- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
SFValley2 tunnel — manual completion runbook
Use this when completing the sfvalley02 tunnel for RPC Core-2 (Nathan) after the container 2102 and NPMplus are in place.
Prerequisites: VMID 2102 running at 192.168.11.212 with Besu RPC on 8545; third NPMplus at 192.168.11.169 (VMID 10235) — Nathan's RPC, Alltra, and HYBX use this instance (76.53.10.38).
1. Cloudflare Zero Trust — add published application route
- Open Zero Trust → Networks → Tunnels → sfvalley02.
- Open the Published application routes tab (same view as your screenshot).
- Click + Add a published application route.
- Configure:
  - Published application route (hostname): rpc-core-2.d-bis.org
  - Path: *
  - Service: https://192.168.11.169:443 (third NPMplus — same instance as Alltra/HYBX, not .167)
  - Origin: Use No TLS Verify so cloudflared can talk to NPMplus on 192.168.11.169.
- Save. You should see a 9th row with rpc-core-2.d-bis.org, Path *, Service https://192.168.11.169:443.
Note: If rpc-core-2.d-bis.org is not in “connected domains”, use Manage connected domains on that page to add the domain for the tunnel.
2. NPMplus (third instance) — add proxy host for rpc-core-2
Nathan's RPC uses the third NPMplus (192.168.11.169, VMID 10235 — same as Alltra/HYBX). Either use the script via SSH to Proxmox (uses pct to get password, or NPM_PASSWORD from .env):
# From repo root. SSHs to r630-01, runs update on Proxmox; set NPM_PASSWORD (and NPM_EMAIL if needed) in .env for third NPMplus (192.168.11.169)
./scripts/nginx-proxy-manager/run-update-npmplus-alltra-hybx-via-ssh.sh
Or run the update script directly (from a host that can reach 192.168.11.169):
NPM_URL=https://192.168.11.169:81 NPM_PASSWORD=xxx ./scripts/nginx-proxy-manager/update-npmplus-alltra-hybx-proxy-hosts.sh
Or in the third NPMplus UI (https://192.168.11.169:81):
- Hosts → Proxy Hosts → Add Proxy Host.
- Details:
  - Domain Names: rpc-core-2.d-bis.org
  - Scheme: HTTP
  - Forward Hostname / IP: 192.168.11.212
  - Forward Port: 8545
- Advanced: Enable WebSocket Support (for future WS use).
- Save. Optionally request SSL certificate for the domain.
3. DNS
In Cloudflare (or wherever d-bis.org is hosted):
- Type: CNAME
- Name: rpc-core-2 (or full rpc-core-2.d-bis.org depending on UI)
- Target: <sfvalley02-tunnel-id>.cfargotunnel.com
(Get the tunnel ID from Zero Trust → Networks → Tunnels → sfvalley02 → Overview.)
4. Verify
- From outside (or via tunnel):
  curl -s -X POST -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}' https://rpc-core-2.d-bis.org
  Expect JSON with "result":"0x8a" (138 in hex).
  If you get 405 Not Allowed: NPMplus “Block Exploits” is blocking POST to /. Edit the rpc-core-2.d-bis.org proxy host in the third NPMplus (https://192.168.11.169:81) → Advanced → turn off “Block Exploits” and save. Or run ./scripts/nginx-proxy-manager/update-npmplus-alltra-hybx-proxy-hosts.sh (it sets block_exploits: false for all RPC hosts on that instance).
- Or in a browser: open https://rpc-core-2.d-bis.org and confirm it’s not 502 (NPMplus and Besu are reachable).
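The step 4 check can be scripted so that each outcome this runbook names (0x8a, 405, 502) maps to a diagnosis. This is an added example, not part of the original runbook or its repository's scripts; the function names classify_rpc_probe and probe_rpc are hypothetical, and the expected chain ID defaults to 138.

```shell
#!/bin/sh
# Added example, not from the runbook's repository. Function names are hypothetical.

# classify_rpc_probe HTTP_STATUS BODY [EXPECTED_CHAIN_ID_DECIMAL]
# Maps a probe result to the outcomes named in step 4 of the runbook.
classify_rpc_probe() {
    status=$1 body=$2 want=${3:-138}
    case $status in
        405) echo "block_exploits"; return 0 ;;      # NPMplus "Block Exploits" rejects POST to /
        502) echo "backend_unreachable"; return 0 ;; # NPMplus or Besu is not reachable
        200) ;;
        *)   echo "unexpected_http_$status"; return 0 ;;
    esac
    # Pull the hex digits out of "result":"0x..." without needing jq.
    hex=$(printf '%s' "$body" |
        sed -n 's/.*"result"[[:space:]]*:[[:space:]]*"0[xX]\([0-9a-fA-F]\{1,\}\)".*/\1/p')
    if [ -z "$hex" ]; then echo "no_result"; return 0; fi
    got=$(printf '%d' "0x$hex")
    if [ "$got" -eq "$want" ]; then echo "ok"; else echo "wrong_chain_$got"; fi
}

# probe_rpc HOSTNAME [EXPECTED_CHAIN_ID_DECIMAL]
# Sends the runbook's eth_chainId request and classifies the reply.
probe_rpc() {
    tmp=$(mktemp) || { echo "no_tempfile"; return 0; }
    code=$(curl -s -m 10 -o "$tmp" -w '%{http_code}' -X POST \
        -H 'Content-Type: application/json' \
        -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}' \
        "https://$1") || code=000
    reply=$(cat "$tmp"); rm -f "$tmp"
    classify_rpc_probe "$code" "$reply" "${2:-138}"
}

if [ "$#" -gt 0 ]; then
    # Hostnames given as arguments are probed over the network.
    for h in "$@"; do printf '%-28s %s\n' "$h" "$(probe_rpc "$h")"; done
else
    # No arguments: classify constructed sample replies (not captured from a real host).
    classify_rpc_probe 200 '{"jsonrpc":"2.0","id":1,"result":"0x8a"}'
    classify_rpc_probe 405 '<html><title>405 Not Allowed</title></html>'
    classify_rpc_probe 502 ''
fi
```

Run it with one or more hostnames as arguments, for example rpc-core-2.d-bis.org, once the DNS record from step 3 resolves.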
Summary
| Step | Where | Action |
|---|---|---|
| 1 | Cloudflare Zero Trust | sfvalley02 → Published application routes → Add route: rpc-core-2.d-bis.org, Path *, Service https://192.168.11.169:443 (third NPMplus), No TLS Verify |
| 2 | NPMplus #3 (192.168.11.169) | Add Proxy Host: rpc-core-2.d-bis.org → http://192.168.11.212:8545, WebSocket on |
| 3 | DNS | CNAME rpc-core-2.d-bis.org → <sfvalley02-tunnel-id>.cfargotunnel.com |
See also: RPC_CORE_2_NATHAN_SFVALLEY2_TUNNEL.md.
5. All Alltra/HYBX hostnames (tunnel + NPMplus)
Yes — all Alltra and HYBX services that should be public belong on the same tunnel (sfvalley02) and same NPMplus (third instance, 192.168.11.169). The script update-npmplus-alltra-hybx-proxy-hosts.sh (and run-update-npmplus-alltra-hybx-via-ssh.sh) manages proxy hosts for all of these.
| Hostname | Backend | Port | In tunnel? |
|---|---|---|---|
| rpc-core-2.d-bis.org | 192.168.11.212 | 8545 | Yes (add route if missing) |
| rpc-alltra.d-bis.org, rpc-alltra-2, rpc-alltra-3 | .172, .173, .174 | 8545 | Yes |
| rpc-hybx.d-bis.org, rpc-hybx-2, rpc-hybx-3 | .246, .247, .248 | 8545 | Yes |
| cacti-alltra.d-bis.org, cacti-hybx.d-bis.org | .177, .251 | 80 | Yes |
| firefly-alltra-1, firefly-alltra-2, firefly-hybx-1, firefly-hybx-2 | .175, .176, .249, .250 | 80 | Add route for each |
| fabric-alltra, indy-alltra, fabric-hybx, indy-hybx | .178, .179, .252, .253 | 80 | Add route for each |
Cloudflare: For each hostname above that you want public, in sfvalley02 → Published application routes → + Add a published application route: set Published application route = hostname, Path = *, Service = https://192.168.11.169:443, No TLS Verify. Then add a DNS CNAME for that hostname → <sfvalley02-tunnel-id>.cfargotunnel.com.
NPMplus: Run ./scripts/nginx-proxy-manager/run-update-npmplus-alltra-hybx-via-ssh.sh from repo root; it adds or updates all proxy hosts (RPC, Cacti, Firefly, Fabric, Indy). Adjust Firefly/Fabric/Indy ports in the third NPMplus UI if your backends use something other than 80.