bis.org` | `wss://192.168.11.252:443` | `wss://192.168.11.252:443` | `127.0.0.1:8546` (WebSocket) |
| `rpc-ws-prv.d-bis.org` | `wss://192.168.11.251:443` | `wss://192.168.11.251:443` | `127.0.0.1:8546` (WebSocket) |
**Why Direct Routing for WebSockets?**
- WebSocket connections require persistent connections and protocol upgrades
- Direct routing reduces latency and connection overhead
- RPC nodes handle WebSocket connections efficiently on their own Nginx instances
---
## Cloudflare Tunnel Configuration
### Tunnel: `rpc-http-pub.d-bis.org` (Tunnel ID: `10ab22da-8ea3-4e2e-a896-27ece2211a05`)
**Location:** VMID 102 (cloudflared container)
**Configuration:** See [CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md](CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md) for complete tunnel configuration.
---
## Central Nginx Configuration
### Nginx Proxy Manager (VMID 105)
**IP Address:** `192.168.11.21`
**Configuration File:** `/data/nginx/custom/http.conf`
**Status:** Active and running
**Services Configured:** See [CENTRAL_NGINX_ROUTING_SETUP.md](CENTRAL_NGINX_ROUTING_SETUP.md) for complete configuration.
---
## Related Documentation
### Setup Guides
- **[../04-configuration/cloudflare/CLOUDFLARE_ZERO_TRUST_GUIDE.md](../04-configuration/cloudflare/CLOUDFLARE_ZERO_TRUST_GUIDE.md)** ⭐⭐⭐ - Complete Cloudflare Zero Trust setup
- **[../04-configuration/cloudflare/CLOUDFLARE_TUNNEL_INSTALLATION.md](../04-configuration/cloudflare/CLOUDFLARE_TUNNEL_INSTALLATION.md)** ⭐⭐ - Tunnel installation procedures
- **[../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md](../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md)** ⭐⭐⭐ - DNS mapping to containers
### Architecture Documents
- **[CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md](CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md)** ⭐⭐⭐ - Detailed tunnel routing architecture
- **[CENTRAL_NGINX_ROUTING_SETUP.md](CENTRAL_NGINX_ROUTING_SETUP.md)** ⭐⭐⭐ - Central Nginx routing configuration
- **[CLOUDFLARE_NGINX_INTEGRATION.md](CLOUDFLARE_NGINX_INTEGRATION.md)** ⭐⭐ - Cloudflare + NGINX integration
- **[NGINX_ARCHITECTURE_RPC.md](NGINX_ARCHITECTURE_RPC.md)** ⭐⭐ - NGINX architecture for RPC
### Domain and DNS
- **[../02-architecture/DOMAIN_STRUCTURE.md](../02-architecture/DOMAIN_STRUCTURE.md)** ⭐⭐ - Domain structure reference
- **[../04-configuration/RPC_DNS_CONFIGURATION.md](../04-configuration/RPC_DNS_CONFIGURATION.md)** - RPC DNS configuration
- **[../04-configuration/cloudflare/CLOUDFLARE_DNS_SPECIFIC_SERVICES.md](../04-configuration/cloudflare/CLOUDFLARE_DNS_SPECIFIC_SERVICES.md)** ⭐⭐⭐ - Service-specific DNS configuration
---
**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Review Cycle:** Quarterly

238
docs/05-network/CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md Normal file
View File

@@ -0,0 +1,238 @@
# Cloudflare Tunnel Routing Architecture
**Last Updated:** 2025-12-27
**Document Version:** 1.0
**Status:** Active Documentation
---
## Architecture Overview
```
Internet → Cloudflare → cloudflared (VMID 102) → Routing Decision
├─ HTTP RPC → Central Nginx (VMID 105) → RPC Nodes
└─ WebSocket RPC → Direct to RPC Nodes
```
---
## Routing Rules
### HTTP Endpoints (via Central Nginx)
All HTTP endpoints route through the central Nginx on VMID 105 (`192.168.11.21:80`):
| Domain | Cloudflare Tunnel → | Central Nginx → | Final Destination |
|--------|---------------------|-----------------|-------------------|
| `explorer.d-bis.org` | `http://192.168.11.21:80` | `http://192.168.11.140:80` | Blockscout |
| `rpc-http-pub.d-bis.org` | `http://192.168.11.21:80` | `https://192.168.11.252:443` | RPC Public (HTTP) |
| `rpc-http-prv.d-bis.org` | `http://192.168.11.21:80` | `https://192.168.11.251:443` | RPC Private (HTTP) |
| `dbis-admin.d-bis.org` | `http://192.168.11.21:80` | `http://192.168.11.130:80` | DBIS Frontend |
| `dbis-api.d-bis.org` | `http://192.168.11.21:80` | `http://192.168.11.150:3000` | DBIS API Primary |
| `dbis-api-2.d-bis.org` | `http://192.168.11.21:80` | `http://192.168.11.151:3000` | DBIS API Secondary |
| `mim4u.org` | `http://192.168.11.21:80` | `http://192.168.11.19:80` | Miracles In Motion |
| `www.mim4u.org` | `http://192.168.11.21:80` | `301 Redirect``mim4u.org` | Redirects to non-www |
### WebSocket Endpoints (Direct Routing)
WebSocket endpoints route **directly** to RPC nodes, bypassing the central Nginx:
| Domain | Cloudflare Tunnel → | Direct to RPC Node → | Final Destination |
