proxmox/docs/04-configuration/DNS_NPMPLUS_VM_STREAMLINED_TABLE.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


# DNS → NPMplus → VM Streamlined Architecture Table
**Last Updated:** 2026-01-31
**Document Version:** 1.0
**Status:** Active Documentation

---

**Date**: 2026-01-20
**Status**: Complete Streamlined Architecture Reference
**Purpose**: Cohesive DNS, SSL, and traffic routing table for all services

**Current topology:** ER605 was replaced by the UDM Pro (76.53.10.34). Proxmox hosts: 192.168.11.10 (ml110), 192.168.11.11 (r630-01), 192.168.11.12 (r630-02). NPMplus LXC (VMID 10233) has 192.168.11.166 (eth0) and 192.168.11.167 (eth1); **only 192.168.11.167** is used in UDM Pro port forwarding: 76.53.10.36:80 → 192.168.11.167:80, 76.53.10.36:443 → 192.168.11.167:443.

---

## Architecture Flow
```
Internet
    ↓
Cloudflare DNS (All domains → 76.53.10.36)
    ↓
UDM Pro Port Forwarding (76.53.10.36:80/443 → 192.168.11.167:80/443)
    ↓
NPMplus (VMID 10233: 192.168.11.167) - SSL Termination & Routing
    ↓
Backend VMs (Various IPs) - Services with/without Nginx
```
---
## Complete Service Mapping (Streamlined)
### d-bis.org Zone (9 Domains)
| Domain | SSL Cert | NPMplus Proxy | Backend VM | IP | Port | Has Nginx | Service Type |
|--------|----------|---------------|------------|----|----|-----------|--------------|
| `explorer.d-bis.org` | 49 | 8 | 5000 (blockscout-1) | 192.168.11.140 | 4000 | ✅ Yes | Blockscout Explorer |
| `rpc-http-pub.d-bis.org` | 53 | 10 | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8545 | ❌ No | Besu RPC HTTP |
| `rpc-ws-pub.d-bis.org` | 55 | 11 | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8546 | ❌ No | Besu RPC WebSocket |
| `rpc.d-bis.org` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8545 | ❌ No | Primary RPC HTTP (same as rpc-http-pub) |
| `rpc2.d-bis.org` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8545 | ❌ No | Secondary RPC HTTP (same as rpc-http-pub) |
| `ws.rpc.d-bis.org` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8546 | ❌ No | Primary RPC WebSocket (same as rpc-ws-pub) |
| `ws.rpc2.d-bis.org` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8546 | ❌ No | Secondary RPC WebSocket (same as rpc-ws-pub) |
| `rpc-http-prv.d-bis.org` | 52 | 12 | 2101 (besu-rpc-core-1) | 192.168.11.211 | 8545 | ❌ No | Besu RPC HTTP (Private) |
| `rpc-ws-prv.d-bis.org` | 54 | 13 | 2101 (besu-rpc-core-1) | 192.168.11.211 | 8546 | ❌ No | Besu RPC WebSocket (Private) |
| `dbis-admin.d-bis.org` | 46 | 14 | 10130 (dbis-frontend) | 192.168.11.130 | 80 | ✅ Yes | DBIS Admin Frontend |
| `dbis-api.d-bis.org` | 48 | 15 | 10150 (dbis-api-primary) | 192.168.11.155 | 3000 | ❌ No | DBIS API Primary |
| `dbis-api-2.d-bis.org` | 47 | 16 | 10151 (dbis-api-secondary) | 192.168.11.156 | 3000 | ❌ No | DBIS API Secondary |
| `secure.d-bis.org` | 58 | 17 | 10130 (dbis-frontend) | 192.168.11.130 | 80 | ✅ Yes | DBIS Secure Portal |
### mim4u.org Zone (4 Domains)
| Domain | SSL Cert | NPMplus Proxy | Backend VM | IP | Port | Has Nginx | Service Type |
|--------|----------|---------------|------------|----|----|-----------|--------------|
| `mim4u.org` | 50 | 17 | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Main Site |
| `www.mim4u.org` | 50 | 17 (same) | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Main Site |
| `secure.mim4u.org` | 59 | 19 | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Secure Portal |
| `training.mim4u.org` | 61 | 20 | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Training Portal |
### sankofa.nexus Zone (5 Domains) ⚠️
| Domain | SSL Cert | NPMplus Proxy | Backend VM | IP | Port | Has Nginx | Service Type | Status |
|--------|----------|---------------|------------|----|----|-----------|--------------|--------|
| `sankofa.nexus` | 57 | 21 | ⚠️ TBD | 192.168.11.140 ⚠️ | 80 ⚠️ | ⚠️ TBD | Sankofa Main Portal | ⚠️ Not Deployed |
| `www.sankofa.nexus` | 64 | 22 | ⚠️ TBD | 192.168.11.140 ⚠️ | 80 ⚠️ | ⚠️ TBD | Sankofa Main Portal | ⚠️ Not Deployed |
| `phoenix.sankofa.nexus` | 51 | 23 | ⚠️ TBD | 192.168.11.140 ⚠️ | 80 ⚠️ | ⚠️ TBD | Phoenix Site | ⚠️ Not Deployed |
| `www.phoenix.sankofa.nexus` | 63 | 24 | ⚠️ TBD | 192.168.11.140 ⚠️ | 80 ⚠️ | ⚠️ TBD | Phoenix Site | ⚠️ Not Deployed |
| `the-order.sankofa.nexus` | 60 | 25 | ⚠️ TBD | 192.168.11.140 ⚠️ | 80 ⚠️ | ⚠️ TBD | The Order Portal | ⚠️ Not Deployed |

**⚠️ Note**: All Sankofa domains currently route to Blockscout (192.168.11.140), but the Sankofa services are NOT deployed. This routing is incorrect and must be corrected once the services are deployed.

### defi-oracle.io Zone (3 Domains)
| Domain | SSL Cert | NPMplus Proxy | Backend VM | IP | Port | Has Nginx | Service Type |
|--------|----------|---------------|------------|----|----|-----------|--------------|
| `rpc.public-0138.defi-oracle.io` | 56 | 26 | 2400 (thirdweb-rpc-1) | 192.168.11.240 | 443 | ✅ Yes | ThirdWeb RPC (HTTPS) |
| `rpc.defi-oracle.io` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8545 | ✅ Yes | Defi Oracle HTTP RPC (same as rpc-http-pub) |
| `wss.defi-oracle.io` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8546 | ✅ Yes | Defi Oracle WebSocket RPC (same as rpc-ws-pub) |
---
## DNS Configuration Summary
### Cloudflare DNS Records
| Zone | Records | Type | Target | Proxy Status | SSL Termination |
|------|---------|------|--------|--------------|-----------------|
| d-bis.org | 13 | A | 76.53.10.36 | DNS Only (Gray) | NPMplus (Let's Encrypt) |
| mim4u.org | 4 | A | 76.53.10.36 | DNS Only (Gray) | NPMplus (Let's Encrypt) |
| sankofa.nexus | 5 | A | 76.53.10.36 | DNS Only (Gray) | NPMplus (Let's Encrypt) |
| defi-oracle.io | 3 | A | 76.53.10.36 | DNS Only (Gray) | NPMplus (Let's Encrypt) |
| **TOTAL** | **25** | **A** | **76.53.10.36** | **DNS Only** | **NPMplus** |

**Note**: All DNS records use "DNS Only" mode (gray cloud), which bypasses the Cloudflare proxy. SSL termination is handled by NPMplus using Let's Encrypt certificates (valid until 2026-04-16, with auto-renewal enabled).

---

## Port Forwarding Configuration
### UDM Pro Port Forwarding Rules
| Public IP:Port | Internal IP:Port | Protocol | Service | Status |
|----------------|------------------|----------|---------|--------|
| 76.53.10.36:443 | 192.168.11.167:443 | TCP | NPMplus HTTPS | ✅ Active |
| 76.53.10.36:80 | 192.168.11.167:80 | TCP | NPMplus HTTP | ✅ Active |

**Router**: UDM Pro
**Forwarding Type**: Port forwarding configured in UDM Pro firewall rules

---

## NPMplus Configuration
### NPMplus Container Details
| Property | Value |
|----------|-------|
| **VMID** | 10233 |
| **Host** | r630-01 (192.168.11.11) |
| **Internal IP (eth0)** | 192.168.11.166 |
| **Internal IP (eth1)** | 192.168.11.167 |
| **NPMplus (canonical)** | 192.168.11.167 |
| **Management UI** | `https://192.168.11.167:81` |
| **Public IP** | 76.53.10.36 |
| **Public Ports** | 80 (HTTP), 443 (HTTPS) |
| **Status** | ✅ Running |
### SSL Certificates (19 Active)
| Cert ID | Domain(s) | Provider | Expires | Auto-Renewal |
|---------|-----------|----------|---------|--------------|
| 46 | `dbis-admin.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 47 | `dbis-api-2.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 48 | `dbis-api.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 49 | `explorer.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 50 | `mim4u.org`, `www.mim4u.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 51 | `phoenix.sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ |
| 52 | `rpc-http-prv.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 53 | `rpc-http-pub.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 54 | `rpc-ws-prv.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 55 | `rpc-ws-pub.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 56 | `rpc.public-0138.defi-oracle.io` | Let's Encrypt | 2026-04-16 | ✅ |
| 57 | `sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ |
| 58 | `secure.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 59 | `secure.mim4u.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 60 | `the-order.sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ |
| 61 | `training.mim4u.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 62 | `www.mim4u.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 63 | `www.phoenix.sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ |
| 64 | `www.sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ |

**Total**: 19 SSL certificates, all valid until 2026-04-16 with auto-renewal enabled.

---

## Backend VM Configuration
### VMs with Nginx Web Server (4 VMs)
| VMID | IP | Hostname | Host | Status | Nginx Config | Purpose | Domains |
|------|----|----------|------|--------|--------------|---------|---------|
| 5000 | 192.168.11.140 | blockscout-1 | r630-02 | ✅ Running | `/etc/nginx/sites-available/blockscout` | Blockscout Explorer | `explorer.d-bis.org` |
| 7810 | 192.168.11.37 | mim-web-1 | r630-02 | ✅ Running | `/etc/nginx/sites-available/mim4u` | MIM4U Web App | `mim4u.org`, `www.mim4u.org`, `secure.mim4u.org`, `training.mim4u.org` |
| 10130 | 192.168.11.130 | dbis-frontend | r630-01 | ✅ Running | TBD | DBIS Admin Frontend | `dbis-admin.d-bis.org`, `secure.d-bis.org` |
| 2201 | 192.168.11.221 | besu-rpc-public-1 | r630-02 | ✅ Running | 8545/8546 | Besu RPC | `rpc-http-pub.d-bis.org`, `rpc-ws-pub.d-bis.org`, `rpc.d-bis.org`, `rpc2.d-bis.org`, `ws.rpc.d-bis.org`, `ws.rpc2.d-bis.org`, `rpc.defi-oracle.io`, `wss.defi-oracle.io` |
| 2400 | 192.168.11.240 | thirdweb-rpc-1 | ml110 | ✅ Running | TBD | ThirdWeb RPC (HTTPS) | `rpc.public-0138.defi-oracle.io` |
### VMs without Nginx (Direct Service Access) (4 VMs)
| VMID | IP | Hostname | Host | Status | Service | Port | Protocol | Domains |
|------|----|----------|------|--------|---------|------|----------|---------|
| 2101 | 192.168.11.211 | besu-rpc-core-1 | ml110 | ✅ Running | Besu RPC | 8545/8546 | HTTP/WS | `rpc-http-prv.d-bis.org`, `rpc-ws-prv.d-bis.org` |
| 2201 | 192.168.11.221 | besu-rpc-public-1 | r630-02 | ✅ Running | Besu RPC | 8545/8546 | HTTP/WS | `rpc-http-pub.d-bis.org`, `rpc-ws-pub.d-bis.org`, `rpc.d-bis.org`, `rpc2.d-bis.org`, `ws.rpc.d-bis.org`, `ws.rpc2.d-bis.org`, `rpc.defi-oracle.io`, `wss.defi-oracle.io` |
| 10150 | 192.168.11.155 | dbis-api-primary | r630-01 | ✅ Running | Node.js API | 3000 | HTTP | `dbis-api.d-bis.org` |
| 10151 | 192.168.11.156 | dbis-api-secondary | r630-01 | ✅ Running | Node.js API | 3000 | HTTP | `dbis-api-2.d-bis.org` |
---
## Traffic Flow Examples
### Example 1: Web Application (MIM4U)
```
User: https://mim4u.org
↓ DNS: mim4u.org → 76.53.10.36
↓ Port Forward: 76.53.10.36:443 → 192.168.11.167:443
↓ NPMplus (192.168.11.167:443):
│ ├─ SSL Termination (Cert ID: 50)
│ ├─ Proxy Host ID: 17
│ └─ Proxy Pass: http://192.168.11.37:80
↓ nginx on VMID 7810 (192.168.11.37:80):
│ └─ Serve: /var/www/html
↓ Response: HTTPS → User
```
### Example 2: API Service (DBIS)
```
User: https://dbis-api.d-bis.org
↓ DNS: dbis-api.d-bis.org → 76.53.10.36
↓ Port Forward: 76.53.10.36:443 → 192.168.11.167:443
↓ NPMplus (192.168.11.167:443):
│ ├─ SSL Termination (Cert ID: 48)
│ ├─ Proxy Host ID: 15
│ └─ Proxy Pass: http://192.168.11.155:3000
↓ Node.js API on VMID 10150 (192.168.11.155:3000):
│ └─ Process Request
↓ Response: HTTPS → User
```
### Example 3: RPC Endpoint (ThirdWeb)
```
User: https://rpc.public-0138.defi-oracle.io
↓ DNS: rpc.public-0138.defi-oracle.io → 76.53.10.36
↓ Port Forward: 76.53.10.36:443 → 192.168.11.167:443
↓ NPMplus (192.168.11.167:443):
│ ├─ SSL Termination (Cert ID: 56)
│ ├─ Proxy Host ID: 26
│ └─ Proxy Pass: https://192.168.11.240:443
↓ nginx on VMID 2400 (192.168.11.240:443):
│ ├─ SSL Termination (Internal)
│ └─ Backend: Besu RPC + Translator
↓ Response: HTTPS → User
```
### Example 4: RPC Service (Direct Besu)
```
User: https://rpc-http-pub.d-bis.org
↓ DNS: rpc-http-pub.d-bis.org → 76.53.10.36
↓ Port Forward: 76.53.10.36:443 → 192.168.11.167:443
↓ NPMplus (192.168.11.167:443):
│ ├─ SSL Termination (Cert ID: 53)
│ ├─ Proxy Host ID: 10
│ └─ Proxy Pass: http://192.168.11.221:8545
↓ Besu RPC on VMID 2201 (192.168.11.221:8545):
│ └─ Process JSON-RPC Request
↓ Response: HTTPS → User
```
---
## Service Summary Statistics
### By Service Type
| Service Type | Count | Domains | VMs with Nginx | VMs Direct Access |
|--------------|-------|---------|----------------|-------------------|
| Web Applications | 5 | 9 | 3 | 0 |
| API Services | 2 | 2 | 0 | 2 |
| RPC Services | 5 | 5 | 1 | 4 |
| Blockchain Explorer | 1 | 1 | 1 | 0 |
| **TOTAL** | **13** | **17** | **5** | **6** |

**Note**: Sankofa domains (5) are not included in totals as services are not deployed.

### By Zone
| Zone | Domains | SSL Certs | Active Services | Issues |
|------|---------|-----------|-----------------|--------|
| d-bis.org | 9 | 9 | 9 | None |
| mim4u.org | 4 | 4 | 4 | None |
| sankofa.nexus | 5 | 5 | 0 | ⚠️ Services not deployed |
| defi-oracle.io | 1 | 1 | 1 | None |
| **TOTAL** | **19** | **19** | **14** | **5 issues** |
---
## Issues and Action Items
### ⚠️ Critical Issues
1. **Sankofa Nexus Services NOT Deployed**
   - All 5 Sankofa domains currently route to Blockscout (192.168.11.140)
   - Sankofa services need to be deployed before these domains can work correctly
   - **Action Required**: Deploy Sankofa services and update NPMplus routing

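The routing problems visible in the mapping tables can be caught mechanically. The following is an added example, not part of the original document or the project's tooling: it parses mapping-table rows and flags a proxy host ID listed with more than one upstream, a "TBD" backend whose IP belongs to a deployed service, and a hostname that has no proxy host or certificate yet. The rule names and function names are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample: six rows copied from the mapping tables on this page.
SAMPLE = """\
| `explorer.d-bis.org` | 49 | 8 | 5000 (blockscout-1) | 192.168.11.140 | 4000 | ✅ Yes | Blockscout Explorer |
| `secure.d-bis.org` | 58 | 17 | 10130 (dbis-frontend) | 192.168.11.130 | 80 | ✅ Yes | DBIS Secure Portal |
| `mim4u.org` | 50 | 17 | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Main Site |
| `www.mim4u.org` | 50 | 17 (same) | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Main Site |
| `sankofa.nexus` | 57 | 21 | ⚠️ TBD | 192.168.11.140 ⚠️ | 80 ⚠️ | ⚠️ TBD | Sankofa Main Portal | ⚠️ Not Deployed |
| `rpc.d-bis.org` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8545 | ❌ No | Primary RPC HTTP (same as rpc-http-pub) |
"""

def parse_routes(markdown):
    """Read Domain..Port (first six columns) of each data row; skip header/separator rows."""
    routes = []
    for line in markdown.splitlines():
        cells = [c.strip(" \u26a0\ufe0f") for c in line.strip().strip("|").split("|")]
        if len(cells) < 6 or cells[0] == "Domain" or set(cells[0]) <= set("-:"):
            continue
        domain, cert, proxy, backend, ip, port = cells[:6]
        routes.append({
            "domain": domain.strip("`"),
            "cert": cert if cert.isdigit() else None,                    # "Request" -> None
            "proxy": proxy.split()[0] if proxy[:1].isdigit() else None,  # "17 (same)" -> "17"
            "backend": None if backend == "TBD" else backend,
            "ip": ip, "upstream": f"{ip}:{port}",
        })
    return routes

def lint(routes):
    """Return (rule, subject, detail) findings for routing entries that need review."""
    findings, by_proxy, owner = [], defaultdict(set), {}
    for r in routes:
        if r["proxy"]:
            by_proxy[r["proxy"]].add(r["upstream"])
        if r["backend"]:
            owner.setdefault(r["ip"], r["backend"])   # IP -> service deployed there
    for proxy, upstreams in sorted(by_proxy.items()):
        if len(upstreams) > 1:                        # one proxy host ID, several upstreams
            findings.append(("proxy-id-reuse", proxy, sorted(upstreams)))
    for r in routes:
        if r["backend"] is None and r["ip"] in owner: # placeholder lands on a live service
            findings.append(("placeholder-route", r["domain"], owner[r["ip"]]))
        if r["proxy"] is None or r["cert"] is None:   # DNS record exists, no proxy host/cert
            findings.append(("no-proxy-host", r["domain"], r["upstream"]))
    return findings

if __name__ == "__main__":
    print(*lint(parse_routes(SAMPLE)), sep="\n")
```
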
### 📋 Recommended Improvements
1. **Documentation**
   - ⚠️ Document nginx config file paths for VMID 10130 and 2400
   - ⚠️ Document custom nginx configurations for all VMs with nginx
2. **Monitoring**
   - Set up certificate expiration alerts (all certs expire 2026-04-16)
   - Monitor backend VM health
   - Track DNS resolution status
3. **Security**
   - ✅ All SSL certificates auto-renewing
   - ✅ HSTS enabled on all domains
   - ✅ Security headers configured

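One way to implement the certificate expiration alert recommended above, as an added example that is not part of the original document: it connects to NPMplus by IP with each hostname as SNI, then reports whether the served certificate covers that hostname and how many days remain. The 30-day threshold and the function names are assumptions; the test data used to exercise `evaluate` offline is constructed.

```python
import socket
import ssl

NPMPLUS_IP = "192.168.11.167"  # NPMplus address from this page
WARN_DAYS = 30                 # assumption: alert threshold, tune to your renewal window

def fetch_cert(hostname, ip=NPMPLUS_IP, port=443, timeout=5):
    """TLS-connect to NPMplus by IP, sending `hostname` as SNI; return the peer cert dict."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name coverage is reported by evaluate() instead
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def covers(pattern, hostname):
    """Match a SAN entry against a hostname; '*' stands for exactly one leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    return all(a == b or (i == 0 and a == "*") for i, (a, b) in enumerate(zip(p, h)))

def evaluate(cert, hostname, now_epoch):
    """Classify a getpeercert()-style dict as mismatch / expired / expiring / ok."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_epoch) // 86400)
    if not any(covers(s, hostname) for s in sans):
        return ("mismatch", days_left)   # e.g. a default certificate served for this name
    if days_left < 0:
        return ("expired", days_left)
    return ("expiring" if days_left <= WARN_DAYS else "ok", days_left)

if __name__ == "__main__":
    import time
    for host in ("mim4u.org", "explorer.d-bis.org", "rpc-http-pub.d-bis.org"):
        try:
            print(host, *evaluate(fetch_cert(host), host, time.time()))
        except (OSError, ssl.SSLError) as exc:  # unreachable, expired or untrusted chain
            print(host, "error", exc)
```
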
---
## Quick Reference Commands
### Test DNS Resolution
```bash
# Each name should return 76.53.10.36 (records are DNS Only, so no Cloudflare proxy address)
dig +short mim4u.org
dig +short explorer.d-bis.org
dig +short rpc-http-pub.d-bis.org
```
### Test SSL Certificates
```bash
curl -vI https://mim4u.org 2>&1 | grep -E "(certificate|SSL|TLS)"
curl -vI https://explorer.d-bis.org 2>&1 | grep -E "(certificate|SSL|TLS)"
```
### Test Backend Services
```bash
# Test Blockscout
curl -I http://192.168.11.140:80
# Test MIM4U
curl -I http://192.168.11.37:80
# Test DBIS API
curl -I http://192.168.11.155:3000
# Test RPC
curl -X POST http://192.168.11.221:8545 \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```
### Check NPMplus Status
```bash
# From Proxmox host
ssh root@192.168.11.11 "pct exec 10233 -- docker ps --filter 'name=npmplus'"
# Check NPMplus logs
ssh root@192.168.11.11 "pct exec 10233 -- docker logs npmplus --tail 50"
```
### Check VM Status
```bash
# Check specific VM
ssh root@192.168.11.12 "pct status 7810"
# Check nginx status on VM
ssh root@192.168.11.12 "pct exec 7810 -- systemctl status nginx"
```
---
## Related Documentation
- **Comprehensive Architecture**: `docs/04-configuration/DNS_NPMPLUS_VM_COMPREHENSIVE_ARCHITECTURE.md`
- **VMID Endpoints**: `docs/04-configuration/ALL_VMIDS_ENDPOINTS.md`
- **NPMplus Setup**: `docs/04-configuration/NPMPLUS_COMPLETE_SETUP_SUMMARY.md`
- **NPMplus Service Mapping**: `docs/04-configuration/NPMPLUS_SERVICE_MAPPING_COMPLETE.md`
- **MIM4U DNS Config**: `reports/VMID_7810_DNS_NPMPLUS_CONFIGURATION.md`
- **Cloudflare DNS**: `docs/04-configuration/cloudflare/CLOUDFLARE_DNS_SPECIFIC_SERVICES.md`
---
**Last Updated**: 2026-01-20
**Maintained By**: Infrastructure Team
**Status**: ✅ Complete Streamlined Architecture Reference