The frontend is reachable at **https://explorer.d-bis.org** (FQDN) or by **VM IP** (**http://192.168.11.140**). In both cases it needs the **Blockscout v2 API** at the same origin under `/api/`. If you see **502 Bad Gateway**, **no blocks/transactions feeds**, or "Failed to load", the API may be unreachable. Use this checklist to verify and restore access.
## No feeds (blocks/transactions empty or stuck on “Loading…”)
- **Frontend** now loads stats, blocks, and transactions **immediately** on page load (it no longer waits for the ethers.js library). If feeds are still empty:
1.**Check the API**– Open DevTools → Network, reload the page, and look for requests to `/api/v2/blocks` and `/api/v2/transactions`. If they return **502** or fail, use [Fix 502 Bad Gateway](#fix-502-bad-gateway-one-script) and ensure Blockscout is up and nginx proxies `/api/` to port 4000.
2.**Same-origin /api**– When the site is served from the explorer host (FQDN `https://explorer.d-bis.org` or VM IP `http://192.168.11.140` / `https://192.168.11.140`), the frontend uses relative `/api` so all requests go through the same nginx proxy. If you open the frontend from elsewhere, the code falls back to the full Blockscout URL (CORS must allow it).
- If the API returns **200** but the UI still shows no data, check the browser console for JavaScript errors (e.g. CSP or network errors).
---
## CSP blocks eval / “script-src blocked”
The ethers.js v5 UMD bundle from the CDN uses `eval`/`new Function()` for ABI decoding, so the site’s CSP must allow **`'unsafe-eval'`** in **script-src**. The repo already includes it in:
-`frontend/public/index.html` (meta tag)
-`deployment/nginx/explorer.conf` (if nginx serves the page)
-`backend/api/middleware/security.go` (if the Go API serves the page)
If the browser still reports **“Content Security Policy blocks the use of 'eval'”** or **script-src blocked**:
1.**Redeploy the frontend** so the live site gets the current `index.html` (with the meta CSP including `'unsafe-eval'`). For VMID 5000, run **`scripts/deploy-frontend-to-vmid5000.sh`** (frontend-only) or **`scripts/complete-explorer-api-access.sh`** (full). Alternatively, copy `frontend/public/index.html` to the server’s web root (e.g. `/var/www/html/`).
2.**Check what CSP the browser sees**– DevTools → Network → select the document request (the HTML page) → Headers → **Response Headers** → `Content-Security-Policy`. It should contain `'unsafe-eval'` in `script-src`. If the response has a CSP header **without**`'unsafe-eval'`, that header is coming from your server (nginx or app) or from a proxy (e.g. Cloudflare). Update the config that serves the explorer so its CSP includes `'unsafe-eval'`, then reload (hard refresh or incognito).
3.**If you use Cloudflare**– In the dashboard, check Transform Rules, Page Rules, or Security → Settings for any **Content-Security-Policy** (or similar) header that might override the origin. Ensure that header’s `script-src` includes `'unsafe-eval'`, or remove the override so the origin CSP is used.
---
## One command: complete all steps
From the **explorer-monorepo** directory:
**On the Proxmox host that has VMID 5000** (e.g. r630-02):
```bash
cd /path/to/explorer-monorepo
bash scripts/complete-explorer-api-access.sh
```
**From your laptop** (if you have SSH to the Proxmox node):
```bash
cd /path/to/explorer-monorepo
# Uses PROXMOX_R630_02 from repo parent .env if set
The script will: start Blockscout in VMID 5000, deploy the frontend, configure nginx with `location /api/` → port 4000, wait up to 45s for the API, and run the verification script. If Blockscout does not respond in time, check inside VMID 5000: `docker ps` and `docker logs <blockscout-container>` (see [Check Blockscout](#a-ensure-blockscout-is-running-vmid-5000)).
---
## Fix 502 Bad Gateway (one script)
If the explorer shows **502 Bad Gateway** on `/api/`, Blockscout is not responding on port 4000. Run:
The script will: start PostgreSQL, **restart** Blockscout (so the app inside binds to port 4000 again), print container status and recent logs, wait for the API on port 4000, and report the public API check. If the container is "Up" but API still does not respond, the script restarts the container to recover. If the container keeps exiting, check logs for database/migrations or `command: bin/blockscout start` in docker-compose.
---
## Automated maintenance (cron, permanent)
To prevent 502s and disk-full from recurring, install cron jobs **inside VMID 5000**:
- **Every 5 min:** Health check; if API is not 200, restart Blockscout (or start from `/opt/blockscout`); if nginx is down, start it.
- **Daily 03:15:** Safe disk prune (unused images + build cache only) when disk usage ≥ 90%. Does **not** prune containers.
See `scripts/cron/README.md` for details and uninstall.