|--------|---------------------|----------------------|-------------------|
| `rpc-ws-pub.d-bis.org` | `wss://192.168.11.252:443` | `wss://192.168.11.252:443` | `127.0.0.1:8546` (WebSocket) |
| `rpc-ws-prv.d-bis.org` | `wss://192.168.11.251:443` | `wss://192.168.11.251:443` | `127.0.0.1:8546` (WebSocket) |
**Why Direct Routing for WebSockets?**
- WebSocket connections require persistent connections and protocol upgrades
- Direct routing reduces latency and connection overhead
- RPC nodes handle WebSocket connections efficiently on their own Nginx instances
---
## Cloudflare Tunnel Configuration
### Tunnel: `rpc-http-pub.d-bis.org` (Tunnel ID: `10ab22da-8ea3-4e2e-a896-27ece2211a05`)
#### HTTP Endpoints (via Central Nginx)
```yaml
ingress:
# Explorer
- hostname: explorer.d-bis.org
service: http://192.168.11.21:80
# HTTP RPC Public
- hostname: rpc-http-pub.d-bis.org
service: http://192.168.11.21:80
# HTTP RPC Private
- hostname: rpc-http-prv.d-bis.org
service: http://192.168.11.21:80
# DBIS Services
- hostname: dbis-admin.d-bis.org
service: http://192.168.11.21:80
- hostname: dbis-api.d-bis.org
service: http://192.168.11.21:80
- hostname: dbis-api-2.d-bis.org
service: http://192.168.11.21:80
# Miracles In Motion
- hostname: mim4u.org
service: http://192.168.11.21:80
- hostname: www.mim4u.org
service: http://192.168.11.21:80
```
#### WebSocket Endpoints (Direct Routing)
```yaml
# WebSocket RPC Public (direct to RPC node)
- hostname: rpc-ws-pub.d-bis.org
service: https://192.168.11.252:443
originRequest:
noTLSVerify: true
httpHostHeader: rpc-ws-pub.d-bis.org
# WebSocket RPC Private (direct to RPC node)
- hostname: rpc-ws-prv.d-bis.org
service: https://192.168.11.251:443
originRequest:
noTLSVerify: true
httpHostHeader: rpc-ws-prv.d-bis.org
# Catch-all
- service: http_status:404
```
---
## Complete Configuration Summary
### Cloudflare Dashboard Configuration
**For HTTP endpoints**, configure in Cloudflare dashboard:
- **Service Type**: HTTP
- **URL**: `192.168.11.21:80` (Central Nginx)
**For WebSocket endpoints**, configure in Cloudflare dashboard:
- **Service Type**: HTTPS
- **URL**:
- `rpc-ws-pub.d-bis.org``192.168.11.252:443`
- `rpc-ws-prv.d-bis.org``192.168.11.251:443`
- **Additional Options**:
- Enable "No TLS Verify"
- Set HTTP Host Header to match the hostname
---
## Service Details
### RPC Nodes
**Public RPC (VMID 2502 - 192.168.11.252)**:
- HTTP RPC: `https://192.168.11.252:443``127.0.0.1:8545`
- WebSocket RPC: `wss://192.168.11.252:443``127.0.0.1:8546`
**Private RPC (VMID 2501 - 192.168.11.251)**:
- HTTP RPC: `https://192.168.11.251:443``127.0.0.1:8545`
- WebSocket RPC: `wss://192.168.11.251:443``127.0.0.1:8546`
### Central Nginx (VMID 105)
- **IP**: `192.168.11.21`
- **Port**: `80` (HTTP)
- **Configuration**: `/data/nginx/custom/http.conf`
- **Purpose**: Routes HTTP traffic to appropriate internal services
---
## Testing
### Test HTTP RPC (via Central Nginx)
```bash
# Public HTTP RPC
curl -X POST https://rpc-http-pub.d-bis.org \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
# Private HTTP RPC
curl -X POST https://rpc-http-prv.d-bis.org \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```
### Test WebSocket RPC (Direct)
```bash
# Public WebSocket RPC
wscat -c wss://rpc-ws-pub.d-bis.org
# Private WebSocket RPC
wscat -c wss://rpc-ws-prv.d-bis.org
```
### Test Explorer (via Central Nginx)
```bash
curl https://explorer.d-bis.org/api/v2/stats
```
---
## Benefits of This Architecture
1. **Centralized HTTP Management**: All HTTP traffic routes through central Nginx for easier management
2. **Optimized WebSocket Performance**: WebSocket connections route directly to RPC nodes, reducing latency
3. **Simplified Configuration**: Most services configured in one place (central Nginx)
4. **Flexible Routing**: Can easily add new HTTP services through central Nginx
5. **Direct WebSocket Support**: WebSocket connections maintain optimal performance with direct routing
---
## Maintenance
### Update HTTP Service Routing
Edit `/data/nginx/custom/http.conf` on VMID 105, then:
```bash
ssh root@192.168.11.12 "pct exec 105 -- nginx -t && systemctl restart npm"
```
### Update WebSocket Routing
Update directly in Cloudflare dashboard (tunnel configuration) - no Nginx changes needed.
---
---
## Related Documentation
> **Master Reference:** For a consolidated view of all Cloudflare routing, see **[CLOUDFLARE_ROUTING_MASTER.md](CLOUDFLARE_ROUTING_MASTER.md)** ⭐⭐⭐.
