# RPC DNS Configuration for d-bis.org and defi-oracle.io

**Last Updated:** 2025-01-23

**Status:** Active Configuration

---

## Overview

DNS configuration for the RPC endpoints, with Nginx performing SSL termination on port 443.

**Architecture:**

**d-bis.org domain (Direct A records):**

```
Internet → DNS (A records) → Nginx (port 443) → Besu RPC (8545/8546)
```

**defi-oracle.io domain (Cloudflare Tunnel):**

```
Internet → DNS (CNAME) → Cloudflare Tunnel → VMID 2400 → Nginx (port 443) → Besu RPC (8545/8546)
```

All HTTPS traffic arrives on port 443, and Nginx routes it to the appropriate backend port based on the requested hostname (Server Name Indication - SNI). For VMID 2400, traffic flows through Cloudflare Tunnel first.

---

## DNS Records Configuration

### Cloudflare DNS Records

**Important:** A records in DNS do NOT include port numbers. All traffic arrives on port 443 (HTTPS), and Nginx handles routing to the backend ports.

#### Permissioned/Private RPC (VMID 2101 - 192.168.11.211) - JWT Authentication Required

| Type | Name | Target | Proxy | Notes |
|------|------|--------|-------|-------|
| A | `rpc-http-prv` | `192.168.11.211` | 🟠 Proxied (optional) | HTTP RPC endpoint (JWT auth required) |
| A | `rpc-ws-prv` | `192.168.11.211` | 🟠 Proxied (optional) | WebSocket RPC endpoint (JWT auth required) |

**DNS Configuration:**

```
Type: A
Name: rpc-http-prv
Target: 192.168.11.211
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)

Type: A
Name: rpc-ws-prv
Target: 192.168.11.211
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)
```

**Note:** These endpoints require JWT token authentication. See [RPC_JWT_AUTHENTICATION.md](RPC_JWT_AUTHENTICATION.md) for details.
#### Public RPC (VMID 2201 - 192.168.11.221, RPC_PUBLIC_1) - No Authentication

| Type | Name | Target | Proxy | Notes |
|------|------|--------|-------|-------|
| A | `rpc-http-pub` | `192.168.11.221` | 🟠 Proxied (optional) | HTTP RPC endpoint (public, no auth) |
| A | `rpc-ws-pub` | `192.168.11.221` | 🟠 Proxied (optional) | WebSocket RPC endpoint (public, no auth) |

**DNS Configuration:**

```
Type: A
Name: rpc-http-pub
Target: 192.168.11.221
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)

Type: A
Name: rpc-ws-pub
Target: 192.168.11.221
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)
```

### DNS Records Configuration for defi-oracle.io Domain

**Note:** The `defi-oracle.io` domain is used specifically for ThirdWeb RPC nodes and Thirdweb listing integration.

#### ThirdWeb RPC (VMID 2400 - 192.168.11.240) - defi-oracle.io Domain

**Note:** VMID 2400 uses Cloudflare Tunnel, so its DNS records are CNAMEs (not A records).

| Type | Name | Domain | Target | Proxy | Notes |
|------|------|--------|--------|-------|-------|
| CNAME | `rpc.public-0138` | `defi-oracle.io` | `26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com` | 🟠 Proxied | Tunnel endpoint for ThirdWeb RPC |
| CNAME | `rpc` | `defi-oracle.io` | `rpc.public-0138.defi-oracle.io` | 🟠 Proxied | Short alias for ThirdWeb RPC |

**DNS Configuration:**

**Record 1: Tunnel Endpoint**

```
Type: CNAME
Name: rpc.public-0138
Domain: defi-oracle.io
Target: 26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com
TTL: Auto
Proxy: 🟠 Proxied (required for tunnel)
```

**Record 2: Short Alias**

```
Type: CNAME
Name: rpc
Domain: defi-oracle.io
Target: rpc.public-0138.defi-oracle.io
TTL: Auto
Proxy: 🟠 Proxied (required for tunnel)
```

**Full FQDNs:**

- `rpc.public-0138.defi-oracle.io` (primary endpoint)
- `rpc.defi-oracle.io` (HTTP RPC short alias)
- `wss.defi-oracle.io` (WebSocket RPC)

**Alternative: DNS-only (NPMplus)** — When using NPMplus (no tunnel), create A records in Cloudflare (DNS Only / gray cloud):

| Type | Name | Target | Proxy |
|------|------|--------|-------|
| A | `rpc` | 76.53.10.36 | DNS Only |
| A | `wss` | 76.53.10.36 | DNS Only |

Then NPMplus (192.168.11.167) receives the traffic and proxies it to 192.168.11.240:443 for both `rpc.defi-oracle.io` and `wss.defi-oracle.io`. Request Let's Encrypt certificates in NPMplus for both hostnames.

**DNS Structure (tunnel):**

```
rpc.defi-oracle.io
  ↓ (CNAME)
rpc.public-0138.defi-oracle.io
  ↓ (CNAME)
26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com
  ↓ (Cloudflare Tunnel)
192.168.11.240 (VMID 2400)
```

**Note:** This endpoint is used for the Thirdweb listing for ChainID 138. Traffic flows through Cloudflare Tunnel to VMID 2400, where Nginx handles SSL termination and routes to Besu RPC (port 8545 for HTTP, port 8546 for WebSocket).

---

## How It Works

### Request Flow

1. **Client** makes a request to `https://rpc-http-prv.d-bis.org` (permissioned) or `https://rpc-http-pub.d-bis.org` (public)
2. **DNS** resolves the name to the appropriate IP (A record)
3. **HTTPS connection** is established on port 443 (standard HTTPS port)
4. **Nginx** receives the request on port 443
5. **Nginx** uses Server Name Indication (SNI) to identify the domain:
   - `rpc-http-pub.d-bis.org` → proxies to `127.0.0.1:8545` (HTTP RPC)
   - `rpc-ws-pub.d-bis.org` → proxies to `127.0.0.1:8546` (WebSocket RPC)
   - `rpc-http-prv.d-bis.org` → proxies to `127.0.0.1:8545` (HTTP RPC)
   - `rpc-ws-prv.d-bis.org` → proxies to `127.0.0.1:8546` (WebSocket RPC)
   - `rpc.public-0138.defi-oracle.io` → Cloudflare Tunnel → VMID 2400 → proxies to `127.0.0.1:8545` (HTTP RPC) or `127.0.0.1:8546` (WebSocket RPC)
   - `rpc.defi-oracle.io` → CNAME → `rpc.public-0138.defi-oracle.io` → Cloudflare Tunnel → VMID 2400 → proxies to `127.0.0.1:8545` (HTTP RPC) or `127.0.0.1:8546` (WebSocket RPC)
   - With DNS-only: `rpc.defi-oracle.io` / `wss.defi-oracle.io` → A 76.53.10.36 → NPMplus → VMID 2400:443
6. **Besu RPC** processes the request and returns the response
7. **Nginx** forwards the response back to the client

### Port Mapping

| Domain | DNS Target | Nginx Port | Backend Port | Service | Auth |
|--------|------------|------------|--------------|---------|------|
| `rpc-http-prv.d-bis.org` | `192.168.11.211` | 443 (HTTPS) | 8545 | HTTP RPC | ✅ JWT Required |
| `rpc-ws-prv.d-bis.org` | `192.168.11.211` | 443 (HTTPS) | 8546 | WebSocket RPC | ✅ JWT Required |
| `rpc-http-pub.d-bis.org` | `192.168.11.221` | 443 (HTTPS) | 8545 | HTTP RPC | ❌ No Auth |
| `rpc-ws-pub.d-bis.org` | `192.168.11.221` | 443 (HTTPS) | 8546 | WebSocket RPC | ❌ No Auth |
| `rpc.public-0138.defi-oracle.io` | Cloudflare Tunnel → `192.168.11.240` | 443 (HTTPS) | 8545/8546 | HTTP/WS RPC | ❌ No Auth |
| `rpc.defi-oracle.io` | CNAME → `rpc.public-0138` → Cloudflare Tunnel → `192.168.11.240` (or A 76.53.10.36 → NPMplus) | 443 (HTTPS) | 8545/8546 | HTTP/WS RPC | ❌ No Auth |
| `wss.defi-oracle.io` | A 76.53.10.36 → NPMplus → `192.168.11.240:443` | 443 (HTTPS) | 8545/8546 | WebSocket RPC | ❌ No Auth |

**Note:** DNS A records only contain IP addresses. Port numbers are handled by:

- **Port 443**: Standard HTTPS port (used automatically by browsers/clients)
- **Backend ports (8545/8546)**: Configured in the Nginx server blocks

---

## Testing

### Test DNS Resolution

```bash
# Test DNS resolution
dig rpc-http-pub.d-bis.org
nslookup rpc-http-pub.d-bis.org

# Should resolve to: 192.168.11.221 (the RPC_PUBLIC_1 target when the record is DNS Only)
# If the record is proxied (orange cloud), the answer is a Cloudflare edge IP, not the origin
```

### Test HTTPS Endpoints

```bash
# Test HTTP RPC endpoint (port 443)
# -k skips certificate verification; drop it once a trusted certificate is in place
curl -k https://rpc-http-pub.d-bis.org/health
curl -k -X POST https://rpc-http-pub.d-bis.org \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test WebSocket RPC endpoint (port 443)
# Use wscat or a similar WebSocket client
wscat -c wss://rpc-ws-pub.d-bis.org
```

### Test Direct IP Access (for troubleshooting)

```bash
# Test Nginx directly on the container IP
curl -k https://192.168.11.211/health
curl -k https://192.168.11.221/health

# Test backend Besu RPC directly (bypassing Nginx)
curl -X POST http://192.168.11.211:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
```

---

## Cloudflare Proxy Settings

### When to Use Proxy (🟠 Proxied)

**Recommended for:**

- DDoS protection
- CDN caching (though RPC responses shouldn't be cached)
- SSL/TLS termination at the Cloudflare edge
- Hiding the origin server IP

**Considerations:**

- Cloudflare may cache some responses (disable caching for RPC)
- Additional latency (usually minimal)
- WebSocket support requires Cloudflare WebSocket passthrough

### When to Use DNS Only (❌ DNS only)

**Use when:**

- Direct IP access is needed
- The Cloudflare proxy causes issues
- Testing/debugging
- Internal network access

---

## Nginx Configuration Summary

The Nginx configuration on each container:

**VMID 2501 (Permissioned RPC):**

- Listens on port 443 (HTTPS)
- `rpc-http-prv.d-bis.org` → proxies to `127.0.0.1:8545` (JWT auth required)
- `rpc-ws-prv.d-bis.org` → proxies to `127.0.0.1:8546` (JWT auth required)

**VMID 2502 (Public RPC):**

- Listens on port 443 (HTTPS)
- `rpc-http-pub.d-bis.org` → proxies to `127.0.0.1:8545` (no auth)
- `rpc-ws-pub.d-bis.org` → proxies to `127.0.0.1:8546` (no auth)

**VMID 2400 (ThirdWeb RPC - Cloudflare Tunnel):**

- Cloudflare Tunnel endpoint: `26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com`
- Nginx listens on port 443 (HTTPS) inside the container
- `rpc.public-0138.defi-oracle.io` → Cloudflare Tunnel → proxies to `127.0.0.1:8545` (HTTP RPC, no auth) or `127.0.0.1:8546` (WebSocket RPC, no auth)
- `rpc.defi-oracle.io` → CNAME → `rpc.public-0138.defi-oracle.io` → Cloudflare Tunnel → proxies to `127.0.0.1:8545` (HTTP RPC, no auth) or `127.0.0.1:8546` (WebSocket RPC, no auth)
- Uses the `defi-oracle.io` domain (Cloudflare Tunnel) for Thirdweb listing integration

---

## Troubleshooting

### DNS Not Resolving

```bash
# Check DNS resolution
dig rpc-http-pub.d-bis.org
nslookup rpc-http-pub.d-bis.org

# Verify the DNS records in the Cloudflare dashboard
```

### Connection Refused

```bash
# Check if Nginx is running
ssh root@192.168.11.10 "pct exec 2501 -- systemctl status nginx"

# Check if port 443 is listening
ssh root@192.168.11.10 "pct exec 2501 -- ss -tuln | grep 443"

# Check the Nginx configuration
ssh root@192.168.11.10 "pct exec 2501 -- nginx -t"
```

### SSL Certificate Issues

```bash
# Check the SSL certificate
ssh root@192.168.11.10 "pct exec 2501 -- openssl x509 -in /etc/nginx/ssl/rpc.crt -text -noout"

# Test the SSL connection
openssl s_client -connect rpc-http-pub.d-bis.org:443 -servername rpc-http-pub.d-bis.org
```

### Backend Connection Issues

```bash
# Test backend Besu RPC directly
curl -X POST http://192.168.11.211:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Check the Besu service status
ssh root@192.168.11.10 "pct exec 2501 -- systemctl status besu-rpc"
```

---

## Related Documentation

- [CLOUDFLARE_DNS_SPECIFIC_SERVICES.md](cloudflare/CLOUDFLARE_DNS_SPECIFIC_SERVICES.md) - General DNS configuration
- [NGINX_ARCHITECTURE_RPC.md](../05-network/NGINX_ARCHITECTURE_RPC.md) - Nginx architecture details
- [CLOUDFLARE_NGINX_INTEGRATION.md](../05-network/CLOUDFLARE_NGINX_INTEGRATION.md) - Cloudflare + Nginx integration

---

## Quick Reference

**DNS Records to Create:**

**d-bis.org domain:**

```
rpc-http-prv.d-bis.org → A → 192.168.11.211 (Permissioned, JWT auth required)
rpc-ws-prv.d-bis.org   → A → 192.168.11.211 (Permissioned, JWT auth required)
rpc-http-pub.d-bis.org → A → 192.168.11.221 (Public, no auth)
rpc-ws-pub.d-bis.org   → A → 192.168.11.221 (Public, no auth)
```

**defi-oracle.io domain (ThirdWeb RPC - Cloudflare Tunnel):**

```
rpc.public-0138.defi-oracle.io → CNAME → 26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com (Tunnel endpoint)
rpc.defi-oracle.io             → CNAME → rpc.public-0138.defi-oracle.io (Short alias)
```

**defi-oracle.io domain (DNS-only + NPMplus):**

```
rpc.defi-oracle.io → A → 76.53.10.36 (HTTP RPC; NPMplus → 192.168.11.240:443)
wss.defi-oracle.io → A → 76.53.10.36 (WebSocket RPC; NPMplus → 192.168.11.240:443)
```

**Endpoints:**

**d-bis.org domain:**

- `https://rpc-http-prv.d-bis.org` → Permissioned HTTP RPC (port 443 → 8545, JWT auth required)
- `wss://rpc-ws-prv.d-bis.org` → Permissioned WebSocket RPC (port 443 → 8546, JWT auth required)
- `https://rpc-http-pub.d-bis.org` → Public HTTP RPC (port 443 → 8545, no auth)
- `wss://rpc-ws-pub.d-bis.org` → Public WebSocket RPC (port 443 → 8546, no auth)

**defi-oracle.io domain (ThirdWeb RPC - Cloudflare Tunnel):**

- `https://rpc.public-0138.defi-oracle.io` → ThirdWeb HTTP RPC (Cloudflare Tunnel → port 443 → 8545, no auth)
- `wss://rpc.public-0138.defi-oracle.io` → ThirdWeb WebSocket RPC (Cloudflare Tunnel → port 443 → 8546, no auth)
- `https://rpc.defi-oracle.io` → Defi Oracle HTTP RPC (A 76.53.10.36 → NPMplus → 8545, or CNAME to tunnel)
- `wss://wss.defi-oracle.io` → Defi Oracle WebSocket RPC (A 76.53.10.36 → NPMplus → 8546, no auth)
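The record plan and the CNAME chain above, as an added Python example that is not part of this runbook: it models the records from the tables, follows the chain for `rpc.defi-oracle.io` the way the DNS Structure diagram does, and checks the two rules the document states (A targets carry no port; a record pointing at the `cfargotunnel.com` target must stay proxied). The `Record` class and the function names are my own, and `RECORDS` is built only from values in the tables.

```python
# Added example (not the project's own code): validate the Cloudflare
# record plan described above before creating the records.
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Record:
    rtype: str      # "A" or "CNAME"
    target: str     # IPv4 address (A) or hostname (CNAME)
    proxied: bool   # True = orange cloud, False = DNS Only

# Records from the tables above, keyed by FQDN (constructed from the page)
RECORDS: Dict[str, Record] = {
    "rpc-http-prv.d-bis.org": Record("A", "192.168.11.211", True),
    "rpc-ws-prv.d-bis.org": Record("A", "192.168.11.211", True),
    "rpc-http-pub.d-bis.org": Record("A", "192.168.11.221", True),
    "rpc-ws-pub.d-bis.org": Record("A", "192.168.11.221", True),
    "rpc.public-0138.defi-oracle.io": Record(
        "CNAME", "26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com", True),
    "rpc.defi-oracle.io": Record("CNAME", "rpc.public-0138.defi-oracle.io", True),
}

def resolve_chain(name: str, records: Dict[str, Record] = RECORDS,
                  max_hops: int = 8) -> List[str]:
    """Follow CNAMEs from name down to the final A target or external host."""
    chain = [name]
    while name in records and records[name].rtype == "CNAME":
        name = records[name].target
        if name in chain or len(chain) > max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        chain.append(name)
    if name in records:          # chain ends on an A record we manage
        chain.append(records[name].target)
    return chain

def check_records(records: Dict[str, Record] = RECORDS) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    for fqdn, rec in records.items():
        # Rule 1: A records hold only an IP; ports belong to Nginx, never to DNS
        if rec.rtype == "A" and ":" in rec.target:
            problems.append(f"{fqdn}: A record must not carry a port ({rec.target})")
        # Rule 2: a tunnel CNAME only works through the Cloudflare proxy
        if rec.target.endswith(".cfargotunnel.com") and not rec.proxied:
            problems.append(f"{fqdn}: tunnel CNAME must be proxied")
        if rec.rtype == "CNAME":
            try:
                resolve_chain(fqdn, records)
            except ValueError as exc:
                problems.append(f"{fqdn}: {exc}")
    return problems
```

Run `check_records()` against the record set before applying it in the Cloudflare dashboard; `resolve_chain("rpc.defi-oracle.io")` reproduces the three-hop chain from the DNS Structure diagram.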