proxmox/docs/04-configuration/E2E_FAILURES_CLOUDFLARE_NPMPLUS_REVIEW.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00

# E2E Failures — Cloudflare & NPMplus Configuration Review
**Last Updated:** 2026-01-31
**Document Version:** 1.0
**Status:** Active Documentation

---

**Date**: 2026-01-30
**Context**: Block production + chainlist E2E script (`scripts/check-block-production-and-chainlist-e2e.sh`)
**Purpose**: Identify whether Cloudflare or NPMplus configuration is the cause of each failing endpoint.

---
## Summary of E2E Failures
| Endpoint | Type | Failure | Cloudflare/NPMplus cause? |
|----------|------|---------|----------------------------|
| `https://rpc.defi-oracle.io` | HTTP | chainId/eth_blockNumber failed | **Yes — Cloudflare Tunnel** |
| `wss://rpc.d-bis.org` | WebSocket | eth_chainId failed or timeout | **Yes — NPMplus** |
| `https://defi-oracle-meta.rpc.thirdweb.com/...` | HTTP | eth_blockNumber failed | **No** (thirdweb infra) |
| `https://138.rpc.thirdweb.com/...` | HTTP | eth_blockNumber failed | **No** (thirdweb infra) |
---
## 1. `https://rpc.defi-oracle.io` — **Cloudflare Tunnel ingress**
### Cause
- **DNS (docs):** `rpc.defi-oracle.io` is CNAME → `rpc.public-0138.defi-oracle.io` → CNAME → `26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com`.
- Traffic for `rpc.defi-oracle.io` therefore hits the **same** Cloudflare Tunnel as `rpc.public-0138.defi-oracle.io`, but the **Host header** is `rpc.defi-oracle.io`.
- The tunnel for VMID 2400 (Tunnel ID `26138c21-db00-4a02-95db-ec75c07bda5b`) is only configured with **one** public hostname: `rpc.public-0138.defi-oracle.io` (see `scripts/add-vmid2400-ingress.sh`).
- Cloudflare Tunnel matches ingress by hostname. There is **no** ingress rule for `rpc.defi-oracle.io`, so requests with `Host: rpc.defi-oracle.io` get no matching route (e.g. 404 or catch-all).
### Fix
Add `rpc.defi-oracle.io` (and, if desired, `wss.defi-oracle.io`) as **additional public hostnames** for the same tunnel, routing to the same service (`http://127.0.0.1:8545` or the same origin as `rpc.public-0138.defi-oracle.io`).

**Option A — Cloudflare Dashboard**

1. Zero Trust → **Networks** → **Tunnels** → tunnel `26138c21-db00-4a02-95db-ec75c07bda5b`.
2. **Public Hostname** tab → **Add a public hostname**.
3. Subdomain: `rpc`, Domain: `defi-oracle.io` → Service: same as `rpc.public-0138` (e.g. `http://127.0.0.1:8545` or `http://localhost:80` if Nginx is in front).
4. Save. Repeat for `wss` if you want `wss.defi-oracle.io` to use the same tunnel.

**Option B — Extend add-vmid2400-ingress.sh**

- When building the tunnel config via API, add ingress entries for:
  - `rpc.defi-oracle.io` → same service as `rpc.public-0138.defi-oracle.io`
  - `wss.defi-oracle.io` → same service (if using same hostname for HTTP and WebSocket).

**References**

- `docs/04-configuration/RPC_DNS_CONFIGURATION.md` (DNS structure, tunnel)
- `scripts/add-vmid2400-ingress.sh` (current single hostname)
- `docs/01-getting-started/THIRDWEB_RPC_CLOUDFLARE_QUICKSTART.md` (tunnel hostname setup)
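The Option B change, as an added example that is not taken from `scripts/add-vmid2400-ingress.sh`: a simplified, hostname-only model of tunnel ingress matching that shows why `Host: rpc.defi-oracle.io` falls through today and what the extended `ingress` list has to look like. The function names and the `http_status:404` catch-all entry are assumptions; the hostnames and service URL are the ones on this page.

```python
SERVICE = "http://127.0.0.1:8545"  # origin service named on this page

# Constructed ingress list: the single public hostname the page describes,
# followed by the catch-all rule that must be the last entry.
CURRENT_INGRESS = [
    {"hostname": "rpc.public-0138.defi-oracle.io", "service": SERVICE},
    {"service": "http_status:404"},
]


def hostname_matches(pattern, host):
    """Exact match, or '*.example.com'-style wildcard on the suffix."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def route(ingress, host):
    """Return the service of the first rule matching the Host header."""
    for rule in ingress:
        if "hostname" not in rule or hostname_matches(rule["hostname"], host):
            return rule["service"]
    raise ValueError("ingress list has no catch-all rule")


def add_hostnames(ingress, new_hosts, same_as):
    """Give new_hosts the same service as `same_as`, keeping the catch-all last."""
    *rules, catch_all = ingress
    if "hostname" in catch_all:
        raise ValueError("last ingress rule must be the catch-all")
    template = next(r for r in rules if r.get("hostname") == same_as)
    known = {r["hostname"] for r in rules}
    for host in new_hosts:
        if host not in known:  # idempotent: re-running adds nothing
            rules.append({**template, "hostname": host})
            known.add(host)
    return rules + [catch_all]


if __name__ == "__main__":
    fixed = add_hostnames(CURRENT_INGRESS,
                          ["rpc.defi-oracle.io", "wss.defi-oracle.io"],
                          same_as="rpc.public-0138.defi-oracle.io")
    for h in ("rpc.public-0138.defi-oracle.io", "rpc.defi-oracle.io"):
        print(h, "| before:", route(CURRENT_INGRESS, h), "| after:", route(fixed, h))
```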
---
## 2. `wss://rpc.d-bis.org` — **NPMplus custom config (WebSocket)**
### Cause
- NPMplus has **one proxy host per domain**. The host **rpc.d-bis.org** is set to forward to `http://192.168.11.221:8545` (HTTP RPC). WebSocket upgrade is allowed on that host, but the **backend is still 8545**.
- For **wss://rpc.d-bis.org** to work, WebSocket traffic must go to **8546**, not 8545. So the same hostname must route:
  - HTTP POST (JSON-RPC) → 8545
  - WebSocket upgrade → 8546
- By default NPM does not do this; it sends all traffic to one backend. So **wss://rpc.d-bis.org** fails unless **custom Nginx** is added to route by `Upgrade: websocket` to 8546.
### Fix
Add the **custom Nginx snippet** from `docs/04-configuration/NPM_CUSTOM_RPC_D_BIS_ORG_WSS.md` to the **rpc.d-bis.org** proxy host in NPMplus:
1. NPMplus → **Hosts** → edit **rpc.d-bis.org** → **Advanced** tab.
2. In **Custom Nginx Configuration**, add (at the top, before default `proxy_pass`):
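```nginx
# Route WebSocket to 8546, HTTP stays on 8545.
# nginx allows proxy_pass inside "if" (within a location) but rejects
# proxy_http_version / proxy_set_header / proxy_cache_bypass there, so those
# directives sit at location level and only the backend switch is conditional.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
# Pass the client's Connection header through: "Upgrade" on WebSocket
# requests, unchanged for plain HTTP JSON-RPC.
proxy_set_header Connection $http_connection;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
if ($http_upgrade ~* "websocket") {
    proxy_pass http://192.168.11.221:8546;
}
```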
3. Save and let NPM reload Nginx.

**Alternative:** Use **wss://ws.rpc.d-bis.org** only (already works; no custom config). Update chainlist to use `wss://ws.rpc.d-bis.org` instead of `wss://rpc.d-bis.org` if you do not want to maintain custom Nginx.

**References**

- `docs/04-configuration/RPC_D_BIS_ORG_MAPPING.md`
- `docs/04-configuration/NPM_CUSTOM_RPC_D_BIS_ORG_WSS.md`
---
## 3. Thirdweb URLs — **Not Cloudflare/NPMplus**
- **defi-oracle-meta.rpc.thirdweb.com** and **138.rpc.thirdweb.com** are **thirdweb's domains**. Requests go to their infrastructure; they then proxy to your chain (e.g. `rpc.public-0138.defi-oracle.io`).
- Failures (e.g. `eth_blockNumber` failed) are due to **thirdweb's RPC proxy or auth** (API key, rate limit, or behavior), not your Cloudflare or NPMplus.
- No change to Cloudflare or NPMplus will fix these; use thirdweb dashboard/support or their RPC docs if you need these URLs to pass E2E.
---
## Checklist
- [ ] **rpc.defi-oracle.io (HTTP):** Add `rpc.defi-oracle.io` (and optionally `wss.defi-oracle.io`) to Cloudflare Tunnel `26138c21-db00-4a02-95db-ec75c07bda5b` public hostnames, same service as `rpc.public-0138.defi-oracle.io`.
- [ ] **wss://rpc.d-bis.org:** Add custom Nginx snippet to NPMplus proxy host **rpc.d-bis.org** (Advanced) to route WebSocket to `192.168.11.221:8546`, or standardise on `wss://ws.rpc.d-bis.org` in chainlist.
- [ ] **Thirdweb URLs:** Treat as thirdweb-side; no Cloudflare/NPMplus change.