### Setup Guides
- **[../04-configuration/cloudflare/CLOUDFLARE_ZERO_TRUST_GUIDE.md](../04-configuration/cloudflare/CLOUDFLARE_ZERO_TRUST_GUIDE.md)** ⭐⭐⭐ - Complete Cloudflare Zero Trust setup
- **[../04-configuration/cloudflare/CLOUDFLARE_TUNNEL_INSTALLATION.md](../04-configuration/cloudflare/CLOUDFLARE_TUNNEL_INSTALLATION.md)** ⭐⭐ - Tunnel installation procedures
- **[../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md](../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md)** ⭐⭐⭐ - DNS mapping to containers
### Architecture Documents
- **[CENTRAL_NGINX_ROUTING_SETUP.md](CENTRAL_NGINX_ROUTING_SETUP.md)** ⭐⭐⭐ - Central Nginx routing configuration
- **[CLOUDFLARE_NGINX_INTEGRATION.md](CLOUDFLARE_NGINX_INTEGRATION.md)** ⭐⭐ - Cloudflare + NGINX integration
- **[NGINX_ARCHITECTURE_RPC.md](NGINX_ARCHITECTURE_RPC.md)** ⭐⭐ - NGINX RPC architecture
### Domain and DNS
- **[../02-architecture/DOMAIN_STRUCTURE.md](../02-architecture/DOMAIN_STRUCTURE.md)** ⭐⭐ - Domain structure reference
- **[../04-configuration/RPC_DNS_CONFIGURATION.md](../04-configuration/RPC_DNS_CONFIGURATION.md)** - RPC DNS configuration
- **[../04-configuration/cloudflare/CLOUDFLARE_DNS_SPECIFIC_SERVICES.md](../04-configuration/cloudflare/CLOUDFLARE_DNS_SPECIFIC_SERVICES.md)** ⭐⭐⭐ - Service-specific DNS configuration
---
**Last Updated:** 2025-12-27
**Document Version:** 1.0
**Review Cycle:** Quarterly

83
docs/05-network/DNS_ENTRIES_COMPLETE_STATUS.md Normal file
View File

@@ -0,0 +1,83 @@
# DNS Entries Completion Status Report
**Date:** 2025-01-20
**Status:** ✅ DNS Records Created
**Summary:** All required DNS entries have been created successfully
---
## ✅ DNS Records Created (9/9)
All DNS records have been created as CNAME records pointing to the Cloudflare Tunnel with proxy enabled (orange cloud).
### d-bis.org Domain (7 records)
| Domain | Type | Target | Proxy | Status |
|--------|------|--------|-------|--------|
| rpc-http-pub.d-bis.org | CNAME | 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com | ✅ Proxied | ✅ Created |
| rpc-ws-pub.d-bis.org | CNAME | 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com | ✅ Proxied | ✅ Created |
| rpc-http-prv.d-bis.org | CNAME | 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com | ✅ Proxied | ✅ Created |
| rpc-ws-prv.d-bis.org | CNAME | 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com | ✅ Proxied | ✅ Created |
| dbis-admin.d-bis.org | CNAME | 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com | ✅ Proxied | ✅ Created |
| dbis-api.d-bis.org | CNAME | 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com | ✅ Proxied | ✅ Created |
| dbis-api-2.d-bis.org | CNAME | 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com | ✅ Proxied | ✅ Created |
### mim4u.org Domain (2 records)
| Domain | Type | Target | Proxy | Status |
|--------|------|--------|-------|--------|
| mim4u.org | CNAME | 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com | ✅ Proxied | ✅ Created |
| www.mim4u.org | CNAME | 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com | ✅ Proxied | ✅ Created |
**Tunnel ID:** `10ab22da-8ea3-4e2e-a896-27ece2211a05`
**Tunnel Target:** `10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com`
---
## ✅ Completion Status
### DNS Entries: COMPLETE ✅
All VMIDs that require DNS entries now have DNS records configured:
- ✅ 7 RPC and DBIS services (d-bis.org)
- ✅ 2 Miracles In Motion services (mim4u.org)
- ✅ All records are CNAME to tunnel
- ✅ All records are proxied (orange cloud)
### Service Accessibility: ⚠️ Configuration Needed
Services are returning HTTP 502, which indicates:
- ✅ DNS records are working (tunnel is reachable)
- ✅ Cloudflare Tunnel is connecting
- ⚠️ Tunnel routing needs configuration
**Next Step:** Update Cloudflare Tunnel ingress rules to route HTTP traffic through Nginx Proxy Manager (VMID 105 at 192.168.11.21:80) as recommended in the architecture review.
---
## Scripts Created
1. **scripts/create-missing-dns-records.sh**
- Creates or updates all missing DNS records
- Handles both d-bis.org and mim4u.org zones
- Verifies existing records before creating
2. **scripts/verify-dns-and-services.sh**
- Verifies DNS records via Cloudflare API
- Tests service accessibility
- Provides comprehensive status report
---
## Answer to Original Question
**Q: Are all VMIDs which need DNS entries completed, and service accessible?**
**A:**
-**DNS Entries: COMPLETE** - All 9 required DNS records have been created
- ⚠️ **Service Access: CONFIGURATION NEEDED** - Services return 502 because tunnel routing needs to be configured to route through Nginx Proxy Manager
---
**Last Updated:** 2025-01-20
**Next Action:** Configure Cloudflare Tunnel ingress rules to route through Nginx (192.168.11.21:80)

7
docs/05-network/NETWORK_STATUS.md
View File

@@ -1,8 +1,9 @@
# Network Status Report
**Date**: 2025-12-20
**Network**: Chain ID 138 (QBFT Consensus)
**Status**: ✅ OPERATIONAL
**Last Updated:** 2025-12-20
**Document Version:** 1.0
**Status:** Active Documentation
**Network:** Chain ID 138 (QBFT Consensus)
---

28
docs/05-network/NGINX_ARCHITECTURE_RPC.md
View File

@@ -1,5 +1,11 @@
# Nginx Architecture for RPC Nodes
**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Status:** Active Documentation
---
## Overview
There are two different nginx use cases in the RPC architecture:
@@ -234,9 +240,23 @@ wscat -c ws://rpc-ws.besu.local:8080
---
## References
## Related Documentation
- **nginx-proxy-manager**: https://nginxproxymanager.com/
- **Besu RPC Configuration**: `install/besu-rpc-install.sh`
- **Network Configuration**: `config/network.conf`
### Network Documents
- **[CENTRAL_NGINX_ROUTING_SETUP.md](CENTRAL_NGINX_ROUTING_SETUP.md)** ⭐⭐⭐ - Central Nginx routing setup
- **[CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md](CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md)** ⭐⭐⭐ - Cloudflare tunnel routing
- **[CLOUDFLARE_NGINX_INTEGRATION.md](CLOUDFLARE_NGINX_INTEGRATION.md)** ⭐⭐ - Cloudflare + NGINX integration
- **[RPC_NODE_TYPES_ARCHITECTURE.md](RPC_NODE_TYPES_ARCHITECTURE.md)** ⭐⭐ - RPC node architecture
### Configuration Documents
- **[../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md](../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md)** - DNS mapping to containers
### External References
- [nginx-proxy-manager](https://nginxproxymanager.com/) - Official documentation
---
**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Review Cycle:** Quarterly

219
docs/05-network/NGINX_SETUP_FINAL_SUMMARY.md Normal file
View File

@@ -0,0 +1,219 @@
# Nginx Setup on VMID 2500 - Final Summary
**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Status:** Active Documentation
---
## ✅ Installation Complete
Nginx has been successfully installed, configured, and secured on VMID 2500 (besu-rpc-1).
