4f383490a3
- SANKOFA_CUTOVER_PLAN: live backends table, fix TBDs, historical step labels - SANKOFA_THE_ORDER_CHECKLIST: replace with done + bypass + pointers - DNS comprehensive + streamlined tables: the-order row and sankofa zone live - E2E Cloudflare runbook: the-order backend column Made-with: Cursor
16 KiB
16 KiB
DNS → NPMplus → VM Streamlined Architecture Table
Last Updated: 2026-03-27
Document Version: 1.1
Status: Active Documentation
Date: 2026-01-20
Status: Complete Streamlined Architecture Reference
Purpose: Cohesive DNS, SSL, and traffic routing table for all services
Current topology: ER605 was replaced by the UDM Pro (76.53.10.34). Proxmox hosts: 192.168.11.10 (ml110), 192.168.11.11 (r630-01), 192.168.11.12 (r630-02). NPMplus LXC (VMID 10233) has 192.168.11.166 (eth0) and 192.168.11.167 (eth1); only 192.168.11.167 is used in UDM Pro port forwarding: 76.53.10.36:80 → 192.168.11.167:80, 76.53.10.36:443 → 192.168.11.167:443.
Architecture Flow
Internet
↓
Cloudflare DNS (All domains → 76.53.10.36)
↓
UDM Pro Port Forwarding (76.53.10.36:80/443 → 192.168.11.167:80/443)
↓
NPMplus (VMID 10233: 192.168.11.167) - SSL Termination & Routing
↓
Backend VMs (Various IPs) - Services with/without Nginx
Complete Service Mapping (Streamlined)
d-bis.org Zone (9 Domains)
| Domain | SSL Cert | NPMplus Proxy | Backend VM | IP | Port | Has Nginx | Service Type |
|---|---|---|---|---|---|---|---|
explorer.d-bis.org |
49 | 8 | 5000 (blockscout-1) | 192.168.11.140 | 4000 | ✅ Yes | Blockscout Explorer |
rpc-http-pub.d-bis.org |
53 | 10 | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8545 | ❌ No | Besu RPC HTTP |
rpc-ws-pub.d-bis.org |
55 | 11 | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8546 | ❌ No | Besu RPC WebSocket |
rpc.d-bis.org |
Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8545 | ❌ No | Primary RPC HTTP (same as rpc-http-pub) |
rpc2.d-bis.org |
Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8545 | ❌ No | Secondary RPC HTTP (same as rpc-http-pub) |
ws.rpc.d-bis.org |
Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8546 | ❌ No | Primary RPC WebSocket (same as rpc-ws-pub) |
ws.rpc2.d-bis.org |
Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8546 | ❌ No | Secondary RPC WebSocket (same as rpc-ws-pub) |
rpc-http-prv.d-bis.org |
52 | 12 | 2101 (besu-rpc-core-1) | 192.168.11.211 | 8545 | ❌ No | Besu RPC HTTP (Private) |
rpc-ws-prv.d-bis.org |
54 | 13 | 2101 (besu-rpc-core-1) | 192.168.11.211 | 8546 | ❌ No | Besu RPC WebSocket (Private) |
dbis-admin.d-bis.org |
46 | 14 | 10130 (dbis-frontend) | 192.168.11.130 | 80 | ✅ Yes | DBIS Admin Frontend |
dbis-api.d-bis.org |
48 | 15 | 10150 (dbis-api-primary) | 192.168.11.155 | 3000 | ❌ No | DBIS API Primary |
dbis-api-2.d-bis.org |
47 | 16 | 10151 (dbis-api-secondary) | 192.168.11.156 | 3000 | ❌ No | DBIS API Secondary |
