proxmox/docs/05-network/NGINX_SETUP_FINAL_SUMMARY.md
defiQUG 9c37af10c0 Complete optional next steps: fix references and consolidate duplicates
- Fixed 104 broken references in 59 files
- Consolidated 40+ duplicate status files
- Archived duplicates to reports/archive/duplicates/
- Created scripts for reference fixing and consolidation
- Updated content inconsistency reports

All optional cleanup tasks complete.
2026-01-06 02:25:38 -08:00


# Nginx Setup on VMID 2500 - Final Summary
**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Status:** Active Documentation

---
## ✅ Installation Complete
Nginx has been successfully installed, configured, and secured on VMID 2500 (besu-rpc-1).

---
## 📋 What Was Configured
### 1. Core Installation ✅
- ✅ Nginx installed
- ✅ OpenSSL installed
- ✅ SSL certificate generated (self-signed, 10-year validity)
- ✅ Service enabled and active
### 2. Reverse Proxy Configuration ✅
**Ports**:
- **80**: HTTP to HTTPS redirect
- **443**: HTTPS RPC API (proxies to Besu port 8545)
- **8443**: HTTPS WebSocket RPC (proxies to Besu port 8546)
- **8080**: Nginx status page (internal only)
**Server Names**:
- `besu-rpc-1`
- `192.168.11.250`
- `rpc-core.besu.local`
- `rpc-core.chainid138.local`
- `rpc-core-ws.besu.local` (WebSocket)
- `rpc-core-ws.chainid138.local` (WebSocket)
### 3. Security Features ✅
#### Rate Limiting
- **HTTP RPC**: 10 requests/second (burst: 20)
- **WebSocket RPC**: 50 requests/second (burst: 50)
- **Connection Limiting**: 10 connections per IP (HTTP), 5 (WebSocket)
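
What the documented limits mean for a client, as an added example (not the project's configuration or nginx source): a simplified awk model of the leaky-bucket accounting that nginx `limit_req` applies per key, run with the two rate/burst pairs listed above. The function names and arrival patterns are constructed for illustration; the model counts accepted versus rejected requests only and ignores the delay applied to queued requests when `nodelay` is not set.

```shell
#!/bin/sh
# Added example: simplified model of limit_req accounting for one client key.
# Not the project's script; names and arrival patterns are constructed.

# simulate_limit_req RATE BURST
# stdin: request arrival times in milliseconds, ascending, one per line.
# stdout: "<accepted> <rejected>"
simulate_limit_req() {
    awk -v rate="$1" -v burst="$2" '
        # The first request seen for a key starts with zero excess.
        NR == 1 { last = $1; excess = 0; ok = 1; next }
        {
            # Drain rate * elapsed, then add this request.
            # Units are 1/1000 of a request; rate r/s equals rate units per ms.
            e = excess - rate * ($1 - last) + 1000
            if (e < 0) e = 0
            # Over the burst allowance: rejected, bucket state is left unchanged.
            if (e > burst * 1000) { rej++; next }
            excess = e; last = $1; ok++
        }
        END { printf "%d %d\n", ok, rej }
    '
}

# burst_arrivals N: N requests arriving in the same millisecond.
burst_arrivals() {
    awk -v n="$1" 'BEGIN { for (i = 0; i < n; i++) print 0 }'
}

# paced_arrivals N GAP_MS: N requests, one every GAP_MS milliseconds.
paced_arrivals() {
    awk -v n="$1" -v gap="$2" 'BEGIN { for (i = 0; i < n; i++) print i * gap }'
}

# HTTP RPC zone from this page: 10 r/s, burst 20.
echo "HTTP, 30 requests at once:      $(burst_arrivals 30 | simulate_limit_req 10 20)"
echo "HTTP, 30 requests 100 ms apart: $(paced_arrivals 30 100 | simulate_limit_req 10 20)"
# WebSocket zone from this page: 50 r/s, burst 50.
echo "WS,   60 requests at once:      $(burst_arrivals 60 | simulate_limit_req 50 50)"
```

A client that stays at or below the configured rate is never rejected; an instantaneous spike gets one request plus the burst allowance through and the rest are refused.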
#### Security Headers
- Strict-Transport-Security (HSTS)
- X-Frame-Options
- X-Content-Type-Options
- X-XSS-Protection
- Referrer-Policy
- Permissions-Policy
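
One way to confirm that the six headers listed above are actually served, as an added example (not the project's health-check script): a function that audits captured response headers and reports which are missing. The sample responses and header values are constructed; the 503 sample reflects that nginx `add_header` skips error responses, such as the default `limit_req` rejection, unless the directive carries `always`.

```shell
#!/bin/sh
# Added example: audit response headers against the headers this page lists.
# Not the project's script; sample responses below are constructed.

REQUIRED_HEADERS="strict-transport-security x-frame-options x-content-type-options x-xss-protection referrer-policy permissions-policy"

# missing_headers: reads raw response headers on stdin and prints the
# required headers that are absent, space-separated (empty line if none).
missing_headers() {
    # Strip CRs, keep "Name: value" lines only, lowercase the header name.
    _seen=$(tr -d '\r' | awk -F: 'NF > 1 { print tolower($1) }')
    _missing=""
    for _h in $REQUIRED_HEADERS; do
        printf '%s\n' "$_seen" | grep -qx -- "$_h" || _missing="$_missing $_h"
    done
    printf '%s\n' "${_missing# }"
}

# Constructed sample: a normal response carrying all six headers.
sample_ok() { cat <<'EOF'
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer
Permissions-Policy: geolocation=()
EOF
}

# Constructed sample: a rate-limited response served without the headers.
sample_503() { cat <<'EOF'
HTTP/1.1 503 Service Temporarily Unavailable
Server: nginx
Content-Type: text/html
Content-Length: 197
EOF
}

printf '200 response missing: [%s]\n' "$(sample_ok | missing_headers)"
printf '503 response missing: [%s]\n' "$(sample_503 | missing_headers)"
```

Against the live endpoint, pipe in `curl -sk -D - -o /dev/null https://192.168.11.250/`, and repeat the check on a rejected request as well as a successful one.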
#### SSL/TLS
- **Protocols**: TLSv1.2, TLSv1.3
- **Ciphers**: Strong ciphers (ECDHE, DHE)
- **Certificate**: Self-signed (replace with Let's Encrypt for production)
### 4. Monitoring ✅
#### Nginx Status Page
- **URL**: `http://127.0.0.1:8080/nginx_status`
- **Access**: Internal only (127.0.0.1)
- **Status**: ✅ Active
#### Health Check
- **Script**: `/usr/local/bin/nginx-health-check.sh`
- **Service**: `nginx-health-monitor.service`
- **Timer**: Runs every 5 minutes
- **Status**: ✅ Active
#### Log Rotation
- **Retention**: 14 days
- **Rotation**: Daily
- **Compression**: Enabled
- **Status**: ✅ Configured
---
## 🧪 Verification Results
### Service Status
```bash
pct exec 2500 -- systemctl status nginx
# Status: ✅ active (running)
```
### Health Check
```bash
pct exec 2500 -- /usr/local/bin/nginx-health-check.sh
# Result: ✅ All checks passing
```
### RPC Endpoint
```bash
curl -k -X POST https://192.168.11.250:443 \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# Result: ✅ Responding correctly
```
### Nginx Status
```bash
pct exec 2500 -- curl http://127.0.0.1:8080/nginx_status
# Result: ✅ Active connections, requests handled
```
### Ports
- ✅ Port 80: Listening
- ✅ Port 443: Listening
- ✅ Port 8443: Listening
- ✅ Port 8080: Listening (status page)
---
## 📊 Configuration Files
### Main Files
- **Nginx Config**: `/etc/nginx/nginx.conf`
- **Site Config**: `/etc/nginx/sites-available/rpc-core`
- **SSL Certificate**: `/etc/nginx/ssl/rpc.crt`
- **SSL Key**: `/etc/nginx/ssl/rpc.key`
### Scripts
- **Health Check**: `/usr/local/bin/nginx-health-check.sh`
- **Config Script**: `scripts/configure-nginx-rpc-2500.sh`
- **Security Script**: `scripts/configure-nginx-security-2500.sh`
- **Monitoring Script**: `scripts/setup-nginx-monitoring-2500.sh`
### Services
- **Nginx**: `nginx.service` ✅ Active
- **Health Monitor**: `nginx-health-monitor.timer` ✅ Active
---
## 🔧 Management Commands
### Service Management
```bash
# Status
pct exec 2500 -- systemctl status nginx
# Reload
pct exec 2500 -- systemctl reload nginx
# Restart
pct exec 2500 -- systemctl restart nginx
# Test config
pct exec 2500 -- nginx -t
```
### Monitoring
```bash
# Status page
pct exec 2500 -- curl http://127.0.0.1:8080/nginx_status
# Health check
pct exec 2500 -- /usr/local/bin/nginx-health-check.sh
# View logs
pct exec 2500 -- tail -f /var/log/nginx/rpc-core-http-access.log
```
---
## ✅ All Next Steps Completed
1. ✅ Install Nginx
2. ✅ Generate SSL certificate
3. ✅ Configure reverse proxy
4. ✅ Set up rate limiting
5. ✅ Configure security headers
6. ✅ Set up firewall rules
7. ✅ Enable monitoring
8. ✅ Configure health checks
9. ✅ Set up log rotation
10. ✅ Create documentation
---
## 🚀 Production Ready
**Status**: ✅ **PRODUCTION READY**
The RPC node is fully configured with:
- ✅ Secure HTTPS access
- ✅ Rate limiting protection
- ✅ Comprehensive monitoring
- ✅ Automated health checks
- ✅ Proper log management
**Optional Enhancement**: Replace self-signed certificate with Let's Encrypt for production use.

---
## 📚 Documentation
All documentation has been created:
- Configuration guide
- Troubleshooting guide
- Setup summaries
- Management commands
- Security recommendations
---
## Related Documentation
- **[NGINX_ARCHITECTURE_RPC.md](NGINX_ARCHITECTURE_RPC.md)** ⭐⭐⭐ - Complete NGINX architecture for RPC nodes
- **[RPC_2500_CONFIGURATION_SUMMARY.md](RPC_2500_CONFIGURATION_SUMMARY.md)** - RPC 2500 configuration
- **[../09-troubleshooting/RPC_2500_TROUBLESHOOTING.md](/docs/09-troubleshooting/RPC_2500_TROUBLESHOOTING.md)** - RPC troubleshooting
---
**Review Cycle:** Quarterly