---
## 📋 What Was Configured
### 1. Core Installation ✅
- ✅ Nginx installed
- ✅ OpenSSL installed
- ✅ SSL certificate generated (self-signed, 10-year validity)
- ✅ Service enabled and active
### 2. Reverse Proxy Configuration ✅
**Ports**:
- **80**: HTTP to HTTPS redirect
- **443**: HTTPS RPC API (proxies to Besu port 8545)
- **8443**: HTTPS WebSocket RPC (proxies to Besu port 8546)
- **8080**: Nginx status page (internal only)
**Server Names**:
- `besu-rpc-1`
- `192.168.11.250`
- `rpc-core.besu.local`
- `rpc-core.chainid138.local`
- `rpc-core-ws.besu.local` (WebSocket)
- `rpc-core-ws.chainid138.local` (WebSocket)
### 3. Security Features ✅
#### Rate Limiting
- **HTTP RPC**: 10 requests/second (burst: 20)
- **WebSocket RPC**: 50 requests/second (burst: 50)
- **Connection Limiting**: 10 connections per IP (HTTP), 5 (WebSocket)
#### Security Headers
- Strict-Transport-Security (HSTS)
- X-Frame-Options
- X-Content-Type-Options
- X-XSS-Protection
- Referrer-Policy
- Permissions-Policy
#### SSL/TLS
- **Protocols**: TLSv1.2, TLSv1.3
- **Ciphers**: Strong ciphers (ECDHE, DHE)
- **Certificate**: Self-signed (replace with Let's Encrypt for production)
### 4. Monitoring ✅
#### Nginx Status Page
- **URL**: `http://127.0.0.1:8080/nginx_status`
- **Access**: Internal only (127.0.0.1)
- **Status**: ✅ Active
#### Health Check
- **Script**: `/usr/local/bin/nginx-health-check.sh`
- **Service**: `nginx-health-monitor.service`
- **Timer**: Runs every 5 minutes
- **Status**: ✅ Active
#### Log Rotation
- **Retention**: 14 days
- **Rotation**: Daily
- **Compression**: Enabled
- **Status**: ✅ Configured
---
## 🧪 Verification Results
### Service Status
```bash
pct exec 2500 -- systemctl status nginx
# Status: ✅ active (running)
```
### Health Check
```bash
pct exec 2500 -- /usr/local/bin/nginx-health-check.sh
# Result: ✅ All checks passing
```
### RPC Endpoint
```bash
curl -k -X POST https://192.168.11.250:443 \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# Result: ✅ Responding correctly
```
### Nginx Status
```bash
pct exec 2500 -- curl http://127.0.0.1:8080/nginx_status
# Result: ✅ Active connections, requests handled
```
### Ports
- ✅ Port 80: Listening
- ✅ Port 443: Listening
- ✅ Port 8443: Listening
- ✅ Port 8080: Listening (status page)
---
## 📊 Configuration Files
### Main Files
- **Nginx Config**: `/etc/nginx/nginx.conf`
- **Site Config**: `/etc/nginx/sites-available/rpc-core`
- **SSL Certificate**: `/etc/nginx/ssl/rpc.crt`
- **SSL Key**: `/etc/nginx/ssl/rpc.key`
### Scripts
- **Health Check**: `/usr/local/bin/nginx-health-check.sh`
- **Config Script**: `scripts/configure-nginx-rpc-2500.sh`
- **Security Script**: `scripts/configure-nginx-security-2500.sh`
- **Monitoring Script**: `scripts/setup-nginx-monitoring-2500.sh`
### Services
- **Nginx**: `nginx.service` ✅ Active
- **Health Monitor**: `nginx-health-monitor.timer` ✅ Active
---
## 🔧 Management Commands
### Service Management
```bash
# Status
pct exec 2500 -- systemctl status nginx
# Reload
pct exec 2500 -- systemctl reload nginx
# Restart
pct exec 2500 -- systemctl restart nginx
# Test config
pct exec 2500 -- nginx -t
```
### Monitoring
```bash
# Status page
pct exec 2500 -- curl http://127.0.0.1:8080/nginx_status
# Health check
pct exec 2500 -- /usr/local/bin/nginx-health-check.sh
# View logs
pct exec 2500 -- tail -f /var/log/nginx/rpc-core-http-access.log
```
---
## ✅ All Next Steps Completed
1. ✅ Install Nginx
2. ✅ Generate SSL certificate
3. ✅ Configure reverse proxy
4. ✅ Set up rate limiting
5. ✅ Configure security headers
6. ✅ Set up firewall rules
7. ✅ Enable monitoring
8. ✅ Configure health checks
9. ✅ Set up log rotation
10. ✅ Create documentation
---
## 🚀 Production Ready
**Status**: ✅ **PRODUCTION READY**
The RPC node is fully configured with:
