proxmox/docs/04-configuration/RPC_DNS_CONFIGURATION.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


# RPC DNS Configuration for d-bis.org and defi-oracle.io
**Last Updated:** 2025-01-23
**Status:** Active Configuration
---
## Overview
DNS configuration for RPC endpoints with Nginx SSL termination on port 443.
**Architecture:**
**d-bis.org domain (Direct A records):**
```
Internet → DNS (A records) → Nginx (port 443) → Besu RPC (8545/8546)
```
**defi-oracle.io domain (Cloudflare Tunnel):**
```
Internet → DNS (CNAME) → Cloudflare Tunnel → VMID 2400 → Nginx (port 443) → Besu RPC (8545/8546)
```
All HTTPS traffic arrives on port 443, and Nginx routes it to the appropriate backend port based on the requested hostname (the TLS Server Name Indication, SNI, matched against each server block's `server_name`). For VMID 2400, traffic flows through Cloudflare Tunnel first.
---
## DNS Records Configuration
### Cloudflare DNS Records
**Important:** A records in DNS do NOT include port numbers. All traffic comes to port 443 (HTTPS), and Nginx handles routing to the backend ports.
#### Permissioned/Private RPC (VMID 2101 - 192.168.11.211) - JWT Authentication Required
| Type | Name | Target | Proxy | Notes |
|------|------|--------|-------|-------|
| A | `rpc-http-prv` | `192.168.11.211` | 🟠 Proxied (optional) | HTTP RPC endpoint (JWT auth required) |
| A | `rpc-ws-prv` | `192.168.11.211` | 🟠 Proxied (optional) | WebSocket RPC endpoint (JWT auth required) |
**DNS Configuration:**
```
Type: A
Name: rpc-http-prv
Target: 192.168.11.211
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)
Type: A
Name: rpc-ws-prv
Target: 192.168.11.211
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)
```
**Note:** These endpoints require JWT token authentication. See [RPC_JWT_AUTHENTICATION.md](RPC_JWT_AUTHENTICATION.md) for details.
#### Public RPC (VMID 2201 - 192.168.11.221, RPC_PUBLIC_1) - No Authentication
| Type | Name | Target | Proxy | Notes |
|------|------|--------|-------|-------|
| A | `rpc-http-pub` | `192.168.11.221` | 🟠 Proxied (optional) | HTTP RPC endpoint (public, no auth) |
| A | `rpc-ws-pub` | `192.168.11.221` | 🟠 Proxied (optional) | WebSocket RPC endpoint (public, no auth) |
**DNS Configuration:**
```
Type: A
Name: rpc-http-pub
Target: 192.168.11.221
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)
Type: A
Name: rpc-ws-pub
Target: 192.168.11.221
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)
```
### DNS Records Configuration for defi-oracle.io Domain
**Note:** The `defi-oracle.io` domain is used specifically for ThirdWeb RPC nodes and Thirdweb listing integration.
#### ThirdWeb RPC (VMID 2400 - 192.168.11.240) - defi-oracle.io Domain
**Note:** VMID 2400 uses Cloudflare Tunnel, so DNS records use CNAME (not A records).
| Type | Name | Domain | Target | Proxy | Notes |
|------|------|--------|--------|-------|-------|
| CNAME | `rpc.public-0138` | `defi-oracle.io` | `26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com` | 🟠 Proxied | Tunnel endpoint for ThirdWeb RPC |
| CNAME | `rpc` | `defi-oracle.io` | `rpc.public-0138.defi-oracle.io` | 🟠 Proxied | Short alias for ThirdWeb RPC |
**DNS Configuration:**
**Record 1: Tunnel Endpoint**
```
Type: CNAME
Name: rpc.public-0138
Domain: defi-oracle.io
Target: 26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com
TTL: Auto
Proxy: 🟠 Proxied (required for tunnel)
```
**Record 2: Short Alias**
```
Type: CNAME
Name: rpc
Domain: defi-oracle.io
Target: rpc.public-0138.defi-oracle.io
TTL: Auto
Proxy: 🟠 Proxied (required for tunnel)
```
**Full FQDNs:**
- `rpc.public-0138.defi-oracle.io` (primary endpoint)
- `rpc.defi-oracle.io` (HTTP RPC short alias)
- `wss.defi-oracle.io` (WebSocket RPC)
**Alternative: DNS-only (NPMplus)** — When using NPMplus (no tunnel), create A records in Cloudflare (DNS Only / gray cloud):
| Type | Name | Target | Proxy |
|------|------|--------|-------|
| A | `rpc` | 76.53.10.36 | DNS Only |
| A | `wss` | 76.53.10.36 | DNS Only |
Then NPMplus (192.168.11.167) receives traffic and proxies to 192.168.11.240:443 for both `rpc.defi-oracle.io` and `wss.defi-oracle.io`. Request Let's Encrypt certificates in NPMplus for both hostnames.
**DNS Structure (tunnel):**
```
rpc.defi-oracle.io
↓ (CNAME)
rpc.public-0138.defi-oracle.io
↓ (CNAME)
26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com
↓ (Cloudflare Tunnel)
192.168.11.240 (VMID 2400)
```
**Note:** This endpoint is used for the Thirdweb listing for ChainID 138. Traffic flows through Cloudflare Tunnel to VMID 2400, where Nginx handles SSL termination and routes to Besu RPC (port 8545 for HTTP, port 8546 for WebSocket).
---
## How It Works
### Request Flow
1. **Client** makes a request to `https://rpc-http-prv.d-bis.org` (permissioned) or `https://rpc-http-pub.d-bis.org` (public)
2. **DNS** resolves the name to the appropriate IP (A record)
3. **HTTPS connection** is established on port 443 (standard HTTPS port)
4. **Nginx** receives the request on port 443
5. **Nginx** uses Server Name Indication (SNI) to identify the domain:
   - `rpc-http-pub.d-bis.org` → proxies to `127.0.0.1:8545` (HTTP RPC)
   - `rpc-ws-pub.d-bis.org` → proxies to `127.0.0.1:8546` (WebSocket RPC)
   - `rpc-http-prv.d-bis.org` → proxies to `127.0.0.1:8545` (HTTP RPC)
   - `rpc-ws-prv.d-bis.org` → proxies to `127.0.0.1:8546` (WebSocket RPC)
   - `rpc.public-0138.defi-oracle.io` → Cloudflare Tunnel → VMID 2400 → proxies to `127.0.0.1:8545` (HTTP RPC) or `127.0.0.1:8546` (WebSocket RPC)
   - `rpc.defi-oracle.io` → CNAME → `rpc.public-0138.defi-oracle.io` → Cloudflare Tunnel → VMID 2400 → proxies to `127.0.0.1:8545` (HTTP RPC) or `127.0.0.1:8546` (WebSocket RPC)
   - With DNS-only: `rpc.defi-oracle.io` / `wss.defi-oracle.io` → A 76.53.10.36 → NPMplus → VMID 2400:443
6. **Besu RPC** processes the request and returns the response
7. **Nginx** forwards the response back to the client
### Port Mapping
| Domain | DNS Target | Nginx Port | Backend Port | Service | Auth |
|--------|------------|------------|-------------|---------|------|
| `rpc-http-prv.d-bis.org` | `192.168.11.211` | 443 (HTTPS) | 8545 | HTTP RPC | ✅ JWT Required |
| `rpc-ws-prv.d-bis.org` | `192.168.11.211` | 443 (HTTPS) | 8546 | WebSocket RPC | ✅ JWT Required |
| `rpc-http-pub.d-bis.org` | `192.168.11.221` | 443 (HTTPS) | 8545 | HTTP RPC | ❌ No Auth |
| `rpc-ws-pub.d-bis.org` | `192.168.11.221` | 443 (HTTPS) | 8546 | WebSocket RPC | ❌ No Auth |
| `rpc.public-0138.defi-oracle.io` | Cloudflare Tunnel → `192.168.11.240` | 443 (HTTPS) | 8545/8546 | HTTP/WS RPC | ❌ No Auth |
| `rpc.defi-oracle.io` | CNAME → `rpc.public-0138` → Cloudflare Tunnel → `192.168.11.240` (or A 76.53.10.36 → NPMplus) | 443 (HTTPS) | 8545/8546 | HTTP/WS RPC | ❌ No Auth |
| `wss.defi-oracle.io` | A 76.53.10.36 → NPMplus → `192.168.11.240:443` | 443 (HTTPS) | 8545/8546 | WebSocket RPC | ❌ No Auth |
**Note:** DNS A records only contain IP addresses. Port numbers are handled by:
- **Port 443**: Standard HTTPS port (handled automatically by browsers/clients)
- **Backend ports (8545/8546)**: Configured in Nginx server blocks
---
## Testing
### Test DNS Resolution
```bash
# Test DNS resolution
dig +short rpc-http-pub.d-bis.org
nslookup rpc-http-pub.d-bis.org
# With the record set to DNS Only this should resolve to: 192.168.11.221
# (rpc-http-prv / rpc-ws-prv resolve to 192.168.11.211).
# With the record Proxied (orange cloud) the answer is a Cloudflare edge address,
# not the origin; verify the origin IP in the Cloudflare dashboard instead.
```
### Test HTTPS Endpoints
```bash
# Test HTTP RPC endpoint (port 443)
# -k skips certificate verification; drop it once the certificate chain is trusted
curl -k https://rpc-http-pub.d-bis.org/health
curl -k -X POST https://rpc-http-pub.d-bis.org \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# Test WebSocket RPC endpoint (port 443)
# Use wscat or a similar WebSocket client
wscat -c wss://rpc-ws-pub.d-bis.org
```
### Test Direct IP Access (for troubleshooting)
```bash
# Test Nginx directly on the container IP
curl -k https://192.168.11.211/health
curl -k https://192.168.11.221/health
# Test backend Besu RPC directly (bypassing Nginx). This only answers if Besu is
# bound to the container IP rather than 127.0.0.1; either way 8545/8546 must stay
# unreachable from outside the LAN, because this path bypasses Nginx entirely.
curl -X POST http://192.168.11.211:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
```
---
## Cloudflare Proxy Settings
### When to Use Proxy (🟠 Proxied)
**Recommended for:**
- DDoS protection
- CDN caching (though RPC responses shouldn't be cached)
- SSL/TLS termination at Cloudflare edge
- Hiding origin server IP
**Considerations:**
- Cloudflare may cache some responses (disable caching for RPC)
- Additional latency (usually minimal)
- WebSocket support requires Cloudflare WebSocket passthrough
### When to Use DNS Only (❌ DNS only)
**Use when:**
- Direct IP access needed
- Cloudflare proxy causes issues
- Testing/debugging
- Internal network access
---
## Nginx Configuration Summary
The Nginx configuration on each container:
**VMID 2501 (Permissioned RPC):**
- Listens on port 443 (HTTPS)
- `rpc-http-prv.d-bis.org` → proxies to `127.0.0.1:8545` (JWT auth required)
- `rpc-ws-prv.d-bis.org` → proxies to `127.0.0.1:8546` (JWT auth required)
**VMID 2502 (Public RPC):**
- Listens on port 443 (HTTPS)
- `rpc-http-pub.d-bis.org` → proxies to `127.0.0.1:8545` (no auth)
- `rpc-ws-pub.d-bis.org` → proxies to `127.0.0.1:8546` (no auth)
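As an added example (not the project's own configuration), the server blocks below implement the public-container routing described here and under "How It Works": one `server_name` per hostname, Besu reached only on loopback, and a catch-all `default_server` so that requests for any other name (or for the bare IP) never reach the first server block. The certificate key path, the `upstream` names, the locally answered `/health` probe, the body limit and the timeouts are assumptions; the hostnames and ports are the ones documented above. The permissioned container (`rpc-http-prv` / `rpc-ws-prv`) uses the same layout plus the JWT check described in RPC_JWT_AUTHENTICATION.md, which is not shown here.

```nginx
# /etc/nginx/conf.d/rpc-public.conf  (included from the http context)
# Added example for the public RPC container; values marked "assumed" are not from the project.

# Besu is only ever reached on loopback; nothing on the container IP but Nginx:443.
upstream besu_http { server 127.0.0.1:8545; }   # HTTP JSON-RPC
upstream besu_ws   { server 127.0.0.1:8546; }   # WebSocket JSON-RPC

# Turn the client's Upgrade header into the Connection header Besu expects.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

ssl_protocols TLSv1.2 TLSv1.3;                    # assumed baseline

# Catch-all: unknown SNI/Host (and https://192.168.11.221/) lands here instead of
# on the first server block. Only the /health probe used in the Testing section
# is answered; everything else has its connection closed (444).
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/ssl/rpc.crt;   # path from the SSL troubleshooting section
    ssl_certificate_key /etc/nginx/ssl/rpc.key;   # assumed
    location = /health { default_type text/plain; return 200 "ok\n"; }
    location /        { return 444; }
}

# rpc-http-pub.d-bis.org -> 127.0.0.1:8545 (HTTP JSON-RPC, no auth)
server {
    listen 443 ssl;
    server_name rpc-http-pub.d-bis.org;
    ssl_certificate     /etc/nginx/ssl/rpc.crt;
    ssl_certificate_key /etc/nginx/ssl/rpc.key;   # assumed

    location = /health { default_type text/plain; return 200 "ok\n"; }

    location / {
        limit_except POST OPTIONS { deny all; }   # JSON-RPC is POST; OPTIONS for CORS preflight
        client_max_body_size 1m;                  # assumed cap on batch request size
        proxy_pass http://besu_http;
        proxy_http_version 1.1;
        # Host is deliberately left at the upstream default (127.0.0.1:8545):
        # Besu's --rpc-http-host-allowlist defaults to localhost/127.0.0.1 and
        # answers 403 for other Host values unless the public name is added.
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 60s;                   # assumed
    }
}

# rpc-ws-pub.d-bis.org -> 127.0.0.1:8546 (WebSocket JSON-RPC, no auth)
server {
    listen 443 ssl;                               # HTTP/1.1 only: the Upgrade handshake needs it
    server_name rpc-ws-pub.d-bis.org;
    ssl_certificate     /etc/nginx/ssl/rpc.crt;
    ssl_certificate_key /etc/nginx/ssl/rpc.key;   # assumed

    location / {
        proxy_pass http://besu_ws;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 3600s;                 # keep idle eth_subscribe streams open
    }
}
```

Check it with `nginx -t` and reload; afterwards `openssl s_client -servername some-other-name -connect 192.168.11.221:443` still handshakes (the catch-all presents the same certificate) but any request other than `/health` on that connection is closed without a response, which is the behaviour the Port Mapping table implies.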
**VMID 2400 (ThirdWeb RPC - Cloudflare Tunnel):**
- Cloudflare Tunnel endpoint: `26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com`
- Nginx listens on port 443 (HTTPS) inside container
- `rpc.public-0138.defi-oracle.io` → Cloudflare Tunnel → proxies to `127.0.0.1:8545` (HTTP RPC, no auth) or `127.0.0.1:8546` (WebSocket RPC, no auth)
- `rpc.defi-oracle.io` → CNAME → `rpc.public-0138.defi-oracle.io` → Cloudflare Tunnel → proxies to `127.0.0.1:8545` (HTTP RPC, no auth) or `127.0.0.1:8546` (WebSocket RPC, no auth)
- Uses `defi-oracle.io` domain (Cloudflare Tunnel) for Thirdweb listing integration
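The tunnel container differs in two ways the list above implies but does not spell out: one hostname (`rpc.public-0138.defi-oracle.io`) serves both HTTP and WebSocket RPC, so the backend port has to be chosen per request rather than per `server_name`, and every connection arrives from the cloudflared connector rather than from the client. The added example below (not the project's configuration) handles both: it picks 8545 or 8546 from the `Upgrade` header and recovers the client address from the `CF-Connecting-IP` header. It assumes cloudflared runs inside VMID 2400 and connects to Nginx from 127.0.0.1; the certificate paths and timeouts are assumptions as well.

```nginx
# /etc/nginx/conf.d/rpc-tunnel.conf on VMID 2400 (included from the http context)
# Added example; not the project's own configuration.

# Choose the backend per request: a WebSocket handshake goes to the WS listener,
# everything else to the HTTP JSON-RPC listener.
map $http_upgrade $besu_backend {
    default          127.0.0.1:8545;
    "~*^websocket$"  127.0.0.1:8546;
}
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Connections come from the local cloudflared connector (assumed to run in this
# container), so $remote_addr would always be 127.0.0.1. Trust that source only and
# take the real client address from the header Cloudflare adds. With the NPMplus
# path instead, trust 192.168.11.167 and use X-Forwarded-For here.
set_real_ip_from 127.0.0.1;
real_ip_header   CF-Connecting-IP;

server {
    listen 443 ssl;
    # The tunnel name, its short CNAME alias and the NPMplus WebSocket name all end up here.
    server_name rpc.public-0138.defi-oracle.io rpc.defi-oracle.io wss.defi-oracle.io;
    ssl_certificate     /etc/nginx/ssl/rpc.crt;   # assumed; cloudflared only has to trust it
    ssl_certificate_key /etc/nginx/ssl/rpc.key;   # assumed

    location / {
        # Variable target with a literal IP:port needs no resolver; Host sent upstream
        # becomes that IP:port, which Besu's default host allowlist accepts.
        proxy_pass http://$besu_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP       $remote_addr;   # already rewritten by real_ip_header
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 3600s;                        # WebSocket subscriptions stay open
    }
}
```

With this in place the access log shows the real client address rather than 127.0.0.1 for every tunnel request, which is what makes per-client rate limiting or abuse investigation on the public ThirdWeb endpoint possible at all.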
---
## Troubleshooting
### DNS Not Resolving
```bash
# Check DNS resolution
dig rpc-http-pub.d-bis.org
nslookup rpc-http-pub.d-bis.org
# Verify DNS records in Cloudflare dashboard
```
### Connection Refused
```bash
# Check if Nginx is running
ssh root@192.168.11.10 "pct exec 2501 -- systemctl status nginx"
# Check if port 443 is listening
ssh root@192.168.11.10 "pct exec 2501 -- ss -tuln | grep 443"
# Check Nginx configuration
ssh root@192.168.11.10 "pct exec 2501 -- nginx -t"
```
### SSL Certificate Issues
```bash
# Check SSL certificate
ssh root@192.168.11.10 "pct exec 2501 -- openssl x509 -in /etc/nginx/ssl/rpc.crt -text -noout"
# Test SSL connection
openssl s_client -connect rpc-http-pub.d-bis.org:443 -servername rpc-http-pub.d-bis.org
```
### Backend Connection Issues
```bash
# Test backend Besu RPC directly
curl -X POST http://192.168.11.211:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# Check Besu service status
ssh root@192.168.11.10 "pct exec 2501 -- systemctl status besu-rpc"
```
---
## Related Documentation
- [CLOUDFLARE_DNS_SPECIFIC_SERVICES.md](cloudflare/CLOUDFLARE_DNS_SPECIFIC_SERVICES.md) - General DNS configuration
- [NGINX_ARCHITECTURE_RPC.md](../05-network/NGINX_ARCHITECTURE_RPC.md) - Nginx architecture details
- [CLOUDFLARE_NGINX_INTEGRATION.md](../05-network/CLOUDFLARE_NGINX_INTEGRATION.md) - Cloudflare + Nginx integration
---
## Quick Reference
**DNS Records to Create:**
**d-bis.org domain:**
```
rpc-http-prv.d-bis.org → A → 192.168.11.211 (Permissioned, JWT auth required)
rpc-ws-prv.d-bis.org → A → 192.168.11.211 (Permissioned, JWT auth required)
rpc-http-pub.d-bis.org → A → 192.168.11.221 (Public, no auth)
rpc-ws-pub.d-bis.org → A → 192.168.11.221 (Public, no auth)
```
**defi-oracle.io domain (ThirdWeb RPC - Cloudflare Tunnel):**
```
rpc.public-0138.defi-oracle.io → CNAME → 26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com (Tunnel endpoint)
rpc.defi-oracle.io → CNAME → rpc.public-0138.defi-oracle.io (Short alias)
```
**defi-oracle.io domain (DNS-only + NPMplus):**
```
rpc.defi-oracle.io → A → 76.53.10.36 (HTTP RPC; NPMplus → 192.168.11.240:443)
wss.defi-oracle.io → A → 76.53.10.36 (WebSocket RPC; NPMplus → 192.168.11.240:443)
```
**Endpoints:**
**d-bis.org domain:**
- `https://rpc-http-prv.d-bis.org` → Permissioned HTTP RPC (port 443 → 8545, JWT auth required)
- `wss://rpc-ws-prv.d-bis.org` → Permissioned WebSocket RPC (port 443 → 8546, JWT auth required)
- `https://rpc-http-pub.d-bis.org` → Public HTTP RPC (port 443 → 8545, no auth)
- `wss://rpc-ws-pub.d-bis.org` → Public WebSocket RPC (port 443 → 8546, no auth)
**defi-oracle.io domain (ThirdWeb RPC - Cloudflare Tunnel):**
- `https://rpc.public-0138.defi-oracle.io` → ThirdWeb HTTP RPC (Cloudflare Tunnel → port 443 → 8545, no auth)
- `wss://rpc.public-0138.defi-oracle.io` → ThirdWeb WebSocket RPC (Cloudflare Tunnel → port 443 → 8546, no auth)
- `https://rpc.defi-oracle.io` → Defi Oracle HTTP RPC (A 76.53.10.36 → NPMplus → 8545, or CNAME to tunnel; no auth)
- `wss://wss.defi-oracle.io` → Defi Oracle WebSocket RPC (A 76.53.10.36 → NPMplus → 8546, no auth)