secure.d-bis.org |
58 | 17 | 10130 (dbis-frontend) | 192.168.11.130 | 80 | ✅ Yes | DBIS Secure Portal |
mim4u.org Zone (4 Domains)
| Domain | SSL Cert | NPMplus Proxy | Backend VM | IP | Port | Has Nginx | Service Type |
|---|---|---|---|---|---|---|---|
mim4u.org |
50 | 17 | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Main Site |
www.mim4u.org |
50 | 17 (same) | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Main Site |
secure.mim4u.org |
59 | 19 | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Secure Portal |
training.mim4u.org |
61 | 20 | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Training Portal |
sankofa.nexus zone (live backends)
| Domain | SSL Cert (ex.) | NPMplus Proxy (ex.) | Backend VM | IP | Port | Has Nginx | Service type | Status |
|---|---|---|---|---|---|---|---|---|
sankofa.nexus |
57 | 21 | 7801 | 192.168.11.51 | 3000 | ❌ No | Sankofa portal | ✅ Live |
www.sankofa.nexus |
64 | 22 | 7801 | 192.168.11.51 | 3000 | ❌ No | Sankofa portal (301 apex) | ✅ Live |
phoenix.sankofa.nexus |
51 | 23 | 7800 | 192.168.11.50 | 4000 | ❌ No | Phoenix API | ✅ Live |
www.phoenix.sankofa.nexus |
63 | 24 | 7800 | 192.168.11.50 | 4000 | ❌ No | Phoenix API (301 apex) | ✅ Live |
the-order.sankofa.nexus |
60 | 25 | 10210 | 192.168.11.39 | 80 | ❌ No | Order via HAProxy→portal | ✅ Live |
Note: SSL cert and NPM proxy IDs differ per installation—verify in NPM UI. IPs/ports are authoritative vs Blockscout (.140 is only for explorer.d-bis.org). See ALL_VMIDS_ENDPOINTS.md.
defi-oracle.io Zone (3 Domains)
| Domain | SSL Cert | NPMplus Proxy | Backend VM | IP | Port | Has Nginx | Service Type |
|---|---|---|---|---|---|---|---|
rpc.public-0138.defi-oracle.io |
56 | 26 | 2400 (thirdweb-rpc-1) | 192.168.11.240 | 443 | ✅ Yes | ThirdWeb RPC (HTTPS) |
rpc.defi-oracle.io |
Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8545 | ✅ Yes | Defi Oracle HTTP RPC (same as rpc-http-pub) |
wss.defi-oracle.io |
Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8546 | ✅ Yes | Defi Oracle WebSocket RPC (same as rpc-ws-pub) |
DNS Configuration Summary
Cloudflare DNS Records
| Zone | Records | Type | Target | Proxy Status | SSL Termination |
|---|---|---|---|---|---|
| d-bis.org | 13 | A | 76.53.10.36 | DNS Only (Gray) | NPMplus (Let's Encrypt) |
| mim4u.org | 4 | A | 76.53.10.36 | DNS Only (Gray) | NPMplus (Let's Encrypt) |
| sankofa.nexus | 5 | A | 76.53.10.36 | DNS Only (Gray) | NPMplus (Let's Encrypt) |
| defi-oracle.io | 3 | A | 76.53.10.36 | DNS Only (Gray) | NPMplus (Let's Encrypt) |
| TOTAL | 25 | A | 76.53.10.36 | DNS Only | NPMplus |
Note: All DNS records use "DNS Only" mode (gray cloud) to bypass Cloudflare proxy. SSL termination is handled by NPMplus using Let's Encrypt certificates (auto-renewing until 2026-04-16).