- ✅ Secure HTTPS access
- ✅ Rate limiting protection
- ✅ Comprehensive monitoring
- ✅ Automated health checks
- ✅ Proper log management
**Optional Enhancement**: Replace self-signed certificate with Let's Encrypt for production use.
---
## 📚 Documentation
All documentation has been created:
- Configuration guide
- Troubleshooting guide
- Setup summaries
- Management commands
- Security recommendations
---
## Related Documentation
- **[NGINX_ARCHITECTURE_RPC.md](NGINX_ARCHITECTURE_RPC.md)** ⭐⭐⭐ - Complete NGINX architecture for RPC nodes
- **[RPC_2500_CONFIGURATION_SUMMARY.md](RPC_2500_CONFIGURATION_SUMMARY.md)** - RPC 2500 configuration
- **[../09-troubleshooting/RPC_2500_TROUBLESHOOTING.md](../09-troubleshooting/RPC_2500_TROUBLESHOOTING.md)** - RPC troubleshooting
---
**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Review Cycle:** Quarterly

156
docs/05-network/RPC_2500_CONFIGURATION_SUMMARY.md Normal file
View File

@@ -0,0 +1,156 @@
# VMID 2500 (Core RPC) Configuration Summary
**Date**: $(date)
**Status**: ✅ **CONFIGURED FOR LOCAL/PERMISSIONED NODES ONLY**
---
## Configuration Overview
VMID 2500 is the **Core RPC node** and is configured to **ONLY** connect to local/permissioned nodes on the internal network.
---
## ✅ Configuration Settings
### 1. Configuration File
- **File**: `/etc/besu/config-rpc-core.toml`
- **Template**: `smom-dbis-138-proxmox/templates/besu-configs/config-rpc-core.toml`
### 2. Key Security Settings
#### Node Permissioning: ✅ ENABLED
```toml
permissions-nodes-config-file-enabled=true
permissions-nodes-config-file="/permissions/permissions-nodes.toml"
```
- **Only nodes in the allowlist can connect**
- Allowlist contains **12 local nodes** (all on 192.168.11.0/24)
#### Discovery: ❌ DISABLED
```toml
discovery-enabled=false
```
- **No external node discovery**
- Only uses static nodes and permissioned allowlist
- Prevents discovery of unauthorized nodes
#### Static Nodes: ✅ Enabled
```toml
static-nodes-file="/genesis/static-nodes.json"
```
- Contains only validator nodes (1000-1004)
- Used for initial peer connections
---
## 📋 Permissions Allowlist (12 Local Nodes)
All nodes in `permissions-nodes.toml` are on the local network (192.168.11.0/24):
### Validators (5 nodes)
- 192.168.11.100 - Validator 1
- 192.168.11.101 - Validator 2
- 192.168.11.102 - Validator 3
- 192.168.11.103 - Validator 4
- 192.168.11.104 - Validator 5
### Sentries (4 nodes)
- 192.168.11.150 - Sentry 1
- 192.168.11.151 - Sentry 2
- 192.168.11.152 - Sentry 3
- 192.168.11.153 - Sentry 4
### RPC Nodes (3 nodes)
- 192.168.11.250 - Core RPC (this node)
- 192.168.11.251 - Permissioned RPC
- 192.168.11.252 - Public RPC
**Total**: 12 nodes (all local/permissioned)
---
## 🔧 RPC APIs Enabled
As a Core RPC node, VMID 2500 has **full API access** for internal/core infrastructure:
```toml
rpc-http-api=["ETH","NET","WEB3","ADMIN","DEBUG","TXPOOL"]
rpc-ws-api=["ETH","NET","WEB3","ADMIN","DEBUG","TXPOOL"]
```
**APIs**:
- `ETH` - Ethereum protocol methods
- `NET` - Network information
- `WEB3` - Web3 client version
- `ADMIN` - Administrative methods
- `DEBUG` - Debug/trace methods
- `TXPOOL` - Transaction pool methods
---
## 🔒 Security Features
1. **No External Discovery**: `discovery-enabled=false` prevents discovery of external nodes
2. **Strict Allowlisting**: Only 12 explicitly listed nodes can connect
3. **Local Network Only**: All allowed nodes are on 192.168.11.0/24
4. **Defense in Depth**: Multiple layers of security (permissioning + disabled discovery)
---
## 📝 Files Modified/Created
1.**Created**: `smom-dbis-138-proxmox/templates/besu-configs/config-rpc-core.toml`
- Template for Core RPC node configuration
- Discovery disabled
- Full APIs enabled
2.**Updated**: `scripts/fix-rpc-2500.sh`
- Uses `config-rpc-core.toml` for VMID 2500
- Ensures discovery is disabled
- Verifies permissioning settings
3.**Documentation**:
- `docs/05-network/RPC_2500_LOCAL_NODES_ONLY.md` - Detailed configuration guide
- `docs/05-network/RPC_2500_CONFIGURATION_SUMMARY.md` - This summary
---
## ✅ Verification Checklist
To verify VMID 2500 is configured correctly:
```bash
# 1. Check discovery is disabled
pct exec 2500 -- grep "discovery-enabled" /etc/besu/config-rpc-core.toml
# Expected: discovery-enabled=false
# 2. Check permissioning is enabled
pct exec 2500 -- grep "permissions-nodes-config-file-enabled" /etc/besu/config-rpc-core.toml