**If you see "no space left on device"** when restarting, the disk on VMID 5000 is full. Free space first, then rerun the fix script. On the Proxmox host run:
# Then rerun: EXPLORER_VM_HOST=root@192.168.11.12 bash scripts/fix-502-blockscout.sh
```
Or SSH into the VM (192.168.11.140) and run `df -h`, clear logs, remove unused Docker images/containers/volumes, then restart the Blockscout container.
---
## 1. What the frontend expects
| Purpose | URL pattern | Backend |
|--------|-------------|--------|
| Chain 138 (Blockscout) | `https://explorer.d-bis.org/api/v2/blocks`, `/api/v2/transactions`, `/api/v2/addresses`, `/api/v2/stats`, etc. | **Blockscout** (Elixir) on port **4000** |
| Stats (optional) | `/api/v2/stats` | Blockscout or Go API |
| Config | `/api/config/token-list`, `/api/config/networks` | Go API (if used) |
| Explorer backend v1 | `/explorer-api/v1/features`, `/explorer-api/v1/auth/*`, `/explorer-api/v1/ai/*` | **Explorer Config API** (Go) on port **8081** |
| Explorer AI metrics | `/explorer-api/v1/ai/metrics` | **Explorer Config API** (Go) on port **8081** |
| Token aggregation | `/token-aggregation/api/v1/routes/*`, `/token-aggregation/api/v1/partner-payloads*` | **token-aggregation** service on port **3001** |
For the **static frontend + Blockscout** setup (VMID 5000), **nginx** must proxy `/api/` to **Blockscout** at `http://127.0.0.1:4000`. A 502 means nginx is up but the upstream (Blockscout) is down or unreachable.
-`/api/*` is reserved for **Blockscout** compatibility and v2 explorer reads.
-`/explorer-api/v1/*` is reserved for the **Go explorer backend** (auth, features, AI, explorer-owned helpers).
-`/token-aggregation/api/v1/*` is reserved for the **token-aggregation** service.
Avoid routing mixed services behind the same `/api/v1/*` prefix. That pattern caused the earlier conflicts where AI and feature endpoints were accidentally sent to token-aggregation or Blockscout.
| **HTTPS** (e.g. `https://explorer.d-bis.org`) | **FQDN**: `https://rpc-http-pub.d-bis.org`, `wss://rpc-ws-pub.d-bis.org` | Avoids mixed-content blocking (HTTPS page cannot call plain `http://` or `ws://` in many browsers). |
| **HTTP** (e.g. `http://192.168.11.140`) | **IP and port**: `http://192.168.11.221:8545`, `ws://192.168.11.221:8546` (VMID 2201) | Same-LAN; no mixed content when the page is already HTTP. |
The explorer always uses **VMID 2201** (besu-rpc-public-1, 192.168.11.221) for Chain 138 RPC/WebSocket — via FQDN when the page is HTTPS and via IP:port when HTTP. So: **RPC/WebSocket are not required to be FQDN**; when the explorer is loaded over HTTPS, the frontend uses the public FQDN so MetaMask and provider calls are not blocked by mixed-content.
If `XAI_API_KEY` is omitted, the AI context endpoint will still work, but chat will remain disabled with a backend `service_unavailable` response. The deploy script will automatically source `~/.secure-secrets/explorer-ai.env` when it exists.
On VMID `5000`, the script also writes a dedicated `database.conf` drop-in for `explorer-config-api` so AI context can query the live Blockscout Postgres container instead of assuming `localhost:5432`.
The frontend is same-origin (`https://explorer.d-bis.org`), so `/api/` is same-origin and CORS is not required for same-origin requests. The `add_header Access-Control-Allow-Origin *` above helps if you ever call the API from another origin.
| **VMID 5000 static + Blockscout** | `/var/www/html/index.html` | `http://127.0.0.1:4000` (Blockscout) | What this doc and the fix scripts assume. 502 = Blockscout not running or not on 4000. |
| **Go stack** (`deployment/nginx/explorer.conf`) | `explorer_frontend` (port 3000) | `explorer_api` (port 8080) | Go API has `/api/v2/stats` and v1 routes but **not** Blockscout v2 blocks/transactions. For Chain 138 the frontend needs Blockscout; either proxy `/api/v2/*` to Blockscout or use the static + Blockscout setup above. |
---
## 6. Summary
1.**502 on `/api/v2/*`** → nginx is up, backend (Blockscout on 4000) is down or not proxied.
2.**Provide access**: Start Blockscout on 4000, ensure nginx has `location /api/ { proxy_pass http://127.0.0.1:4000; ... }`, then `nginx -t && systemctl reload nginx`.
**Authenticated API (api.explorer.d-bis.org):** Auth/nonce and full Track 2–4 require a database for nonce storage and operator data. Health may report DEGRADED when the DB is unavailable. See repo root `docs/00-meta/REMAINING_TASKS_AND_API_FEATURES.md` (Explorer API) and `explorer-monorepo/docs/DEPLOYMENT_COMPLETE.md`.
