proxmox/docs/05-network/BESU_RPC_CONFIGURATION_FIXED.md
defiQUG cb47cce074 Complete markdown files cleanup and organization
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
2026-01-06 01:46:25 -08:00


# Besu RPC Nodes Configuration - Fixed
**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Status:** Active Documentation

---
## Overview
This document describes the corrected configuration for the three Besu RPC nodes (VMIDs 2500, 2501, 2502) in the Proxmox VE deployment.

---
## Node Roles and Requirements
### VMID 2500 - Core RPC Node
- **Role**: Core/Internal infrastructure
- **Access**: **NO public access or routing**
- **Features**: **All features enabled** (ADMIN, DEBUG, TRACE, TXPOOL, QBFT)
- **Config File**: `config-rpc-core.toml`
- **IP**: 192.168.11.250

**Key Settings**:
- ✅ Discovery **DISABLED** (no public routing)
- ✅ All APIs enabled: `ETH`, `NET`, `WEB3`, `TXPOOL`, `QBFT`, `ADMIN`, `DEBUG`, `TRACE`
- ✅ CORS origins empty (no public access)
- ✅ Node permissioning enabled (only local nodes)
- ✅ Account permissioning **disabled** (internal use only)
### VMID 2501 - Permissioned RPC Node (Prv)
- **Role**: Permissioned public access
- **Access**: **Public permissioned access** (requires authentication)
- **Features**: **Non-Admin features only** (no ADMIN, DEBUG, TRACE)
- **Config File**: `config-rpc-perm.toml`
- **IP**: 192.168.11.251

**Key Settings**:
- ✅ Discovery **ENABLED** (public access)
- ✅ Non-Admin APIs only: `ETH`, `NET`, `WEB3`, `TXPOOL`, `QBFT`
- **ADMIN API REMOVED** (as required)
- **DEBUG API REMOVED** (as required)
- ✅ CORS enabled for public access
- **Account permissioning ENABLED** (requires authentication)
- ✅ Node permissioning enabled
### VMID 2502 - Public RPC Node (Pub)
- **Role**: Public non-authenticated access
- **Access**: **Public non-auth access**
- **Features**: **Minimal wallet features only**
- **Config File**: `config-rpc-public.toml`
- **IP**: 192.168.11.252

**Key Settings**:
- ✅ Discovery **ENABLED** (public access)
- ✅ Minimal APIs only: `ETH`, `NET`, `WEB3` (read-only)
- ✅ WebSocket **DISABLED** (HTTP only)
- ✅ CORS enabled for public access
- ✅ Account permissioning **disabled** (public non-auth)
- ✅ Node permissioning enabled
---
## Configuration Changes Made
### 1. Fixed `config-rpc-core.toml` (VMID 2500)
- **Removed ADMIN from permissioned config** - ADMIN should only be in Core
- **Disabled discovery** - Changed from `true` to `false` (no public routing)
- **Removed CORS origins** - Changed from `["*"]` to `[]` (no public access)
- **Fixed paths** - Updated to use `/data/besu`, `/genesis/`, `/permissions/`
- **Removed deprecated options** - Removed `log-destination`, `max-remote-initiated-connections`, `accounts-enabled`, `database-path`, `trie-logs-enabled`
### 2. Fixed `config-rpc-perm.toml` (VMID 2501)
- **Removed ADMIN API** - Changed from `["ETH","NET","WEB3","TXPOOL","QBFT","ADMIN"]` to `["ETH","NET","WEB3","TXPOOL","QBFT"]`
- **Removed DEBUG API** - Not included (non-Admin features only)
- **Account permissions enabled** - `permissions-accounts-config-file-enabled=true` (for permissioned access)
- **Fixed paths** - Updated to use `/data/besu`, `/genesis/`, `/permissions/`
- **Removed deprecated options** - Same cleanup as Core config
### 3. Fixed `config-rpc-public.toml` (VMID 2502)
- **Minimal APIs confirmed** - Only `ETH`, `NET`, `WEB3` (correct)
- **WebSocket disabled** - Already correct
- **Account permissions disabled** - Correct for public non-auth
- **Fixed paths** - Updated to use `/data/besu`, `/genesis/`, `/permissions/`
- **Removed deprecated options** - Same cleanup as other configs
---
## Deployment
### Automated Deployment Script
A new script has been created to deploy and verify the configurations:
```bash
cd /home/intlc/projects/proxmox
./scripts/configure-besu-rpc-nodes.sh
```
This script will:
1. ✅ Check container status and start if needed
2. ✅ Copy correct config file to each RPC node
3. ✅ Update systemd service files
4. ✅ Verify configuration matches requirements
5. ✅ Restart services
6. ✅ Check if 2501 and 2502 are reversed
### Manual Deployment
If you prefer to deploy manually:
```bash
# For VMID 2500 (Core)
pct push 2500 smom-dbis-138/config/config-rpc-core.toml /etc/besu/config-rpc-core.toml
pct exec 2500 -- chown besu:besu /etc/besu/config-rpc-core.toml
pct exec 2500 -- systemctl restart besu-rpc.service
# For VMID 2501 (Permissioned)
pct push 2501 smom-dbis-138/config/config-rpc-perm.toml /etc/besu/config-rpc-perm.toml
pct exec 2501 -- chown besu:besu /etc/besu/config-rpc-perm.toml
pct exec 2501 -- systemctl restart besu-rpc.service
# For VMID 2502 (Public)
pct push 2502 smom-dbis-138/config/config-rpc-public.toml /etc/besu/config-rpc-public.toml
pct exec 2502 -- chown besu:besu /etc/besu/config-rpc-public.toml
pct exec 2502 -- systemctl restart besu-rpc.service
```
---
## Verification
### Check Configuration Files
```bash
# Verify Core RPC (2500)
pct exec 2500 -- grep "discovery-enabled" /etc/besu/config-rpc-core.toml
# Should show: discovery-enabled=false
pct exec 2500 -- grep "rpc-http-api" /etc/besu/config-rpc-core.toml
# Should include: ADMIN, DEBUG, TRACE
# Verify Permissioned RPC (2501)
pct exec 2501 -- grep "rpc-http-api" /etc/besu/config-rpc-perm.toml
# Should NOT include: ADMIN or DEBUG
# Should include: ETH, NET, WEB3, TXPOOL, QBFT
pct exec 2501 -- grep "permissions-accounts-config-file-enabled" /etc/besu/config-rpc-perm.toml
# Should show: permissions-accounts-config-file-enabled=true
# Verify Public RPC (2502)
pct exec 2502 -- grep "rpc-http-api" /etc/besu/config-rpc-public.toml
# Should only include: ETH, NET, WEB3
pct exec 2502 -- grep "rpc-ws-enabled" /etc/besu/config-rpc-public.toml
# Should show: rpc-ws-enabled=false
```
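The grep checks above and the API Comparison table further down can be combined into one audit that fails when a config exposes an API outside its role's set. This is an added example, not the project's `configure-besu-rpc-nodes.sh`: the function names and the sample files are constructed for illustration, and `rpc-ws-api` is a Besu option that this page does not mention.

```bash
# Added example, not the project's script. Allowed APIs per role, from the API Comparison table.
allowed_apis() {
  case "$1" in
    core)   echo "ETH NET WEB3 TXPOOL QBFT ADMIN DEBUG TRACE" ;;
    perm)   echo "ETH NET WEB3 TXPOOL QBFT" ;;
    public) echo "ETH NET WEB3" ;;
    *)      return 2 ;;
  esac
}
# list_apis <key> <file>: APIs set for <key>, one per line; commented-out lines are ignored.
list_apis() {
  grep -E "^[[:space:]]*$1[[:space:]]*=" "$2" | head -n 1 | cut -d= -f2- \
    | sed -e 's/#.*//' -e 's/[]["[:space:]]//g' | tr ',' '\n' | tr '[:lower:]' '[:upper:]'
}
# has_setting <key> <value> <file>: true if an active line sets key=value.
has_setting() { grep -Eq "^[[:space:]]*$1[[:space:]]*=[[:space:]]*$2[[:space:]]*(#.*)?\$" "$3"; }

# audit_config <role> <file>: print each violation; return 0 only if the file is clean.
audit_config() {
  local role="$1" file="$2" allowed key api rc=0
  allowed=$(allowed_apis "$role") || { echo "unknown role: $role"; return 2; }
  # rpc-ws-api (assumption: not named on the page) is checked too, since WS can expose what HTTP hides.
  for key in rpc-http-api rpc-ws-api; do
    for api in $(list_apis "$key" "$file"); do
      case " $allowed " in
        *" $api "*) ;;
        *) echo "VIOLATION $file: $key exposes $api (role=$role)"; rc=1 ;;
      esac
    done
  done
  # One role-specific flag each, taken from the grep checks on this page.
  case "$role" in
    core)   set -- discovery-enabled false ;;
    perm)   set -- permissions-accounts-config-file-enabled true ;;
    public) set -- rpc-ws-enabled false ;;
  esac
  has_setting "$1" "$2" "$file" || { echo "VIOLATION $file: expected $1=$2"; rc=1; }
  return $rc
}

# Constructed samples: the perm config before the fix (ADMIN listed) and a clean public one.
write_samples() {
  printf '%s\n' 'rpc-http-api=["ETH","NET","WEB3","TXPOOL","QBFT","ADMIN"]' \
    'permissions-accounts-config-file-enabled=true' > "$1/config-rpc-perm.toml"
  printf '%s\n' 'rpc-http-api=["ETH","NET","WEB3"]' 'rpc-ws-enabled=false' > "$1/config-rpc-public.toml"
}
d=$(mktemp -d) && write_samples "$d"
audit_config perm "$d/config-rpc-perm.toml" || echo "perm: violations found"
audit_config public "$d/config-rpc-public.toml" && echo "public: clean"
rm -rf "$d"
```

To audit the live files, copy each one out of its container first (for example with `pct pull`) and pass the local copy to `audit_config` with the matching role.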
### Check Service Status
```bash
pct exec 2500 -- systemctl status besu-rpc.service
pct exec 2501 -- systemctl status besu-rpc.service
pct exec 2502 -- systemctl status besu-rpc.service
```
### Test RPC Endpoints
```bash
# Test Core RPC (should work from internal network)
curl -X POST http://192.168.11.250:8545 \
-H 'Content-Type: application/json' \
--data '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# Test Permissioned RPC (should work with authentication)
curl -X POST http://192.168.11.251:8545 \
-H 'Content-Type: application/json' \
--data '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# Test Public RPC (should work without authentication)
curl -X POST http://192.168.11.252:8545 \
-H 'Content-Type: application/json' \
--data '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
```
---
## API Comparison
| API | Core (2500) | Permissioned (2501) | Public (2502) |
|-----|-------------|---------------------|---------------|
| ETH | ✅ | ✅ | ✅ |
| NET | ✅ | ✅ | ✅ |
| WEB3 | ✅ | ✅ | ✅ |
| TXPOOL | ✅ | ✅ | ❌ |
| QBFT | ✅ | ✅ | ❌ |
| ADMIN | ✅ | ❌ | ❌ |
| DEBUG | ✅ | ❌ | ❌ |
| TRACE | ✅ | ❌ | ❌ |
---
## Security Considerations
### VMID 2500 (Core)
- **Firewall**: Should block external access to port 8545/8546
- **Discovery**: Disabled (no public routing)
- **CORS**: Empty (no cross-origin access)
- **Use Case**: Internal infrastructure, monitoring, administrative operations
### VMID 2501 (Permissioned)
- **Authentication**: Account permissioning enabled (requires allowlist)
- **Discovery**: Enabled (public access)
- **CORS**: Enabled (public access)
- **Use Case**: Enterprise/private applications with authentication
### VMID 2502 (Public)
- **Authentication**: None (public non-auth)
- **Discovery**: Enabled (public access)
- **CORS**: Enabled (public access)
- **APIs**: Minimal (read-only wallet features)
- **Use Case**: Public dApps, wallets, blockchain explorers
---
## Files Modified
1. `smom-dbis-138/config/config-rpc-core.toml` - Fixed for Core RPC
2. `smom-dbis-138/config/config-rpc-perm.toml` - Fixed for Permissioned RPC
3. `smom-dbis-138/config/config-rpc-public.toml` - Fixed for Public RPC
4. `scripts/configure-besu-rpc-nodes.sh` - New deployment script
---
## Next Steps
1. **Deploy configurations** using the automated script:
   ```bash
   ./scripts/configure-besu-rpc-nodes.sh
   ```
2. **Verify services** are running correctly
3. **Test RPC endpoints** from appropriate networks
4. **Configure firewall rules** to ensure:
   - VMID 2500 is only accessible from internal network
   - VMID 2501 and 2502 are accessible from public networks (if needed)
5. **Monitor logs** for any configuration errors:
   ```bash
   pct exec 2500 -- journalctl -u besu-rpc.service -f
   pct exec 2501 -- journalctl -u besu-rpc.service -f
   pct exec 2502 -- journalctl -u besu-rpc.service -f
   ```
---
## Summary
**All configurations have been fixed and are ready for deployment**
- **2500 (Core)**: No public access, all features enabled
- **2501 (Permissioned)**: Public permissioned access, non-Admin features only
- **2502 (Public)**: Public non-auth access, minimal wallet features

The configurations now correctly match the requirements for each node type.