Port Forwarding Configuration
UDM Pro Port Forwarding Rules
| Public IP:Port | Internal IP:Port | Protocol | Service | Status |
|---|---|---|---|---|
| 76.53.10.36:443 | 192.168.11.167:443 | TCP | NPMplus HTTPS | ✅ Active |
| 76.53.10.36:80 | 192.168.11.167:80 | TCP | NPMplus HTTP | ✅ Active |
Router: UDM Pro
Forwarding Type: Port forwarding configured in UDM Pro firewall rules
NPMplus Configuration
NPMplus Container Details
| Property | Value |
|---|---|
| VMID | 10233 |
| Host | r630-01 (192.168.11.11) |
| Internal IP (eth0) | 192.168.11.166 |
| Internal IP (eth1) | 192.168.11.167 |
| NPMplus (canonical) | 192.168.11.167 |
| Management UI | https://192.168.11.167:81 |
| Public IP | 76.53.10.36 |
| Public Ports | 80 (HTTP), 443 (HTTPS) |
| Status | ✅ Running |
SSL Certificates (19 Active)
| Cert ID | Domain(s) | Provider | Expires | Auto-Renewal |
|---|---|---|---|---|
| 46 | dbis-admin.d-bis.org |
Let's Encrypt | 2026-04-16 | ✅ |
| 47 | dbis-api-2.d-bis.org |
Let's Encrypt | 2026-04-16 | ✅ |
| 48 | dbis-api.d-bis.org |
Let's Encrypt | 2026-04-16 | ✅ |
| 49 | explorer.d-bis.org |
Let's Encrypt | 2026-04-16 | ✅ |
| 50 | mim4u.org, www.mim4u.org |
Let's Encrypt | 2026-04-16 | ✅ |
| 51 | phoenix.sankofa.nexus |
Let's Encrypt | 2026-04-16 | ✅ |
| 52 | rpc-http-prv.d-bis.org |
Let's Encrypt | 2026-04-16 | ✅ |
| 53 | rpc-http-pub.d-bis.org |
Let's Encrypt | 2026-04-16 | ✅ |
| 54 | rpc-ws-prv.d-bis.org |
Let's Encrypt | 2026-04-16 | ✅ |
| 55 | rpc-ws-pub.d-bis.org |
Let's Encrypt | 2026-04-16 | ✅ |
| 56 | rpc.public-0138.defi-oracle.io |
Let's Encrypt | 2026-04-16 | ✅ |
| 57 | sankofa.nexus |
Let's Encrypt | 2026-04-16 | ✅ |
| 58 | secure.d-bis.org |
Let's Encrypt | 2026-04-16 | ✅ |
| 59 | secure.mim4u.org |
Let's Encrypt | 2026-04-16 | ✅ |
| 60 | the-order.sankofa.nexus |
Let's Encrypt | 2026-04-16 | ✅ |
| 61 | training.mim4u.org |
Let's Encrypt | 2026-04-16 | ✅ |
| 62 | www.mim4u.org |
Let's Encrypt | 2026-04-16 | ✅ |
| 63 | www.phoenix.sankofa.nexus |
Let's Encrypt | 2026-04-16 | ✅ |
| 64 | www.sankofa.nexus |
Let's Encrypt | 2026-04-16 | ✅ |
Total: 19 SSL certificates, all valid until 2026-04-16 with auto-renewal enabled.
