# Check All Updates and Cloudflare Tunnels

**Last updated:** 2026-02-15

**Purpose:** Single checklist for config updates (e.g. Dev VM IP) and all Cloudflare tunnels: IDs, origins, hostnames, and verification.

---

## 1. Config updates (applied)

| Item | Before | After | Where |
|------|--------|--------|--------|
| **Dev VM (5700) IP** | 192.168.11.60 | **192.168.11.59** | `config/ip-addresses.conf` (`IP_DEV_VM`), all docs, NPMplus Fourth proxy targets |
| **NPMplus Fourth proxy** | gitea/dev/codespaces → .60:3000 | → **192.168.11.59:3000** | Run `update-npmplus-fourth-proxy-hosts.sh` so NPM reads `IP_DEV_VM` from config |
| **UDM Pro port forward** | 22 → .60 (optional) | 22 → **192.168.11.59** | [UDM_PRO_DEV_CODESPACES_PORT_FORWARD.md](../04-configuration/UDM_PRO_DEV_CODESPACES_PORT_FORWARD.md) |

**Verify:** CT 5700 on Proxmox has `ip=192.168.11.59/24`; NPMplus Fourth proxy hosts for gitea.d-bis.org, dev.d-bis.org, codespaces.d-bis.org point to 192.168.11.59:3000.

---

## 2. Cloudflare tunnels — inventory

| Tunnel | .env variable | Origin (ingress target) | Hostnames | Connector / notes |
|--------|----------------|--------------------------|-----------|-------------------|
| **RPC (Option B)** | `CLOUDFLARE_TUNNEL_ID` | `https://192.168.11.167:443` (NPMplus #1) | rpc-http-pub, rpc, rpc2, rpc-http-prv, rpc.public-0138.defi-oracle.io, rpc.defi-oracle.io | VMID 102 (cloudflared); runbook [OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md](OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md) |
| **Dev/Codespaces** | `CLOUDFLARE_TUNNEL_ID_DEV_CODESPACES` | `https://192.168.11.170:443` (NPMplus #4) | dev.d-bis.org, gitea.d-bis.org, codespaces.d-bis.org, pve.ml110, pve.r630-01, pve.r630-02 | LXC 10236 (NPMplus Fourth); script `configure-dev-codespaces-tunnel-and-dns.sh` |
| **Alltra/HYBX** | `CLOUDFLARE_TUNNEL_ID_ALLTRA_HYBX` or `CLOUDFLARE_TUNNEL_ID_SFVALLEY02` | `https://192.168.11.169:443` (NPMplus #3) | rpc-alltra*, rpc-hybx*, cacti-*, firefly-*, fabric-*, indy-*, rpc-core-2 | NPMplus 10235; script `configure-alltra-hybx-tunnel-and-dns.sh` |
| **Mifos (r630-02)** | `CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02` | NPMplus 10237 or VMID 5800 | mifos.d-bis.org | VMID 5800 / NPMplus 10237; script `configure-mifos-dns.sh` (MIFOS_DNS_MODE=tunnel) |
| **DApp (5801)** | `CLOUDFLARE_TUNNEL_ID` (same as RPC) | `https://192.168.11.167:443` (NPMplus #1) | dapp.d-bis.org | Add hostname to RPC tunnel; NPMplus 10233 proxies to 192.168.11.58:80 (VMID 5801); see [DAPP_LXC_DEPLOYMENT.md](../03-deployment/DAPP_LXC_DEPLOYMENT.md) § Full E2E |

**.env (from .env.example / repo):**

- `CLOUDFLARE_TUNNEL_ID=ad9eb7c4-f522-480e-b640-bfc137518c94` — RPC (Option B)
- `CLOUDFLARE_TUNNEL_ID_DEV_CODESPACES=16062e5d-3393-448f-b639-4308b753b51e` — Dev/Codespaces
- `CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02=8b0cee6f-9ab4-4d10-a870-9c3edd9bed42` — Mifos
- Alltra/HYBX: `CLOUDFLARE_TUNNEL_ID_ALLTRA_HYBX` or `892bd3fe-c6fa-4ddf-8b60-a8ed2b849c3d` (example)

---

## 3. FQDN → NPMplus Fourth (192.168.11.170:443)

The dev/Codespaces FQDN (gitea.d-bis.org, dev.d-bis.org, codespaces.d-bis.org) is correctly routed to **https://192.168.11.170:443** (NPMplus Fourth). The 502 “Host Error” means the failure is **after** Cloudflare: either NPMplus Fourth cannot reach the backend, or the backend (Dev VM Gitea) is down.

- **NPMplus Fourth** must proxy `gitea.d-bis.org` → **192.168.11.59:3000** (not .60). Run: `NPM_PASSWORD=xxx bash scripts/nginx-proxy-manager/update-npmplus-fourth-proxy-hosts.sh`
- **Backend:** CT 5700 must be running at 192.168.11.59 and Gitea listening on port 3000. From Proxmox host: `pct status 5700; pct exec 5700 -- systemctl is-active gitea; curl -s -o /dev/null -w '%{http_code}' http://192.168.11.59:3000/`

## 4. Tunnel ingress (no IP in URL)

- **RPC tunnel:** All 6 RPC hostnames → **URL** `https://192.168.11.167:443` (No TLS Verify). No change for Dev VM IP.
- **Dev/Codespaces tunnel:** All 6 hostnames → **URL** `https://192.168.11.170:443` (No TLS Verify). Ingress points to NPMplus Fourth; NPMplus then forwards gitea/dev/codespaces to **192.168.11.59:3000** (so only NPMplus proxy config needed the .59 update).
- **Alltra/HYBX:** → `https://192.168.11.169:443`.
- **Mifos:** → NPMplus 10237 or 5800 per your config.
- **DApp:** Add dapp.d-bis.org → `https://192.168.11.167:443` to RPC tunnel; NPMplus 10233 → 192.168.11.58:80.

---

## 5. DNS (Cloudflare)

- **RPC (Option B):** 6 hostnames = **CNAME** to `.cfargotunnel.com` (Proxied). Script: `set-rpc-dns-to-tunnel.sh`.
- **Dev/Codespaces:** dev, gitea, codespaces, pve.ml110, pve.r630-01, pve.r630-02 = **CNAME** to `.cfargotunnel.com`. Script: `configure-dev-codespaces-tunnel-and-dns.sh`.
- **Alltra/HYBX:** Script: `configure-alltra-hybx-tunnel-and-dns.sh`.
- **Mifos:** `MIFOS_DNS_MODE=tunnel` + `configure-mifos-dns.sh` → mifos.d-bis.org CNAME to tunnel.
- **DApp:** CNAME dapp.d-bis.org → `.cfargotunnel.com` (Proxied); same tunnel as RPC.

---

## 6. Verification commands

| Check | Command |
|-------|--------|
| **E2E (all domains incl. Gitea)** | `bash scripts/verify/verify-end-to-end-routing.sh --profile=public` |
| **RPC tunnel ingress (from host with VMID 102)** | `bash scripts/verify/verify-cloudflare-tunnel-ingress.sh [--host 192.168.11.11]` |
| **Dev/Codespaces tunnel + DNS** | `bash scripts/cloudflare/configure-dev-codespaces-tunnel-and-dns.sh` (updates ingress + CNAMEs) |
| **NPMplus Fourth proxy (gitea → .59:3000)** | `NPM_PASSWORD=xxx bash scripts/nginx-proxy-manager/update-npmplus-fourth-proxy-hosts.sh` |
| **Proxmox + Dev VM fix** | `bash scripts/maintenance/resolve-and-fix-all-via-proxmox-ssh.sh` |
| **All maintenance via Proxmox SSH** | `bash scripts/maintenance/run-all-maintenance-via-proxmox-ssh.sh` [--no-npm] [--e2e] |

---

## 7. Quick checklist

- [ ] `config/ip-addresses.conf`: `IP_DEV_VM="192.168.11.59"`
- [ ] Proxmox CT 5700: running at 192.168.11.59 (reconfigure + start if needed; see [DEV_VM_IP_CHANGE_59.md](../04-configuration/DEV_VM_IP_CHANGE_59.md))
- [ ] NPMplus Fourth: proxy hosts dev/gitea/codespaces → 192.168.11.59:3000 (run update script or set in UI)
- [ ] UDM Pro: optional 76.53.10.40:22 → 192.168.11.59 (if you use SSH to dev VM from WAN)
- [ ] Dev/Codespaces tunnel: ingress = https://192.168.11.170:443; DNS CNAMEs for dev, gitea, codespaces, pve.* (run `configure-dev-codespaces-tunnel-and-dns.sh` if needed)
- [ ] RPC tunnel: ingress = https://192.168.11.167:443 for 6 RPC hostnames; cloudflared (e.g. VMID 102) running
- [ ] Alltra/HYBX tunnel: ingress = https://192.168.11.169:443; connector running
- [ ] Run E2E and fix any 502s (RPC backends, DBIS, or NPMplus → backend). **One command for all RPC/502:** `./scripts/maintenance/run-all-maintenance-via-proxmox-ssh.sh --e2e` (writable → 2101 → Besu install → 502s → E2E). If issues remain, see **§9 Remaining fixes**.

---

## 8. Manual NPM Fourth proxy (if API update fails)

If `update-npmplus-fourth-proxy-hosts.sh` reports "could not update … via API" for some or all hosts, set Forward host/port in the NPM UI:

| Proxy host | Forward host | Port | WebSocket |
|------------|--------------|------|-----------|
| dev.d-bis.org | 192.168.11.59 | 3000 | off |
| gitea.d-bis.org | 192.168.11.59 | 3000 | off |
| codespaces.d-bis.org | 192.168.11.59 | 3000 | off |
| pve.ml110.d-bis.org | 192.168.11.10 | 8006 | on |
| pve.r630-01.d-bis.org | 192.168.11.11 | 8006 | on |
| pve.r630-02.d-bis.org | 192.168.11.12 | 8006 | on |

- **UI:** https://192.168.11.170:81 (or https://76.53.10.40:81 via UDM port forward). Hosts → Proxy Hosts → Edit each domain → set **Forward Hostname / IP** and **Forward Port** (and WebSocket for pve.*).
- **Debug script:** run with `DEBUG_NPM_FOURTH=1` to print GET/PUT responses, e.g. `DEBUG_NPM_FOURTH=1 NPM_PASSWORD=... bash scripts/nginx-proxy-manager/update-npmplus-fourth-proxy-hosts.sh`.

---

## 9. Remaining fixes (502s, RPC)

After tunnel/NPM/Dev VM are correct, fix any remaining 502s from RPC or other backends:

| Issue | Fix (run from project root on LAN) | Doc |
|-------|-------------------------------------|-----|
| **All-in-one (recommended)** | `./scripts/maintenance/run-all-maintenance-via-proxmox-ssh.sh --e2e` — writable → 2101 → Besu install → 502s → E2E | [502_DEEP_DIVE](../00-meta/502_DEEP_DIVE_ROOT_CAUSES_AND_FIXES.md), [MAINTENANCE_SCRIPTS_REVIEW](../00-meta/MAINTENANCE_SCRIPTS_REVIEW.md) |
| **RPC CTs read-only** | `./scripts/maintenance/make-rpc-vmids-writable-via-ssh.sh` first (2101, 2500–2505 on r630-01) | [502_DEEP_DIVE §Read-only CT](../00-meta/502_DEEP_DIVE_ROOT_CAUSES_AND_FIXES.md) |
| **2101** (rpc-http-prv) — JNA / Besu not starting | `./scripts/maintenance/fix-rpc-2101-jna-reinstall.sh` (CT must be writable; run make-rpc-vmids-writable first if needed) | [502_DEEP_DIVE_ROOT_CAUSES_AND_FIXES.md](../00-meta/502_DEEP_DIVE_ROOT_CAUSES_AND_FIXES.md), [RPC_NODES_BLOCK_PRODUCTION_FIX.md](../09-troubleshooting/RPC_NODES_BLOCK_PRODUCTION_FIX.md) |
| **2500–2505** (rpc-alltra*, rpc-hybx*) — Besu binary missing | `./scripts/besu/install-besu-permanent-on-missing-nodes.sh` (use `--dry-run` to preview; CTs must be writable) | Same + [BESU_NODES_TWEAKS_AND_FOLLOWUPS.md](../06-besu/BESU_NODES_TWEAKS_AND_FOLLOWUPS.md) |
| **All 502 backends** (DBIS, Cacti, RPC) | `./scripts/maintenance/fix-all-502s-comprehensive.sh` | [502_DEEP_DIVE](../00-meta/502_DEEP_DIVE_ROOT_CAUSES_AND_FIXES.md) |

---

## 10. Related docs

- [CLOUDFLARE_ROUTING_MASTER.md](CLOUDFLARE_ROUTING_MASTER.md) — Edge routing, Option B RPC tunnel
- [OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md](OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md) — RPC tunnel steps
- [DEV_CODESPACES_76_53_10_40.md](../04-configuration/DEV_CODESPACES_76_53_10_40.md) — Fourth NPMplus, Dev VM, tunnel
- [DEV_VM_IP_CHANGE_59.md](../04-configuration/DEV_VM_IP_CHANGE_59.md) — Dev VM IP change and Proxmox steps
- [NETWORK_CONFIGURATION_MASTER.md](../11-references/NETWORK_CONFIGURATION_MASTER.md) — IPs and NPMplus instances
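
The 502 case in §3 (config already on .59 while an NPMplus Fourth proxy host still forwards to .60) can be caught by comparing the forward targets against the §8 table. The following is an added example, not one of the repo's scripts; the function names, the three-column listing format and the sample data are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not a script from the repo. The listing format is hypothetical:
# one "<domain> <forward_host> <forward_port>" line per NPMplus proxy host.
# Read IP_DEV_VM from a KEY="value" conf file without sourcing it.
read_dev_vm_ip() {
  sed -n 's/^IP_DEV_VM="\{0,1\}\([0-9.]*\)"\{0,1\}.*$/\1/p' "$1" | head -n 1
}

# check_forward_targets CONF LISTING: one line per problem, status = problem count.
check_forward_targets() {
  local conf="$1" listing="$2" dev_ip
  dev_ip="$(read_dev_vm_ip "$conf")"
  [ -n "$dev_ip" ] || { echo "IP_DEV_VM not found in $conf" >&2; return 255; }
  awk -v dev="$dev_ip" '
    BEGIN {  # expected targets, from the section 8 table
      want["dev.d-bis.org"]         = dev ":3000"
      want["gitea.d-bis.org"]       = dev ":3000"
      want["codespaces.d-bis.org"]  = dev ":3000"
      want["pve.ml110.d-bis.org"]   = "192.168.11.10:8006"
      want["pve.r630-01.d-bis.org"] = "192.168.11.11:8006"
      want["pve.r630-02.d-bis.org"] = "192.168.11.12:8006"
    }
    NF < 3 || $1 ~ /^#/ { next }   # skip blank, short and comment lines
    !($1 in want)       { next }   # hosts outside the table are ignored
    { seen[$1] = 1; got = $2 ":" $3 }
    got != want[$1] { printf "DRIFT %s: %s (expected %s)\n", $1, got, want[$1]; bad++ }
    END {
      for (d in want) if (!(d in seen)) {
        printf "MISSING %s (expected %s)\n", d, want[d]; bad++
      }
      exit bad + 0
    }' "$listing"
}

# Constructed sample: conf already on .59, gitea still on .60, one pve host absent.
demo() {
  local tmp rc=0
  tmp="$(mktemp -d)"
  printf 'IP_DEV_VM="192.168.11.59"\n' > "$tmp/ip-addresses.conf"
  printf '%s\n' 'dev.d-bis.org 192.168.11.59 3000' \
    'gitea.d-bis.org 192.168.11.60 3000' 'codespaces.d-bis.org 192.168.11.59 3000' \
    'pve.ml110.d-bis.org 192.168.11.10 8006' \
    'pve.r630-01.d-bis.org 192.168.11.11 8006' > "$tmp/proxy-hosts.txt"
  check_forward_targets "$tmp/ip-addresses.conf" "$tmp/proxy-hosts.txt" || rc=$?
  rm -rf "$tmp"
  return "$rc"
}
demo || echo "problems found: $?"
```

A non-zero status means at least one proxy host disagrees with the table; hosts not listed in §8 are ignored rather than flagged.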