299 lines
8.1 KiB
Markdown
# DNS Conflict Resolution Plan

## Critical Issue Summary

**Problem**: 9 hostnames are CNAMEd to the same Cloudflare tunnel (`10ab22da-8ea3-4e2e-a896-27ece2211a05`), but the tunnel has no ingress rules for them and no running connector. Many hostnames on one tunnel is a supported pattern; the failure is that nothing on the connector side routes those hostnames to an origin.

**Impact**: Services failing (Cloudflare answers with HTTP 530, error 1033, while no connector is registered for the tunnel), routing conflicts, difficult troubleshooting.
## Root Cause Analysis

### DNS Zone File Shows:

```
9 hostnames → 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com
```

### Current Tunnel Status

- **Tunnel ID**: `10ab22da-8ea3-4e2e-a896-27ece2211a05`
- **Status**: ⚠️ DOWN (no connector registered; needs configuration)
- **Location**: Should be in VMID 102 on r630-02 (Proxmox host `192.168.11.12`)
- **Target**: Should route to central Nginx at `192.168.11.21:80`
### Affected Services

All nine hostnames terminate on the same origin; Nginx selects the backend by `Host` header, so every hostname needs a matching `server_name` there (Step 5).

| Hostname | Service | Expected Target |
|----------|---------|-----------------|
| `dbis-admin.d-bis.org` | Admin UI | `http://192.168.11.21:80` |
| `dbis-api.d-bis.org` | API v1 | `http://192.168.11.21:80` |
| `dbis-api-2.d-bis.org` | API v2 | `http://192.168.11.21:80` |
| `mim4u.org.d-bis.org` | MIM4U Site | `http://192.168.11.21:80` |
| `www.mim4u.org.d-bis.org` | MIM4U WWW | `http://192.168.11.21:80` |
| `rpc-http-prv.d-bis.org` | Private HTTP RPC | `http://192.168.11.21:80` |
| `rpc-http-pub.d-bis.org` | Public HTTP RPC | `http://192.168.11.21:80` |
| `rpc-ws-prv.d-bis.org` | Private WS RPC | `http://192.168.11.21:80` |
| `rpc-ws-pub.d-bis.org` | Public WS RPC | `http://192.168.11.21:80` |
## Resolution Steps

### Step 1: Verify Tunnel Configuration Location

```bash
# Check whether anything under /etc/cloudflared in VMID 102 references the tunnel.
# The credentials file is only named after the tunnel ID if it was created with
# the default name, so search file contents rather than file names.
ssh root@192.168.11.12 "pct exec 102 -- grep -rl 10ab22da /etc/cloudflared/"

# Confirm the tunnel exists and whether any connector is registered for it
# (needs the account cert.pem that `cloudflared tunnel login` creates)
ssh root@192.168.11.12 "pct exec 102 -- cloudflared tunnel info 10ab22da-8ea3-4e2e-a896-27ece2211a05"
```
### Step 2: Create/Update Tunnel Configuration

The tunnel needs a complete ingress configuration file. cloudflared evaluates `ingress` rules top to bottom and uses the first match, and it refuses to start unless the last rule is a catch-all with no `hostname`. The `credentials-file` is the tunnel's secret: keep it mode `0600`, owned by the user cloudflared runs as. `httpHostHeader` is spelled out per rule for clarity; cloudflared forwards the incoming `Host` by default, so the values below only make the intent explicit.

**File**: `/etc/cloudflared/tunnel-services.yml` (in VMID 102)

```yaml
tunnel: 10ab22da-8ea3-4e2e-a896-27ece2211a05
credentials-file: /etc/cloudflared/credentials-services.json

ingress:
  # Admin Interface
  - hostname: dbis-admin.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: dbis-admin.d-bis.org

  # API Endpoints
  - hostname: dbis-api.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: dbis-api.d-bis.org

  - hostname: dbis-api-2.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: dbis-api-2.d-bis.org

  # MIM4U Services
  - hostname: mim4u.org.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: mim4u.org.d-bis.org

  - hostname: www.mim4u.org.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: www.mim4u.org.d-bis.org

  # RPC Endpoints - HTTP
  - hostname: rpc-http-prv.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: rpc-http-prv.d-bis.org

  - hostname: rpc-http-pub.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: rpc-http-pub.d-bis.org

  # RPC Endpoints - WebSocket (cloudflared proxies the upgrade itself; Nginx must forward it, see Step 5)
  - hostname: rpc-ws-prv.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: rpc-ws-prv.d-bis.org

  - hostname: rpc-ws-pub.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: rpc-ws-pub.d-bis.org

  # Catch-all (MUST be last; cloudflared rejects a config without it)
  - service: http_status:404

# Metrics (loopback only; also serves /ready for health checks)
metrics: 127.0.0.1:9090

# Logging
loglevel: info

# Grace period for in-flight requests on shutdown.
# Config keys are the flag names, so this is `grace-period`, not `gracePeriod` (which cloudflared ignores).
grace-period: 30s
```
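The ingress file above is nine near-identical rules, which is exactly the kind of file that drifts from the DNS zone over time. The following is an added example, not part of the original plan: it derives the hostname list from a Cloudflare zone export, renders the same `tunnel-services.yml`, checks the two invariants cloudflared enforces (catch-all last, no dead rules) and emulates first-match routing so you can see what a misordered catch-all does. The `ZONE_EXPORT` text is constructed for the example, and the export format (owner, TTL, class, type, target, as Cloudflare's DNS Export produces) is assumed.

```python
"""Build and sanity-check the tunnel ingress from a Cloudflare zone export.

Added example, not part of the original plan. Assumptions: the export is in
the BIND-style format Cloudflare's DNS "Export" produces (owner, TTL, class,
type, target) and the ZONE_EXPORT text below is constructed, not real data.
"""
import re
from typing import Optional

TUNNEL_ID = "10ab22da-8ea3-4e2e-a896-27ece2211a05"
ORIGIN = "http://192.168.11.21:80"
CREDENTIALS = "/etc/cloudflared/credentials-services.json"

# Constructed sample. TTL 1 is Cloudflare's encoding of "Auto" (what every
# proxied record shows); the last record is unrelated and must be ignored.
ZONE_EXPORT = """\
dbis-admin.d-bis.org.\t1\tIN\tCNAME\t10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com.
dbis-api.d-bis.org.\t1\tIN\tCNAME\t10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com.
rpc-ws-pub.d-bis.org.\t1\tIN\tCNAME\t10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com.
mail.d-bis.org.\t300\tIN\tCNAME\tmail.example.net.
"""

CNAME_RE = re.compile(r"^(\S+)\.\s+(\d+)\s+IN\s+CNAME\s+(\S+)\.$")


def tunnel_hostnames(zone_text: str, tunnel_id: str) -> list[str]:
    """Hostnames whose CNAME target is this tunnel, in zone-file order."""
    target = f"{tunnel_id}.cfargotunnel.com"
    hosts = []
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if m and m.group(3).lower() == target:
            hosts.append(m.group(1).lower())
    return hosts


def build_ingress(hosts: list[str], origin: str) -> list[dict]:
    """One rule per hostname, then the catch-all cloudflared requires last."""
    rules = [{"hostname": h, "service": origin, "originRequest": {"httpHostHeader": h}}
             for h in hosts]
    rules.append({"service": "http_status:404"})
    return rules


def validate_ingress(rules: list[dict]) -> list[str]:
    """Problems cloudflared or a reviewer would reject; an empty list means OK."""
    problems = []
    if not rules or "hostname" in rules[-1]:
        problems.append("last rule must be a catch-all with no hostname")
    seen = set()
    for i, r in enumerate(rules):
        host = r.get("hostname")
        if "service" not in r:
            problems.append(f"rule {i}: no service")
        if host is None and i != len(rules) - 1:
            problems.append(f"rule {i}: catch-all before the end shadows every later rule")
        if host in seen:
            problems.append(f"rule {i}: duplicate hostname {host} is dead (first match wins)")
        if host is not None:
            seen.add(host)
    return problems


def match_ingress(rules: list[dict], hostname: str) -> Optional[str]:
    """First-match routing as cloudflared does it (exact and *.domain only here)."""
    for r in rules:
        pat = r.get("hostname")
        if pat is None or pat == hostname:
            return r["service"]
        if pat.startswith("*.") and hostname.endswith(pat[1:]):
            return r["service"]
    return None


def to_yaml(tunnel_id: str, credentials_file: str, rules: list[dict]) -> str:
    """Render tunnel-services.yml; top-level keys use cloudflared's flag names."""
    out = [f"tunnel: {tunnel_id}", f"credentials-file: {credentials_file}", "", "ingress:"]
    for r in rules:
        if "hostname" in r:
            out += [f"  - hostname: {r['hostname']}", f"    service: {r['service']}"]
            hh = r.get("originRequest", {}).get("httpHostHeader")
            if hh:
                out += ["    originRequest:", f"      httpHostHeader: {hh}"]
        else:
            out.append(f"  - service: {r['service']}")
    out += ["", "metrics: 127.0.0.1:9090", "loglevel: info", "grace-period: 30s"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hosts = tunnel_hostnames(ZONE_EXPORT, TUNNEL_ID)
    rules = build_ingress(hosts, ORIGIN)
    print(to_yaml(TUNNEL_ID, CREDENTIALS, rules))
    print("problems:", validate_ingress(rules) or "none")
    print("mail.d-bis.org ->", match_ingress(rules, "mail.d-bis.org"))
```

Run it against a real export and diff the rendered YAML against the file in VMID 102: any hostname the zone sends to the tunnel that has no rule falls through to `http_status:404`, which is the symptom this plan is chasing.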
### Step 3: Create Systemd Service

This matches the unit that `cloudflared service install` generates (`Type=notify`, no start timeout, restart on failure). `--no-autoupdate` keeps the binary under your own update process instead of letting the connector replace itself. If you later add `User=` to run cloudflared unprivileged, the credentials file and config must be readable by that user.

**File**: `/etc/systemd/system/cloudflared-services.service`

```ini
[Unit]
Description=Cloudflare Tunnel for Services (RPC, API, Admin, MIM4U)
After=network-online.target
Wants=network-online.target

[Service]
TimeoutStartSec=0
Type=notify
ExecStart=/usr/local/bin/cloudflared --no-autoupdate --config /etc/cloudflared/tunnel-services.yml tunnel run
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
```
### Step 4: Verify the DNS Records Are Proxied

The TTL of **1** on these CNAMEs is not a misconfiguration: in Cloudflare's API and zone export, TTL `1` means **Auto**, and every proxied (orange-cloud) record reports it. Records that point at `<tunnel-id>.cfargotunnel.com` must be proxied, because that name only resolves inside Cloudflare's edge; a DNS-only (grey-cloud) record would hand clients an unresolvable CNAME. So do not try to set a numeric TTL on these records; check the proxy status instead.

In Cloudflare Dashboard:
1. Go to **DNS** → **Records**
2. For each CNAME record pointing to the tunnel, confirm **Proxy status** is **Proxied** and leave TTL at **Auto**
3. Save any record you changed

**Affected Records**:
- All 9 CNAME records pointing to `10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com`
### Step 5: Verify Nginx Configuration

Ensure Nginx on `192.168.11.21:80` has server blocks for all hostnames. Three things matter behind a tunnel. A hostname without a `server_name` lands on Nginx's default server, so a missing block shows the wrong site rather than an error. The TCP peer Nginx sees is the cloudflared container, not the visitor, so the client address must come from the `CF-Connecting-IP` header Cloudflare adds (`$remote_addr` is useless for logging or rate limiting here). And the WebSocket hostnames (`rpc-ws-*`) need the `Upgrade`/`Connection` headers forwarded over HTTP/1.1, or the handshake fails at the origin.

Also note that `192.168.11.21:80` stays reachable from the LAN directly; if any of these hostnames rely on Cloudflare Access or WAF rules, restrict the listener to the cloudflared container's address with `allow`/`deny` or a host firewall rule, otherwise those controls can be bypassed from inside.

```nginx
# HTTP server block; $remote_addr is the cloudflared container, the visitor IP is in CF-Connecting-IP
server {
    listen 80;
    server_name dbis-admin.d-bis.org;
    location / {
        proxy_pass http://<backend>;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $http_cf_connecting_ip;
    }
}
# WebSocket server block (rpc-ws-* hostnames): the Upgrade handshake must be forwarded over HTTP/1.1
server {
    listen 80;
    server_name rpc-ws-pub.d-bis.org;
    location / {
        proxy_pass http://<ws-backend>;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $http_cf_connecting_ip;
    }
}
```
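Checking nine hostnames against a central Nginx config by eye is error-prone, and the failure mode is silent (the hostname is served by whichever block is `default_server`). The following is an added example, not part of the original plan or the project's tooling: it pulls every `server_name` out of an Nginx config, resolves each tunnel hostname the way Nginx does (exact name before `*.` wildcard; `_` never matches), and reports hostnames with no block plus WebSocket hostnames whose block does not forward `Upgrade`. `NGINX_CONF` is a constructed sample with those defects planted; the parser assumes flat `server` blocks with at most one level of nested braces.

```python
"""Cross-check tunnel hostnames against the server_name directives in an
Nginx config before the tunnel goes live.

Added example, not part of the original plan. NGINX_CONF is a constructed
sample; the parser handles flat server blocks with one level of nested
braces (location blocks), which is enough for configs shaped like Step 5.
"""
import re

TUNNEL_HOSTNAMES = [
    "dbis-admin.d-bis.org", "dbis-api.d-bis.org", "dbis-api-2.d-bis.org",
    "mim4u.org.d-bis.org", "www.mim4u.org.d-bis.org",
    "rpc-http-prv.d-bis.org", "rpc-http-pub.d-bis.org",
    "rpc-ws-prv.d-bis.org", "rpc-ws-pub.d-bis.org",
]

# Constructed sample with two planted defects: dbis-api-2 has no block, so it
# would land on the default server, and the WebSocket hosts' block does not
# forward the Upgrade header.
NGINX_CONF = """
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
server {
    listen 80;
    server_name dbis-admin.d-bis.org dbis-api.d-bis.org;
    location / { proxy_pass http://10.0.0.5:8080; proxy_set_header Host $host; }
}
server {
    listen 80;
    server_name mim4u.org.d-bis.org *.mim4u.org.d-bis.org;
    location / { proxy_pass http://10.0.0.6:8080; proxy_set_header Host $host; }
}
server {
    listen 80;
    server_name rpc-http-prv.d-bis.org rpc-http-pub.d-bis.org rpc-ws-prv.d-bis.org rpc-ws-pub.d-bis.org;
    location / { proxy_pass http://10.0.0.7:8545; proxy_http_version 1.1; }
}
"""

SERVER_RE = re.compile(r"\bserver\s*\{((?:[^{}]|\{[^{}]*\})*)\}")
NAME_RE = re.compile(r"\bserver_name\s+([^;]+);")


def server_blocks(conf: str) -> list[str]:
    """Bodies of every top-level server { ... } block, in file order."""
    return [m.group(1) for m in SERVER_RE.finditer(conf)]


def server_names(block: str) -> list[str]:
    """All names listed by server_name directives in one block."""
    names = []
    for m in NAME_RE.finditer(block):
        names += m.group(1).split()
    return names


def find_block(blocks, host):
    """Nginx picks an exact server_name before a *.wildcard; '_' never matches,
    it only labels the default server that unmatched hosts fall into."""
    host = host.lower()
    for b in blocks:
        if host in (n.lower() for n in server_names(b)):
            return b
    for b in blocks:
        if any(n.startswith("*.") and host.endswith(n[1:]) for n in server_names(b)):
            return b
    return None


def audit_nginx(conf: str, hostnames: list[str]) -> dict:
    """Hostnames with no server block, and WebSocket hostnames whose block
    never references $http_upgrade (so the handshake cannot be forwarded)."""
    blocks = server_blocks(conf)
    report = {"unmatched": [], "websocket_without_upgrade": []}
    for host in hostnames:
        block = find_block(blocks, host)
        if block is None:
            report["unmatched"].append(host)
        elif "rpc-ws" in host and "$http_upgrade" not in block:
            report["websocket_without_upgrade"].append(host)
    return report


if __name__ == "__main__":
    for key, hosts in audit_nginx(NGINX_CONF, TUNNEL_HOSTNAMES).items():
        print(f"{key}: {hosts or 'none'}")
```

Feed it the output of `nginx -T` from `192.168.11.21` (which prints the fully included configuration) rather than a single file, so blocks defined under `sites-enabled/` are not missed.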
## Automated Fix Script

Create a script to deploy the fix. It renders both files locally, copies them into the container with `pct push` (no nested heredoc quoting through `ssh` and `bash -c`), validates the ingress rules inside the container, and only then enables the service:

```bash
#!/usr/bin/env bash
# fix-shared-tunnel.sh
#
# Renders tunnel-services.yml and the systemd unit locally, copies them into
# VMID 102 through the Proxmox host with `pct push`, validates the ingress
# rules inside the container, and only then enables the service.
set -euo pipefail

PROXMOX_HOST="192.168.11.12"
VMID="102"
TUNNEL_ID="10ab22da-8ea3-4e2e-a896-27ece2211a05"
ORIGIN="http://192.168.11.21:80"
CREDENTIALS="/etc/cloudflared/credentials-services.json"
HOSTNAMES=(
  dbis-admin.d-bis.org
  dbis-api.d-bis.org
  dbis-api-2.d-bis.org
  mim4u.org.d-bis.org
  www.mim4u.org.d-bis.org
  rpc-http-prv.d-bis.org
  rpc-http-pub.d-bis.org
  rpc-ws-prv.d-bis.org
  rpc-ws-pub.d-bis.org
)

WORK="$(mktemp -d)"
trap 'rm -rf "${WORK}"' EXIT

echo "Fixing shared tunnel configuration..."

# 1. Render the config: one rule per hostname, catch-all last
{
  printf 'tunnel: %s\ncredentials-file: %s\n\ningress:\n' "${TUNNEL_ID}" "${CREDENTIALS}"
  for h in "${HOSTNAMES[@]}"; do
    printf '  - hostname: %s\n    service: %s\n    originRequest:\n      httpHostHeader: %s\n' \
      "${h}" "${ORIGIN}" "${h}"
  done
  printf '  - service: http_status:404\n\nmetrics: 127.0.0.1:9090\nloglevel: info\ngrace-period: 30s\n'
} > "${WORK}/tunnel-services.yml"

# 2. Render the systemd unit (quoted heredoc: nothing inside is expanded)
cat > "${WORK}/cloudflared-services.service" <<'EOF'
[Unit]
Description=Cloudflare Tunnel for Services
After=network-online.target
Wants=network-online.target

[Service]
TimeoutStartSec=0
Type=notify
ExecStart=/usr/local/bin/cloudflared --no-autoupdate --config /etc/cloudflared/tunnel-services.yml tunnel run
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
EOF

# 3. Copy both files to the Proxmox host, then into the container.
#    The config names the credentials file, so keep it root-only like the credentials.
scp "${WORK}/tunnel-services.yml" "${WORK}/cloudflared-services.service" "root@${PROXMOX_HOST}:/tmp/"
ssh "root@${PROXMOX_HOST}" "
  set -e
  pct push ${VMID} /tmp/tunnel-services.yml /etc/cloudflared/tunnel-services.yml --perms 0600
  pct push ${VMID} /tmp/cloudflared-services.service /etc/systemd/system/cloudflared-services.service --perms 0644
  rm -f /tmp/tunnel-services.yml /tmp/cloudflared-services.service
"

# 4. Refuse to start a tunnel whose credentials are missing or whose ingress
#    rules cloudflared would reject at startup
ssh "root@${PROXMOX_HOST}" "pct exec ${VMID} -- bash -c '
  set -e
  test -s ${CREDENTIALS} || { echo \"missing ${CREDENTIALS}\" >&2; exit 1; }
  cloudflared tunnel --config /etc/cloudflared/tunnel-services.yml ingress validate
'"

# 5. Reload systemd, enable and start the service
ssh "root@${PROXMOX_HOST}" "pct exec ${VMID} -- systemctl daemon-reload"
ssh "root@${PROXMOX_HOST}" "pct exec ${VMID} -- systemctl enable --now cloudflared-services.service"

# 6. Check status: the unit state, plus the connector's own readiness endpoint
ssh "root@${PROXMOX_HOST}" "pct exec ${VMID} -- systemctl --no-pager status cloudflared-services.service"
ssh "root@${PROXMOX_HOST}" "pct exec ${VMID} -- curl -fsS http://127.0.0.1:9090/ready" \
  || echo "WARNING: /ready not OK yet; check journalctl -u cloudflared-services in the container" >&2

echo "Done! Check tunnel status in Cloudflare dashboard."
```
## Testing

After applying the fix, first confirm locally which rule each hostname hits (this reads only the config file and needs no connector), then probe the public names:

```bash
# Which ingress rule would each hostname match? A hostname that reports
# http_status:404 has fallen through to the catch-all, i.e. it has no rule.
ssh root@192.168.11.12 "pct exec 102 -- bash -c '
  for h in dbis-admin dbis-api dbis-api-2 mim4u.org www.mim4u.org rpc-http-prv rpc-http-pub rpc-ws-prv rpc-ws-pub; do
    cloudflared tunnel --config /etc/cloudflared/tunnel-services.yml ingress rule https://\${h}.d-bis.org
  done
'"

# Probe each hostname through Cloudflare. 530 means no connector is registered
# for the tunnel; a 404 is either the catch-all (no rule) or the origin, and the
# `ingress rule` check above tells which. The rpc-ws-* hosts answer a plain HEAD
# with whatever the origin returns for a non-upgrade request, so only 530/404
# there points at the tunnel.
for host in dbis-admin dbis-api dbis-api-2 mim4u.org www.mim4u.org rpc-http-prv rpc-http-pub rpc-ws-prv rpc-ws-pub; do
  printf '%-28s ' "${host}.d-bis.org"
  curl -sS -o /dev/null -w '%{http_code}\n' -I "https://${host}.d-bis.org"
done
```
## Verification Checklist

- [ ] Tunnel configuration file created (`cloudflared tunnel ingress validate` passes)
- [ ] Credentials file present in VMID 102 and mode `0600`
- [ ] Systemd service created and enabled
- [ ] Tunnel service running and `/ready` on the metrics port returns 200
- [ ] All 9 hostnames accessible
- [ ] All 9 CNAME records proxied (TTL shows Auto)
- [ ] Nginx routing correctly (every hostname has a `server_name`; WebSocket hosts forward `Upgrade`)
- [ ] No 404 errors for valid hostnames
## Long-term Recommendations

1. **Separate Tunnels**: Consider splitting into separate tunnels, each with its own credentials file and connector, so that a compromised or misconfigured connector only affects its own group and the public RPC endpoints can be moved without touching the admin UI:
   - RPC tunnel (4 hostnames)
   - API tunnel (3 hostnames)
   - Web tunnel (2 hostnames)

2. **DNS hygiene**: Tunnel CNAMEs stay proxied with TTL Auto (exported as `1`); for DNS-only records use consistent TTL values (300 or 3600)

3. **Monitoring**: Set up alerts for tunnel health, e.g. on the connector's `/ready` endpoint (`127.0.0.1:9090/ready` with the config above) and on connector status in the Cloudflare dashboard

4. **Documentation**: Document all tunnel configurations (tunnel ID, host and VMID of the connector, config and credentials paths, hostnames served)
## Summary

**Issue**: 9 hostnames CNAMEd to one tunnel that has no ingress rules and no running connector

**Fix**: Create a complete ingress configuration covering all hostnames, run it as a systemd service in VMID 102, and confirm the DNS records are proxied

**Status**: ⚠️ Requires manual configuration

**Priority**: 🔴 HIGH - Services are likely failing