Backend VM Configuration
VMs with Nginx Web Server (4 VMs)
| VMID | IP | Hostname | Host | Status | Nginx Config | Purpose | Domains |
|---|---|---|---|---|---|---|---|
| 5000 | 192.168.11.140 | blockscout-1 | r630-02 | ✅ Running | /etc/nginx/sites-available/blockscout |
Blockscout Explorer | explorer.d-bis.org |
| 7810 | 192.168.11.37 | mim-web-1 | r630-02 | ✅ Running | /etc/nginx/sites-available/mim4u |
MIM4U Web App | mim4u.org, www.mim4u.org, secure.mim4u.org, training.mim4u.org |
| 10130 | 192.168.11.130 | dbis-frontend | r630-01 | ✅ Running | TBD | DBIS Admin Frontend | dbis-admin.d-bis.org, secure.d-bis.org |
| 2201 | 192.168.11.221 | besu-rpc-public-1 | r630-02 | ✅ Running | 8545/8546 | Besu RPC | rpc-http-pub.d-bis.org, rpc-ws-pub.d-bis.org, rpc.d-bis.org, rpc2.d-bis.org, ws.rpc.d-bis.org, ws.rpc2.d-bis.org, rpc.defi-oracle.io, wss.defi-oracle.io |
| 2400 | 192.168.11.240 | thirdweb-rpc-1 | ml110 | ✅ Running | TBD | ThirdWeb RPC (HTTPS) | rpc.public-0138.defi-oracle.io |
VMs without Nginx (Direct Service Access) (4 VMs)
| VMID | IP | Hostname | Host | Status | Service | Port | Protocol | Domains |
|---|---|---|---|---|---|---|---|---|
| 2101 | 192.168.11.211 | besu-rpc-core-1 | ml110 | ✅ Running | Besu RPC | 8545/8546 | HTTP/WS | rpc-http-prv.d-bis.org, rpc-ws-prv.d-bis.org |
| 2201 | 192.168.11.221 | besu-rpc-public-1 | r630-02 | ✅ Running | Besu RPC | 8545/8546 | HTTP/WS | rpc-http-pub.d-bis.org, rpc-ws-pub.d-bis.org, rpc.d-bis.org, rpc2.d-bis.org, ws.rpc.d-bis.org, ws.rpc2.d-bis.org, rpc.defi-oracle.io, wss.defi-oracle.io |
| 10150 | 192.168.11.155 | dbis-api-primary | r630-01 | ✅ Running | Node.js API | 3000 | HTTP | dbis-api.d-bis.org |
| 10151 | 192.168.11.156 | dbis-api-secondary | r630-01 | ✅ Running | Node.js API | 3000 | HTTP | dbis-api-2.d-bis.org |
Traffic Flow Examples
Example 1: Web Application (MIM4U)
User: https://mim4u.org
↓ DNS: mim4u.org → 76.53.10.36
↓ Port Forward: 76.53.10.36:443 → 192.168.11.167:443
↓ NPMplus (192.168.11.167:443):
│ ├─ SSL Termination (Cert ID: 50)
│ ├─ Proxy Host ID: 17
│ └─ Proxy Pass: http://192.168.11.37:80
↓ nginx on VMID 7810 (192.168.11.37:80):
│ └─ Serve: /var/www/html
↓ Response: HTTPS → User
Example 2: API Service (DBIS)
User: https://dbis-api.d-bis.org
↓ DNS: dbis-api.d-bis.org → 76.53.10.36
↓ Port Forward: 76.53.10.36:443 → 192.168.11.167:443
↓ NPMplus (192.168.11.167:443):
│ ├─ SSL Termination (Cert ID: 48)
│ ├─ Proxy Host ID: 15
│ └─ Proxy Pass: http://192.168.11.155:3000
↓ Node.js API on VMID 10150 (192.168.11.155:3000):
│ └─ Process Request
↓ Response: HTTPS → User
Example 3: RPC Endpoint (ThirdWeb)
User: https://rpc.public-0138.defi-oracle.io
↓ DNS: rpc.public-0138.defi-oracle.io → 76.53.10.36
↓ Port Forward: 76.53.10.36:443 → 192.168.11.167:443
↓ NPMplus (192.168.11.167:443):
│ ├─ SSL Termination (Cert ID: 56)
│ ├─ Proxy Host ID: 26
│ └─ Proxy Pass: https://192.168.11.240:443
↓ nginx on VMID 2400 (192.168.11.240:443):
│ ├─ SSL Termination (Internal)
│ └─ Backend: Besu RPC + Translator
↓ Response: HTTPS → User
Example 4: RPC Service (Direct Besu)
User: https://rpc-http-pub.d-bis.org
↓ DNS: rpc-http-pub.d-bis.org → 76.53.10.36
↓ Port Forward: 76.53.10.36:443 → 192.168.11.167:443
↓ NPMplus (192.168.11.167:443):
│ ├─ SSL Termination (Cert ID: 53)
│ ├─ Proxy Host ID: 10
│ └─ Proxy Pass: http://192.168.11.221:8545
↓ Besu RPC on VMID 2201 (192.168.11.221:8545):
│ └─ Process JSON-RPC Request
↓ Response: HTTPS → User
Service Summary Statistics
By Service Type
| Service Type | Count | Domains | VMs with Nginx | VMs Direct Access |
|---|---|---|---|---|
| Web Applications | 5 | 9 | 3 | 0 |
| API Services | 2 | 2 | 0 | 2 |
| RPC Services | 5 | 5 | 1 | 4 |
| Blockchain Explorer | 1 | 1 | 1 | 0 |
| TOTAL | 13 | 17 | 5 | 6 |
Note: Sankofa domains (5) are not included in totals as services are not deployed.
