RPC DNS Configuration for d-bis.org
Last Updated: 2025-12-21
Status: Active Configuration
Overview
DNS configuration for RPC endpoints with Nginx SSL termination on port 443.
Architecture:
Internet → DNS (A records) → Nginx (port 443) → Besu RPC (8545/8546)
All HTTPS traffic arrives on port 443, and Nginx routes to the appropriate backend port based on the domain name (Server Name Indication - SNI).
DNS Records Configuration
Cloudflare DNS Records
Important: A records in DNS do NOT include port numbers. All traffic comes to port 443 (HTTPS), and Nginx handles routing to the backend ports.
Public RPC (VMID 2501 - 192.168.11.251)
| Type | Name | Target | Proxy | Notes |
|---|---|---|---|---|
| A | rpc-http-pub | 192.168.11.251 | 🟠 Proxied (optional) | HTTP RPC endpoint |
| A | rpc-ws-pub | 192.168.11.251 | 🟠 Proxied (optional) | WebSocket RPC endpoint |
DNS Configuration:
```
Type: A
Name: rpc-http-pub
Target: 192.168.11.251
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)

Type: A
Name: rpc-ws-pub
Target: 192.168.11.251
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)
```
Private RPC (VMID 2502 - 192.168.11.252)
| Type | Name | Target | Proxy | Notes |
|---|---|---|---|---|
| A | rpc-http-prv | 192.168.11.252 | 🟠 Proxied (optional) | HTTP RPC endpoint |
| A | rpc-ws-prv | 192.168.11.252 | 🟠 Proxied (optional) | WebSocket RPC endpoint |
DNS Configuration:
```
Type: A
Name: rpc-http-prv
Target: 192.168.11.252
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)

Type: A
Name: rpc-ws-prv
Target: 192.168.11.252
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)
```
How It Works
Request Flow
- Client makes request to https://rpc-http-pub.d-bis.org
- DNS resolves to 192.168.11.251 (A record)
- HTTPS connection established on port 443 (standard HTTPS port)
- Nginx receives request on port 443
- Nginx uses Server Name Indication (SNI) to identify domain:
  - rpc-http-pub.d-bis.org → proxies to 127.0.0.1:8545 (HTTP RPC)
  - rpc-ws-pub.d-bis.org → proxies to 127.0.0.1:8546 (WebSocket RPC)
  - rpc-http-prv.d-bis.org → proxies to 127.0.0.1:8545 (HTTP RPC)
  - rpc-ws-prv.d-bis.org → proxies to 127.0.0.1:8546 (WebSocket RPC)
- Besu RPC processes request and returns response
- Nginx forwards response back to client
Port Mapping
| Domain | DNS Target | Nginx Port | Backend Port | Service |
|---|---|---|---|---|
| rpc-http-pub.d-bis.org | 192.168.11.251 | 443 (HTTPS) | 8545 | HTTP RPC |
| rpc-ws-pub.d-bis.org | 192.168.11.251 | 443 (HTTPS) | 8546 | WebSocket RPC |
| rpc-http-prv.d-bis.org | 192.168.11.252 | 443 (HTTPS) | 8545 | HTTP RPC |
| rpc-ws-prv.d-bis.org | 192.168.11.252 | 443 (HTTPS) | 8546 | WebSocket RPC |
Note: DNS A records only contain IP addresses. Port numbers are handled by:
- Port 443: Standard HTTPS port (handled automatically by browsers/clients)
- Backend ports (8545/8546): Configured in Nginx server blocks
Testing
Test DNS Resolution
```bash
# Test DNS resolution
dig rpc-http-pub.d-bis.org
nslookup rpc-http-pub.d-bis.org
# Should resolve to: 192.168.11.251
```
Test HTTPS Endpoints
```bash
# Test HTTP RPC endpoint (port 443)
# Note: -k tells curl to skip TLS certificate verification
curl -k https://rpc-http-pub.d-bis.org/health
curl -k -X POST https://rpc-http-pub.d-bis.org \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test WebSocket RPC endpoint (port 443)
# Use wscat or similar WebSocket client
wscat -c wss://rpc-ws-pub.d-bis.org
```
Test Direct IP Access (for troubleshooting)
```bash
# Test Nginx directly on container IP
curl -k https://192.168.11.251/health
curl -k https://192.168.11.252/health

# Test backend Besu RPC directly (bypassing Nginx)
curl -X POST http://192.168.11.251:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
```
Cloudflare Proxy Settings
When to Use Proxy (🟠 Proxied)
Recommended for:
- DDoS protection
- CDN caching (though RPC responses shouldn't be cached)
- SSL/TLS termination at Cloudflare edge
- Hiding origin server IP
Considerations:
- Cloudflare may cache some responses (disable caching for RPC)
- Additional latency (usually minimal)
- WebSocket support requires Cloudflare WebSocket passthrough
When to Use DNS Only (❌ DNS only)
Use when:
- Direct IP access needed
- Cloudflare proxy causes issues
- Testing/debugging
- Internal network access
Nginx Configuration Summary
The Nginx configuration on each container:
VMID 2501:
- Listens on port 443 (HTTPS)
- rpc-http-pub.d-bis.org → proxies to 127.0.0.1:8545
- rpc-ws-pub.d-bis.org → proxies to 127.0.0.1:8546
VMID 2502:
- Listens on port 443 (HTTPS)
- rpc-http-prv.d-bis.org → proxies to 127.0.0.1:8545
- rpc-ws-prv.d-bis.org → proxies to 127.0.0.1:8546
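
A sketch of the server blocks this summary implies for VMID 2501, added here as an example and not taken from the project's actual Nginx configuration. The hostnames, backend ports and certificate path come from this page; the key path `/etc/nginx/ssl/rpc.key`, the forwarded headers, the cache header and the timeout are assumptions.

```nginx
# Added example for VMID 2501 (public RPC); not the project's real config.
# VMID 2502 would use the rpc-http-prv / rpc-ws-prv names instead.
# nginx selects the server block by matching server_name against the
# TLS SNI name and the HTTP Host header.

server {
    listen 443 ssl;
    server_name rpc-http-pub.d-bis.org;

    ssl_certificate     /etc/nginx/ssl/rpc.crt;   # path from this page
    ssl_certificate_key /etc/nginx/ssl/rpc.key;   # assumed key path

    location / {
        # HTTP JSON-RPC backend, reached over loopback.
        # Host is left at nginx's default ($proxy_host), so the
        # backend sees 127.0.0.1:8545 rather than the public name.
        proxy_pass http://127.0.0.1:8545;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Assumed addition: ask intermediaries (such as a proxied
        # Cloudflare record) not to cache RPC responses.
        add_header Cache-Control "no-store" always;
    }
}

server {
    listen 443 ssl;
    server_name rpc-ws-pub.d-bis.org;

    ssl_certificate     /etc/nginx/ssl/rpc.crt;   # path from this page
    ssl_certificate_key /etc/nginx/ssl/rpc.key;   # assumed key path

    location / {
        # WebSocket RPC backend; the Upgrade handshake needs HTTP/1.1
        # and the hop-by-hop Upgrade/Connection headers passed through.
        proxy_pass http://127.0.0.1:8546;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 3600s;   # assumed; keeps idle subscriptions open
    }
}
```

If the backend is meant to be reachable only through Nginx, bind the Besu RPC listeners to 127.0.0.1; the direct test against 192.168.11.251:8545 shown in the Testing section only succeeds while they listen on the container address.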
Troubleshooting
DNS Not Resolving
```bash
# Check DNS resolution
dig rpc-http-pub.d-bis.org
nslookup rpc-http-pub.d-bis.org
# Verify DNS records in Cloudflare dashboard
```
Connection Refused
```bash
# Check if Nginx is running
ssh root@192.168.11.10 "pct exec 2501 -- systemctl status nginx"

# Check if port 443 is listening
ssh root@192.168.11.10 "pct exec 2501 -- ss -tuln | grep 443"

# Check Nginx configuration
ssh root@192.168.11.10 "pct exec 2501 -- nginx -t"
```
SSL Certificate Issues
```bash
# Check SSL certificate
ssh root@192.168.11.10 "pct exec 2501 -- openssl x509 -in /etc/nginx/ssl/rpc.crt -text -noout"

# Test SSL connection
openssl s_client -connect rpc-http-pub.d-bis.org:443 -servername rpc-http-pub.d-bis.org
```
Backend Connection Issues
```bash
# Test backend Besu RPC directly
curl -X POST http://192.168.11.251:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Check Besu service status
ssh root@192.168.11.10 "pct exec 2501 -- systemctl status besu-rpc"
```
Related Documentation
- CLOUDFLARE_DNS_SPECIFIC_SERVICES.md - General DNS configuration
- NGINX_ARCHITECTURE_RPC.md - Nginx architecture details
- CLOUDFLARE_NGINX_INTEGRATION.md - Cloudflare + Nginx integration
Quick Reference
DNS Records to Create:
rpc-http-pub.d-bis.org → A → 192.168.11.251
rpc-ws-pub.d-bis.org → A → 192.168.11.251
rpc-http-prv.d-bis.org → A → 192.168.11.252
rpc-ws-prv.d-bis.org → A → 192.168.11.252
Endpoints:
- https://rpc-http-pub.d-bis.org → HTTP RPC (port 443 → 8545)
- wss://rpc-ws-pub.d-bis.org → WebSocket RPC (port 443 → 8546)
- https://rpc-http-prv.d-bis.org → HTTP RPC (port 443 → 8545)
- wss://rpc-ws-prv.d-bis.org → WebSocket RPC (port 443 → 8546)