proxmox/docs/04-configuration/DNS_NPMPLUS_VM_STREAMLINED_TABLE.md
defiQUG 4f383490a3 docs(A): sync high-value runbooks for The Order (10210 HAProxy)
- SANKOFA_CUTOVER_PLAN: live backends table, fix TBDs, historical step labels
- SANKOFA_THE_ORDER_CHECKLIST: replace with done + bypass + pointers
- DNS comprehensive + streamlined tables: the-order row and sankofa zone live
- E2E Cloudflare runbook: the-order backend column

Made-with: Cursor
2026-03-27 15:24:54 -07:00


# DNS → NPMplus → VM Streamlined Architecture Table
**Last Updated:** 2026-03-27
**Document Version:** 1.1
**Status:** Active Documentation
---
**Date**: 2026-01-20
**Status**: Complete Streamlined Architecture Reference
**Purpose**: Cohesive DNS, SSL, and traffic routing table for all services
**Current topology:** ER605 was replaced by the UDM Pro (76.53.10.34). Proxmox hosts: 192.168.11.10 (ml110), 192.168.11.11 (r630-01), 192.168.11.12 (r630-02). NPMplus LXC (VMID 10233) has 192.168.11.166 (eth0) and 192.168.11.167 (eth1); **only 192.168.11.167** is used in UDM Pro port forwarding: 76.53.10.36:80 → 192.168.11.167:80, 76.53.10.36:443 → 192.168.11.167:443.
---
## Architecture Flow
```
Internet
   ↓
Cloudflare DNS (All domains → 76.53.10.36)
   ↓
UDM Pro Port Forwarding (76.53.10.36:80/443 → 192.168.11.167:80/443)
   ↓
NPMplus (VMID 10233: 192.168.11.167) - SSL Termination & Routing
   ↓
Backend VMs (Various IPs) - Services with/without Nginx
```
---
## Complete Service Mapping (Streamlined)
### d-bis.org Zone (9 Domains)
| Domain | SSL Cert | NPMplus Proxy | Backend VM | IP | Port | Has Nginx | Service Type |
|--------|----------|---------------|------------|----|----|-----------|--------------|
| `explorer.d-bis.org` | 49 | 8 | 5000 (blockscout-1) | 192.168.11.140 | 4000 | ✅ Yes | Blockscout Explorer |
| `rpc-http-pub.d-bis.org` | 53 | 10 | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8545 | ❌ No | Besu RPC HTTP |
| `rpc-ws-pub.d-bis.org` | 55 | 11 | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8546 | ❌ No | Besu RPC WebSocket |
| `rpc.d-bis.org` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8545 | ❌ No | Primary RPC HTTP (same as rpc-http-pub) |
| `rpc2.d-bis.org` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8545 | ❌ No | Secondary RPC HTTP (same as rpc-http-pub) |
| `ws.rpc.d-bis.org` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8546 | ❌ No | Primary RPC WebSocket (same as rpc-ws-pub) |
| `ws.rpc2.d-bis.org` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8546 | ❌ No | Secondary RPC WebSocket (same as rpc-ws-pub) |
| `rpc-http-prv.d-bis.org` | 52 | 12 | 2101 (besu-rpc-core-1) | 192.168.11.211 | 8545 | ❌ No | Besu RPC HTTP (Private) |
| `rpc-ws-prv.d-bis.org` | 54 | 13 | 2101 (besu-rpc-core-1) | 192.168.11.211 | 8546 | ❌ No | Besu RPC WebSocket (Private) |
| `dbis-admin.d-bis.org` | 46 | 14 | 10130 (dbis-frontend) | 192.168.11.130 | 80 | ✅ Yes | DBIS Admin Frontend |
| `dbis-api.d-bis.org` | 48 | 15 | 10150 (dbis-api-primary) | 192.168.11.155 | 3000 | ❌ No | DBIS API Primary |
| `dbis-api-2.d-bis.org` | 47 | 16 | 10151 (dbis-api-secondary) | 192.168.11.156 | 3000 | ❌ No | DBIS API Secondary |
| `secure.d-bis.org` | 58 | 17 | 10130 (dbis-frontend) | 192.168.11.130 | 80 | ✅ Yes | DBIS Secure Portal |
### mim4u.org Zone (4 Domains)
| Domain | SSL Cert | NPMplus Proxy | Backend VM | IP | Port | Has Nginx | Service Type |
|--------|----------|---------------|------------|----|----|-----------|--------------|
| `mim4u.org` | 50 | 17 | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Main Site |
| `www.mim4u.org` | 50 | 17 (same) | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Main Site |
| `secure.mim4u.org` | 59 | 19 | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Secure Portal |
| `training.mim4u.org` | 61 | 20 | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Training Portal |
### sankofa.nexus Zone (live backends)
| Domain | SSL Cert (example ID) | NPMplus Proxy (example ID) | Backend VM | IP | Port | Has Nginx | Service Type | Status |
|--------|-----------------------|----------------------------|------------|----|------|-----------|--------------|--------|
| `sankofa.nexus` | 57 | 21 | 7801 | 192.168.11.51 | 3000 | ❌ No | Sankofa portal | ✅ Live |
| `www.sankofa.nexus` | 64 | 22 | 7801 | 192.168.11.51 | 3000 | ❌ No | Sankofa portal (301 apex) | ✅ Live |
| `phoenix.sankofa.nexus` | 51 | 23 | 7800 | 192.168.11.50 | 4000 | ❌ No | Phoenix API | ✅ Live |
| `www.phoenix.sankofa.nexus` | 63 | 24 | 7800 | 192.168.11.50 | 4000 | ❌ No | Phoenix API (301 apex) | ✅ Live |
| `the-order.sankofa.nexus` | 60 | 25 | 10210 | 192.168.11.39 | 80 | ❌ No | Order via HAProxy→portal | ✅ Live |
**Note:** SSL cert and NPM proxy **IDs** differ per installation; verify them in the NPM UI. The **IPs/ports** above are authoritative: 192.168.11.140 (Blockscout) serves only `explorer.d-bis.org`. See [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md).
### defi-oracle.io Zone (3 Domains)
| Domain | SSL Cert | NPMplus Proxy | Backend VM | IP | Port | Has Nginx | Service Type |
|--------|----------|---------------|------------|----|----|-----------|--------------|
| `rpc.public-0138.defi-oracle.io` | 56 | 26 | 2400 (thirdweb-rpc-1) | 192.168.11.240 | 443 | ✅ Yes | ThirdWeb RPC (HTTPS) |
| `rpc.defi-oracle.io` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8545 | ✅ Yes | Defi Oracle HTTP RPC (same as rpc-http-pub) |
| `wss.defi-oracle.io` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8546 | ✅ Yes | Defi Oracle WebSocket RPC (same as rpc-ws-pub) |
---
## DNS Configuration Summary
### Cloudflare DNS Records
| Zone | Records | Type | Target | Proxy Status | SSL Termination |
|------|---------|------|--------|--------------|-----------------|
| d-bis.org | 13 | A | 76.53.10.36 | DNS Only (Gray) | NPMplus (Let's Encrypt) |
| mim4u.org | 4 | A | 76.53.10.36 | DNS Only (Gray) | NPMplus (Let's Encrypt) |
| sankofa.nexus | 5 | A | 76.53.10.36 | DNS Only (Gray) | NPMplus (Let's Encrypt) |
| defi-oracle.io | 3 | A | 76.53.10.36 | DNS Only (Gray) | NPMplus (Let's Encrypt) |
| **TOTAL** | **25** | **A** | **76.53.10.36** | **DNS Only** | **NPMplus** |
**Note**: All DNS records use "DNS Only" mode (gray cloud), so traffic bypasses the Cloudflare proxy. SSL termination is handled by NPMplus using Let's Encrypt certificates; the current certificates expire 2026-04-16 and auto-renewal is enabled.
---
## Port Forwarding Configuration
### UDM Pro Port Forwarding Rules
| Public IP:Port | Internal IP:Port | Protocol | Service | Status |
|----------------|------------------|----------|---------|--------|
| 76.53.10.36:443 | 192.168.11.167:443 | TCP | NPMplus HTTPS | ✅ Active |
| 76.53.10.36:80 | 192.168.11.167:80 | TCP | NPMplus HTTP | ✅ Active |
**Router**: UDM Pro
**Forwarding Type**: Port forwarding configured in UDM Pro firewall rules
---
## NPMplus Configuration
### NPMplus Container Details
| Property | Value |
|----------|-------|
| **VMID** | 10233 |
| **Host** | r630-01 (192.168.11.11) |
| **Internal IP (eth0)** | 192.168.11.166 |
| **Internal IP (eth1)** | 192.168.11.167 |
| **NPMplus (canonical)** | 192.168.11.167 |
| **Management UI** | `https://192.168.11.167:81` |
| **Public IP** | 76.53.10.36 |
| **Public Ports** | 80 (HTTP), 443 (HTTPS) |
| **Status** | ✅ Running |
### SSL Certificates (19 Active)
| Cert ID | Domain(s) | Provider | Expires | Auto-Renewal |
|---------|-----------|----------|---------|--------------|
| 46 | `dbis-admin.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 47 | `dbis-api-2.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 48 | `dbis-api.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 49 | `explorer.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 50 | `mim4u.org`, `www.mim4u.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 51 | `phoenix.sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ |
| 52 | `rpc-http-prv.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 53 | `rpc-http-pub.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 54 | `rpc-ws-prv.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 55 | `rpc-ws-pub.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 56 | `rpc.public-0138.defi-oracle.io` | Let's Encrypt | 2026-04-16 | ✅ |
| 57 | `sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ |
| 58 | `secure.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 59 | `secure.mim4u.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 60 | `the-order.sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ |
| 61 | `training.mim4u.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 62 | `www.mim4u.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 63 | `www.phoenix.sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ |
| 64 | `www.sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ |
**Total**: 19 SSL certificates, all valid until 2026-04-16 with auto-renewal enabled.
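Because the service-mapping tables and the certificate table are maintained by hand, the mismatches that matter (a cert ID that does not cover its domain, a proxy-host ID assigned to two domains, a domain still on "Request") are easy to miss. The following Python script is an added example, not part of the runbook: it parses rows in exactly the markdown table format used above (the embedded rows are a constructed subset of the real tables) and reports such findings.

```python
# Added example (not the runbook's own tooling): audit the tables above for consistency.
from collections import defaultdict

# Constructed sample rows in the page's table format (a subset of the real tables).
SERVICE_TABLE = """
| `mim4u.org` | 50 | 17 | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Main Site |
| `secure.d-bis.org` | 58 | 17 | 10130 (dbis-frontend) | 192.168.11.130 | 80 | ✅ Yes | DBIS Secure Portal |
| `rpc.d-bis.org` | Request | — | 2201 (besu-rpc-public-1) | 192.168.11.221 | 8545 | ❌ No | Primary RPC HTTP |
| `dbis-api.d-bis.org` | 48 | 15 | 10150 (dbis-api-primary) | 192.168.11.155 | 3000 | ❌ No | DBIS API Primary |
"""
CERT_TABLE = """
| 48 | `dbis-api.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 50 | `mim4u.org`, `www.mim4u.org` | Let's Encrypt | 2026-04-16 | ✅ |
| 58 | `secure.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ |
"""

def cells(line):
    """Split one markdown table row into stripped cells with backticks removed."""
    return [c.strip().strip("`") for c in line.strip().strip("|").split("|")]

def parse_services(text):
    """{domain: (cert_id, proxy_id, backend_ip, port)}; a cell like "17 (same)" keeps only the ID."""
    rows = [cells(row) for row in text.splitlines() if row.startswith("|")]
    return {r[0]: (r[1], r[2].split()[0], r[4], r[5]) for r in rows}

def parse_certs(text):
    """{cert_id: {domains}} from the SSL certificates table."""
    rows = [cells(row) for row in text.splitlines() if row.startswith("|")]
    return {r[0]: {d.strip().strip("`") for d in r[1].split(",")} for r in rows}

def audit(services, certs):
    """Return sorted findings; an empty list means the tables agree."""
    findings, by_proxy = [], defaultdict(list)
    for domain, (cert, proxy, _ip, _port) in services.items():
        if cert == "Request":
            findings.append(f"{domain}: no certificate issued yet (cert=Request)")
        elif domain not in certs.get(cert, set()):
            findings.append(f"{domain}: cert {cert} does not list this domain")
        if proxy.isdigit():  # a dash cell means no proxy host has been created yet
            by_proxy[proxy].append(domain)
    for proxy, domains in by_proxy.items():
        if len(domains) > 1:
            findings.append(f"proxy host {proxy} reused by {', '.join(sorted(domains))}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(parse_services(SERVICE_TABLE), parse_certs(CERT_TABLE)):
        print(finding)
```

Run it against the full tables by pasting their rows into the two strings; a clean run prints nothing.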
---
## Backend VM Configuration
### VMs with Nginx Web Server (4 VMs)
| VMID | IP | Hostname | Host | Status | Nginx Config | Purpose | Domains |
|------|----|----------|------|--------|--------------|---------|---------|
| 5000 | 192.168.11.140 | blockscout-1 | r630-02 | ✅ Running | `/etc/nginx/sites-available/blockscout` | Blockscout Explorer | `explorer.d-bis.org` |
| 7810 | 192.168.11.37 | mim-web-1 | r630-02 | ✅ Running | `/etc/nginx/sites-available/mim4u` | MIM4U Web App | `mim4u.org`, `www.mim4u.org`, `secure.mim4u.org`, `training.mim4u.org` |
| 10130 | 192.168.11.130 | dbis-frontend | r630-01 | ✅ Running | TBD | DBIS Admin Frontend | `dbis-admin.d-bis.org`, `secure.d-bis.org` |
| 2201 | 192.168.11.221 | besu-rpc-public-1 | r630-02 | ✅ Running | 8545/8546 | Besu RPC | `rpc-http-pub.d-bis.org`, `rpc-ws-pub.d-bis.org`, `rpc.d-bis.org`, `rpc2.d-bis.org`, `ws.rpc.d-bis.org`, `ws.rpc2.d-bis.org`, `rpc.defi-oracle.io`, `wss.defi-oracle.io` |
| 2400 | 192.168.11.240 | thirdweb-rpc-1 | ml110 | ✅ Running | TBD | ThirdWeb RPC (HTTPS) | `rpc.public-0138.defi-oracle.io` |
### VMs without Nginx (Direct Service Access) (4 VMs)
| VMID | IP | Hostname | Host | Status | Service | Port | Protocol | Domains |
|------|----|----------|------|--------|---------|------|----------|---------|
| 2101 | 192.168.11.211 | besu-rpc-core-1 | ml110 | ✅ Running | Besu RPC | 8545/8546 | HTTP/WS | `rpc-http-prv.d-bis.org`, `rpc-ws-prv.d-bis.org` |
| 2201 | 192.168.11.221 | besu-rpc-public-1 | r630-02 | ✅ Running | Besu RPC | 8545/8546 | HTTP/WS | `rpc-http-pub.d-bis.org`, `rpc-ws-pub.d-bis.org`, `rpc.d-bis.org`, `rpc2.d-bis.org`, `ws.rpc.d-bis.org`, `ws.rpc2.d-bis.org`, `rpc.defi-oracle.io`, `wss.defi-oracle.io` |
| 10150 | 192.168.11.155 | dbis-api-primary | r630-01 | ✅ Running | Node.js API | 3000 | HTTP | `dbis-api.d-bis.org` |
| 10151 | 192.168.11.156 | dbis-api-secondary | r630-01 | ✅ Running | Node.js API | 3000 | HTTP | `dbis-api-2.d-bis.org` |
---
## Traffic Flow Examples
### Example 1: Web Application (MIM4U)
```
User: https://mim4u.org
↓ DNS: mim4u.org → 76.53.10.36
↓ Port Forward: 76.53.10.36:443 → 192.168.11.167:443
↓ NPMplus (192.168.11.167:443):
│ ├─ SSL Termination (Cert ID: 50)
│ ├─ Proxy Host ID: 17
│ └─ Proxy Pass: http://192.168.11.37:80
↓ nginx on VMID 7810 (192.168.11.37:80):
│ └─ Serve: /var/www/html
↓ Response: HTTPS → User
```
### Example 2: API Service (DBIS)
```
User: https://dbis-api.d-bis.org
↓ DNS: dbis-api.d-bis.org → 76.53.10.36
↓ Port Forward: 76.53.10.36:443 → 192.168.11.167:443
↓ NPMplus (192.168.11.167:443):
│ ├─ SSL Termination (Cert ID: 48)
│ ├─ Proxy Host ID: 15
│ └─ Proxy Pass: http://192.168.11.155:3000
↓ Node.js API on VMID 10150 (192.168.11.155:3000):
│ └─ Process Request
↓ Response: HTTPS → User
```
### Example 3: RPC Endpoint (ThirdWeb)
```
User: https://rpc.public-0138.defi-oracle.io
↓ DNS: rpc.public-0138.defi-oracle.io → 76.53.10.36
↓ Port Forward: 76.53.10.36:443 → 192.168.11.167:443
↓ NPMplus (192.168.11.167:443):
│ ├─ SSL Termination (Cert ID: 56)
│ ├─ Proxy Host ID: 26
│ └─ Proxy Pass: https://192.168.11.240:443
↓ nginx on VMID 2400 (192.168.11.240:443):
│ ├─ SSL Termination (Internal)
│ └─ Backend: Besu RPC + Translator
↓ Response: HTTPS → User
```
### Example 4: RPC Service (Direct Besu)
```
User: https://rpc-http-pub.d-bis.org
↓ DNS: rpc-http-pub.d-bis.org → 76.53.10.36
↓ Port Forward: 76.53.10.36:443 → 192.168.11.167:443
↓ NPMplus (192.168.11.167:443):
│ ├─ SSL Termination (Cert ID: 53)
│ ├─ Proxy Host ID: 10
│ └─ Proxy Pass: http://192.168.11.221:8545
↓ Besu RPC on VMID 2201 (192.168.11.221:8545):
│ └─ Process JSON-RPC Request
↓ Response: HTTPS → User
```
---
## Service Summary Statistics
### By Service Type
| Service Type | Count | Domains | VMs with Nginx | VMs Direct Access |
|--------------|-------|---------|----------------|-------------------|
| Web Applications | 5 | 9 | 3 | 0 |
| API Services | 2 | 2 | 0 | 2 |
| RPC Services | 5 | 5 | 1 | 4 |
| Blockchain Explorer | 1 | 1 | 1 | 0 |
| **TOTAL** | **13** | **17** | **5** | **6** |
**Note**: Sankofa domains (5) are not included in totals as services are not deployed.
### By Zone
| Zone | Domains | SSL Certs | Active Services | Issues |
|------|---------|-----------|-----------------|--------|
| d-bis.org | 9 | 9 | 9 | None |
| mim4u.org | 4 | 4 | 4 | None |
| sankofa.nexus | 5 | 5 | 0 | ⚠️ Services not deployed |
| defi-oracle.io | 1 | 1 | 1 | None |
| **TOTAL** | **19** | **19** | **14** | **5 issues** |
---
## Issues and Action Items
### ⚠️ Critical Issues
1. **Sankofa Nexus Services NOT Deployed**
- All 5 Sankofa domains currently route to Blockscout (192.168.11.140)
- Sankofa services need to be deployed before these domains can work correctly
- **Action Required**: Deploy Sankofa services and update NPMplus routing
### 📋 Recommended Improvements
1. **Documentation**
- ⚠️ Document nginx config file paths for VMID 10130 and 2400
- ⚠️ Document custom nginx configurations for all VMs with nginx
2. **Monitoring**
- Set up certificate expiration alerts (all certs expire 2026-04-16)
- Monitor backend VM health
- Track DNS resolution status
3. **Security**
- ✅ All SSL certificates auto-renewing
- ✅ HSTS enabled on all domains
- ✅ Security headers configured
---
## Quick Reference Commands
### Test DNS Resolution
```bash
dig +short mim4u.org
dig +short explorer.d-bis.org
dig +short rpc-http-pub.d-bis.org
```
### Test SSL Certificates
```bash
curl -vI https://mim4u.org 2>&1 | grep -E "(certificate|SSL|TLS)"
curl -vI https://explorer.d-bis.org 2>&1 | grep -E "(certificate|SSL|TLS)"
```
### Test Backend Services
```bash
# Test Blockscout
curl -I http://192.168.11.140:80
# Test MIM4U
curl -I http://192.168.11.37:80
# Test DBIS API
curl -I http://192.168.11.155:3000
# Test RPC
curl -X POST http://192.168.11.221:8545 \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```
### Check NPMplus Status
```bash
# From Proxmox host
ssh root@192.168.11.11 "pct exec 10233 -- docker ps --filter 'name=npmplus'"
# Check NPMplus logs
ssh root@192.168.11.11 "pct exec 10233 -- docker logs npmplus --tail 50"
```
### Check VM Status
```bash
# Check specific VM
ssh root@192.168.11.12 "pct status 7810"
# Check nginx status on VM
ssh root@192.168.11.12 "pct exec 7810 -- systemctl status nginx"
```
---
## Related Documentation
- **Comprehensive Architecture**: `docs/04-configuration/DNS_NPMPLUS_VM_COMPREHENSIVE_ARCHITECTURE.md`
- **VMID Endpoints**: `docs/04-configuration/ALL_VMIDS_ENDPOINTS.md`
- **NPMplus Setup**: `docs/04-configuration/NPMPLUS_COMPLETE_SETUP_SUMMARY.md`
- **NPMplus Service Mapping**: `docs/04-configuration/NPMPLUS_SERVICE_MAPPING_COMPLETE.md`
- **MIM4U DNS Config**: `reports/VMID_7810_DNS_NPMPLUS_CONFIGURATION.md`
- **Cloudflare DNS**: `docs/04-configuration/cloudflare/CLOUDFLARE_DNS_SPECIFIC_SERVICES.md`
---
**Last Updated**: 2026-01-20
**Maintained By**: Infrastructure Team
**Status**: ✅ Complete Streamlined Architecture Reference