By Zone
| Zone | Domains | SSL Certs | Active Services | Issues |
|---|---|---|---|---|
| d-bis.org | 9 | 9 | 9 | None |
| mim4u.org | 4 | 4 | 4 | None |
| sankofa.nexus | 5 | 5 | 0 | ⚠️ Services not deployed |
| defi-oracle.io | 1 | 1 | 1 | None |
| TOTAL | 19 | 19 | 14 | 5 issues |
Issues and Action Items
⚠️ Critical Issues
- Sankofa Nexus Services NOT Deployed
- All 5 Sankofa domains currently route to Blockscout (192.168.11.140)
- Sankofa services need to be deployed before these domains can work correctly
- Action Required: Deploy Sankofa services and update NPMplus routing
📋 Recommended Improvements
-
Documentation
- ⚠️ Document nginx config file paths for VMID 10130 and 2400
- ⚠️ Document custom nginx configurations for all VMs with nginx
-
Monitoring
- Set up certificate expiration alerts (all certs expire 2026-04-16)
- Monitor backend VM health
- Track DNS resolution status
-
Security
- ✅ All SSL certificates auto-renewing
- ✅ HSTS enabled on all domains
- ✅ Security headers configured
Quick Reference Commands
Test DNS Resolution
dig +short mim4u.org
dig +short explorer.d-bis.org
dig +short rpc-http-pub.d-bis.org
Test SSL Certificates
curl -vI https://mim4u.org 2>&1 | grep -E "(certificate|SSL|TLS)"
curl -vI https://explorer.d-bis.org 2>&1 | grep -E "(certificate|SSL|TLS)"
Test Backend Services
# Test Blockscout
curl -I http://192.168.11.140:80
# Test MIM4U
curl -I http://192.168.11.37:80
# Test DBIS API
curl -I http://192.168.11.155:3000
# Test RPC
curl -X POST http://192.168.11.221:8545 \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
Check NPMplus Status
# From Proxmox host
ssh root@192.168.11.11 "pct exec 10233 -- docker ps --filter 'name=npmplus'"
# Check NPMplus logs
ssh root@192.168.11.11 "pct exec 10233 -- docker logs npmplus --tail 50"
Check VM Status
# Check specific VM
ssh root@192.168.11.12 "pct status 7810"
# Check nginx status on VM
ssh root@192.168.11.12 "pct exec 7810 -- systemctl status nginx"
Related Documentation
- Comprehensive Architecture:
docs/04-configuration/DNS_NPMPLUS_VM_COMPREHENSIVE_ARCHITECTURE.md - VMID Endpoints:
docs/04-configuration/ALL_VMIDS_ENDPOINTS.md - NPMplus Setup:
docs/04-configuration/NPMPLUS_COMPLETE_SETUP_SUMMARY.md - NPMplus Service Mapping:
docs/04-configuration/NPMPLUS_SERVICE_MAPPING_COMPLETE.md - MIM4U DNS Config:
reports/VMID_7810_DNS_NPMPLUS_CONFIGURATION.md - Cloudflare DNS:
docs/04-configuration/cloudflare/CLOUDFLARE_DNS_SPECIFIC_SERVICES.md
Last Updated: 2026-01-20
Maintained By: Infrastructure Team
Status: ✅ Complete Streamlined Architecture Reference