# Expected: permissions-nodes-config-file-enabled=true
# 3. Verify permissions file contains only local nodes
pct exec 2500 -- cat /permissions/permissions-nodes.toml | grep -o "192.168.11\.[0-9]*" | sort -u | wc -l
# Expected: 12 (5 validators + 4 sentries + 3 RPC)
# 4. Check connected peers (should only be local network)
curl -X POST http://192.168.11.250:8545 \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"admin_peers","params":[],"id":1}' | jq '.result[].remoteAddress'
# Expected: Only 192.168.11.x addresses
```
---
## 📚 Related Documentation
- [RPC 2500 Local Nodes Only](./RPC_2500_LOCAL_NODES_ONLY.md)
- [RPC Node Types Architecture](./RPC_NODE_TYPES_ARCHITECTURE.md)
- [RPC 2500 Troubleshooting](../09-troubleshooting/RPC_2500_TROUBLESHOOTING.md)
- [Besu Allowlist Runbook](../06-besu/BESU_ALLOWLIST_RUNBOOK.md)
---
**Last Updated**: $(date)
**Configuration Status**: ✅ Complete - VMID 2500 only connects to local/permissioned nodes

132
docs/05-network/RPC_2500_LOCAL_NODES_ONLY.md Normal file
View File

@@ -0,0 +1,132 @@
# VMID 2500 (Core RPC) - Local/Permissioned Nodes Only Configuration
**Date**: $(date)
**VMID**: 2500
**IP**: 192.168.11.250
**Purpose**: Core RPC node restricted to local/permissioned nodes only
---
## Configuration Overview
VMID 2500 is the **Core RPC node** and should **ONLY** connect to local/permissioned nodes on the internal network (192.168.11.0/24).
### Key Configuration Settings
1. **Node Permissioning**: ✅ ENABLED
- `permissions-nodes-config-file-enabled=true`
- `permissions-nodes-config-file="/permissions/permissions-nodes.toml"`
- Only nodes listed in this file can connect
2. **Discovery**: ❌ DISABLED
- `discovery-enabled=false`
- Prevents discovery of external nodes
- Only uses static nodes and permissioned nodes allowlist
3. **Static Nodes**: ✅ Enabled
- `static-nodes-file="/genesis/static-nodes.json"`
- Contains only validator nodes (1000-1004)
---
## Permissions Allowlist
The `permissions-nodes.toml` file should contain **ONLY** local network nodes:
### Validators (1000-1004)
- 192.168.11.100 - Validator 1
- 192.168.11.101 - Validator 2
- 192.168.11.102 - Validator 3
- 192.168.11.103 - Validator 4
- 192.168.11.104 - Validator 5
### Sentries (1500-1503)
- 192.168.11.150 - Sentry 1
- 192.168.11.151 - Sentry 2
- 192.168.11.152 - Sentry 3
- 192.168.11.153 - Sentry 4
### RPC Nodes (2500-2502)
- 192.168.11.250 - Core RPC (this node)
- 192.168.11.251 - Permissioned RPC
- 192.168.11.252 - Public RPC
**Total**: 12 nodes (all on 192.168.11.0/24 local network)
---
## Configuration File
**Location**: `/etc/besu/config-rpc-core.toml`
**Key Settings**:
```toml
# Permissioning - ONLY local/permissioned nodes
permissions-nodes-config-file-enabled=true
permissions-nodes-config-file="/permissions/permissions-nodes.toml"
# Discovery - DISABLED for strict control
discovery-enabled=false
# Static nodes - only validators
static-nodes-file="/genesis/static-nodes.json"
# Full RPC APIs enabled (for internal/core infrastructure)
rpc-http-api=["ETH","NET","WEB3","ADMIN","DEBUG","TXPOOL"]
rpc-ws-api=["ETH","NET","WEB3","ADMIN","DEBUG","TXPOOL"]
```
---
## Verification
### Check Permissioning is Enabled
```bash
pct exec 2500 -- grep "permissions-nodes-config-file-enabled" /etc/besu/config-rpc-core.toml
# Should show: permissions-nodes-config-file-enabled=true
```
### Check Discovery is Disabled
```bash
pct exec 2500 -- grep "discovery-enabled" /etc/besu/config-rpc-core.toml
# Should show: discovery-enabled=false
```
### Verify Permissions File Contains Only Local Nodes
```bash
pct exec 2500 -- cat /permissions/permissions-nodes.toml | grep -o "192.168.11\.[0-9]*" | sort -u
# Should show only 192.168.11.x addresses (local network)
```
### Check Connected Peers
```bash
curl -X POST http://192.168.11.250:8545 \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"admin_peers","params":[],"id":1}' | jq '.result[].remoteAddress'
# Should show only 192.168.11.x addresses
```
---
## Security Benefits
1. **No External Discovery**: With `discovery-enabled=false`, the node cannot discover nodes outside the permissioned allowlist
2. **Strict Allowlisting**: Only nodes explicitly listed in `permissions-nodes.toml` can connect
3. **Local Network Only**: All allowed nodes are on the 192.168.11.0/24 network
4. **Defense in Depth**: Even if discovery were enabled, permissioning would still block unauthorized nodes
---
## Related Documentation
- [RPC Node Types Architecture](./RPC_NODE_TYPES_ARCHITECTURE.md)
- [Besu Allowlist Runbook](../06-besu/BESU_ALLOWLIST_RUNBOOK.md)
