proxmox/docs/04-configuration/DNS_NPMPLUS_VM_COMPREHENSIVE_ARCHITECTURE.md
defiQUG 4f383490a3 docs(A): sync high-value runbooks for The Order (10210 HAProxy)
- SANKOFA_CUTOVER_PLAN: live backends table, fix TBDs, historical step labels
- SANKOFA_THE_ORDER_CHECKLIST: replace with done + bypass + pointers
- DNS comprehensive + streamlined tables: the-order row and sankofa zone live
- E2E Cloudflare runbook: the-order backend column

Made-with: Cursor
2026-03-27 15:24:54 -07:00


# DNS → NPMplus → VM Comprehensive Architecture Table
**Last Updated:** 2026-03-27

**Document Version:** 1.1

**Status:** Active Documentation

---

**Date**: 2026-01-20

**Status**: Complete Architecture Reference

**Purpose**: Streamlined DNS, SSL, and traffic routing documentation

**Related Documentation**:
- **HA Setup**: `docs/04-configuration/NPMPLUS_HA_SETUP_GUIDE.md` - High Availability setup guide
- **Backup/Restore**: `docs/04-configuration/NPMPLUS_BACKUP_RESTORE.md` - Backup and restore procedures
- **Verification**: `docs/04-configuration/INGRESS_VERIFICATION_RUNBOOK.md` - Verification procedures
- **Risks**: `docs/04-configuration/INGRESS_RISKS_AND_HARDENING.md` - Risk assessment and hardening
---
## Architecture Overview
```
Internet
Cloudflare DNS (A Records → 76.53.10.36)
UDM Pro Port Forwarding (76.53.10.36:80/443 → 192.168.11.166:80/443)
NPMplus (VMID 10233: 192.168.11.166) - SSL Termination & Routing
Backend VMs (Various IPs) - Services with/without Nginx
```
---
## Complete Service Mapping Table
### Primary Table: Cloudflare DNS → NPMplus → VM Routing
Columns 2 to 4 come from Cloudflare DNS, columns 5 to 7 from the NPMplus configuration, columns 8 to 14 describe the backend VM, and the last column is the NPMplus→VM traffic flow.

| Domain | DNS Type | Target IP | Cloudflare Proxy | SSL Cert ID | Proxy Host ID | Backend Target | VMID | VM IP | Hostname | Host | Service | Has Nginx | Internal Port | NPMplus→VM |
|--------|----------|-----------|------------------|-------------|---------------|----------------|------|-------|----------|------|---------|-----------|---------------|------------|
| **d-bis.org Zone** |
| `explorer.d-bis.org` | A | 76.53.10.36 | DNS Only | 49 | 8 | `192.168.11.140:4000` (direct) | 5000 | 192.168.11.140 | blockscout-1 | r630-02 | Blockscout Explorer | ✅ Yes | 80, 4000 | HTTP → 4000 |
| `rpc-http-pub.d-bis.org` | A | 76.53.10.36 | DNS Only | 53 | 10 | `192.168.11.221:8545` | 2201 | 192.168.11.221 | besu-rpc-public-1 | ml110 | Besu RPC HTTP | ❌ No | 8545 | HTTP → 8545 |
| `rpc-ws-pub.d-bis.org` | A | 76.53.10.36 | DNS Only | 55 | 11 | `192.168.11.221:8546` | 2201 | 192.168.11.221 | besu-rpc-public-1 | ml110 | Besu RPC WebSocket | ❌ No | 8546 | WS → 8546 |
| `rpc-http-prv.d-bis.org` | A | 76.53.10.36 | DNS Only | 52 | 12 | `192.168.11.211:8545` | 2101 | 192.168.11.211 | besu-rpc-core-1 | ml110 | Besu RPC HTTP (Private) | ❌ No | 8545 | HTTP → 8545 |
| `rpc-ws-prv.d-bis.org` | A | 76.53.10.36 | DNS Only | 54 | 13 | `192.168.11.211:8546` | 2101 | 192.168.11.211 | besu-rpc-core-1 | ml110 | Besu RPC WebSocket (Private) | ❌ No | 8546 | WS → 8546 |
| `dbis-admin.d-bis.org` | A | 76.53.10.36 | DNS Only | 46 | 14 | `192.168.11.130:80` | 10130 | 192.168.11.130 | dbis-frontend | r630-01 | DBIS Admin Frontend | ✅ Yes | 80 | HTTP → 80 |
| `dbis-api.d-bis.org` | A | 76.53.10.36 | DNS Only | 48 | 15 | `192.168.11.155:3000` | 10150 | 192.168.11.155 | dbis-api-primary | r630-01 | DBIS API Primary | ❌ No | 3000 | HTTP → 3000 |
| `dbis-api-2.d-bis.org` | A | 76.53.10.36 | DNS Only | 47 | 16 | `192.168.11.156:3000` | 10151 | 192.168.11.156 | dbis-api-secondary | r630-01 | DBIS API Secondary | ❌ No | 3000 | HTTP → 3000 |
| `secure.d-bis.org` | A | 76.53.10.36 | DNS Only | 58 | 17 | `192.168.11.130:80` | 10130 | 192.168.11.130 | dbis-frontend | r630-01 | DBIS Secure Portal | ✅ Yes | 80 | HTTP → 80 |
| **mim4u.org Zone** |
| `mim4u.org` | A | 76.53.10.36 | DNS Only | 50 | 17 | `192.168.11.37:80` | 7810 | 192.168.11.37 | mim-web-1 | r630-02 | MIM4U Main Site | ✅ Yes | 80 | HTTP → 80 |
| `www.mim4u.org` | A | 76.53.10.36 | DNS Only | 50 | 17 (same) | `192.168.11.37:80` | 7810 | 192.168.11.37 | mim-web-1 | r630-02 | MIM4U Main Site | ✅ Yes | 80 | HTTP → 80 |
| `secure.mim4u.org` | A | 76.53.10.36 | DNS Only | 59 | 19 | `192.168.11.37:80` | 7810 | 192.168.11.37 | mim-web-1 | r630-02 | MIM4U Secure Portal | ✅ Yes | 80 | HTTP → 80 |
| `training.mim4u.org` | A | 76.53.10.36 | DNS Only | 61 | 20 | `192.168.11.37:80` | 7810 | 192.168.11.37 | mim-web-1 | r630-02 | MIM4U Training Portal | ✅ Yes | 80 | HTTP → 80 |
| **sankofa.nexus Zone** (see [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md) — do not point these to explorer/192.168.11.140) |
| `sankofa.nexus` | A | 76.53.10.36 | DNS Only | 57 | 21 | `192.168.11.51:3000` | 7801 | 192.168.11.51 | sankofa-portal-1 | r630-01 | Sankofa Portal | ❌ No | 3000 | HTTP → 3000 |
| `www.sankofa.nexus` | A | 76.53.10.36 | DNS Only | 64 | 22 | `192.168.11.51:3000` | 7801 | 192.168.11.51 | sankofa-portal-1 | r630-01 | Sankofa Portal | ❌ No | 3000 | HTTP → 3000 |
| `phoenix.sankofa.nexus` | A | 76.53.10.36 | DNS Only | 51 | 23 | `192.168.11.50:4000` | 7800 | 192.168.11.50 | sankofa-api-1 | r630-01 | Phoenix API | ❌ No | 4000 | HTTP → 4000 |
| `www.phoenix.sankofa.nexus` | A | 76.53.10.36 | DNS Only | 63 | 24 | `192.168.11.50:4000` | 7800 | 192.168.11.50 | sankofa-api-1 | r630-01 | Phoenix API | ❌ No | 4000 | HTTP → 4000 |
| `the-order.sankofa.nexus` | A | 76.53.10.36 | DNS Only | 60 | 25 | `192.168.11.39:80` | 10210 | 192.168.11.39 | order-haproxy | r630-01 | The Order (HAProxy→portal) | ❌ No | 80 | HTTP → 80 → `.51:3000` |
| **defi-oracle.io Zone** |
| `rpc.public-0138.defi-oracle.io` | A | 76.53.10.36 | DNS Only | 56 | 26 | `192.168.11.240:443` | 2400 | 192.168.11.240 | thirdweb-rpc-1 | ml110 | ThirdWeb RPC | ✅ Yes | 443 | HTTPS → 443 |

**Legend:**
- ✅ = Configured and working
- ❌ = Not applicable
- ⚠️ = Requires attention / Not deployed
- TBD = To Be Determined

**Notes:**
1. **Sankofa/Phoenix domains** must route to VMID 7801 (192.168.11.51:3000) and VMID 7800 (192.168.11.50:4000) respectively — **not** to Blockscout (192.168.11.140). See [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md) and [RPC_ENDPOINTS_MASTER.md](RPC_ENDPOINTS_MASTER.md). If NPMplus currently points these to .140, update proxy hosts to the correct IP:port.
2. **NPMplus** terminates SSL and proxies HTTP to backend VMs (except ThirdWeb RPC which uses HTTPS).
3. **VMID 7810** has nginx running on port 80 serving MIM4U sites.
4. **VMID 5000** has nginx on port 80 that proxies `/api/*` to port 4000 (Blockscout API).
5. **VMID 2400** has nginx on port 443 serving ThirdWeb RPC with SSL.
---
## Detailed VM Service Configuration
### VMs with Nginx Web Server
| VMID | IP | Hostname | Host | Status | Nginx Version | Config Location | Purpose | Public Domains |
|------|----|----------|------|--------|--------------|-----------------|---------|----------------|
| 5000 | 192.168.11.140 | blockscout-1 | r630-02 | ✅ Running | 1.18.0+ | `/etc/nginx/sites-available/blockscout` | Blockscout Explorer | `explorer.d-bis.org` |
| 7810 | 192.168.11.37 | mim-web-1 | r630-02 | ✅ Running | 1.18.0 | `/etc/nginx/sites-available/mim4u` | MIM4U Web App | `mim4u.org`, `www.mim4u.org`, `secure.mim4u.org`, `training.mim4u.org` |
| 10130 | 192.168.11.130 | dbis-frontend | r630-01 | ✅ Running | TBD | TBD | DBIS Admin Frontend | `dbis-admin.d-bis.org`, `secure.d-bis.org` |
| 2400 | 192.168.11.240 | thirdweb-rpc-1 | ml110 | ✅ Running | TBD | TBD | ThirdWeb RPC (HTTPS) | `rpc.public-0138.defi-oracle.io` |
### VMs without Nginx (Direct Service Access)
| VMID | IP | Hostname | Host | Status | Service | Port | Protocol | Public Domains |
|------|----|----------|------|--------|---------|------|----------|----------------|
| 2101 | 192.168.11.211 | besu-rpc-core-1 | ml110 | ✅ Running | Besu RPC | 8545/8546 | HTTP/WS | `rpc-http-prv.d-bis.org`, `rpc-ws-prv.d-bis.org` |
| 2201 | 192.168.11.221 | besu-rpc-public-1 | ml110 | ✅ Running | Besu RPC | 8545/8546 | HTTP/WS | `rpc-http-pub.d-bis.org`, `rpc-ws-pub.d-bis.org` |
| 10150 | 192.168.11.155 | dbis-api-primary | r630-01 | ✅ Running | Node.js API | 3000 | HTTP | `dbis-api.d-bis.org` |
| 10151 | 192.168.11.156 | dbis-api-secondary | r630-01 | ✅ Running | Node.js API | 3000 | HTTP | `dbis-api-2.d-bis.org` |
---
## NPMplus Configuration Details
### NPMplus Container Information
#### Primary NPMplus (10233)
| Property | Value |
|----------|-------|
| **VMID** | 10233 |
| **Host** | r630-01 (192.168.11.11) |
| **Internal IP (eth0)** | 192.168.11.166 |
| **Internal IP (eth1)** | 192.168.11.167 |
| **Management UI** | `https://192.168.11.166:81` |
| **Public IP** | 76.53.10.36 |
| **Public Ports** | 80 (HTTP), 443 (HTTPS) |
| **Status** | ✅ Running |
#### NPMplus Alltra/HYBX (10235)
| Property | Value |
|----------|-------|
| **VMID** | 10235 |
| **Host** | r630-01 (192.168.11.11) |
| **Internal IP** | 192.168.11.169 |
| **Management UI** | `https://192.168.11.169:81` |
| **Port forward** | 76.53.10.38:80/81/443 → 192.168.11.169 |
| **Designated public IP** | 76.53.10.42 |
| **Tunnel target** | https://192.168.11.169:443 (Option B) |
| **Backends** | Alltra + HYBX Sentries, RPC, Cacti, Firefly, Fabric, Indy |
| **Status** | ⏳ To be deployed |
| **Reference** | [NPMPLUS_ALLTRA_HYBX_MASTER_PLAN.md](NPMPLUS_ALLTRA_HYBX_MASTER_PLAN.md) |
### SSL Certificate Management
| Cert ID | Domains | Provider | Expires | Auto-Renewal |
|---------|---------|----------|---------|--------------|
| 46 | `dbis-admin.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ Enabled |
| 47 | `dbis-api-2.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ Enabled |
| 48 | `dbis-api.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ Enabled |
| 49 | `explorer.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ Enabled |
| 50 | `mim4u.org`, `www.mim4u.org` | Let's Encrypt | 2026-04-16 | ✅ Enabled |
| 51 | `phoenix.sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ Enabled |
| 52 | `rpc-http-prv.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ Enabled |
| 53 | `rpc-http-pub.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ Enabled |
| 54 | `rpc-ws-prv.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ Enabled |
| 55 | `rpc-ws-pub.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ Enabled |
| 56 | `rpc.public-0138.defi-oracle.io` | Let's Encrypt | 2026-04-16 | ✅ Enabled |
| 57 | `sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ Enabled |
| 58 | `secure.d-bis.org` | Let's Encrypt | 2026-04-16 | ✅ Enabled |
| 59 | `secure.mim4u.org` | Let's Encrypt | 2026-04-16 | ✅ Enabled |
| 60 | `the-order.sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ Enabled |
| 61 | `training.mim4u.org` | Let's Encrypt | 2026-04-16 | ✅ Enabled |
| 62 | `www.mim4u.org` | Let's Encrypt | 2026-04-16 | ✅ Enabled |
| 63 | `www.phoenix.sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ Enabled |
| 64 | `www.sankofa.nexus` | Let's Encrypt | 2026-04-16 | ✅ Enabled |

**Total Certificates**: 19 active SSL certificates

**Certificate Storage**: `/data/tls/certbot/live/npm-XX/`

---
## Port Forwarding Configuration (UDM Pro)
### Public to Internal Port Mapping
| Public IP:Port | Internal IP:Port | Protocol | Service | Status |
|----------------|------------------|----------|---------|--------|
| 76.53.10.36:443 | 192.168.11.166:443 | TCP | NPMplus HTTPS | ✅ Active |
| 76.53.10.36:80 | 192.168.11.166:80 | TCP | NPMplus HTTP | ✅ Active |

**Router**: UDM Pro

**Forwarding Rule**: Port forwarding configured in UDM Pro firewall rules

---
## Cloudflare DNS Records Summary
### DNS Record Statistics
| Zone | Total Records | A Records | CNAME Records | Proxied | DNS Only |
|------|---------------|-----------|---------------|---------|----------|
| d-bis.org | 9 | 9 | 0 | 0 | 9 |
| mim4u.org | 4 | 4 | 0 | 0 | 4 |
| sankofa.nexus | 5 | 5 | 0 | 0 | 5 |
| defi-oracle.io | 1 | 1 | 0 | 0 | 1 |
| **TOTAL** | **19** | **19** | **0** | **0** | **19** |

**Note**: All DNS records use "DNS Only" mode (gray cloud) to bypass Cloudflare proxy and route directly to NPMplus at 76.53.10.36. SSL termination is handled by NPMplus using Let's Encrypt certificates.

---
## Service Types and Protocols
### Web Services (HTTP/HTTPS)
| Service Type | Domain Example | Port | Protocol | Backend Type |
|--------------|----------------|------|----------|--------------|
| Web Application | `mim4u.org` | 80 | HTTP | Nginx |
| Admin Portal | `dbis-admin.d-bis.org` | 80 | HTTP | Nginx |
| API Service | `dbis-api.d-bis.org` | 3000 | HTTP | Node.js |
| Blockchain Explorer | `explorer.d-bis.org` | 80/4000 | HTTP | Nginx + Blockscout |
### RPC Services (JSON-RPC over HTTP/WebSocket)
| Service Type | Domain Example | Port | Protocol | Backend Type |
|--------------|----------------|------|----------|--------------|
| RPC HTTP | `rpc-http-pub.d-bis.org` | 8545 | HTTP | Besu |
| RPC WebSocket | `rpc-ws-pub.d-bis.org` | 8546 | WebSocket | Besu |
| RPC HTTPS | `rpc.public-0138.defi-oracle.io` | 443 | HTTPS | Nginx + Besu |
---
## Traffic Flow Examples
### Example 1: MIM4U Main Site
```
User Request: https://mim4u.org
DNS Resolution: mim4u.org → 76.53.10.36
UDM Pro: Port Forward 76.53.10.36:443 → 192.168.11.166:443
NPMplus (192.168.11.166:443):
├─ SSL Termination (Cert ID: 50)
├─ Hostname: mim4u.org
├─ Proxy Host ID: 17
└─ Proxy Pass: http://192.168.11.37:80
nginx on VMID 7810 (192.168.11.37:80):
├─ Server Name: mim4u.org
├─ Root: /var/www/html
└─ Response → User (HTTPS)
```
### Example 2: DBIS API
```
User Request: https://dbis-api.d-bis.org
DNS Resolution: dbis-api.d-bis.org → 76.53.10.36
UDM Pro: Port Forward 76.53.10.36:443 → 192.168.11.166:443
NPMplus (192.168.11.166:443):
├─ SSL Termination (Cert ID: 48)
├─ Hostname: dbis-api.d-bis.org
├─ Proxy Host ID: 15
└─ Proxy Pass: http://192.168.11.155:3000
Node.js API on VMID 10150 (192.168.11.155:3000):
├─ Service: DBIS API Primary
└─ Response → User (HTTPS)
```
### Example 3: RPC Endpoint (ThirdWeb)
```
User Request: https://rpc.public-0138.defi-oracle.io
DNS Resolution: rpc.public-0138.defi-oracle.io → 76.53.10.36
UDM Pro: Port Forward 76.53.10.36:443 → 192.168.11.166:443
NPMplus (192.168.11.166:443):
├─ SSL Termination (Cert ID: 56)
├─ Hostname: rpc.public-0138.defi-oracle.io
├─ Proxy Host ID: 26
└─ Proxy Pass: https://192.168.11.240:443
nginx on VMID 2400 (192.168.11.240:443):
├─ SSL Termination (Internal)
├─ Backend: Besu RPC + Translator
└─ Response → User (HTTPS)
```
---
## Issues and Action Items
### ✅ Sankofa/Phoenix routing (authoritative)
**Source of truth:** [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md), [RPC_ENDPOINTS_MASTER.md](RPC_ENDPOINTS_MASTER.md). Sankofa and Phoenix services **are deployed**. Correct NPMplus backend targets:

| Domain | Correct backend | Wrong (do not use) |
|--------|------------------|---------------------|
| `sankofa.nexus`, `www.sankofa.nexus` | 192.168.11.51:3000 (VMID 7801) | 192.168.11.140 |
| `phoenix.sankofa.nexus`, `www.phoenix.sankofa.nexus` | 192.168.11.50:4000 (VMID 7800) | 192.168.11.140 |
| `the-order.sankofa.nexus`, `www.the-order.sankofa.nexus` | 192.168.11.39:80 (10210 HAProxy → .51:3000); www → 301 apex | 192.168.11.140 |

**Action:** If any Sankofa/Phoenix proxy host in NPMplus points to 192.168.11.140 (Blockscout), update it to the correct IP:port above. Only `explorer.d-bis.org` should point to 192.168.11.140.
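A lint for that action, added here as an example and not part of this runbook or of NPMplus itself: it reads `domain backend` pairs (for instance an export of the NPMplus proxy hosts; the sample below is constructed) and flags any host other than `explorer.d-bis.org` that targets 192.168.11.140, or any Sankofa/Phoenix/The Order host that is off the backend pinned in the table above. The `probe` helper is a live check that assumes NPMplus at 192.168.11.166 is reachable from where the script runs.

```bash
#!/usr/bin/env bash
# Routing lint added as an example; not part of this runbook or of NPMplus.
# Input: "domain backend" pairs (e.g. an export of NPMplus proxy hosts).
# Policy from this page: only explorer.d-bis.org may target Blockscout
# (192.168.11.140); Sankofa, Phoenix and The Order have pinned backends.
set -u

BLOCKSCOUT_IP="192.168.11.140"

# Pinned backend for the domains this page fixes; empty for everything else.
expected_backend() {
  case "$1" in
    sankofa.nexus|www.sankofa.nexus)                     echo "192.168.11.51:3000" ;;
    phoenix.sankofa.nexus|www.phoenix.sankofa.nexus)     echo "192.168.11.50:4000" ;;
    the-order.sankofa.nexus|www.the-order.sankofa.nexus) echo "192.168.11.39:80" ;;
    explorer.d-bis.org)                                  echo "192.168.11.140:4000" ;;
    *)                                                   echo "" ;;
  esac
}

# check_mapping: read "domain backend" lines on stdin, print one line per
# violation, return 1 if any violation was found (0 when the mapping is clean).
check_mapping() {
  local domain backend want rc=0
  while read -r domain backend; do
    [ -z "$domain" ] && continue
    want="$(expected_backend "$domain")"
    if [ -n "$want" ] && [ "$backend" != "$want" ]; then
      echo "WRONG $domain -> $backend (expected $want)"; rc=1
    elif [ "${backend%%:*}" = "$BLOCKSCOUT_IP" ] && [ "$domain" != "explorer.d-bis.org" ]; then
      echo "LEAK  $domain -> $backend (Blockscout is only for explorer.d-bis.org)"; rc=1
    fi
  done
  return "$rc"
}

# probe: live check that hits NPMplus (192.168.11.166) directly by SNI,
# bypassing public DNS, and prints the HTTP status code for the vhost.
probe() {
  curl -sk -o /dev/null -w '%{http_code}\n' \
    --resolve "$1:443:192.168.11.166" "https://$1/"
}
# Constructed sample export (not the live NPMplus state); phoenix is deliberately wrong.
SAMPLE='sankofa.nexus 192.168.11.51:3000
phoenix.sankofa.nexus 192.168.11.140:4000
explorer.d-bis.org 192.168.11.140:4000
mim4u.org 192.168.11.37:80'

printf '%s\n' "$SAMPLE" | check_mapping || echo "violations found in sample mapping"
```

Feed it the real proxy-host list to audit the live state; `probe the-order.sankofa.nexus` then confirms the vhost answers through NPMplus without depending on Cloudflare DNS.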
### 📋 Recommended Improvements
1. **Documentation**
   - ✅ This comprehensive table created
   - ⚠️ Add nginx config file paths for all VMs with nginx
   - ⚠️ Document custom nginx configurations
2. **Monitoring**
   - Set up certificate expiration alerts
   - Monitor backend VM health
   - Track DNS resolution status
3. **Security**
   - All SSL certificates auto-renewing ✅
   - HSTS enabled on all domains ✅
   - Security headers configured ✅
---
## Quick Reference Commands
### Test DNS Resolution
```bash
dig +short mim4u.org
dig +short explorer.d-bis.org
dig +short rpc-http-pub.d-bis.org
```
### Test SSL Certificates
```bash
curl -vI https://mim4u.org 2>&1 | grep -E "(certificate|SSL|TLS)"
curl -vI https://explorer.d-bis.org 2>&1 | grep -E "(certificate|SSL|TLS)"
```
### Test Backend Services
```bash
# Test Blockscout
curl -I http://192.168.11.140:80
# Test MIM4U
curl -I http://192.168.11.37:80
# Test DBIS API
curl -I http://192.168.11.155:3000
# Test RPC
curl -X POST http://192.168.11.221:8545 \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```
### Check NPMplus Status
```bash
# From Proxmox host
ssh root@192.168.11.11 "pct exec 10233 -- docker ps --filter 'name=npmplus'"
# Check NPMplus logs
ssh root@192.168.11.11 "pct exec 10233 -- docker logs npmplus --tail 50"
```
### Check VM Status
```bash
# Check specific VM
ssh root@192.168.11.12 "pct status 7810"
# Check nginx status on VM
ssh root@192.168.11.12 "pct exec 7810 -- systemctl status nginx"
```
---
## Related Documentation
- **VMID Endpoints**: `docs/04-configuration/ALL_VMIDS_ENDPOINTS.md`
- **NPMplus Setup**: `docs/04-configuration/NPMPLUS_COMPLETE_SETUP_SUMMARY.md`
- **NPMplus Service Mapping**: `docs/04-configuration/NPMPLUS_SERVICE_MAPPING_COMPLETE.md`
- **MIM4U DNS Config**: `reports/VMID_7810_DNS_NPMPLUS_CONFIGURATION.md`
- **Cloudflare DNS**: `docs/04-configuration/cloudflare/CLOUDFLARE_DNS_SPECIFIC_SERVICES.md`
---

**Last Updated**: 2026-01-20

**Maintained By**: Infrastructure Team

**Status**: ✅ Complete Architecture Reference