proxmox/docs/05-network/CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md
defiQUG 9c37af10c0 Complete optional next steps: fix references and consolidate duplicates
- Fixed 104 broken references in 59 files
- Consolidated 40+ duplicate status files
- Archived duplicates to reports/archive/duplicates/
- Created scripts for reference fixing and consolidation
- Updated content inconsistency reports

All optional cleanup tasks complete.
2026-01-06 02:25:38 -08:00


# Cloudflare Tunnel Routing Architecture
**Last Updated:** 2025-12-27

**Document Version:** 1.0

**Status:** Active Documentation
---
## Architecture Overview
```
Internet → Cloudflare → cloudflared (VMID 102) → Routing Decision
├─ HTTP RPC → Central Nginx (VMID 105) → RPC Nodes
└─ WebSocket RPC → Direct to RPC Nodes
```
---
## Routing Rules
### HTTP Endpoints (via Central Nginx)
All HTTP endpoints route through the central Nginx on VMID 105 (`192.168.11.21:80`):
| Domain | Cloudflare Tunnel → | Central Nginx → | Final Destination |
|--------|---------------------|-----------------|-------------------|
| `explorer.d-bis.org` | `http://192.168.11.21:80` | `http://192.168.11.140:80` | Blockscout |
| `rpc-http-pub.d-bis.org` | `http://192.168.11.21:80` | `https://192.168.11.252:443` | RPC Public (HTTP) |
| `rpc-http-prv.d-bis.org` | `http://192.168.11.21:80` | `https://192.168.11.251:443` | RPC Private (HTTP) |
| `dbis-admin.d-bis.org` | `http://192.168.11.21:80` | `http://192.168.11.130:80` | DBIS Frontend |
| `dbis-api.d-bis.org` | `http://192.168.11.21:80` | `http://192.168.11.150:3000` | DBIS API Primary |
| `dbis-api-2.d-bis.org` | `http://192.168.11.21:80` | `http://192.168.11.151:3000` | DBIS API Secondary |
| `mim4u.org` | `http://192.168.11.21:80` | `http://192.168.11.19:80` | Miracles In Motion |
| `www.mim4u.org` | `http://192.168.11.21:80` | `301 Redirect` → `mim4u.org` | Redirects to non-www |
### WebSocket Endpoints (Direct Routing)
WebSocket endpoints route **directly** to RPC nodes, bypassing the central Nginx:
| Domain | Cloudflare Tunnel → | Direct to RPC Node → | Final Destination |
|--------|---------------------|----------------------|-------------------|
| `rpc-ws-pub.d-bis.org` | `wss://192.168.11.252:443` | `wss://192.168.11.252:443` | `127.0.0.1:8546` (WebSocket) |
| `rpc-ws-prv.d-bis.org` | `wss://192.168.11.251:443` | `wss://192.168.11.251:443` | `127.0.0.1:8546` (WebSocket) |
**Why Direct Routing for WebSockets?**
- WebSocket connections require persistent connections and protocol upgrades
- Direct routing reduces latency and connection overhead
- RPC nodes handle WebSocket connections efficiently on their own Nginx instances
---
## Cloudflare Tunnel Configuration
### Tunnel: `rpc-http-pub.d-bis.org` (Tunnel ID: `10ab22da-8ea3-4e2e-a896-27ece2211a05`)
#### HTTP Endpoints (via Central Nginx)
```yaml
ingress:
  # Explorer
  - hostname: explorer.d-bis.org
    service: http://192.168.11.21:80
  # HTTP RPC Public
  - hostname: rpc-http-pub.d-bis.org
    service: http://192.168.11.21:80
  # HTTP RPC Private
  - hostname: rpc-http-prv.d-bis.org
    service: http://192.168.11.21:80
  # DBIS Services
  - hostname: dbis-admin.d-bis.org
    service: http://192.168.11.21:80
  - hostname: dbis-api.d-bis.org
    service: http://192.168.11.21:80
  - hostname: dbis-api-2.d-bis.org
    service: http://192.168.11.21:80
  # Miracles In Motion
  - hostname: mim4u.org
    service: http://192.168.11.21:80
  - hostname: www.mim4u.org
    service: http://192.168.11.21:80
```
#### WebSocket Endpoints (Direct Routing)
```yaml
  # (continuation of the same ingress list)
  # WebSocket RPC Public (direct to RPC node)
  - hostname: rpc-ws-pub.d-bis.org
    service: https://192.168.11.252:443
    originRequest:
      # noTLSVerify skips verification of the origin certificate; the hop is still TLS-encrypted
      noTLSVerify: true
      httpHostHeader: rpc-ws-pub.d-bis.org
  # WebSocket RPC Private (direct to RPC node)
  - hostname: rpc-ws-prv.d-bis.org
    service: https://192.168.11.251:443
    originRequest:
      noTLSVerify: true
      httpHostHeader: rpc-ws-prv.d-bis.org
  # Catch-all (must remain the last rule; cloudflared matches top-down)
  - service: http_status:404
```
---
## Complete Configuration Summary
### Cloudflare Dashboard Configuration
**For HTTP endpoints**, configure in Cloudflare dashboard:
- **Service Type**: HTTP
- **URL**: `192.168.11.21:80` (Central Nginx)
**For WebSocket endpoints**, configure in Cloudflare dashboard:
- **Service Type**: HTTPS
- **URL**:
  - `rpc-ws-pub.d-bis.org` → `192.168.11.252:443`
  - `rpc-ws-prv.d-bis.org` → `192.168.11.251:443`
- **Additional Options**:
- Enable "No TLS Verify"
- Set HTTP Host Header to match the hostname
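The two tables in "Routing Rules" and the tunnel YAML above encode one policy: HTTP hostnames go to the central Nginx, `rpc-ws-*` hostnames go straight to an RPC node, and only those direct routes carry `noTLSVerify`. The script below is an added example (not part of this document or the project's tooling) that checks an ingress list against that policy. It transcribes the page's rules into a Python list instead of parsing the YAML file, and it assumes the `rpc-ws-` prefix is what distinguishes a direct route; the central Nginx address and RPC node IPs are the document's own values.

```python
from urllib.parse import urlsplit

CENTRAL_NGINX = "http://192.168.11.21:80"            # VMID 105
RPC_NODE_IPS = {"192.168.11.252", "192.168.11.251"}  # VMID 2502 / VMID 2501

# Ingress rules transcribed from the tunnel YAML above (constructed input for this example).
INGRESS = [
    {"hostname": "explorer.d-bis.org", "service": CENTRAL_NGINX},
    {"hostname": "rpc-http-pub.d-bis.org", "service": CENTRAL_NGINX},
    {"hostname": "rpc-http-prv.d-bis.org", "service": CENTRAL_NGINX},
    {"hostname": "dbis-admin.d-bis.org", "service": CENTRAL_NGINX},
    {"hostname": "dbis-api.d-bis.org", "service": CENTRAL_NGINX},
    {"hostname": "dbis-api-2.d-bis.org", "service": CENTRAL_NGINX},
    {"hostname": "mim4u.org", "service": CENTRAL_NGINX},
    {"hostname": "www.mim4u.org", "service": CENTRAL_NGINX},
    {"hostname": "rpc-ws-pub.d-bis.org", "service": "https://192.168.11.252:443",
     "originRequest": {"noTLSVerify": True, "httpHostHeader": "rpc-ws-pub.d-bis.org"}},
    {"hostname": "rpc-ws-prv.d-bis.org", "service": "https://192.168.11.251:443",
     "originRequest": {"noTLSVerify": True, "httpHostHeader": "rpc-ws-prv.d-bis.org"}},
    {"service": "http_status:404"},
]


def route_kind(hostname):
    """Assumed convention: rpc-ws-* hosts are direct WebSocket routes, everything else goes via central Nginx."""
    return "ws" if hostname.startswith("rpc-ws-") else "http"


def check_ingress(rules):
    """Return policy findings; an empty list means the ingress matches the documented architecture."""
    findings = []
    seen = set()
    for i, rule in enumerate(rules):
        host = rule.get("hostname")
        service = rule.get("service")
        if not service:
            findings.append(f"rule {i}: no service")
            continue
        if host is None:
            # cloudflared evaluates rules top-down; the hostname-less catch-all has to be the last one
            if i != len(rules) - 1:
                findings.append(f"rule {i}: catch-all is not the last rule; rules after it are unreachable")
            continue
        if host in seen:
            findings.append(f"rule {i}: duplicate hostname {host}; first match wins, this rule is dead")
        seen.add(host)
        opts = rule.get("originRequest", {})
        if route_kind(host) == "http":
            if service != CENTRAL_NGINX:
                findings.append(f"rule {i}: {host} must route via central Nginx {CENTRAL_NGINX}, not {service}")
            if opts.get("noTLSVerify"):
                findings.append(f"rule {i}: {host} sets noTLSVerify but is not a direct RPC route")
        else:
            if urlsplit(service).hostname not in RPC_NODE_IPS:
                findings.append(f"rule {i}: {host} must route directly to an RPC node, not {service}")
            # Direct routes skip origin certificate checks, so the Host header must pin the intended vhost.
            if opts.get("httpHostHeader") != host:
                findings.append(f"rule {i}: {host} httpHostHeader must equal the hostname")
    if not rules or "hostname" in rules[-1]:
        findings.append("no catch-all rule at the end of the ingress list")
    return findings


def tls_verification_exceptions(rules):
    """Hostnames whose origin certificate is not verified (noTLSVerify); keep this list in the documentation."""
    return [r["hostname"] for r in rules
            if "hostname" in r and r.get("originRequest", {}).get("noTLSVerify")]


if __name__ == "__main__":
    for line in check_ingress(INGRESS) or ["ingress matches the documented routing policy"]:
        print(line)
    print("origins without TLS verification:", tls_verification_exceptions(INGRESS))
```

Run it after editing the tunnel configuration; a non-empty findings list means a hostname has drifted from the table above, a rule is shadowed, or the catch-all has moved. The `tls_verification_exceptions` output is the set of origins that `cloudflared` encrypts to but does not authenticate, which is why the `httpHostHeader` check is applied to exactly those routes.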
---
## Service Details
### RPC Nodes
**Public RPC (VMID 2502 - 192.168.11.252)**:
- HTTP RPC: `https://192.168.11.252:443` → `127.0.0.1:8545`
- WebSocket RPC: `wss://192.168.11.252:443` → `127.0.0.1:8546`

**Private RPC (VMID 2501 - 192.168.11.251)**:
- HTTP RPC: `https://192.168.11.251:443` → `127.0.0.1:8545`
- WebSocket RPC: `wss://192.168.11.251:443` → `127.0.0.1:8546`
### Central Nginx (VMID 105)
- **IP**: `192.168.11.21`
- **Port**: `80` (HTTP)
- **Configuration**: `/data/nginx/custom/http.conf`
- **Purpose**: Routes HTTP traffic to appropriate internal services
---
## Testing
### Test HTTP RPC (via Central Nginx)
```bash
# Public HTTP RPC
curl -X POST https://rpc-http-pub.d-bis.org \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
# Private HTTP RPC
curl -X POST https://rpc-http-prv.d-bis.org \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```
### Test WebSocket RPC (Direct)
```bash
# Public WebSocket RPC
wscat -c wss://rpc-ws-pub.d-bis.org
# Private WebSocket RPC
wscat -c wss://rpc-ws-prv.d-bis.org
```
### Test Explorer (via Central Nginx)
```bash
curl https://explorer.d-bis.org/api/v2/stats
```
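The `curl` checks above only show that something answered; a misrouted vhost in the central Nginx typically answers too, with an HTML error page or a JSON-RPC error rather than a chain id. The following added example (not from this document or the project) parses an `eth_chainId` reply strictly and compares the public and private HTTP RPC endpoints against each other. The endpoint URLs are the document's; the sample replies, including the `0x539` chain id, are constructed placeholders.

```python
import json
import urllib.request

HTTP_RPC_ENDPOINTS = ["https://rpc-http-pub.d-bis.org", "https://rpc-http-prv.d-bis.org"]


def chain_id_request(req_id=1):
    """Same JSON-RPC body the curl test sends."""
    return json.dumps({"jsonrpc": "2.0", "method": "eth_chainId", "params": [], "id": req_id})


def parse_chain_id(body, expected_id=1):
    """Return the chain id as an int, or raise ValueError saying why the reply is not a valid eth_chainId result."""
    try:
        msg = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not JSON (an HTML error page from Nginx or Cloudflare?): {exc}")
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        raise ValueError("not a JSON-RPC 2.0 envelope")
    if msg.get("id") != expected_id:
        raise ValueError(f"id mismatch: got {msg.get('id')!r}")
    if "error" in msg:
        err = msg["error"] or {}
        raise ValueError(f"node returned error {err.get('code')}: {err.get('message')}")
    result = msg.get("result")
    if not isinstance(result, str) or not result.startswith("0x"):
        raise ValueError(f"result is not a hex quantity: {result!r}")
    return int(result, 16)


def reply_problem(body, expected_id=1):
    """None when the reply is a valid chain id, otherwise the reason it was rejected."""
    try:
        parse_chain_id(body, expected_id)
    except ValueError as exc:
        return str(exc)
    return None


def all_same_chain(bodies):
    """True when every endpoint reports the same chain; a vhost routed to the wrong node shows up here."""
    return len({parse_chain_id(b) for b in bodies}) == 1


def probe(url, timeout=10):
    """POST the request over the public hostname, i.e. through Cloudflare and the central Nginx."""
    req = urllib.request.Request(url, data=chain_id_request().encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


# Constructed sample replies for the offline check (0x539 = 1337 is a placeholder chain id).
SAMPLE_OK = '{"jsonrpc":"2.0","id":1,"result":"0x539"}'
SAMPLE_ERR = '{"jsonrpc":"2.0","id":1,"error":{"code":-32601,"message":"method not found"}}'
SAMPLE_HTML = '<html><body>502 Bad Gateway</body></html>'

if __name__ == "__main__":
    replies = {}
    for url in HTTP_RPC_ENDPOINTS:
        try:
            replies[url] = probe(url)
            print(url, "chain id", parse_chain_id(replies[url]))
        except (OSError, ValueError) as exc:
            print(url, "FAILED:", exc)
    if len(replies) == len(HTTP_RPC_ENDPOINTS):
        print("public and private agree on chain id:", all_same_chain(replies.values()))
```

Only `probe` touches the network; `parse_chain_id` and `all_same_chain` can be exercised with the constructed samples, which is how the checks were validated here.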
---
## Benefits of This Architecture
1. **Centralized HTTP Management**: All HTTP traffic routes through central Nginx for easier management
2. **Optimized WebSocket Performance**: WebSocket connections route directly to RPC nodes, reducing latency
3. **Simplified Configuration**: Most services configured in one place (central Nginx)
4. **Flexible Routing**: Can easily add new HTTP services through central Nginx
5. **Direct WebSocket Support**: WebSocket connections maintain optimal performance with direct routing
---
## Maintenance
### Update HTTP Service Routing
Edit `/data/nginx/custom/http.conf` on VMID 105, then:
```bash
# Both commands must run inside container 105; with the && outside `pct exec`, the
# restart would run on the Proxmox host instead of in the container.
ssh root@192.168.11.12 "pct exec 105 -- sh -c 'nginx -t && systemctl restart npm'"
```
### Update WebSocket Routing
Update directly in Cloudflare dashboard (tunnel configuration) - no Nginx changes needed.
---
## Related Documentation
> **Master Reference:** For a consolidated view of all Cloudflare routing, see **[CLOUDFLARE_ROUTING_MASTER.md](CLOUDFLARE_ROUTING_MASTER.md)** ⭐⭐⭐.
### Setup Guides
- **[../04-configuration/cloudflare/CLOUDFLARE_ZERO_TRUST_GUIDE.md](../04-configuration/cloudflare/CLOUDFLARE_ZERO_TRUST_GUIDE.md)** ⭐⭐⭐ - Complete Cloudflare Zero Trust setup
- **[../04-configuration/cloudflare/CLOUDFLARE_TUNNEL_INSTALLATION.md](../04-configuration/cloudflare/CLOUDFLARE_TUNNEL_INSTALLATION.md)** ⭐⭐ - Tunnel installation procedures
- **[../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md](../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md)** ⭐⭐⭐ - DNS mapping to containers
### Architecture Documents
- **[CENTRAL_NGINX_ROUTING_SETUP.md](CENTRAL_NGINX_ROUTING_SETUP.md)** ⭐⭐⭐ - Central Nginx routing configuration
- **[CLOUDFLARE_NGINX_INTEGRATION.md](CLOUDFLARE_NGINX_INTEGRATION.md)** ⭐⭐ - Cloudflare + NGINX integration
- **[NGINX_ARCHITECTURE_RPC.md](NGINX_ARCHITECTURE_RPC.md)** ⭐⭐ - NGINX RPC architecture
### Domain and DNS
- **[../02-architecture/DOMAIN_STRUCTURE.md](../02-architecture/DOMAIN_STRUCTURE.md)** ⭐⭐ - Domain structure reference
- **[../04-configuration/RPC_DNS_CONFIGURATION.md](/docs/04-configuration/RPC_DNS_CONFIGURATION.md)** - RPC DNS configuration
- **[../04-configuration/cloudflare/CLOUDFLARE_DNS_SPECIFIC_SERVICES.md](../04-configuration/cloudflare/CLOUDFLARE_DNS_SPECIFIC_SERVICES.md)** ⭐⭐⭐ - Service-specific DNS configuration
---
**Last Updated:** 2025-12-27

**Document Version:** 1.0

**Review Cycle:** Quarterly