proxmox/docs/04-configuration/cloudflare/CLOUDFLARE_DNS_SPECIFIC_SERVICES.md
defiQUG dbd517b279 Sync workspace: config, docs, scripts, CI, operator rules, and submodule pointers.
- Update dbis_core, cross-chain-pmm-lps, explorer-monorepo, metamask-integration, pr-workspace/chains
- Omit embedded publish git dirs and empty placeholders from index

Made-with: Cursor
2026-04-12 06:12:20 -07:00


Cloudflare DNS Configuration for Specific Services

Historical note: This guide preserves an older service map in which the public RPC lane was VMID 2502. Keep it as Cloudflare workflow history. The current public RPC lane is VMID 2201 (192.168.11.221), with current mappings documented in docs/04-configuration/RPC_ENDPOINTS_MASTER.md and docs/04-configuration/ALL_VMIDS_ENDPOINTS.md.

Last Updated: 2025-01-20
Document Version: 1.0
Status: Service-Specific DNS Mapping


Overview

This document provides specific Cloudflare DNS and tunnel configuration for:

  1. Mail Server (VMID 100) - Mail services for all domains
  2. Public RPC Node (VMID 2502) - Besu RPC-3 for public access
  3. Solace Frontend (VMID 300X) - Solace frontend application

Service 1: Mail Server (VMID 100)

Container Information

  • VMID: 100
  • Service: Mail server (Postfix, Dovecot, or similar)
  • Purpose: Handle mail for all domains
  • IP Address: To be determined (check with pct config 100)
  • Ports:
    • SMTP: 25 (or 587 for submission)
    • IMAP: 143 (or 993 for IMAPS)
    • POP3: 110 (or 995 for POP3S)

DNS Records Required

For each domain that will use this mail server:

MX Records (Mail Exchange)

Type: MX
Name: @ (or domain root)
Priority: 10
Target: mail.yourdomain.com
TTL: Auto
Proxy: ❌ DNS only (gray cloud) - MX records cannot be proxied

Example for multiple domains:

  • yourdomain.com → MX 10 mail.yourdomain.com
  • anotherdomain.com → MX 10 mail.anotherdomain.com

A/CNAME Records for Mail Server

Type: A (or CNAME if using tunnel)
Name: mail
Target: <tunnel-id>.cfargotunnel.com (if using tunnel)
       OR <server-ip> (if direct access)
TTL: Auto
Proxy: 🟠 Proxied (if using tunnel)
       ❌ DNS only (if direct access with public IP)

Note: Mail servers typically need direct IP access for MX records. If using Cloudflare tunnel, you may need to:

  • Use A records pointing to public IPs for MX
  • Use tunnel for webmail interface only

Tunnel Configuration (Optional - for Webmail)

If your mail server has a webmail interface:

In Cloudflare Tunnel Dashboard:

Subdomain: webmail
Domain: yourdomain.com
Service: http://<mail-server-ip>:80
         OR https://<mail-server-ip>:443

DNS Record:

Type: CNAME
Name: webmail
Target: <tunnel-id>.cfargotunnel.com
Proxy: 🟠 Proxied

Mail Server Ports Configuration

Important: Cloudflare tunnels can handle HTTP/HTTPS traffic, but mail protocols (SMTP, IMAP, POP3) require direct connection or special configuration.

Options:

  1. Direct Public IP (Recommended for mail):

    • Assign public IP to mail server
    • Create A records pointing to public IP
    • Configure firewall rules
  2. Cloudflare Tunnel for Webmail Only:

    • Use tunnel for webmail interface
    • Use direct IP for mail protocols (SMTP, IMAP, POP3)
  3. SMTP Relay via Cloudflare (Advanced):

    • Use Cloudflare Email Routing for incoming mail
    • Configure mail server for outgoing mail only

Complete Configuration Example

MX Records (All Domains):
  yourdomain.com → MX 10 mail.yourdomain.com
  anotherdomain.com → MX 10 mail.anotherdomain.com

A Record (Mail Server):
  mail.yourdomain.com → A <public-ip> (if direct access)
  OR
  mail.yourdomain.com → CNAME <tunnel-id>.cfargotunnel.com (if tunnel)

CNAME Record (Webmail):
  webmail.yourdomain.com → CNAME <tunnel-id>.cfargotunnel.com
  Proxy: 🟠 Proxied

Service 2: Public RPC Node (VMID 2502)

Container Information

  • VMID: 2502
  • Hostname: besu-rpc-3
  • IP Address: 192.168.11.252
  • Service: Besu JSON-RPC API
  • Port: 8545 (HTTP-RPC), 8546 (WebSocket-RPC)
  • Purpose: Public access to blockchain RPC endpoint

DNS Records

Primary RPC Endpoint

Type: CNAME
Name: rpc
Target: <tunnel-id>.cfargotunnel.com
TTL: Auto
Proxy: 🟠 Proxied (orange cloud) - Required for tunnel

Alternative subdomains:

rpc-public.yourdomain.com
rpc-mainnet.yourdomain.com
api.yourdomain.com (if this is the primary API)

Tunnel Configuration

In Cloudflare Tunnel Dashboard:

Public Hostname:

Subdomain: rpc
Domain: yourdomain.com
Service: http://192.168.11.252:8545

For WebSocket Support:

Subdomain: rpc-ws
Domain: yourdomain.com
Service: http://192.168.11.252:8546

Or use single endpoint with path-based routing:

Subdomain: rpc
Domain: yourdomain.com
Service: http://192.168.11.252:8545
Path: /ws → http://192.168.11.252:8546

Complete Configuration Example

DNS Records:

| Type  | Name   | Target                       | Proxy      |
|-------|--------|------------------------------|------------|
| CNAME | rpc    | <tunnel-id>.cfargotunnel.com | 🟠 Proxied |
| CNAME | rpc-ws | <tunnel-id>.cfargotunnel.com | 🟠 Proxied |

Tunnel Ingress:

ingress:
  # HTTP JSON-RPC
  - hostname: rpc.yourdomain.com
    service: http://192.168.11.252:8545
  
  # WebSocket RPC
  - hostname: rpc-ws.yourdomain.com
    service: http://192.168.11.252:8546
  
  # Catch-all
  - service: http_status:404

Testing

Test HTTP-RPC:

curl -X POST https://rpc.yourdomain.com \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "method": "eth_blockNumber",
    "params": [],
    "id": 1
  }'

Test WebSocket (from browser console):

const ws = new WebSocket('wss://rpc-ws.yourdomain.com');
ws.onopen = () => {
  ws.send(JSON.stringify({
    jsonrpc: "2.0",
    method: "eth_blockNumber",
    params: [],
    id: 1
  }));
};
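The curl and browser probes above tell you whether a reply came back, but not whether it came from Besu or from the Cloudflare edge (a tunnel that is down returns an HTML error page, not JSON). The following added example (Python, not part of the original document) sends the same eth_blockNumber request to rpc.yourdomain.com and classifies the reply so the result maps onto the troubleshooting steps further down; the URL is the page's placeholder and must be replaced.

```python
import json
import urllib.error
import urllib.request

# The same JSON-RPC probe the page sends with curl.
PROBE = {"jsonrpc": "2.0", "method": "eth_blockNumber", "params": [], "id": 1}


def classify_rpc_reply(status, content_type, body):
    """Classify one reply to the eth_blockNumber probe.

    Returns (verdict, detail):
      ("ok", block_number)    JSON-RPC success carrying a hex quantity
      ("rpc_error", message)  Besu answered, but with a JSON-RPC error object
      ("edge_error", status)  non-JSON or non-200 reply, i.e. Cloudflare/tunnel
      ("malformed", reason)   JSON, but not a valid JSON-RPC 2.0 reply to id 1
    """
    if status != 200 or not content_type.startswith("application/json"):
        # Cloudflare error pages (for example 502/530 when the tunnel is down)
        # are HTML, so a non-JSON reply points at the edge, not at Besu.
        return ("edge_error", status)
    try:
        msg = json.loads(body)
    except ValueError:
        return ("malformed", "body is not JSON")
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0" or msg.get("id") != 1:
        return ("malformed", "not a JSON-RPC 2.0 reply to id 1")
    if "error" in msg:
        return ("rpc_error", msg["error"].get("message", "unknown error"))
    result = msg.get("result")
    if not isinstance(result, str) or not result.startswith("0x"):
        return ("malformed", "result is not a hex quantity")
    return ("ok", int(result, 16))


def probe(url="https://rpc.yourdomain.com", timeout=10):
    """Send the probe through Cloudflare and classify whatever comes back."""
    req = urllib.request.Request(url, data=json.dumps(PROBE).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_rpc_reply(resp.status, resp.headers.get("Content-Type", ""),
                                      resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as e:  # 4xx/5xx replies still carry headers and a body
        return classify_rpc_reply(e.code, e.headers.get("Content-Type", ""),
                                  e.read().decode(errors="replace"))
    except urllib.error.URLError as e:  # DNS, TLS or connection failure: nothing answered
        return ("unreachable", str(e.reason))
```

An "edge_error" verdict means the DNS record and proxy are working but the tunnel or origin is not; "unreachable" means the name does not resolve or the TLS handshake fails, so start with the DNS checks.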

Security Considerations

  1. Rate Limiting: Configure rate limiting in Cloudflare
  2. DDoS Protection: Cloudflare automatically provides DDoS protection
  3. Access Control: Consider adding Cloudflare Access for additional security
  4. API Keys: Implement API key authentication at application level
  5. CORS: Configure CORS headers if needed for web applications

Service 3: Solace Frontend (VMID 300X)

Container Information

  • VMID: 300X (specific VMID to be determined)
  • Service: Solace frontend application
  • Purpose: User-facing web interface for Solace
  • IP Address: To be determined
  • Port: Typically 80 (HTTP) or 443 (HTTPS)

VMID Allocation Note

Important: Solace is not explicitly assigned a VMID range in the official allocation documents (VMID_ALLOCATION_FINAL.md).

The 300X range falls within the "Besu RPC / Gateways" allocation (2500-3499), which includes:

  • 2500-2502: Initial Besu RPC nodes (3 nodes)
  • 2503-3499: Reserved for RPC/Gateway expansion (997 VMIDs)

Since Solace frontend is deployed in the 300X range, it's using VMIDs from the RPC/Gateway expansion pool. This should be documented in the VMID allocation plan for future reference.

Finding the Solace Container

Check which container is Solace:

# List containers in 300X range
pct list | grep -E "^\s*3[0-9]{3}"

# Check container hostname
pct config <VMID> | grep hostname

# Check container IP
pct config <VMID> | grep ip

Or check running services:

# SSH into Proxmox host and check
for vmid in 3000 3001 3002 3003 3004 3005; do
  echo "=== VMID $vmid ==="
  pct exec $vmid -- hostname 2>/dev/null || echo "Not found"
done

DNS Records

Primary Frontend:

Type: CNAME
Name: solace
Target: <tunnel-id>.cfargotunnel.com
TTL: Auto
Proxy: 🟠 Proxied (orange cloud)

Alternative names:

app.yourdomain.com
solace-app.yourdomain.com
frontend.yourdomain.com

Tunnel Configuration

In Cloudflare Tunnel Dashboard:

Public Hostname:

Subdomain: solace
Domain: yourdomain.com
Service: http://<solace-container-ip>:<port>

Example (assuming VMID 3000, IP 192.168.11.300, port 80; note that 300 is not a valid IPv4 octet, so treat this address purely as a placeholder and substitute the container's real address):

Subdomain: solace
Domain: yourdomain.com
Service: http://192.168.11.300:80

Complete Configuration Example

Once container details are confirmed:

DNS Record:

| Type  | Name   | Target                       | Proxy      |
|-------|--------|------------------------------|------------|
| CNAME | solace | <tunnel-id>.cfargotunnel.com | 🟠 Proxied |

Tunnel Ingress:

ingress:
  - hostname: solace.yourdomain.com
    service: http://<solace-ip>:<port>
  
  # Catch-all
  - service: http_status:404

Additional Configuration (If Needed)

If Solace has API endpoints:

Subdomain: solace-api
Domain: yourdomain.com
Service: http://<solace-ip>:<api-port>

If Solace has WebSocket support:

Subdomain: solace-ws
Domain: yourdomain.com
Service: http://<solace-ip>:<ws-port>

Complete DNS Mapping Summary

All Services Together

| Service         | VMID | IP             | DNS Record            | Tunnel Ingress               |
|-----------------|------|----------------|-----------------------|------------------------------|
| Mail Server     | 100  | TBD            | mail.yourdomain.com   | Webmail only (if applicable) |
| Public RPC      | 2502 | 192.168.11.252 | rpc.yourdomain.com    | http://192.168.11.252:8545   |
| Solace Frontend | 300X | TBD            | solace.yourdomain.com | http://<ip>:<port>           |

DNS Records to Create

In Cloudflare DNS Dashboard:

  1. Mail Server:

    Type: MX
    Name: @
    Priority: 10
    Target: mail.yourdomain.com
    Proxy: ❌ DNS only
    
    Type: A or CNAME
    Name: mail
    Target: <public-ip> or <tunnel-id>.cfargotunnel.com
    Proxy: Based on access method
    
  2. RPC Node:

    Type: CNAME
    Name: rpc
    Target: <tunnel-id>.cfargotunnel.com
    Proxy: 🟠 Proxied
    
    Type: CNAME
    Name: rpc-ws
    Target: <tunnel-id>.cfargotunnel.com
    Proxy: 🟠 Proxied
    
  3. Solace Frontend:

    Type: CNAME
    Name: solace
    Target: <tunnel-id>.cfargotunnel.com
    Proxy: 🟠 Proxied
    

Tunnel Ingress Configuration (Complete)

In Cloudflare Zero Trust → Networks → Tunnels → Configure:

ingress:
  # Mail Server Webmail (if applicable)
  - hostname: webmail.yourdomain.com
    service: http://<mail-server-ip>:80
  
  # Public RPC - HTTP
  - hostname: rpc.yourdomain.com
    service: http://192.168.11.252:8545
  
  # Public RPC - WebSocket
  - hostname: rpc-ws.yourdomain.com
    service: http://192.168.11.252:8546
  
  # Solace Frontend
  - hostname: solace.yourdomain.com
    service: http://<solace-ip>:<port>
  
  # Catch-all
  - service: http_status:404
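The DNS list and the ingress block above have to agree with each other: every tunnel hostname needs a proxied CNAME to the tunnel, the catch-all must be the last rule, and the MX target must stay a DNS-only A record because neither the proxy nor the tunnel carries SMTP/IMAP/POP3. The following added example (Python, not part of the original document) encodes those rules as a plan checker; INGRESS and DNS are constructed inline to mirror the page's own blocks, with the page's placeholders kept as-is.

```python
TUNNEL = "<tunnel-id>.cfargotunnel.com"  # page placeholder; real tunnel UUID goes here
CF_SUFFIX = ".cfargotunnel.com"

# Constructed to mirror the page's complete ingress block. cloudflared takes the
# first matching rule in order; the final hostname-less rule is the catch-all.
INGRESS = [
    {"hostname": "webmail.yourdomain.com", "service": "http://<mail-server-ip>:80"},
    {"hostname": "rpc.yourdomain.com", "service": "http://192.168.11.252:8545"},
    {"hostname": "rpc-ws.yourdomain.com", "service": "http://192.168.11.252:8546"},
    {"hostname": "solace.yourdomain.com", "service": "http://<solace-ip>:<port>"},
    {"service": "http_status:404"},
]

# Constructed to mirror the page's "DNS Records to Create" list.
DNS = [
    {"type": "MX", "name": "@", "target": "mail.yourdomain.com", "proxied": False},
    {"type": "A", "name": "mail", "target": "<public-ip>", "proxied": False},
    {"type": "CNAME", "name": "webmail", "target": TUNNEL, "proxied": True},
    {"type": "CNAME", "name": "rpc", "target": TUNNEL, "proxied": True},
    {"type": "CNAME", "name": "rpc-ws", "target": TUNNEL, "proxied": True},
    {"type": "CNAME", "name": "solace", "target": TUNNEL, "proxied": True},
]


def check_plan(ingress, dns, zone="yourdomain.com"):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    by_name = {r["name"]: r for r in dns}
    # Ingress shape: exactly one catch-all rule, and it must come last.
    if [i for i, r in enumerate(ingress) if "hostname" not in r] != [len(ingress) - 1]:
        problems.append("ingress needs exactly one catch-all rule, and it must be last")
    # Every tunnel hostname needs a proxied (orange cloud) CNAME to the tunnel.
    for rule in ingress:
        host = rule.get("hostname")
        if not host:
            continue
        rec = by_name.get(host.removesuffix("." + zone))
        if rec is None or rec["type"] != "CNAME" or not rec["target"].endswith(CF_SUFFIX):
            problems.append(f"{host}: needs a CNAME record pointing at the tunnel")
        elif not rec["proxied"]:
            problems.append(f"{host}: tunnel CNAME must be proxied")
    # Mail: the MX record and its target stay DNS-only and off the tunnel,
    # because Cloudflare does not proxy or tunnel SMTP, IMAP or POP3.
    for rec in (r for r in dns if r["type"] == "MX"):
        if rec["proxied"]:
            problems.append("MX record cannot be proxied")
        tgt = by_name.get(rec["target"].removesuffix("." + zone))
        if tgt is None or tgt["proxied"] or tgt["target"].endswith(CF_SUFFIX):
            problems.append(f"MX target {rec['target']} must be a DNS-only A record")
    return problems
```

Run it against the plan before touching the dashboard; a common mistake it catches is flipping the mail A record to the tunnel CNAME, which silently breaks inbound SMTP while webmail keeps working.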

Verification Steps

1. Verify Container Status

# Check mail server
pct status 100
pct config 100 | grep -E "hostname|ip"

# Check RPC node
pct status 2502
pct config 2502 | grep -E "hostname|ip"
# Should show: hostname=besu-rpc-3, ip=192.168.11.252

# Find Solace container
pct list | grep -E "^\s*3[0-9]{3}"

2. Test Direct Container Access

# Test RPC node
curl -X POST http://192.168.11.252:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test Solace (once IP is known)
curl -I http://<solace-ip>:<port>

# Test mail server webmail (if applicable)
curl -I http://<mail-ip>:80

3. Test DNS Resolution

# Test DNS records
dig rpc.yourdomain.com
dig solace.yourdomain.com
dig mail.yourdomain.com
nslookup rpc.yourdomain.com

4. Test Through Cloudflare

# Test RPC via Cloudflare
curl -X POST https://rpc.yourdomain.com \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test Solace via Cloudflare
curl -I https://solace.yourdomain.com

# Test webmail via Cloudflare (if configured)
curl -I https://webmail.yourdomain.com

Security Recommendations

Mail Server

  1. MX Records: Use DNS-only (gray cloud) for MX records
  2. SPF Records: Add an SPF record for email authentication (keep the include:_spf.google.com term only if Google also sends mail for the domain; otherwise drop it)
    Type: TXT
    Name: @
    Content: v=spf1 ip4:<mail-server-ip> include:_spf.google.com ~all
    
  3. DKIM: Configure DKIM signing
  4. DMARC: Set up DMARC policy
  5. Firewall: Restrict mail ports to necessary IPs

RPC Node

  1. Rate Limiting: Configure in Cloudflare
  2. DDoS Protection: Enabled by default with proxy
  3. Access Logging: Monitor access patterns
  4. API Keys: Implement application-level authentication
  5. CORS: Configure if needed for web apps

Solace Frontend

  1. Cloudflare Access: Add access policies if needed
  2. SSL/TLS: Ensure Cloudflare SSL is enabled
  3. WAF Rules: Configure Web Application Firewall rules
  4. Rate Limiting: Protect against abuse
  5. Monitoring: Set up alerts for unusual traffic

Troubleshooting

Mail Server Issues

Problem: Mail not being received

Solutions:

  • Verify MX records are correct
  • Check mail server is accessible on port 25/587
  • Verify SPF/DKIM/DMARC records
  • Check mail server logs
  • Ensure firewall allows mail traffic

RPC Node Issues

Problem: RPC requests failing

Solutions:

  • Verify container is running: pct status 2502
  • Test direct access: curl http://192.168.11.252:8545
  • Check tunnel status in Cloudflare dashboard
  • Verify DNS record is proxied (orange cloud)
  • Check Cloudflare logs for errors

Solace Frontend Issues

Problem: Frontend not loading

Solutions:

  • Verify container is running
  • Check container IP and port
  • Test direct access to container
  • Verify tunnel configuration
  • Check DNS resolution
  • Review Cloudflare logs

Next Steps

  1. Identify Solace Container:

    • Determine exact VMID for Solace frontend
    • Get container IP address
    • Identify service port
  2. Configure Mail Server:

    • Determine mail server IP
    • Set up MX records for all domains
    • Configure SPF/DKIM/DMARC
    • Set up webmail tunnel (if applicable)
  3. Deploy Configurations:

    • Create DNS records in Cloudflare
    • Configure tunnel ingress rules
    • Test each service
    • Document final configuration


Document Status: Active
Maintained By: Infrastructure Team
Last Updated: 2025-01-20
Next Update: After Solace container details are confirmed