# DNS Conflict Resolution Plan

## Critical Issue Summary

**Problem**: 9 hostnames are CNAMEd to the same Cloudflare tunnel (`10ab22da-8ea3-4e2e-a896-27ece2211a05`), but no running connector carries ingress rules for them.

**Impact**: Services failing, routing conflicts, difficult troubleshooting.

## Root Cause Analysis

### DNS Zone File Shows

```
9 hostnames → 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com
```

Pointing many hostnames at one tunnel is the normal Cloudflare Tunnel pattern: the connector decides where each hostname goes from the `ingress` rules in its config file. With the tunnel down and no complete ingress file, every one of these names resolves to Cloudflare and then fails.

### Current Tunnel Status

- **Tunnel ID**: `10ab22da-8ea3-4e2e-a896-27ece2211a05`
- **Status**: ⚠️ DOWN (needs configuration)
- **Location**: Should be in VMID 102 on r630-02
- **Target**: Should route to central Nginx at `192.168.11.21:80`

### Affected Services

| Hostname | Service | Expected Target |
|----------|---------|-----------------|
| `dbis-admin.d-bis.org` | Admin UI | `http://192.168.11.21:80` |
| `dbis-api.d-bis.org` | API v1 | `http://192.168.11.21:80` |
| `dbis-api-2.d-bis.org` | API v2 | `http://192.168.11.21:80` |
| `mim4u.org.d-bis.org` | MIM4U Site | `http://192.168.11.21:80` |
| `www.mim4u.org.d-bis.org` | MIM4U WWW | `http://192.168.11.21:80` |
| `rpc-http-prv.d-bis.org` | Private HTTP RPC | `http://192.168.11.21:80` |
| `rpc-http-pub.d-bis.org` | Public HTTP RPC | `http://192.168.11.21:80` |
| `rpc-ws-prv.d-bis.org` | Private WS RPC | `http://192.168.11.21:80` |
| `rpc-ws-pub.d-bis.org` | Public WS RPC | `http://192.168.11.21:80` |

Note that the two `*-prv` RPC hostnames are published through the same tunnel as the public ones, so they are reachable from the internet exactly like `rpc-*-pub`. If they are meant to be private, put an access policy in front of them (for example a Cloudflare Access application) or leave them out of this ingress file; the tunnel itself does not enforce any distinction.

## Resolution Steps

### Step 1: Verify Tunnel Configuration Location

```bash
# Check whether a config or credentials file for this tunnel exists in VMID 102.
# grep the file contents rather than the names: the credentials file is expected
# as credentials-services.json, not <tunnel-id>.json, so a name match would miss it.
ssh root@192.168.11.12 "pct exec 102 -- grep -l 10ab22da /etc/cloudflared/* 2>/dev/null"
ssh root@192.168.11.12 "pct exec 102 -- ls -la /etc/cloudflared/"
```

The credentials file holds the tunnel secret; it should be owned by the account that runs `cloudflared` and not readable by anyone else (mode `0600`).

### Step 2: Create/Update Tunnel Configuration

The tunnel needs a complete ingress configuration file. Rules are matched top to bottom, so the catch-all must be the last entry; any rule placed after it is never reached.

**File**: `/etc/cloudflared/tunnel-services.yml` (in VMID 102)

```yaml
tunnel: 10ab22da-8ea3-4e2e-a896-27ece2211a05
credentials-file: /etc/cloudflared/credentials-services.json

ingress:
  # Admin Interface
  - hostname: dbis-admin.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: dbis-admin.d-bis.org

  # API Endpoints
  - hostname: dbis-api.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: dbis-api.d-bis.org
  - hostname: dbis-api-2.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: dbis-api-2.d-bis.org

  # MIM4U Services
  - hostname: mim4u.org.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: mim4u.org.d-bis.org
  - hostname: www.mim4u.org.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: www.mim4u.org.d-bis.org

  # RPC Endpoints - HTTP
  - hostname: rpc-http-prv.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: rpc-http-prv.d-bis.org
  - hostname: rpc-http-pub.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: rpc-http-pub.d-bis.org

  # RPC Endpoints - WebSocket
  - hostname: rpc-ws-prv.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: rpc-ws-prv.d-bis.org
  - hostname: rpc-ws-pub.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: rpc-ws-pub.d-bis.org

  # Catch-all (MUST be last)
  - service: http_status:404

# Metrics (loopback only; do not bind this to a routable address)
metrics: 127.0.0.1:9090

# Logging
loglevel: info

# Grace period
gracePeriod: 30s
```

### Step 3: Create Systemd Service

**File**: `/etc/systemd/system/cloudflared-services.service`

```ini
[Unit]
Description=Cloudflare Tunnel for Services (RPC, API, Admin, MIM4U)
Wants=network-online.target
After=network-online.target

[Service]
TimeoutStartSec=0
Type=notify
ExecStart=/usr/local/bin/cloudflared --config /etc/cloudflared/tunnel-services.yml tunnel run
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
```

If the `cloudflared` binary is managed by a package manager rather than copied into `/usr/local/bin`, add `--no-autoupdate` to `ExecStart` so the service does not replace the binary on its own.

### Step 4: Check TTL and Proxy Status

The zone export shows TTL `1` on these records. In Cloudflare's API and exports, `1` means **Auto**, and records proxied through Cloudflare (orange cloud), which tunnel CNAMEs must be, always use Auto. A TTL of `1` is therefore expected here and is not a cause of the outage.

In Cloudflare Dashboard:

1. Go to **DNS** → **Records**
2. For each of the 9 CNAME records, confirm the target is `10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com` and the **Proxy status** is **Proxied**
3. Only for DNS-only (grey cloud) records elsewhere in the zone, set an explicit TTL such as **300** (5 minutes) if a fixed value is wanted
4. Save changes

**Affected Records**:

- All 9 CNAME records pointing to `10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com`

### Step 5: Verify Nginx Configuration

Ensure Nginx on `192.168.11.21:80` has server blocks for all hostnames. Because every tunnel rule forwards to the same listener, Nginx selects the backend purely by the `Host` header that `httpHostHeader` sets; a hostname with no matching `server_name` falls through to the default server, which is what shows up as "routing conflicts". Add a `default_server` block that returns `404` so unmatched names fail visibly instead of landing in another site's block.

```nginx
# Example server block (the upstream address is not given on this page; replace the placeholder)
server {
    listen 80;
    server_name dbis-admin.d-bis.org;

    location / {
        proxy_pass http://dbis_admin_upstream;   # placeholder upstream name
        proxy_set_header Host $host;
        # X-Real-IP here is the cloudflared connector, not the visitor;
        # the visitor's address arrives in CF-Connecting-IP.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $http_cf_connecting_ip;
        proxy_set_header X-Forwarded-Proto https;
        # Required on the rpc-ws-* blocks so the WebSocket upgrade is passed through
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

## Automated Fix Script

Create a script to deploy the fix. The heredoc bodies are expanded locally (inside the outer double quotes), which is how `${TUNNEL_ID}` reaches the remote file; keep any other `$` out of them. The config is validated before the service is (re)started, and `restart` is used so an already-running service picks up the new file.

```bash
#!/bin/bash
# fix-shared-tunnel.sh
set -euo pipefail

PROXMOX_HOST="192.168.11.12"
VMID="102"
TUNNEL_ID="10ab22da-8ea3-4e2e-a896-27ece2211a05"

echo "Fixing shared tunnel configuration..."

# 1. Create config file
ssh root@${PROXMOX_HOST} "pct exec ${VMID} -- bash -c 'cat > /etc/cloudflared/tunnel-services.yml << \"EOF\"
tunnel: ${TUNNEL_ID}
credentials-file: /etc/cloudflared/credentials-services.json
ingress:
  - hostname: dbis-admin.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: dbis-admin.d-bis.org
  - hostname: dbis-api.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: dbis-api.d-bis.org
  - hostname: dbis-api-2.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: dbis-api-2.d-bis.org
  - hostname: mim4u.org.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: mim4u.org.d-bis.org
  - hostname: www.mim4u.org.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: www.mim4u.org.d-bis.org
  - hostname: rpc-http-prv.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: rpc-http-prv.d-bis.org
  - hostname: rpc-http-pub.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: rpc-http-pub.d-bis.org
  - hostname: rpc-ws-prv.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: rpc-ws-prv.d-bis.org
  - hostname: rpc-ws-pub.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: rpc-ws-pub.d-bis.org
  - service: http_status:404
metrics: 127.0.0.1:9090
loglevel: info
gracePeriod: 30s
EOF'"

# 2. Lock down the tunnel credentials and validate the ingress rules before starting anything
ssh root@${PROXMOX_HOST} "pct exec ${VMID} -- chmod 600 /etc/cloudflared/credentials-services.json"
ssh root@${PROXMOX_HOST} "pct exec ${VMID} -- /usr/local/bin/cloudflared tunnel --config /etc/cloudflared/tunnel-services.yml ingress validate"

# 3. Create systemd service
ssh root@${PROXMOX_HOST} "pct exec ${VMID} -- bash -c 'cat > /etc/systemd/system/cloudflared-services.service << \"EOF\"
[Unit]
Description=Cloudflare Tunnel for Services
Wants=network-online.target
After=network-online.target

[Service]
TimeoutStartSec=0
Type=notify
ExecStart=/usr/local/bin/cloudflared --config /etc/cloudflared/tunnel-services.yml tunnel run
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
EOF'"

# 4. Reload systemd and (re)start the service so a running instance reads the new config
ssh root@${PROXMOX_HOST} "pct exec ${VMID} -- systemctl daemon-reload"
ssh root@${PROXMOX_HOST} "pct exec ${VMID} -- systemctl enable cloudflared-services.service"
ssh root@${PROXMOX_HOST} "pct exec ${VMID} -- systemctl restart cloudflared-services.service"

# 5. Check status
ssh root@${PROXMOX_HOST} "pct exec ${VMID} -- systemctl status --no-pager cloudflared-services.service"

echo "Done! Check tunnel status in Cloudflare dashboard."
```

## Testing

After applying the fix:

```bash
# Test each hostname: print only the HTTP status code.
# A 404 here means the request reached the catch-all rule (hostname missing from ingress)
# or Nginx's default server (hostname missing a server block).
# The rpc-ws-* hosts are WebSocket endpoints and may answer a plain GET with 400/426;
# that still proves the tunnel and Nginx routed the request.
for host in dbis-admin dbis-api dbis-api-2 mim4u.org www.mim4u.org rpc-http-prv rpc-http-pub rpc-ws-prv rpc-ws-pub; do
    printf '%-28s ' "${host}.d-bis.org"
    curl -s -o /dev/null -w '%{http_code}\n' --max-time 10 "https://${host}.d-bis.org"
done
```

## Verification Checklist

- [ ] Tunnel configuration file created
- [ ] Credentials file mode `0600`
- [ ] Systemd service created and enabled
- [ ] Tunnel service running
- [ ] All 9 hostnames accessible
- [ ] All 9 CNAME records proxied (TTL Auto) in Cloudflare
- [ ] Nginx routing correctly, with a `default_server` that returns 404
- [ ] No 404 errors for valid hostnames

## Long-term Recommendations

1. **Separate Tunnels**: Consider splitting into separate tunnels, each with its own credentials file, so a leaked credential or a broken config affects one group only:
   - RPC tunnel (4 hostnames)
   - API tunnel (3 hostnames)
   - Web tunnel (2 hostnames)
2. **Access Control**: Put an access policy in front of the `*-prv` hostnames rather than relying on the name.
3. **TTL Standardization**: Use consistent TTL values (300 or 3600) on DNS-only records; proxied records stay on Auto.
4. **Monitoring**: Set up alerts for tunnel health (the connector's `metrics` endpoint on `127.0.0.1:9090` is the local source).
5. **Documentation**: Document all tunnel configurations.

## Summary

**Issue**: 9 hostnames sharing one tunnel without proper ingress rules
**Fix**: Create complete ingress configuration with all hostnames
**Status**: ⚠️ Requires manual configuration
**Priority**: 🔴 HIGH - Services are likely failing
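## Pre-deploy Lint for the Ingress File and Nginx Vhosts

The failure modes this plan describes (a hostname the zone points at the tunnel but no ingress rule covers, a rule placed after the `http_status:404` catch-all where it can never match, and an ingress hostname with no Nginx `server_name` in Step 5) can all be caught before anything is pushed into VMID 102. The script below is an added example, not part of the original runbook; the ingress file and `nginx -T` dump it checks are constructed inline so it runs offline, and the functions take file paths so they can be pointed at `/etc/cloudflared/tunnel-services.yml` and saved `nginx -T` output instead.

```bash
#!/usr/bin/env bash
# Offline lint for the shared tunnel: checks a cloudflared ingress file against the
# hostnames in DNS, and the Nginx server_names against the ingress hostnames.
# Added example (not the runbook's own tooling); sample inputs are constructed below.
set -u

# Hostnames the DNS zone points at the tunnel (the affected-services table above).
DNS_HOSTS="dbis-admin.d-bis.org dbis-api.d-bis.org dbis-api-2.d-bis.org
mim4u.org.d-bis.org www.mim4u.org.d-bis.org rpc-http-prv.d-bis.org
rpc-http-pub.d-bis.org rpc-ws-prv.d-bis.org rpc-ws-pub.d-bis.org"

# Hostnames declared by "- hostname:" rules in a cloudflared config file ($1).
ingress_hosts() {
  sed -n 's/^[[:space:]]*-[[:space:]]*hostname:[[:space:]]*//p' "$1"
}

# Number of hostname rules in the file.
ingress_count() {
  ingress_hosts "$1" | grep -c .
}

# 0 if the final ingress rule is the http_status:404 catch-all, 1 otherwise.
# cloudflared matches rules top to bottom, so any rule after the catch-all is dead.
catchall_last() {
  last=$(grep -E '^[[:space:]]*(- )?service:' "$1" | tail -n 1 | sed 's/.*service:[[:space:]]*//')
  [ "$last" = "http_status:404" ]
}

# DNS hostnames with no ingress rule: requests for them land on the 404 catch-all.
missing_ingress() {
  have=$(ingress_hosts "$1")
  for h in $DNS_HOSTS; do
    printf '%s\n' "$have" | grep -qxF "$h" || echo "$h"
  done
}

# Hostnames listed twice in the ingress: only the first rule ever matches.
duplicate_hosts() {
  ingress_hosts "$1" | sort | uniq -d
}

# Ingress hostnames with no server_name in an "nginx -T" dump ($2). Nginx sends those
# to its default server, which is the cross-site routing confusion described above.
missing_nginx() {
  names=$(sed -n 's/^[[:space:]]*server_name[[:space:]]*\(.*\);.*/\1/p' "$2" | tr ' ' '\n')
  for h in $(ingress_hosts "$1"); do
    printf '%s\n' "$names" | grep -qxF "$h" || echo "$h"
  done
}

# Run every check; returns 0 only when the ingress file and Nginx config agree with DNS.
audit() {
  rc=0
  catchall_last "$1" || { echo "FAIL: http_status:404 catch-all is not the last rule"; rc=1; }
  for h in $(missing_ingress "$1"); do echo "FAIL: no ingress rule for $h"; rc=1; done
  for h in $(duplicate_hosts "$1"); do echo "FAIL: duplicate ingress rule for $h"; rc=1; done
  for h in $(missing_nginx "$1" "$2"); do echo "FAIL: no Nginx server_name for $h"; rc=1; done
  return $rc
}

# --- Constructed sample inputs (stand-ins for tunnel-services.yml and "nginx -T") ---
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp); NGINX_DUMP=$(mktemp)
trap 'rm -f "$GOOD_CFG" "$BAD_CFG" "$NGINX_DUMP"' EXIT

write_rule() {  # append one ingress rule for hostname $1 to file $2
  printf '  - hostname: %s\n    service: http://192.168.11.21:80\n' "$1" >> "$2"
}

# Complete ingress: all 9 hostnames, catch-all last.
printf 'tunnel: 10ab22da-8ea3-4e2e-a896-27ece2211a05\ningress:\n' > "$GOOD_CFG"
for h in $DNS_HOSTS; do write_rule "$h" "$GOOD_CFG"; done
printf '  - service: http_status:404\n' >> "$GOOD_CFG"

# Broken ingress: rpc-ws-pub is missing, and rpc-ws-prv sits after the catch-all.
printf 'tunnel: 10ab22da-8ea3-4e2e-a896-27ece2211a05\ningress:\n' > "$BAD_CFG"
for h in $DNS_HOSTS; do
  case "$h" in rpc-ws-*) ;; *) write_rule "$h" "$BAD_CFG" ;; esac
done
printf '  - service: http_status:404\n' >> "$BAD_CFG"
write_rule rpc-ws-prv.d-bis.org "$BAD_CFG"

# Nginx dump with a default_server and vhosts for every hostname except rpc-ws-pub.
cat > "$NGINX_DUMP" <<'EOF'
# configuration file /etc/nginx/sites-enabled/dbis.conf:
server {
    listen 80 default_server;
    server_name _;
    return 404;
}
server {
    listen 80;
    server_name dbis-admin.d-bis.org dbis-api.d-bis.org dbis-api-2.d-bis.org;
}
server {
    listen 80;
    server_name mim4u.org.d-bis.org www.mim4u.org.d-bis.org;
}
server {
    listen 80;
    server_name rpc-http-prv.d-bis.org rpc-http-pub.d-bis.org rpc-ws-prv.d-bis.org;
}
EOF

echo "== complete ingress (expect one Nginx finding) =="
audit "$GOOD_CFG" "$NGINX_DUMP" || true
echo "== broken ingress (expect catch-all and missing-rule findings) =="
audit "$BAD_CFG" "$NGINX_DUMP" || true
```

Once the file is in place, cloudflared's own checks are the authority: `cloudflared tunnel --config /etc/cloudflared/tunnel-services.yml ingress validate` parses the rules, and `cloudflared tunnel --config /etc/cloudflared/tunnel-services.yml ingress rule https://dbis-admin.d-bis.org` prints which rule a given URL would hit, which is the quickest way to confirm a hostname is not falling into the catch-all.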