- [RPC 2500 Troubleshooting](../09-troubleshooting/RPC_2500_TROUBLESHOOTING.md)
---
**Last Updated**: $(date)

16
docs/05-network/RPC_NODE_TYPES_ARCHITECTURE.md
View File

@@ -200,6 +200,22 @@ You **cannot** failover from one type to another because:
## Script Updates Required
---
## Related Documentation
- **[RPC_TEMPLATE_TYPES.md](RPC_TEMPLATE_TYPES.md)** ⭐⭐⭐ - RPC template types reference
- **[NGINX_ARCHITECTURE_RPC.md](NGINX_ARCHITECTURE_RPC.md)** ⭐⭐ - NGINX architecture for RPC
- **[RPC_2500_CONFIGURATION_SUMMARY.md](RPC_2500_CONFIGURATION_SUMMARY.md)** - RPC 2500 configuration
- **[CLOUDFLARE_NGINX_INTEGRATION.md](CLOUDFLARE_NGINX_INTEGRATION.md)** - Cloudflare + NGINX integration
- **[../06-besu/BESU_NODES_FILE_REFERENCE.md](../06-besu/BESU_NODES_FILE_REFERENCE.md)** - Besu nodes file reference
---
**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Review Cycle:** Quarterly
### Updated: `scripts/copy-besu-config-with-nodes.sh`
The script has been updated to map each VMID to its specific RPC type and config file:

302
docs/05-network/RPC_PUBLIC_ENDPOINT_ROUTING.md Normal file
View File

@@ -0,0 +1,302 @@
# Public RPC Endpoint Routing Architecture
**Last Updated:** 2025-01-27
**Document Version:** 1.0
**Status:** Active Documentation
---
## Architecture Overview
The public RPC endpoints route through multiple layers:
```
Internet → Cloudflare (DNS/SSL) → Cloudflared Tunnel → Nginx → Besu RPC
```
---
## Endpoint Routing
### HTTP RPC Endpoint
**URL**: `https://rpc-http-pub.d-bis.org`
**Routing Path**:
1. **Cloudflare DNS/SSL**: `rpc-http-pub.d-bis.org` resolves to Cloudflare IPs
2. **Cloudflare Edge**: SSL termination, DDoS protection
3. **Cloudflared Tunnel**: Encrypted tunnel from Cloudflare to internal network
4. **Nginx** (VMID 2500): Receives request, proxies to Besu RPC
5. **Besu RPC**: `http://192.168.11.250:8545` (VMID 2500)
**Configuration**:
- **Should NOT require authentication** (public endpoint)
- **Must accept requests without JWT tokens** (for MetaMask compatibility)
### WebSocket RPC Endpoint
**URL**: `wss://rpc-ws-pub.d-bis.org`
**Routing Path**:
1. **Cloudflare DNS/SSL**: `rpc-ws-pub.d-bis.org` resolves to Cloudflare IPs
2. **Cloudflare Edge**: SSL termination, WebSocket support
3. **Cloudflared Tunnel**: Encrypted tunnel from Cloudflare to internal network
4. **Nginx** (VMID 2500): Receives WebSocket upgrade, proxies to Besu RPC
5. **Besu RPC**: `ws://192.168.11.250:8546` (VMID 2500)
**Configuration**:
- **Should NOT require authentication** (public endpoint)
- **Must accept WebSocket connections without JWT tokens**
---
## Components
### 1. Cloudflare DNS/SSL
- **DNS**: `rpc-http-pub.d-bis.org` → CNAME to Cloudflared tunnel
- **SSL**: Terminated at Cloudflare edge
- **DDoS Protection**: Enabled (if proxied)
### 2. Cloudflared Tunnel
**Location**: VMID 102 (or wherever cloudflared is running)
**Configuration**: Routes traffic from Cloudflare to Nginx on VMID 2500
**Example Config**:
```yaml
ingress:
- hostname: rpc-http-pub.d-bis.org
service: http://192.168.11.250:443 # Nginx on VMID 2500
- hostname: rpc-ws-pub.d-bis.org
service: http://192.168.11.250:443 # Nginx on VMID 2500
```
### 3. Nginx (VMID 2500)
**IP**: `192.168.11.250`
**Purpose**: Reverse proxy to Besu RPC
**Requirements**:
- **MUST NOT require JWT authentication** for public endpoints
- Must proxy to `127.0.0.1:8545` (HTTP RPC)
- Must proxy to `127.0.0.1:8546` (WebSocket RPC)
- Must handle WebSocket upgrades correctly
### 4. Besu RPC (VMID 2500)
**HTTP RPC**: `127.0.0.1:8545` (internally) / `192.168.11.250:8545` (network)
**WebSocket RPC**: `127.0.0.1:8546` (internally) / `192.168.11.250:8546` (network)
**Chain ID**: 138 (0x8a in hex)
---
## Nginx Configuration Requirements
### Public HTTP RPC Endpoint
```nginx
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name rpc-http-pub.d-bis.org;
# SSL certificates
ssl_certificate /etc/nginx/ssl/rpc-http-pub.crt;
ssl_certificate_key /etc/nginx/ssl/rpc-http-pub.key;
# Trust Cloudflare IPs for real IP
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
real_ip_header CF-Connecting-IP;
access_log /var/log/nginx/rpc-http-pub-access.log;
error_log /var/log/nginx/rpc-http-pub-error.log;
# Proxy to Besu RPC - NO AUTHENTICATION
location / {
proxy_pass http://127.0.0.1:8545;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# CORS headers (if needed)
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
add_header Access-Control-Allow-Headers "Content-Type, Authorization";
