# Nginx Configuration for RPC-01 (VMID 2500)

**Last Updated:** 2026-01-31
**Document Version:** 1.0
**Status:** Active Documentation

**Container:** besu-rpc-1 (Core RPC Node)
**VMID:** 2500
**IP:** 192.168.11.250

---

## ✅ Installation Complete

Nginx has been installed and configured as a reverse proxy for Besu RPC endpoints.

---

## 📋 Configuration Summary

### Ports Configured

| Port | Protocol | Purpose | Backend |
|------|----------|---------|---------|
| 80 | HTTP | HTTP to HTTPS redirect | N/A |
| 443 | HTTPS | HTTP RPC API | localhost:8545 |
| 8443 | HTTPS | WebSocket RPC API | localhost:8546 |

### Server Names

- `besu-rpc-1`
- `192.168.11.250`
- `rpc-core.besu.local`
- `rpc-core.chainid138.local`
- `rpc-core-ws.besu.local` (WebSocket only)
- `rpc-core-ws.chainid138.local` (WebSocket only)

---

## 🔧 Configuration Details

### HTTP RPC (Port 443)

**Location**: `/etc/nginx/sites-available/rpc-core`

**Features**:
- SSL/TLS encryption (TLS 1.2 and 1.3)
- Proxies to Besu HTTP RPC on port 8545
- Extended timeouts (300s) for RPC calls
- Disabled buffering for real-time responses
- CORS headers for web application access
- Security headers (HSTS, X-Frame-Options, etc.)
- Health check endpoint at `/health`
- Metrics endpoint at `/metrics` (proxies to port 9545)

### WebSocket RPC (Port 8443)

**Features**:
- SSL/TLS encryption
- Proxies to Besu WebSocket RPC on port 8546
- WebSocket upgrade headers
- Extended timeouts (86400s) for persistent connections
- Health check endpoint at `/health`

### SSL Certificate

**Location**: `/etc/nginx/ssl/`

- Certificate: `/etc/nginx/ssl/rpc.crt`
- Private Key: `/etc/nginx/ssl/rpc.key`
- Type: Self-signed (valid for 10 years)
- CN: `besu-rpc-1`

**Note**: Replace with Let's Encrypt certificate for production use.
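
The HTTP RPC features listed above, written out as an Nginx site file. This is an added sketch, not the deployed `/etc/nginx/sites-available/rpc-core`; it uses an origin allow-list in place of the wildcard CORS origin listed under Security Features. The origin `https://dapp.example.org`, the `$cors_origin` variable, the `SSL` cache zone name and the use of `127.0.0.1` for the localhost backends are assumptions.

```nginx
# Added sketch, not the deployed /etc/nginx/sites-available/rpc-core.
# map lives in the http context, which is where site files are included.
# Unlisted origins map to "", and nginx omits an add_header whose value is empty.
map $http_origin $cors_origin {
    default                    "";
    "https://dapp.example.org" $http_origin;  # hypothetical allowed origin
}

server {
    listen 80;
    server_name besu-rpc-1 192.168.11.250 rpc-core.besu.local rpc-core.chainid138.local;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name besu-rpc-1 192.168.11.250 rpc-core.besu.local rpc-core.chainid138.local;

    ssl_certificate     /etc/nginx/ssl/rpc.crt;
    ssl_certificate_key /etc/nginx/ssl/rpc.key;
    ssl_protocols       TLSv1.2 TLSv1.3;   # cipher list not given on the page; nginx default applies
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    client_max_body_size 10M;
    access_log /var/log/nginx/rpc-core-http-access.log;
    error_log  /var/log/nginx/rpc-core-http-error.log;

    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Access-Control-Allow-Origin $cors_origin always;
    add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
    add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
    add_header Vary "Origin" always;

    location = /health  { default_type text/plain; return 200 "healthy\n"; }
    location = /metrics { proxy_pass http://127.0.0.1:9545; }

    location / {
        if ($request_method = OPTIONS) { return 204; }  # CORS preflight
        proxy_pass            http://127.0.0.1:8545;
        proxy_http_version    1.1;
        proxy_buffering       off;
        proxy_connect_timeout 300s;
        proxy_send_timeout    300s;
        proxy_read_timeout    300s;
    }
}
```

Validate any change of this kind with `nginx -t` before reloading.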

---

## 🧪 Testing

### Test Health Endpoint

```bash
# From container
pct exec 2500 -- curl -k https://localhost:443/health

# From external
curl -k https://192.168.11.250:443/health
```

**Expected**: `healthy`

### Test HTTP RPC

```bash
# From container
pct exec 2500 -- curl -k -X POST https://localhost:443 \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# From external
curl -k -X POST https://192.168.11.250:443 \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
```

**Expected**: JSON response with current block number

### Test WebSocket RPC

```bash
# Using wscat (if installed)
wscat -c wss://192.168.11.250:8443

# Or using websocat
websocat wss://192.168.11.250:8443
```

### Test Metrics Endpoint

```bash
curl -k https://192.168.11.250:443/metrics
```

---

## 📊 Log Files

**Access Logs**:
- HTTP RPC: `/var/log/nginx/rpc-core-http-access.log`
- WebSocket RPC: `/var/log/nginx/rpc-core-ws-access.log`

**Error Logs**:
- HTTP RPC: `/var/log/nginx/rpc-core-http-error.log`
- WebSocket RPC: `/var/log/nginx/rpc-core-ws-error.log`

**View Logs**:

```bash
# HTTP access
pct exec 2500 -- tail -f /var/log/nginx/rpc-core-http-access.log

# HTTP errors
pct exec 2500 -- tail -f /var/log/nginx/rpc-core-http-error.log

# WebSocket access
pct exec 2500 -- tail -f /var/log/nginx/rpc-core-ws-access.log
```

---

## 🔒 Security Features

### SSL/TLS Configuration

- **Protocols**: TLSv1.2, TLSv1.3
- **Ciphers**: Strong ciphers only (ECDHE, DHE)
- **Session Cache**: Enabled (10m)
- **Session Timeout**: 10 minutes

### Security Headers

- **Strict-Transport-Security**: 1 year HSTS
- **X-Frame-Options**: SAMEORIGIN
- **X-Content-Type-Options**: nosniff
- **X-XSS-Protection**: 1; mode=block

### CORS Configuration

- **Access-Control-Allow-Origin**: * (allows all origins)
- **Access-Control-Allow-Methods**: GET, POST, OPTIONS
- **Access-Control-Allow-Headers**: Content-Type, Authorization

**Note**: Adjust CORS settings based on your security requirements. With `*`, a script on any web page can call this RPC endpoint from a visitor's browser and read the response, so restrict the allowed origin to the applications that need access.

---

## 🔧 Management Commands

### Check Nginx Status

```bash
pct exec 2500 -- systemctl status nginx
```

### Test Configuration

```bash
pct exec 2500 -- nginx -t
```

### Reload Configuration

```bash
pct exec 2500 -- systemctl reload nginx
```

### Restart Nginx

```bash
pct exec 2500 -- systemctl restart nginx
```

### View Configuration

```bash
pct exec 2500 -- cat /etc/nginx/sites-available/rpc-core
```

---

## 🔄 Updating Configuration

### Edit Configuration

```bash
pct exec 2500 -- nano /etc/nginx/sites-available/rpc-core
```

### After Editing

```bash
# Test configuration
pct exec 2500 -- nginx -t

# If test passes, reload
pct exec 2500 -- systemctl reload nginx
```

---

## 🔐 SSL Certificate Management

### Current Certificate

**Type**: Self-signed
**Valid For**: 10 years
**Location**: `/etc/nginx/ssl/`

### Replace with Let's Encrypt

1. **Install Certbot**:

   ```bash
   pct exec 2500 -- apt-get install -y certbot python3-certbot-nginx
   ```

2. **Obtain Certificate**:

   ```bash
   pct exec 2500 -- certbot --nginx -d rpc-core.besu.local -d rpc-core.chainid138.local
   ```

3. **Auto-renewal** (certbot sets this up automatically):

   ```bash
   pct exec 2500 -- certbot renew --dry-run
   ```

**Note**: Let's Encrypt issues certificates only for publicly resolvable domain names. The `.local` names above cannot be validated, so use a public DNS name for this step or issue the certificate from an internal CA.

---

## 🌐 Integration with nginx-proxy-manager

If using nginx-proxy-manager (VMID 105) as a central proxy:

**Configuration**:
- **Domain**: `rpc-core.besu.local` or `rpc-core.chainid138.local`
- **Forward to**: `192.168.11.250:443` (HTTPS)
- **SSL**: Handle at nginx-proxy-manager level (or pass through)
- **Websockets**: Enabled

**Note**: You can also forward to port 8545 directly and let nginx-proxy-manager handle SSL.

---

## 📈 Performance Tuning

### Current Settings

- **Proxy Timeouts**: 300s (5 minutes)
- **WebSocket Timeouts**: 86400s (24 hours)
- **Client Max Body Size**: 10M
- **Buffering**: Disabled (for real-time RPC)

### Adjust if Needed

Edit `/etc/nginx/sites-available/rpc-core` and adjust:
- `proxy_read_timeout`
- `proxy_send_timeout`
- `proxy_connect_timeout`
- `client_max_body_size`

---

## 🐛 Troubleshooting

### Nginx Not Starting

```bash
# Check configuration syntax
pct exec 2500 -- nginx -t

# Check error logs
pct exec 2500 -- journalctl -u nginx -n 50

# Check for port conflicts
pct exec 2500 -- ss -tlnp | grep -E ':80|:443|:8443'
```

### RPC Not Responding

```bash
# Check if Besu RPC is running
pct exec 2500 -- ss -tlnp | grep 8545

# Test direct connection
pct exec 2500 -- curl -X POST http://localhost:8545 \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Check Nginx error logs
pct exec 2500 -- tail -50 /var/log/nginx/rpc-core-http-error.log
```

### SSL Certificate Issues

```bash
# Check certificate
pct exec 2500 -- openssl x509 -in /etc/nginx/ssl/rpc.crt -text -noout

# Verify certificate matches key
pct exec 2500 -- openssl x509 -noout -modulus -in /etc/nginx/ssl/rpc.crt | openssl md5
pct exec 2500 -- openssl rsa -noout -modulus -in /etc/nginx/ssl/rpc.key | openssl md5
```

---

## ✅ Verification Checklist

- [x] Nginx installed
- [x] SSL certificate generated
- [x] Configuration file created
- [x] Site enabled
- [x] Nginx service active
- [x] Port 80 listening (HTTP redirect)
- [x] Port 443 listening (HTTPS RPC)
- [x] Port 8443 listening (HTTPS WebSocket)
- [x] Configuration test passed
- [x] RPC endpoint responding through Nginx
- [x] Health check endpoint working

---

## 📚 Related Documentation

- [Nginx Architecture for RPC Nodes](../05-network/NGINX_ARCHITECTURE_RPC.md)
- [RPC Node Types Architecture](../05-network/RPC_NODE_TYPES_ARCHITECTURE.md)
- [Cloudflare Nginx Integration](../05-network/CLOUDFLARE_NGINX_INTEGRATION.md)

---

**Configuration Date**: $(date)
**Status**: ✅ **OPERATIONAL**