proxmox/docs/archive/completion/NGINX_PUBLIC_ENDPOINTS_FIX_COMPLETE.md
defiQUG cb47cce074 Complete markdown files cleanup and organization
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
2026-01-06 01:46:25 -08:00


Nginx Public Endpoints Fix - Complete

Date: 2025-01-27
Status: Nginx Configuration Fixed | ⚠️ Besu Host Allowlist Needs Update


What Was Fixed

1. Nginx Configuration on VMID 2500

Added public endpoint configuration without JWT authentication:

  • rpc-http-pub.d-bis.org → Proxies to 127.0.0.1:8545 (NO JWT)
  • rpc-ws-pub.d-bis.org → Proxies to 127.0.0.1:8546 (NO JWT)

Configuration File: /etc/nginx/sites-available/rpc-public on VMID 2500
Status: Enabled and active

2. Nginx Configuration on VMID 2501

Added public endpoint configuration without JWT authentication:

  • rpc-http-pub.d-bis.org → Proxies to 127.0.0.1:8545 (NO JWT)
  • rpc-ws-pub.d-bis.org → Proxies to 127.0.0.1:8546 (NO JWT)

Configuration File: /etc/nginx/sites-available/rpc-public on VMID 2501
Status: Enabled and active

Note: Added to VMID 2501 because the Cloudflared tunnel currently routes rpc-http-pub.d-bis.org to 192.168.11.251:443 (VMID 2501).


⚠️ Remaining Issue: Besu Host Allowlist

Error: {"message":"Host not authorized."}

This error comes from Besu RPC, not Nginx. Besu has a host-allowlist setting that restricts which Host header values the RPC endpoint accepts, so a request arriving with an unlisted hostname is rejected before any JSON-RPC method runs.

Fix Required

Update Besu configuration to allow the public endpoints:

For VMID 2501 (if using for public endpoint):

ssh root@192.168.11.10 "pct exec 2501 -- bash"
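# Edit Besu config file (location may vary)
# Add or update ("*" accepts any Host header, which turns the host check off):
rpc-http-host-allowlist=["*"]
# Or specifically (only the listed hostnames are accepted, so the host check stays on):
rpc-http-host-allowlist=["localhost","127.0.0.1","rpc-http-pub.d-bis.org","rpc-ws-pub.d-bis.org"]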
# Restart Besu service
systemctl restart besu-rpc

For VMID 2500 (if routing to 2500):

ssh root@192.168.11.10 "pct exec 2500 -- bash"
# Edit Besu config file
# Add or update ("*" accepts any Host header, which turns the host check off):
rpc-http-host-allowlist=["*"]
# Restart Besu service
systemctl restart besu-rpc

📋 Routing Architecture

Current Routing (based on Cloudflared tunnel config):

Internet → Cloudflare → Cloudflared Tunnel → VMID 2501 (192.168.11.251:443) → Besu RPC

Desired Routing (per user specification):

Internet → Cloudflare → Cloudflared Tunnel → VMID 2500 (192.168.11.250:443) → Besu RPC

Update Cloudflared Tunnel Configuration

If you want to route to VMID 2500 instead of 2501, update the Cloudflared tunnel configuration:

Option 1: Via Cloudflare Dashboard

  1. Go to Cloudflare Zero Trust → Networks → Tunnels
  2. Select your tunnel
  3. Find the hostname rpc-http-pub.d-bis.org
  4. Change service from https://192.168.11.251:443 to https://192.168.11.250:443
  5. Save and wait for tunnel to update

Option 2: Via Config File (if managed locally)

Update /etc/cloudflared/config.yml:

ingress:
  - hostname: rpc-http-pub.d-bis.org
    service: https://192.168.11.250:443  # Changed from 251 to 250
  - hostname: rpc-ws-pub.d-bis.org
    service: https://192.168.11.250:443  # Changed from 251 to 250

Then restart the cloudflared service.


Verification Steps

1. Test Nginx Configuration

# Test locally on VMID 2500
ssh root@192.168.11.10 "pct exec 2500 -- curl -k -X POST https://localhost \
  -H 'Host: rpc-http-pub.d-bis.org' \
  -H 'Content-Type: application/json' \
  -d '{\"jsonrpc\":\"2.0\",\"method\":\"eth_chainId\",\"params\":[],\"id\":1}'"

# Should return: {"jsonrpc":"2.0","id":1,"result":"0x8a"}

2. Test from External

curl -X POST https://rpc-http-pub.d-bis.org \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'

Expected: {"jsonrpc":"2.0","id":1,"result":"0x8a"}
Current: {"message":"Host not authorized."} (until Besu host-allowlist is fixed)

3. Verify MetaMask Connection

  1. Remove existing network in MetaMask
  2. Add network with:
    • RPC URL: https://rpc-http-pub.d-bis.org
    • Chain ID: 138
  3. Should connect successfully (after Besu fix)

📝 Configuration Files

VMID 2500

  • Nginx Config: /etc/nginx/sites-available/rpc-public
  • Enabled: /etc/nginx/sites-enabled/rpc-public
  • Besu Config: Check /etc/besu/config-rpc-core.toml or similar

VMID 2501

  • Nginx Config: /etc/nginx/sites-available/rpc-public
  • Enabled: /etc/nginx/sites-enabled/rpc-public
  • Besu Config: Check /etc/besu/config-rpc-perm.toml or similar

🔧 Next Steps

  1. DONE: Configured Nginx on both VMID 2500 and 2501 for public endpoints
  2. TODO: Update Besu host-allowlist configuration to allow public endpoints
  3. OPTIONAL: Update Cloudflared tunnel to route to VMID 2500 instead of 2501
  4. DONE: Verified Nginx configuration is correct (no JWT for public endpoints)

📞 Troubleshooting

Still Getting JWT Error?

  • Check which VMID Cloudflared is routing to
  • Verify Nginx config doesn't have auth_request for public endpoints
  • Check Nginx logs: /var/log/nginx/rpc-http-pub-error.log

Still Getting "Host not authorized"?

  • Update Besu rpc-http-host-allowlist to ["*"] or include the hostname
  • Restart Besu service after config change
  • Check Besu logs for more details

MetaMask Still Can't Connect?

  • Verify endpoint returns {"jsonrpc":"2.0","id":1,"result":"0x8a"} without errors
  • Check browser console for detailed error messages
  • Ensure Chain ID is exactly 138 (decimal) in MetaMask

Last Updated: 2025-01-27
Status: Nginx fixed | Besu host-allowlist needs update ⚠️