# DNS → NPMplus → VM Streamlined Architecture Table

**Last Updated:** 2026-03-27

**Document Version:** 1.1

**Status:** Active Documentation

---

**Date**: 2026-01-20

**Status**: Complete Streamlined Architecture Reference

**Purpose**: Cohesive DNS, SSL, and traffic routing table for all services

**Current topology:** The ER605 was replaced by the UDM Pro (76.53.10.34). Proxmox hosts: 192.168.11.10 (ml110), 192.168.11.11 (r630-01), 192.168.11.12 (r630-02). The NPMplus LXC (VMID 10233) has 192.168.11.166 (eth0) and 192.168.11.167 (eth1); **only 192.168.11.167** is used in UDM Pro port forwarding: 76.53.10.36:80 → 192.168.11.167:80, 76.53.10.36:443 → 192.168.11.167:443.

---

## Architecture Flow

```
Internet
    ↓
Cloudflare DNS (All domains → 76.53.10.36)
    ↓
UDM Pro Port Forwarding (76.53.10.36:80/443 → 192.168.11.167:80/443)
    ↓
NPMplus (VMID 10233: 192.168.11.167) - SSL Termination & Routing
    ↓
Backend VMs (Various IPs) - Services with/without Nginx
```

---

## Complete Service Mapping (Streamlined)

### d-bis.org Zone (9 Domains)

| Domain | SSL Cert | NPMplus Proxy | Backend VM | IP | Port | Has Nginx | Service Type |
|--------|----------|---------------|------------|----|------|-----------|--------------|
| `explorer.d-bis.org` | 49 | 8 | 5000 (blockscout-1) | 192.168.11.140 | 4000 | ✅ Yes | Blockscout Explorer |
| `rpc-http-pub.d-bis.org` | 53 | 10 | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8545 | ❌ No | Besu RPC HTTP |
| `rpc-ws-pub.d-bis.org` | 55 | 11 | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8546 | ❌ No | Besu RPC WebSocket |
| `rpc.d-bis.org` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8545 | ❌ No | Primary RPC HTTP (same as rpc-http-pub) |
| `rpc2.d-bis.org` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8545 | ❌ No | Secondary RPC HTTP (same as rpc-http-pub) |
| `ws.rpc.d-bis.org` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8546 | ❌ No | Primary RPC WebSocket (same as rpc-ws-pub) |
| `ws.rpc2.d-bis.org` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8546 | ❌ No | Secondary RPC WebSocket (same as rpc-ws-pub) |
| `rpc-http-prv.d-bis.org` | 52 | 12 | 2101 (besu-rpc-core-1) | 192.168.11.211 | 8545 | ❌ No | Besu RPC HTTP (Private) |
| `rpc-ws-prv.d-bis.org` | 54 | 13 | 2101 (besu-rpc-core-1) | 192.168.11.211 | 8546 | ❌ No | Besu RPC WebSocket (Private) |
| `dbis-admin.d-bis.org` | 46 | 14 | 10130 (dbis-frontend) | 192.168.11.130 | 80 | ✅ Yes | DBIS Admin Frontend |
| `dbis-api.d-bis.org` | 48 | 15 | 10150 (dbis-api-primary) | 192.168.11.155 | 3000 | ❌ No | DBIS API Primary |
| `dbis-api-2.d-bis.org` | 47 | 16 | 10151 (dbis-api-secondary) | 192.168.11.156 | 3000 | ❌ No | DBIS API Secondary |
| `secure.d-bis.org` | 58 | 17 | 10130 (dbis-frontend) | 192.168.11.130 | 80 | ✅ Yes | DBIS Secure Portal |

### mim4u.org Zone (4 Domains)

| Domain | SSL Cert | NPMplus Proxy | Backend VM | IP | Port | Has Nginx | Service Type |
|--------|----------|---------------|------------|----|------|-----------|--------------|
| `mim4u.org` | 50 | 17 | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Main Site |
| `www.mim4u.org` | 50 | 17 (same) | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Main Site |
| `secure.mim4u.org` | 59 | 19 | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Secure Portal |
| `training.mim4u.org` | 61 | 20 | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Training Portal |

### sankofa.nexus Zone (5 Domains, Live Backends)

| Domain | SSL Cert (ex.) | NPMplus Proxy (ex.) | Backend VM | IP | Port | Has Nginx | Service Type | Status |
|--------|----------------|---------------------|------------|----|------|-----------|--------------|--------|
| `sankofa.nexus` | 57 | 21 | 7801 | 192.168.11.51 | 3000 | ❌ No | Sankofa portal | ✅ Live |
| `www.sankofa.nexus` | 64 | 22 | 7801 | 192.168.11.51 | 3000 | ❌ No | Sankofa portal (301 apex) | ✅ Live |
| `phoenix.sankofa.nexus` | 51 | 23 | 7800 | 192.168.11.50 | 4000 | ❌ No | Phoenix API | ✅ Live |
| `www.phoenix.sankofa.nexus` | 63 | 24 | 7800 | 192.168.11.50 | 4000 | ❌ No | Phoenix API (301 apex) | ✅ Live |
| `the-order.sankofa.nexus` | 60 | 25 | 10210 | 192.168.11.39 | 80 | ❌ No | Order via HAProxy → portal | ✅ Live |

**Note:** SSL cert and NPM proxy **IDs** differ per installation; verify them in the NPM UI. The **IPs/ports** above are authoritative and supersede the earlier Blockscout routing (`.140` is used only for `explorer.d-bis.org`). See [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md).

### defi-oracle.io Zone (3 Domains)

| Domain | SSL Cert | NPMplus Proxy | Backend VM | IP | Port | Has Nginx | Service Type |
|--------|----------|---------------|------------|----|------|-----------|--------------|
| `rpc.public-0138.defi-oracle.io` | 56 | 26 | 2400 (thirdweb-rpc-1) | 192.168.11.240 | 443 | ✅ Yes | ThirdWeb RPC (HTTPS) |
| `rpc.defi-oracle.io` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8545 | ✅ Yes | Defi Oracle HTTP RPC (same as rpc-http-pub) |
| `wss.defi-oracle.io` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8546 | ✅ Yes | Defi Oracle WebSocket RPC (same as rpc-ws-pub) |

---

## DNS Configuration Summary

### Cloudflare DNS Records

| Zone | Records | Type | Target | Proxy Status | SSL Termination |
|------|---------|------|--------|--------------|-----------------|
| d-bis.org | 13 | A | 76.53.10.36 | DNS Only (Gray) | NPMplus (Let's Encrypt) |
| mim4u.org | 4 | A | 76.53.10.36 | DNS Only (Gray) | NPMplus (Let's Encrypt) |
| sankofa.nexus | 5 | A | 76.53.10.36 | DNS Only (Gray) | NPMplus (Let's Encrypt) |
| defi-oracle.io | 3 | A | 76.53.10.36 | DNS Only (Gray) | NPMplus (Let's Encrypt) |
| **TOTAL** | **25** | **A** | **76.53.10.36** | **DNS Only** | **NPMplus** |

**Note**: All DNS records use "DNS Only" mode (gray cloud), so traffic bypasses the Cloudflare proxy and reaches 76.53.10.36 directly. SSL termination is handled by NPMplus using Let's Encrypt certificates (current certificates expire 2026-04-16; auto-renewal is enabled).

---

## Port Forwarding Configuration

### UDM Pro Port Forwarding Rules

| Public IP:Port | Internal IP:Port | Protocol | Service | Status |
|----------------|------------------|----------|---------|--------|
| 76.53.10.36:443 | 192.168.11.167:443 | TCP | NPMplus HTTPS | ✅ Active |
| 76.53.10.36:80 | 192.168.11.167:80 | TCP | NPMplus HTTP | ✅ Active |

**Router**: UDM Pro

**Forwarding Type**: Port forwarding configured in UDM Pro firewall rules

---

## NPMplus Configuration

### NPMplus Container Details

| Property | Value |
|----------|-------|
| **VMID** | 10233 |
| **Host** | r630-01 (192.168.11.11) |
| **Internal IP (eth0)** | 192.168.11.166 |
| **Internal IP (eth1)** | 192.168.11.167 |
| **NPMplus (canonical)** | 192.168.11.167 |
| **Management UI** | `https://192.168.11.167:81` |
| **Public IP** | 76.53.10.36 |
| **Public Ports** | 80 (HTTP), 443 (HTTPS) |
| **Status** | ✅ Running |

### SSL Certificates (19 Active)

| Cert ID | Domain(s) | Provider | Expires | Auto-Renewal |
|---------|-----------|----------|---------|--------------|
| 46 | `dbis-admin.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 47 | `dbis-api-2.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 48 | `dbis-api.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 49 | `explorer.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 50 | `mim4u.org`, `www.mim4u.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 51 | `phoenix.sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ |
| 52 | `rpc-http-prv.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 53 | `rpc-http-pub.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 54 | `rpc-ws-prv.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 55 | `rpc-ws-pub.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 56 | `rpc.public-0138.defi-oracle.io` | Let's Encrypt | 2026-04-16 | ✅ |
| 57 | `sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ |
| 58 | `secure.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 59 | `secure.mim4u.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 60 | `the-order.sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ |
| 61 | `training.mim4u.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 62 | `www.mim4u.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 63 | `www.phoenix.sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ |
| 64 | `www.sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ |

**Total**: 19 SSL certificates, all valid until 2026-04-16 with auto-renewal enabled.

---

## Backend VM Configuration

### VMs with Nginx Web Server (4 VMs)

| VMID | IP | Hostname | Host | Status | Nginx Config | Purpose | Domains |
|------|----|----------|------|--------|--------------|---------|---------|
| 5000 | 192.168.11.140 | blockscout-1 | r630-02 | ✅ Running | `/etc/nginx/sites-available/blockscout` | Blockscout Explorer | `explorer.d-bis.org` |
| 7810 | 192.168.11.37 | mim-web-1 | r630-02 | ✅ Running | `/etc/nginx/sites-available/mim4u` | MIM4U Web App | `mim4u.org`, `www.mim4u.org`, `secure.mim4u.org`, `training.mim4u.org` |
| 10130 | 192.168.11.130 | dbis-frontend | r630-01 | ✅ Running | TBD | DBIS Admin Frontend | `dbis-admin.d-bis.org`, `secure.d-bis.org` |
| 2201 | 192.168.11.221 | besu-rpc-public-1 | r630-02 | ✅ Running | 8545/8546 | Besu RPC | `rpc-http-pub.d-bis.org`, `rpc-ws-pub.d-bis.org`, `rpc.d-bis.org`, `rpc2.d-bis.org`, `ws.rpc.d-bis.org`, `ws.rpc2.d-bis.org`, `rpc.defi-oracle.io`, `wss.defi-oracle.io` |
| 2400 | 192.168.11.240 | thirdweb-rpc-1 | ml110 | ✅ Running | TBD | ThirdWeb RPC (HTTPS) | `rpc.public-0138.defi-oracle.io` |

### VMs without Nginx (Direct Service Access) (4 VMs)

| VMID | IP | Hostname | Host | Status | Service | Port | Protocol | Domains |
|------|----|----------|------|--------|---------|------|----------|---------|
| 2101 | 192.168.11.211 | besu-rpc-core-1 | ml110 | ✅ Running | Besu RPC | 8545/8546 | HTTP/WS | `rpc-http-prv.d-bis.org`, `rpc-ws-prv.d-bis.org` |
| 2201 | 192.168.11.221 | besu-rpc-public-1 | r630-02 | ✅ Running | Besu RPC | 8545/8546 | HTTP/WS | `rpc-http-pub.d-bis.org`, `rpc-ws-pub.d-bis.org`, `rpc.d-bis.org`, `rpc2.d-bis.org`, `ws.rpc.d-bis.org`, `ws.rpc2.d-bis.org`, `rpc.defi-oracle.io`, `wss.defi-oracle.io` |
| 10150 | 192.168.11.155 | dbis-api-primary | r630-01 | ✅ Running | Node.js API | 3000 | HTTP | `dbis-api.d-bis.org` |
| 10151 | 192.168.11.156 | dbis-api-secondary | r630-01 | ✅ Running | Node.js API | 3000 | HTTP | `dbis-api-2.d-bis.org` |

---

## Traffic Flow Examples

### Example 1: Web Application (MIM4U)

```
User: https://mim4u.org
    ↓
DNS: mim4u.org → 76.53.10.36
    ↓
Port Forward: 76.53.10.36:443 → 192.168.11.167:443
    ↓
NPMplus (192.168.11.167:443):
│
├─ SSL Termination (Cert ID: 50)
│
├─ Proxy Host ID: 17
│
└─ Proxy Pass: http://192.168.11.37:80
    ↓
nginx on VMID 7810 (192.168.11.37:80):
│
└─ Serve: /var/www/html
    ↓
Response: HTTPS → User
```

### Example 2: API Service (DBIS)

```
User: https://dbis-api.d-bis.org
    ↓
DNS: dbis-api.d-bis.org → 76.53.10.36
    ↓
Port Forward: 76.53.10.36:443 → 192.168.11.167:443
    ↓
NPMplus (192.168.11.167:443):
│
├─ SSL Termination (Cert ID: 48)
│
├─ Proxy Host ID: 15
│
└─ Proxy Pass: http://192.168.11.155:3000
    ↓
Node.js API on VMID 10150 (192.168.11.155:3000):
│
└─ Process Request
    ↓
Response: HTTPS → User
```

### Example 3: RPC Endpoint (ThirdWeb)

```
User: https://rpc.public-0138.defi-oracle.io
    ↓
DNS: rpc.public-0138.defi-oracle.io → 76.53.10.36
    ↓
Port Forward: 76.53.10.36:443 → 192.168.11.167:443
    ↓
NPMplus (192.168.11.167:443):
│
├─ SSL Termination (Cert ID: 56)
│
├─ Proxy Host ID: 26
│
└─ Proxy Pass: https://192.168.11.240:443
    ↓
nginx on VMID 2400 (192.168.11.240:443):
│
├─ SSL Termination (Internal)
│
└─ Backend: Besu RPC + Translator
    ↓
Response: HTTPS → User
```

### Example 4: RPC Service (Direct Besu)

```
User: https://rpc-http-pub.d-bis.org
    ↓
DNS: rpc-http-pub.d-bis.org → 76.53.10.36
    ↓
Port Forward: 76.53.10.36:443 → 192.168.11.167:443
    ↓
NPMplus (192.168.11.167:443):
│
├─ SSL Termination (Cert ID: 53)
│
├─ Proxy Host ID: 10
│
└─ Proxy Pass: http://192.168.11.221:8545
    ↓
Besu RPC on VMID 2201 (192.168.11.221:8545):
│
└─ Process JSON-RPC Request
    ↓
Response: HTTPS → User
```

---

## Service Summary Statistics

### By Service Type

| Service Type | Count | Domains | VMs with Nginx | VMs Direct Access |
|--------------|-------|---------|----------------|-------------------|
| Web Applications | 5 | 9 | 3 | 0 |
| API Services | 2 | 2 | 0 | 2 |
| RPC Services | 5 | 5 | 1 | 4 |
| Blockchain Explorer | 1 | 1 | 1 | 0 |
| **TOTAL** | **13** | **17** | **5** | **6** |

**Note**: The 5 Sankofa domains are not included in these totals because their services are not deployed.

### By Zone

| Zone | Domains | SSL Certs | Active Services | Issues |
|------|---------|-----------|-----------------|--------|
| d-bis.org | 9 | 9 | 9 | None |
| mim4u.org | 4 | 4 | 4 | None |
| sankofa.nexus | 5 | 5 | 0 | ⚠️ Services not deployed |
| defi-oracle.io | 1 | 1 | 1 | None |
| **TOTAL** | **19** | **19** | **14** | **5 issues** |

---

## Issues and Action Items

### ⚠️ Critical Issues

1. **Sankofa Nexus Services NOT Deployed**
   - All 5 Sankofa domains currently route to Blockscout (192.168.11.140)
   - Sankofa services need to be deployed before these domains can work correctly
   - **Action Required**: Deploy Sankofa services and update NPMplus routing

### 📋 Recommended Improvements

1. **Documentation**
   - ⚠️ Document nginx config file paths for VMID 10130 and 2400
   - ⚠️ Document custom nginx configurations for all VMs with nginx
2. **Monitoring**
   - Set up certificate expiration alerts (all certs expire 2026-04-16)
   - Monitor backend VM health
   - Track DNS resolution status
3. **Security**
   - ✅ All SSL certificates auto-renewing
   - ✅ HSTS enabled on all domains
   - ✅ Security headers configured

---

## Quick Reference Commands

### Test DNS Resolution

```bash
dig +short mim4u.org
dig +short explorer.d-bis.org
dig +short rpc-http-pub.d-bis.org
```

### Test SSL Certificates

```bash
curl -vI https://mim4u.org 2>&1 | grep -E "(certificate|SSL|TLS)"
curl -vI https://explorer.d-bis.org 2>&1 | grep -E "(certificate|SSL|TLS)"
```

### Test Backend Services

```bash
# Test Blockscout
curl -I http://192.168.11.140:80

# Test MIM4U
curl -I http://192.168.11.37:80

# Test DBIS API
curl -I http://192.168.11.155:3000

# Test RPC
curl -X POST http://192.168.11.221:8545 \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```

### Check NPMplus Status

```bash
# From Proxmox host
ssh root@192.168.11.11 "pct exec 10233 -- docker ps --filter 'name=npmplus'"

# Check NPMplus logs
ssh root@192.168.11.11 "pct exec 10233 -- docker logs npmplus --tail 50"
```

### Check VM Status

```bash
# Check specific VM
ssh root@192.168.11.12 "pct status 7810"

# Check nginx status on VM
ssh root@192.168.11.12 "pct exec 7810 -- systemctl status nginx"
```

---

## Related Documentation

- **Comprehensive Architecture**: `docs/04-configuration/DNS_NPMPLUS_VM_COMPREHENSIVE_ARCHITECTURE.md`
- **VMID Endpoints**: `docs/04-configuration/ALL_VMIDS_ENDPOINTS.md`
- **NPMplus Setup**: `docs/04-configuration/NPMPLUS_COMPLETE_SETUP_SUMMARY.md`
- **NPMplus Service Mapping**: `docs/04-configuration/NPMPLUS_SERVICE_MAPPING_COMPLETE.md`
- **MIM4U DNS Config**: `reports/VMID_7810_DNS_NPMPLUS_CONFIGURATION.md`
- **Cloudflare DNS**: `docs/04-configuration/cloudflare/CLOUDFLARE_DNS_SPECIFIC_SERVICES.md`

---

**Last Updated**: 2026-01-20

**Maintained By**: Infrastructure Team

**Status**: ✅ Complete Streamlined Architecture Reference
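## Mapping Consistency and Certificate Expiry Check (Added Example)

The checks a practitioner would run against the tables above, as an added example that is not part of this reference or of NPMplus. It flags an NPMplus proxy host ID that points at two different backends (the tables list ID 17 for both `secure.d-bis.org` → 192.168.11.130:80 and `mim4u.org` → 192.168.11.37:80), lists domains still at "Request" with no certificate, and implements the certificate-expiration alert from the Monitoring action item on the `notAfter` and `subjectAltName` fields that Python's `ssl.getpeercert()` returns. `MAPPING` is a subset of the rows above; `SAMPLE_CERT` and `DOC_DATE` are constructed stand-ins so the file runs offline; `fetch_cert` and `resolves_to_expected` are optional live helpers, assumed to be run from a host that can reach 76.53.10.36.

```python
"""Offline consistency checks plus optional live TLS/DNS checks for the
DNS -> NPMplus -> VM mapping. Added example, not from the original reference."""
import socket
import ssl
from collections import defaultdict
from datetime import datetime, timezone

EXPECTED_PUBLIC_IP = "76.53.10.36"   # A-record target for every zone (DNS table)
WARN_DAYS = 30                       # alert threshold for the expiry monitor
# Reference "now" for the offline demo: this document's Last Updated date (constructed).
DOC_DATE = datetime(2026, 3, 27, 12, 0, 0, tzinfo=timezone.utc)

# (domain, cert_id, proxy_id, backend_ip, backend_port), copied from the service
# mapping tables. None stands for "Request" / "—": no cert or proxy host yet.
MAPPING = [
    ("explorer.d-bis.org",             49,   8,    "192.168.11.140", 4000),
    ("rpc-http-pub.d-bis.org",         53,   10,   "192.168.11.221", 8545),
    ("rpc-ws-pub.d-bis.org",           55,   11,   "192.168.11.221", 8546),
    ("rpc.d-bis.org",                  None, None, "192.168.11.221", 8545),
    ("dbis-admin.d-bis.org",           46,   14,   "192.168.11.130", 80),
    ("secure.d-bis.org",               58,   17,   "192.168.11.130", 80),
    ("mim4u.org",                      50,   17,   "192.168.11.37",  80),
    ("www.mim4u.org",                  50,   17,   "192.168.11.37",  80),
    ("rpc.public-0138.defi-oracle.io", 56,   26,   "192.168.11.240", 443),
]

# Constructed stand-in for cert ID 50 (mim4u.org + www.mim4u.org, expires 2026-04-16),
# in the dict shape ssl.getpeercert() returns. A real one comes from fetch_cert().
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "mim4u.org"), ("DNS", "www.mim4u.org")),
    "notAfter": "Apr 16 12:00:00 2026 GMT",
}


def proxy_id_collisions(mapping):
    """{proxy_id: sorted backends} for proxy hosts that point at more than one
    distinct backend. One proxy host serving several names on the same backend
    (mim4u.org + www.mim4u.org) is normal and is not reported."""
    backends = defaultdict(set)
    for _domain, _cert, proxy, ip, port in mapping:
        if proxy is not None:
            backends[proxy].add((ip, port))
    return {pid: sorted(b) for pid, b in backends.items() if len(b) > 1}


def pending_domains(mapping):
    """Domains listed without a certificate: HTTPS to these names cannot be
    terminated by NPMplus until the cert is issued and a proxy host exists."""
    return [d for d, cert, _p, _ip, _port in mapping if cert is None]


def cert_covers(cert, hostname):
    """True if the certificate's DNS SANs cover hostname (exact match or a
    single-label wildcard such as *.mim4u.org, which does not cover the apex)."""
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        san = name.lower()
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def days_until_expiry(not_after, now=None):
    """Whole days left given a getpeercert() 'notAfter' string."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days


def cert_report(cert, hostname, now=None, warn_days=WARN_DAYS):
    """Expiry-monitor verdict: alert when the cert is close to expiry or does
    not cover the name it is served for."""
    covers = cert_covers(cert, hostname)
    days = days_until_expiry(cert["notAfter"], now)
    return {"hostname": hostname, "covers_hostname": covers,
            "days_left": days, "alert": days < warn_days or not covers}


# --- live helpers (network; not used by the offline checks above) -------------

def fetch_cert(hostname, ip=EXPECTED_PUBLIC_IP, port=443, timeout=5.0):
    """TLS-connect to ip:port with SNI=hostname, as an Internet client reaching
    NPMplus through the UDM Pro port forward would, and return the leaf cert.
    The default context also verifies the chain and hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def resolves_to_expected(domain):
    """DNS drift check for the 'Track DNS resolution status' action item."""
    return socket.gethostbyname(domain) == EXPECTED_PUBLIC_IP


if __name__ == "__main__":
    print("proxy-ID collisions:", proxy_id_collisions(MAPPING))
    print("domains still pending certs:", pending_domains(MAPPING))
    for domain, cert_id, _proxy, _ip, _port in MAPPING:
        if cert_id is None:
            continue
        try:
            dns_ok = "dns-ok" if resolves_to_expected(domain) else "DNS-DRIFT"
            print(domain, dns_ok, cert_report(fetch_cert(domain), domain))
        except (OSError, ssl.SSLError) as exc:
            print(domain, "unreachable:", exc)
```

Run with no arguments: the two offline checks print first, then each certificate-bearing domain is resolved and TLS-connected through the public IP. Against the rows above the collision check reports proxy host 17 with two backends, and `rpc.d-bis.org` shows up as pending; with the document date as "now", the constructed cert 50 has 20 days left and trips the 30-day alert.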