# NO JWT authentication here!
}
}
```
### Public WebSocket RPC Endpoint
```nginx
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name rpc-ws-pub.d-bis.org;
# SSL certificates
ssl_certificate /etc/nginx/ssl/rpc-ws-pub.crt;
ssl_certificate_key /etc/nginx/ssl/rpc-ws-pub.key;
# Trust Cloudflare IPs for real IP
set_real_ip_from 173.245.48.0/20;
# ... (same Cloudflare IP ranges as above)
real_ip_header CF-Connecting-IP;
access_log /var/log/nginx/rpc-ws-pub-access.log;
error_log /var/log/nginx/rpc-ws-pub-error.log;
# Proxy to Besu WebSocket RPC - NO AUTHENTICATION
location / {
proxy_pass http://127.0.0.1:8546;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket timeouts
proxy_read_timeout 86400;
proxy_send_timeout 86400;
# NO JWT authentication here!
}
}
```
---
## Common Issues
### Issue 1: "Could not fetch chain ID" Error in MetaMask
**Symptom**: MetaMask shows error when trying to connect to the network.
**Root Cause**: Nginx is requiring JWT authentication for the public endpoint.
**Fix**: Remove JWT authentication from the Nginx configuration for `rpc-http-pub.d-bis.org`.
**Check**:
```bash
ssh root@192.168.11.10 "pct exec 2500 -- nginx -T | grep -A 30 'rpc-http-pub'"
```
Look for:
- `auth_request` directives (remove them)
- Lua JWT validation scripts (remove them)
### Issue 2: Cloudflared Tunnel Not Routing Correctly
**Symptom**: Requests don't reach Nginx.
**Fix**: Verify Cloudflared tunnel configuration is routing to `192.168.11.250:443`.
**Check**:
```bash
# Check cloudflared config (adjust VMID if different)
ssh root@192.168.11.10 "pct exec 102 -- cat /etc/cloudflared/config.yml"
```
### Issue 3: Nginx Not Listening on Port 443
**Symptom**: Connection refused errors.
**Fix**: Ensure Nginx is listening on port 443 and SSL certificates are configured.
**Check**:
```bash
ssh root@192.168.11.10 "pct exec 2500 -- ss -tuln | grep 443"
ssh root@192.168.11.10 "pct exec 2500 -- systemctl status nginx"
```
---
## Testing
### Test HTTP RPC Endpoint
```bash
curl -X POST https://rpc-http-pub.d-bis.org \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```
**Expected Response**:
```json
{"jsonrpc":"2.0","id":1,"result":"0x8a"}
```
### Test WebSocket RPC Endpoint
```bash
wscat -c wss://rpc-ws-pub.d-bis.org
```
Then send:
```json
{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}
```
---
## Verification Checklist
- [ ] Cloudflare DNS resolves `rpc-http-pub.d-bis.org` correctly
- [ ] Cloudflared tunnel is running and routing to `192.168.11.250:443`
- [ ] Nginx on VMID 2500 is running and listening on port 443
- [ ] Nginx configuration for `rpc-http-pub.d-bis.org` does NOT require JWT
- [ ] Nginx proxies to `127.0.0.1:8545` correctly
- [ ] Besu RPC on VMID 2500 is running and responding on port 8545
- [ ] `eth_chainId` request returns `0x8a` without authentication
- [ ] MetaMask can connect to the network successfully
---
## Related Documentation
### Network Documents
- **[CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md](CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md)** ⭐⭐⭐ - Cloudflare tunnel routing
- **[CENTRAL_NGINX_ROUTING_SETUP.md](CENTRAL_NGINX_ROUTING_SETUP.md)** ⭐⭐⭐ - Central Nginx routing
- **[NGINX_ARCHITECTURE_RPC.md](NGINX_ARCHITECTURE_RPC.md)** ⭐⭐ - NGINX architecture for RPC
- **[RPC_NODE_TYPES_ARCHITECTURE.md](RPC_NODE_TYPES_ARCHITECTURE.md)** ⭐⭐ - RPC node types
### Configuration Documents
- **[../04-configuration/RPC_DNS_CONFIGURATION.md](../04-configuration/RPC_DNS_CONFIGURATION.md)** - RPC DNS configuration
- **[../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md](../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md)** - DNS mapping to containers
### Troubleshooting
- **[../09-troubleshooting/METAMASK_TROUBLESHOOTING_GUIDE.md](../09-troubleshooting/METAMASK_TROUBLESHOOTING_GUIDE.md)** - MetaMask troubleshooting
---
**Last Updated:** 2025-01-27
**Document Version:** 1.0
**Review Cycle:** Quarterly
- [Cloudflare Tunnel RPC Setup](./04-configuration/CLOUDFLARE_TUNNEL_RPC_SETUP.md)
- [RPC JWT Authentication](./04-configuration/RPC_JWT_AUTHENTICATION.md)
---
**Last Updated**: 2025-01-27

13
docs/05-network/RPC_TEMPLATE_TYPES.md
View File

@@ -224,5 +224,16 @@ The comprehensive validation script (`validate-deployment-comprehensive.sh`) che
---
**Last Updated**: $(date)
## Related Documentation
- **[RPC_NODE_TYPES_ARCHITECTURE.md](RPC_NODE_TYPES_ARCHITECTURE.md)** ⭐⭐⭐ - RPC node types architecture
- **[NGINX_ARCHITECTURE_RPC.md](NGINX_ARCHITECTURE_RPC.md)** ⭐⭐ - NGINX architecture for RPC
- **[RPC_2500_CONFIGURATION_SUMMARY.md](RPC_2500_CONFIGURATION_SUMMARY.md)** - RPC 2500 configuration
- **[../06-besu/BESU_NODES_FILE_REFERENCE.md](../06-besu/BESU_NODES_FILE_REFERENCE.md)** - Besu nodes file reference
---
**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Review Cycle:** Quarterly