# RPC DNS Configuration for d-bis.org and defi-oracle.io
**Last Updated:** 2025-01-23
**Status:** Active Configuration
---
## Overview
DNS configuration for RPC endpoints with Nginx SSL termination on port 443.
**Architecture:**
**d-bis.org domain (Direct A records):**
```
Internet → DNS (A records) → Nginx (port 443) → Besu RPC (8545/8546)
```
**defi-oracle.io domain (Cloudflare Tunnel):**
```
Internet → DNS (CNAME) → Cloudflare Tunnel → VMID 2400 → Nginx (port 443) → Besu RPC (8545/8546)
```
All HTTPS traffic arrives on port 443, and Nginx routes to the appropriate backend port based on the domain name (Server Name Indication - SNI). For VMID 2400, traffic flows through Cloudflare Tunnel first.
---
## DNS Records Configuration
### Cloudflare DNS Records
**Important:** A records in DNS do NOT include port numbers. All traffic comes to port 443 (HTTPS), and Nginx handles routing to the backend ports.
#### Permissioned RPC (VMID 2501 - 192.168.11.251) - JWT Authentication Required
| Type | Name | Target | Proxy | Notes |
|------|------|--------|-------|-------|
| A | `rpc-http-prv` | `192.168.11.251` | 🟠 Proxied (optional) | HTTP RPC endpoint (JWT auth required) |
| A | `rpc-ws-prv` | `192.168.11.251` | 🟠 Proxied (optional) | WebSocket RPC endpoint (JWT auth required) |
**DNS Configuration:**
```
Type: A
Name: rpc-http-prv
Target: 192.168.11.251
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)

Type: A
Name: rpc-ws-prv
Target: 192.168.11.251
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)
```
**Note:** These endpoints require JWT token authentication. See [RPC_JWT_AUTHENTICATION.md](RPC_JWT_AUTHENTICATION.md) for details.
#### Public RPC (VMID 2502 - 192.168.11.252) - No Authentication
| Type | Name | Target | Proxy | Notes |
|------|------|--------|-------|-------|
| A | `rpc-http-pub` | `192.168.11.252` | 🟠 Proxied (optional) | HTTP RPC endpoint (public, no auth) |
| A | `rpc-ws-pub` | `192.168.11.252` | 🟠 Proxied (optional) | WebSocket RPC endpoint (public, no auth) |
**DNS Configuration:**
```
Type: A
Name: rpc-http-pub
Target: 192.168.11.252
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)

Type: A
Name: rpc-ws-pub
Target: 192.168.11.252
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)
```
### DNS Records Configuration for defi-oracle.io Domain
**Note:** The `defi-oracle.io` domain is used specifically for ThirdWeb RPC nodes and Thirdweb listing integration.
#### ThirdWeb RPC (VMID 2400 - 192.168.11.240) - defi-oracle.io Domain
**Note:** VMID 2400 uses Cloudflare Tunnel, so DNS records use CNAME (not A records).
| Type | Name | Domain | Target | Proxy | Notes |
|------|------|--------|--------|-------|-------|
| CNAME | `rpc.public-0138` | `defi-oracle.io` | `26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com` | 🟠 Proxied | Tunnel endpoint for ThirdWeb RPC |
| CNAME | `rpc` | `defi-oracle.io` | `rpc.public-0138.defi-oracle.io` | 🟠 Proxied | Short alias for ThirdWeb RPC |
**DNS Configuration:**
**Record 1: Tunnel Endpoint**
```
Type: CNAME
Name: rpc.public-0138
Domain: defi-oracle.io
Target: 26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com
TTL: Auto
Proxy: 🟠 Proxied (required for tunnel)
```
**Record 2: Short Alias**
```
Type: CNAME
Name: rpc
Domain: defi-oracle.io
Target: rpc.public-0138.defi-oracle.io
TTL: Auto
Proxy: 🟠 Proxied (required for tunnel)
```
**Full FQDNs:**
- `rpc.public-0138.defi-oracle.io` (primary endpoint)
- `rpc.defi-oracle.io` (short alias)
**DNS Structure:**
```
rpc.defi-oracle.io
↓ (CNAME)
rpc.public-0138.defi-oracle.io
↓ (CNAME)
26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com
↓ (Cloudflare Tunnel)
192.168.11.240 (VMID 2400)
```
**Note:** This endpoint is used for the Thirdweb listing for ChainID 138. Traffic flows through Cloudflare Tunnel to VMID 2400, where Nginx handles SSL termination and routes to Besu RPC (port 8545 for HTTP, port 8546 for WebSocket).
---
## How It Works
### Request Flow
1. **Client** makes request to `https://rpc-http-prv.d-bis.org` (permissioned) or `https://rpc-http-pub.d-bis.org` (public)
2. **DNS** resolves to appropriate IP (A record)
3. **HTTPS connection** established on port 443 (standard HTTPS port)
4. **Nginx** receives request on port 443
5. **Nginx** uses Server Name Indication (SNI) to identify the domain:
   - `rpc-http-pub.d-bis.org` → proxies to `127.0.0.1:8545` (HTTP RPC)
   - `rpc-ws-pub.d-bis.org` → proxies to `127.0.0.1:8546` (WebSocket RPC)
   - `rpc-http-prv.d-bis.org` → proxies to `127.0.0.1:8545` (HTTP RPC)
   - `rpc-ws-prv.d-bis.org` → proxies to `127.0.0.1:8546` (WebSocket RPC)
   - `rpc.public-0138.defi-oracle.io` → Cloudflare Tunnel → VMID 2400 → proxies to `127.0.0.1:8545` (HTTP RPC) or `127.0.0.1:8546` (WebSocket RPC)
   - `rpc.defi-oracle.io` → CNAME → `rpc.public-0138.defi-oracle.io` → Cloudflare Tunnel → VMID 2400 → proxies to `127.0.0.1:8545` (HTTP RPC) or `127.0.0.1:8546` (WebSocket RPC)
6. **Besu RPC** processes request and returns response
7. **Nginx** forwards response back to client
### Port Mapping
| Domain | DNS Target | Nginx Port | Backend Port | Service | Auth |
|--------|------------|------------|-------------|---------|------|
| `rpc-http-prv.d-bis.org` | `192.168.11.251` | 443 (HTTPS) | 8545 | HTTP RPC | ✅ JWT Required |
| `rpc-ws-prv.d-bis.org` | `192.168.11.251` | 443 (HTTPS) | 8546 | WebSocket RPC | ✅ JWT Required |
| `rpc-http-pub.d-bis.org` | `192.168.11.252` | 443 (HTTPS) | 8545 | HTTP RPC | ❌ No Auth |
| `rpc-ws-pub.d-bis.org` | `192.168.11.252` | 443 (HTTPS) | 8546 | WebSocket RPC | ❌ No Auth |
| `rpc.public-0138.defi-oracle.io` | Cloudflare Tunnel → `192.168.11.240` | 443 (HTTPS) | 8545/8546 | HTTP/WS RPC | ❌ No Auth |
| `rpc.defi-oracle.io` | CNAME → `rpc.public-0138` → Cloudflare Tunnel → `192.168.11.240` | 443 (HTTPS) | 8545/8546 | HTTP/WS RPC | ❌ No Auth |
**Note:** DNS A records only contain IP addresses. Port numbers are handled by:
- **Port 443**: Standard HTTPS port (handled automatically by browsers/clients)
- **Backend ports (8545/8546)**: Configured in Nginx server blocks
---
## Testing
### Test DNS Resolution
```bash
# Test DNS resolution
dig rpc-http-pub.d-bis.org
nslookup rpc-http-pub.d-bis.org
# With the record set to "DNS only" this resolves to the origin, 192.168.11.252 (VMID 2502).
# With the record proxied (orange cloud) the answer is Cloudflare edge addresses instead,
# and the origin IP is not visible in DNS.
```
### Test HTTPS Endpoints
```bash
# Test HTTP RPC endpoint (port 443)
# -k skips certificate verification; drop it once the certificate for the hostname
# is trusted so that the test also verifies the TLS chain.
curl -k https://rpc-http-pub.d-bis.org/health
curl -k -X POST https://rpc-http-pub.d-bis.org \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# A working endpoint answers with a JSON-RPC object whose "result" is the hex-encoded block height.
# Test WebSocket RPC endpoint (port 443)
# Use wscat or similar WebSocket client
wscat -c wss://rpc-ws-pub.d-bis.org
```
### Test Direct IP Access (for troubleshooting)
```bash
# Test Nginx directly on container IP
# -k is required here: the certificate is issued for the hostnames, not the container IPs,
# so name verification would fail even though the listener is healthy.
curl -k https://192.168.11.251/health
curl -k https://192.168.11.252/health
# Test backend Besu RPC directly (bypassing Nginx)
# Plain HTTP on 8545 does not pass through the port-443 listener. Nginx proxies to
# 127.0.0.1:8545, so if Besu binds only to localhost this call succeeds only from
# inside the container (e.g. via pct exec).
curl -X POST http://192.168.11.251:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
```
---
## Cloudflare Proxy Settings
### When to Use Proxy (🟠 Proxied)
**Recommended for:**
- DDoS protection
- CDN caching (though RPC responses shouldn't be cached)
- SSL/TLS termination at Cloudflare edge
- Hiding origin server IP
**Considerations:**
- Cloudflare may cache some responses (disable caching for RPC)
- Additional latency (usually minimal)
- WebSocket support requires Cloudflare WebSocket passthrough
### When to Use DNS Only (❌ DNS only)
**Use when:**
- Direct IP access needed
- Cloudflare proxy causes issues
- Testing/debugging
- Internal network access
---
## Nginx Configuration Summary
The Nginx configuration on each container:
**VMID 2501 (Permissioned RPC):**
- Listens on port 443 (HTTPS)
- `rpc-http-prv.d-bis.org` → proxies to `127.0.0.1:8545` (JWT auth required)
- `rpc-ws-prv.d-bis.org` → proxies to `127.0.0.1:8546` (JWT auth required)
**VMID 2502 (Public RPC):**
- Listens on port 443 (HTTPS)
- `rpc-http-pub.d-bis.org` → proxies to `127.0.0.1:8545` (no auth)
- `rpc-ws-pub.d-bis.org` → proxies to `127.0.0.1:8546` (no auth)
**VMID 2400 (ThirdWeb RPC - Cloudflare Tunnel):**
- Cloudflare Tunnel endpoint: `26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com`
- Nginx listens on port 443 (HTTPS) inside container
- `rpc.public-0138.defi-oracle.io` → Cloudflare Tunnel → proxies to `127.0.0.1:8545` (HTTP RPC, no auth) or `127.0.0.1:8546` (WebSocket RPC, no auth)
- `rpc.defi-oracle.io` → CNAME → `rpc.public-0138.defi-oracle.io` → Cloudflare Tunnel → proxies to `127.0.0.1:8545` (HTTP RPC, no auth) or `127.0.0.1:8546` (WebSocket RPC, no auth)
- Uses `defi-oracle.io` domain (Cloudflare Tunnel) for Thirdweb listing integration
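The summary above describes the routing in words; the following is an added example of what the VMID 2502 (public RPC) configuration looks like as Nginx server blocks. It is illustrative and not the project's own config: the certificate path `/etc/nginx/ssl/rpc.crt` is taken from the troubleshooting section of this page, while the key path `/etc/nginx/ssl/rpc.key` and the `/health` location are assumptions. The VMID 2501 blocks would be the same shape with the `-prv` hostnames plus whatever JWT enforcement RPC_JWT_AUTHENTICATION.md describes.

```nginx
# Added example (not the project's config). Assumed paths: /etc/nginx/ssl/rpc.key, /health.

# Map the client's Upgrade header to the Connection header Nginx sends upstream,
# so WebSocket handshakes are forwarded and plain HTTP requests are not.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# HTTP JSON-RPC: rpc-http-pub.d-bis.org -> 127.0.0.1:8545
server {
    listen 443 ssl;
    server_name rpc-http-pub.d-bis.org;

    ssl_certificate     /etc/nginx/ssl/rpc.crt;
    ssl_certificate_key /etc/nginx/ssl/rpc.key;   # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Simple liveness check used by the curl tests on this page (assumed location)
    location = /health {
        return 200 "ok\n";
        add_header Content-Type text/plain;
    }

    location / {
        proxy_pass http://127.0.0.1:8545;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# WebSocket JSON-RPC: rpc-ws-pub.d-bis.org -> 127.0.0.1:8546
server {
    listen 443 ssl;
    server_name rpc-ws-pub.d-bis.org;

    ssl_certificate     /etc/nginx/ssl/rpc.crt;
    ssl_certificate_key /etc/nginx/ssl/rpc.key;   # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8546;
        # HTTP/1.1 plus the Upgrade/Connection pair is what makes the WebSocket upgrade work
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        # Subscriptions sit idle between blocks; keep the socket open longer than the default 60s
        proxy_read_timeout 3600s;
    }
}

# Any other SNI name (including a bare connection to the IP) gets no vhost at all.
# ssl_reject_handshake needs Nginx 1.19.4 or newer; it aborts the TLS handshake
# instead of serving the first server block as an implicit default.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}
```

Because the hostname selects the backend port, each hostname needs its own `server_name` match; a request that carries a name not listed here falls into the last block and is refused rather than silently proxied to 8545. Validate with `nginx -t` before reloading, as in the troubleshooting section.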
---
## Troubleshooting
### DNS Not Resolving
```bash
# Check DNS resolution
dig rpc-http-pub.d-bis.org
nslookup rpc-http-pub.d-bis.org
# Verify DNS records in Cloudflare dashboard
```
### Connection Refused
```bash
# Check if Nginx is running
ssh root@192.168.11.10 "pct exec 2501 -- systemctl status nginx"
# Check if port 443 is listening
ssh root@192.168.11.10 "pct exec 2501 -- ss -tuln | grep 443"
# Check Nginx configuration
ssh root@192.168.11.10 "pct exec 2501 -- nginx -t"
```
### SSL Certificate Issues
```bash
# Check SSL certificate
ssh root@192.168.11.10 "pct exec 2501 -- openssl x509 -in /etc/nginx/ssl/rpc.crt -text -noout"
# Test SSL connection
openssl s_client -connect rpc-http-pub.d-bis.org:443 -servername rpc-http-pub.d-bis.org
```
### Backend Connection Issues
```bash
# Test backend Besu RPC directly
curl -X POST http://192.168.11.251:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# Check Besu service status
ssh root@192.168.11.10 "pct exec 2501 -- systemctl status besu-rpc"
```
---
## Related Documentation
- [CLOUDFLARE_DNS_SPECIFIC_SERVICES.md](CLOUDFLARE_DNS_SPECIFIC_SERVICES.md) - General DNS configuration
- [NGINX_ARCHITECTURE_RPC.md](../05-network/NGINX_ARCHITECTURE_RPC.md) - Nginx architecture details
- [CLOUDFLARE_NGINX_INTEGRATION.md](../05-network/CLOUDFLARE_NGINX_INTEGRATION.md) - Cloudflare + Nginx integration
---
## Quick Reference
**DNS Records to Create:**
**d-bis.org domain:**
```
rpc-http-prv.d-bis.org → A → 192.168.11.251 (Permissioned, JWT auth required)
rpc-ws-prv.d-bis.org → A → 192.168.11.251 (Permissioned, JWT auth required)
rpc-http-pub.d-bis.org → A → 192.168.11.252 (Public, no auth)
rpc-ws-pub.d-bis.org → A → 192.168.11.252 (Public, no auth)
```
**defi-oracle.io domain (ThirdWeb RPC - Cloudflare Tunnel):**
```
rpc.public-0138.defi-oracle.io → CNAME → 26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com (Tunnel endpoint)
rpc.defi-oracle.io → CNAME → rpc.public-0138.defi-oracle.io (Short alias)
```
**Endpoints:**
**d-bis.org domain:**
- `https://rpc-http-prv.d-bis.org` → Permissioned HTTP RPC (port 443 → 8545, JWT auth required)
- `wss://rpc-ws-prv.d-bis.org` → Permissioned WebSocket RPC (port 443 → 8546, JWT auth required)
- `https://rpc-http-pub.d-bis.org` → Public HTTP RPC (port 443 → 8545, no auth)
- `wss://rpc-ws-pub.d-bis.org` → Public WebSocket RPC (port 443 → 8546, no auth)
**defi-oracle.io domain (ThirdWeb RPC - Cloudflare Tunnel):**
- `https://rpc.public-0138.defi-oracle.io` → ThirdWeb HTTP RPC (Cloudflare Tunnel → port 443 → 8545, no auth)
- `wss://rpc.public-0138.defi-oracle.io` → ThirdWeb WebSocket RPC (Cloudflare Tunnel → port 443 → 8546, no auth)
- `https://rpc.defi-oracle.io` → ThirdWeb HTTP RPC (CNAME → Cloudflare Tunnel → port 443 → 8545, no auth)
- `wss://rpc.defi-oracle.io` → ThirdWeb WebSocket RPC (CNAME → Cloudflare Tunnel → port 443 → 8546, no auth)