# Cloudflare DNS Configuration for Specific Services

**Last Updated:** 2025-01-20

**Document Version:** 1.0

**Status:** Service-Specific DNS Mapping

---

## Overview

This document provides specific Cloudflare DNS and tunnel configuration for:

1. **Mail Server** (VMID 100) - Mail services for all domains
2. **Public RPC Node** (VMID 2502) - Besu RPC-3 for public access
3. **Solace Frontend** (VMID 300X) - Solace frontend application

---

## Service 1: Mail Server (VMID 100)

### Container Information

- **VMID**: 100
- **Service**: Mail server (Postfix, Dovecot, or similar)
- **Purpose**: Handle mail for all domains
- **IP Address**: To be determined (check with `pct config 100`)
- **Ports**:
  - SMTP: 25 (or 587 for submission)
  - IMAP: 143 (or 993 for IMAPS)
  - POP3: 110 (or 995 for POP3S)

### DNS Records Required

**For each domain that will use this mail server:**

#### MX Records (Mail Exchange)

```
Type: MX
Name: @ (or domain root)
Priority: 10
Target: mail.yourdomain.com
TTL: Auto
Proxy: ❌ DNS only (gray cloud) - MX records cannot be proxied
```

**Example for multiple domains:**

- `yourdomain.com` → MX 10 `mail.yourdomain.com`
- `anotherdomain.com` → MX 10 `mail.anotherdomain.com`

#### A/CNAME Records for Mail Server

```
Type: A (or CNAME if using tunnel)
Name: mail
Target: .cfargotunnel.com (if using tunnel) OR (if direct access)
TTL: Auto
Proxy: 🟠 Proxied (if using tunnel)
       ❌ DNS only (if direct access with public IP)
```

**Note**: The MX target must resolve to the mail server's real public IP. Cloudflare's proxy and tunnel only carry HTTP(S), so a proxied or tunnel-backed `mail` record cannot receive SMTP.
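The MX and proxy rules above can be checked mechanically before anything is created in the dashboard. The linter below is an added example, not the project's own tooling and not a Cloudflare API: it models a record plan as plain Python objects and runs the rules this section states (MX gray-clouded, MX target an A record rather than an alias and not proxied, tunnel-backed CNAMEs proxied, SPF present). Both sample plans are constructed; `203.0.113.25` is a documentation address and `TUNNEL-ID` stands in for the real tunnel UUID.

```python
"""Lint a Cloudflare DNS plan against the mail rules stated above.

Added example, not part of this document's tooling or Cloudflare's.
Records are constructed sample data; 203.0.113.0/24 is a documentation
range and TUNNEL-ID stands for the real tunnel UUID.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CF_TUNNEL_SUFFIX = ".cfargotunnel.com"


@dataclass(frozen=True)
class Record:
    rtype: str                 # "A", "CNAME", "MX" or "TXT"
    name: str                  # owner name, fully qualified
    target: str                # A: IPv4, CNAME/MX: hostname, TXT: text
    proxied: bool = False      # True == orange cloud
    priority: Optional[int] = None


def lint_mail_zone(domain: str, records: List[Record]) -> List[str]:
    """Return findings for one domain; an empty list means the plan passes."""
    findings: List[str] = []
    by_name: Dict[str, List[Record]] = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)

    mx_records = [r for r in records if r.rtype == "MX" and r.name == domain]
    if not mx_records:
        findings.append(f"{domain}: no MX record")
    for mx in mx_records:
        if mx.proxied:
            # MX records cannot be proxied; they must stay gray cloud.
            findings.append(f"{domain}: MX record must be DNS only (gray cloud)")
        targets = by_name.get(mx.target, [])
        if not targets:
            findings.append(f"{domain}: MX target {mx.target} has no record")
        for t in targets:
            if t.rtype == "CNAME":
                # RFC 2181 s10.3: an MX target must not be an alias.
                findings.append(f"{mx.target}: MX target is a CNAME; use an A record")
            elif t.proxied:
                # The proxy only carries HTTP(S); SMTP to a proxied name fails.
                findings.append(f"{mx.target}: MX target is proxied; SMTP needs the real IP")

    for r in records:
        # Tunnel-backed names only work through the proxy (orange cloud).
        if r.rtype == "CNAME" and r.target.endswith(CF_TUNNEL_SUFFIX) and not r.proxied:
            findings.append(f"{r.name}: tunnel CNAME must be proxied (orange cloud)")

    has_spf = any(r.rtype == "TXT" and r.name == domain and r.target.startswith("v=spf1")
                  for r in records)
    if not has_spf:
        findings.append(f"{domain}: no SPF TXT record")
    return findings


# Constructed sample plans (hostnames are the document's placeholders).
GOOD_PLAN = [
    Record("MX", "yourdomain.com", "mail.yourdomain.com", priority=10),
    Record("A", "mail.yourdomain.com", "203.0.113.25"),
    Record("CNAME", "webmail.yourdomain.com", "TUNNEL-ID.cfargotunnel.com", proxied=True),
    Record("TXT", "yourdomain.com", "v=spf1 ip4:203.0.113.25 ~all"),
]
BAD_PLAN = [
    Record("MX", "yourdomain.com", "mail.yourdomain.com", proxied=True, priority=10),
    Record("CNAME", "mail.yourdomain.com", "TUNNEL-ID.cfargotunnel.com", proxied=True),
    Record("CNAME", "webmail.yourdomain.com", "TUNNEL-ID.cfargotunnel.com"),
]

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, lint_mail_zone("yourdomain.com", plan) or ["OK"])
```

`BAD_PLAN` is the tunnel-only variant this section warns against: the MX is orange-clouded, `mail` is an alias to the tunnel, and `webmail` was left gray-clouded, so all four rules fire. Extend the plan per domain when several domains share the server, as the multi-domain example above does.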
If using Cloudflare tunnel, you may need to:

- Use A records pointing to public IPs for MX
- Use tunnel for webmail interface only

### Tunnel Configuration (Optional - for Webmail)

If your mail server has a webmail interface:

**In Cloudflare Tunnel Dashboard:**

```
Subdomain: webmail
Domain: yourdomain.com
Service: http://:80 OR https://:443
```

**DNS Record:**

```
Type: CNAME
Name: webmail
Target: .cfargotunnel.com
Proxy: 🟠 Proxied
```

### Mail Server Ports Configuration

**Important**: Cloudflare tunnels can handle HTTP/HTTPS traffic, but mail protocols (SMTP, IMAP, POP3) require direct connection or special configuration.

**Options:**

1. **Direct Public IP** (Recommended for mail):
   - Assign public IP to mail server
   - Create A records pointing to public IP
   - Configure firewall rules
2. **Cloudflare Tunnel for Webmail Only**:
   - Use tunnel for webmail interface
   - Use direct IP for mail protocols (SMTP, IMAP, POP3)
3. **SMTP Relay via Cloudflare** (Advanced):
   - Use Cloudflare Email Routing for incoming mail
   - Configure mail server for outgoing mail only

### Recommended Configuration

```
MX Records (All Domains):
  yourdomain.com → MX 10 mail.yourdomain.com
  anotherdomain.com → MX 10 mail.anotherdomain.com

A Record (Mail Server):
  mail.yourdomain.com → A (if direct access)
  OR
  mail.yourdomain.com → CNAME .cfargotunnel.com (if tunnel)

CNAME Record (Webmail):
  webmail.yourdomain.com → CNAME .cfargotunnel.com
  Proxy: 🟠 Proxied
```

---

## Service 2: Public RPC Node (VMID 2502)

### Container Information

- **VMID**: 2502
- **Hostname**: besu-rpc-3
- **IP Address**: 192.168.11.252
- **Service**: Besu JSON-RPC API
- **Port**: 8545 (HTTP-RPC), 8546 (WebSocket-RPC)
- **Purpose**: Public access to blockchain RPC endpoint

### DNS Records

#### Primary RPC Endpoint

```
Type: CNAME
Name: rpc
Target: .cfargotunnel.com
TTL: Auto
Proxy: 🟠 Proxied (orange cloud) - Required for tunnel
```

**Alternative subdomains:**

```
rpc-public.yourdomain.com
rpc-mainnet.yourdomain.com
api.yourdomain.com (if this is the primary API)
```
### Tunnel Configuration

**In Cloudflare Tunnel Dashboard:**

**Public Hostname:**

```
Subdomain: rpc
Domain: yourdomain.com
Service: http://192.168.11.252:8545
```

**For WebSocket Support:**

```
Subdomain: rpc-ws
Domain: yourdomain.com
Service: http://192.168.11.252:8546
```

**Or use single endpoint with path-based routing:**

```
Subdomain: rpc
Domain: yourdomain.com
Service: http://192.168.11.252:8545
Path: /ws → http://192.168.11.252:8546
```

### Complete Configuration Example

**DNS Records:**

| Type | Name | Target | Proxy |
|------|------|--------|-------|
| CNAME | `rpc` | `.cfargotunnel.com` | 🟠 Proxied |
| CNAME | `rpc-ws` | `.cfargotunnel.com` | 🟠 Proxied |

**Tunnel Ingress:**

```yaml
ingress:
  # HTTP JSON-RPC
  - hostname: rpc.yourdomain.com
    service: http://192.168.11.252:8545
  # WebSocket RPC
  - hostname: rpc-ws.yourdomain.com
    service: http://192.168.11.252:8546
  # Catch-all
  - service: http_status:404
```

### Testing

**Test HTTP-RPC:**

```bash
curl -X POST https://rpc.yourdomain.com \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc": "2.0", "method": "eth_blockNumber", "params": [], "id": 1}'
```

**Test WebSocket (from browser console):**

```javascript
const ws = new WebSocket('wss://rpc-ws.yourdomain.com');
ws.onopen = () => {
  ws.send(JSON.stringify({ jsonrpc: "2.0", method: "eth_blockNumber", params: [], id: 1 }));
};
// Log the reply so the test actually shows the block number (hex string in "result")
ws.onmessage = (event) => console.log(event.data);
ws.onerror = (event) => console.error("WebSocket error", event);
```

### Security Considerations

1. **Rate Limiting**: Configure rate limiting in Cloudflare
2. **DDoS Protection**: Cloudflare automatically provides DDoS protection
3. **Access Control**: Consider adding Cloudflare Access for additional security
4. **API Keys**: Implement API key authentication at application level
5. **CORS**: Configure CORS headers if needed for web applications

Note that the tunnel forwards every JSON-RPC method the node serves on ports 8545/8546, so the exposed surface is decided on the Besu node itself: enable only the API namespaces public clients need (Besu's `--rpc-http-api` / `--rpc-ws-api`) and keep administrative namespaces off the public endpoint.

---

## Service 3: Solace Frontend (VMID 300X)

### Container Information

- **VMID**: 300X (specific VMID to be determined)
- **Service**: Solace frontend application
- **Purpose**: User-facing web interface for Solace
- **IP Address**: To be determined
- **Port**: Typically 80 (HTTP) or 443 (HTTPS)

### VMID Allocation Note

**Important**: Solace is not explicitly assigned a VMID range in the official allocation documents (`VMID_ALLOCATION_FINAL.md`). The 300X range falls within the **"Besu RPC / Gateways"** allocation (2500-3499), which includes:

- **2500-2502**: Initial Besu RPC nodes (3 nodes)
- **2503-3499**: Reserved for RPC/Gateway expansion (997 VMIDs)

Since Solace frontend is deployed in the 300X range, it's using VMIDs from the RPC/Gateway expansion pool. This should be documented in the VMID allocation plan for future reference.

### Finding the Solace Container

**Check which container is Solace:**

```bash
# List containers in the 300X range (VMIDs 3000-3009)
pct list | grep -E "^\s*300[0-9]\s"

# Check container hostname and IP (set vmid to a VMID from the list above)
vmid=3000
pct config "$vmid" | grep hostname
pct config "$vmid" | grep -E "ip="   # the address is in the netX line as ip=...
```

**Or check running services:**

```bash
# SSH into Proxmox host and check
for vmid in 3000 3001 3002 3003 3004 3005; do
  echo "=== VMID $vmid ==="
  pct exec "$vmid" -- hostname 2>/dev/null || echo "Not found"
done
```

### DNS Records

**Primary Frontend:**

```
Type: CNAME
Name: solace
Target: .cfargotunnel.com
TTL: Auto
Proxy: 🟠 Proxied (orange cloud)
```

**Alternative names:**

```
app.yourdomain.com
solace-app.yourdomain.com
frontend.yourdomain.com
```

### Tunnel Configuration

**In Cloudflare Tunnel Dashboard:**

**Public Hostname:**

```
Subdomain: solace
Domain: yourdomain.com
Service: http://:
```

**Example (assuming VMID 3000, IP 192.168.11.300, port 80; note that 300 is not a valid IPv4 octet, so this address is a placeholder only and must be replaced with the real one from `pct config`):**

```
Subdomain: solace
Domain: yourdomain.com
Service: http://192.168.11.300:80
```

### Complete Configuration Example

**Once container details are confirmed:**

**DNS Record:**
| Type | Name | Target | Proxy |
|------|------|--------|-------|
| CNAME | `solace` | `.cfargotunnel.com` | 🟠 Proxied |

**Tunnel Ingress:**

```yaml
ingress:
  - hostname: solace.yourdomain.com
    service: http://:
  # Catch-all
  - service: http_status:404
```

### Additional Configuration (If Needed)

**If Solace has API endpoints:**

```
Subdomain: solace-api
Domain: yourdomain.com
Service: http://:
```

**If Solace has WebSocket support:**

```
Subdomain: solace-ws
Domain: yourdomain.com
Service: http://:
```

---

## Complete DNS Mapping Summary

### All Services Together

| Service | VMID | IP | DNS Record | Tunnel Ingress |
|---------|------|-----|------------|----------------|
| **Mail Server** | 100 | TBD | `mail.yourdomain.com` | Webmail only (if applicable) |
| **Public RPC** | 2502 | 192.168.11.252 | `rpc.yourdomain.com` | `http://192.168.11.252:8545` |
| **Solace Frontend** | 300X | TBD | `solace.yourdomain.com` | `http://:` |

### DNS Records to Create

**In Cloudflare DNS Dashboard:**

1. **Mail Server:**

   ```
   Type: MX
   Name: @
   Priority: 10
   Target: mail.yourdomain.com
   Proxy: ❌ DNS only

   Type: A or CNAME
   Name: mail
   Target: or .cfargotunnel.com
   Proxy: Based on access method
   ```

2. **RPC Node:**

   ```
   Type: CNAME
   Name: rpc
   Target: .cfargotunnel.com
   Proxy: 🟠 Proxied

   Type: CNAME
   Name: rpc-ws
   Target: .cfargotunnel.com
   Proxy: 🟠 Proxied
   ```

3. **Solace Frontend:**

   ```
   Type: CNAME
   Name: solace
   Target: .cfargotunnel.com
   Proxy: 🟠 Proxied
   ```

---

## Tunnel Ingress Configuration (Complete)

**In Cloudflare Zero Trust → Networks → Tunnels → Configure:**

```yaml
ingress:
  # Mail Server Webmail (if applicable)
  - hostname: webmail.yourdomain.com
    service: http://:80
  # Public RPC - HTTP
  - hostname: rpc.yourdomain.com
    service: http://192.168.11.252:8545
  # Public RPC - WebSocket
  - hostname: rpc-ws.yourdomain.com
    service: http://192.168.11.252:8546
  # Solace Frontend
  - hostname: solace.yourdomain.com
    service: http://:
  # Catch-all
  - service: http_status:404
```

---
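Before the complete ingress list is pasted into the dashboard it is worth checking it against the DNS records listed above: every public hostname needs a proxied CNAME to the tunnel, every origin must be a real container address, and the `http_status:404` catch-all must be the last rule, since a rule without a hostname matches everything after it. The script below is an added example, separate from cloudflared's own `cloudflared tunnel ingress validate`; it parses only the hostname/service subset used on this page (not full YAML), and both ingress texts are constructed samples, the second deliberately broken to show what the checks catch, including the `192.168.11.300` placeholder from the Solace example.

```python
"""Check a cloudflared `ingress:` list against the DNS plan above.

Added example, not cloudflared's own validator. The YAML texts below are
constructed sample input; DNS_PLAN_HOSTS mirrors the proxied CNAMEs from
the "DNS Records to Create" section.
"""
import ipaddress
import re
from typing import Dict, List, Set

SAMPLE_INGRESS = """\
ingress:
  # Public RPC - HTTP
  - hostname: rpc.yourdomain.com
    service: http://192.168.11.252:8545
  # Public RPC - WebSocket
  - hostname: rpc-ws.yourdomain.com
    service: http://192.168.11.252:8546
  # Catch-all
  - service: http_status:404
"""

# Deliberately broken variant: catch-all in the middle, an invalid IPv4
# literal (octet 300), an unfilled origin placeholder, no catch-all last.
BROKEN_INGRESS = """\
ingress:
  - hostname: rpc.yourdomain.com
    service: http://192.168.11.252:8545
  - service: http_status:404
  - hostname: solace.yourdomain.com
    service: http://192.168.11.300:80
  - hostname: webmail.yourdomain.com
    service: http://:80
"""

ORIGIN_RE = re.compile(r"^(https?)://([^:/]*)(?::(\d+))?/?$")


def parse_ingress(text: str) -> List[Dict[str, str]]:
    """Parse only the hostname/service pairs of an `ingress:` list."""
    rules: List[Dict[str, str]] = []
    in_ingress = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line.strip() == "ingress:":
            in_ingress = True
            continue
        if not in_ingress:
            continue
        if not line.startswith(" "):           # next top-level key ends the list
            break
        item = line.strip()
        if item.startswith("- "):
            rules.append({})
            item = item[2:]
        key, _, value = item.partition(":")
        rules[-1][key.strip()] = value.strip()
    return rules


def check_ingress(rules: List[Dict[str, str]], dns_hostnames: Set[str]) -> List[str]:
    """Return findings; an empty list means the ingress agrees with the DNS plan."""
    findings: List[str] = []
    if not rules:
        return ["no ingress rules"]
    seen: Set[str] = set()
    for i, rule in enumerate(rules):
        last = i == len(rules) - 1
        host = rule.get("hostname")
        service = rule.get("service", "")
        if host is None:
            # A rule without hostname matches everything: it must be last.
            if not last:
                findings.append(f"rule {i}: catch-all is not last; later rules are unreachable")
            if not service.startswith("http_status:"):
                findings.append(f"rule {i}: catch-all should be http_status:404, got {service!r}")
            continue
        if last:
            findings.append(f"rule {i}: last rule must be the http_status:404 catch-all")
        if host in seen:
            findings.append(f"{host}: duplicate hostname; only the first rule matches")
        seen.add(host)
        if host not in dns_hostnames:
            findings.append(f"{host}: no proxied CNAME to the tunnel in the DNS plan")
        m = ORIGIN_RE.match(service)
        if not m or not m.group(2):
            findings.append(f"{host}: origin {service!r} is unusable (placeholder not filled?)")
            continue
        origin = m.group(2)
        if re.fullmatch(r"[\d.]+", origin):     # numeric origin: must be a valid private IPv4
            try:
                addr = ipaddress.ip_address(origin)
            except ValueError:
                findings.append(f"{host}: origin {origin} is not a valid IPv4 address")
                continue
            if not addr.is_private:
                findings.append(f"{host}: origin {addr} is not a private container address")
    return findings


DNS_PLAN_HOSTS = {"rpc.yourdomain.com", "rpc-ws.yourdomain.com", "solace.yourdomain.com"}

if __name__ == "__main__":
    for text in (SAMPLE_INGRESS, BROKEN_INGRESS):
        print(check_ingress(parse_ingress(text), DNS_PLAN_HOSTS) or ["OK"])
```

Origins given as hostnames rather than IP literals are accepted without further checks, because cloudflared resolves them itself; the private-range check only applies to numeric origins, which is what this page uses for its containers. Run the real config through the same two functions once the Solace and webmail placeholders are filled in.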
## Verification Steps

### 1. Verify Container Status

```bash
# Check mail server
pct status 100
pct config 100 | grep -E "hostname|ip"

# Check RPC node
pct status 2502
pct config 2502 | grep -E "hostname|ip"
# Should show: hostname=besu-rpc-3, ip=192.168.11.252

# Find Solace container
pct list | grep -E "^\s*300[0-9]\s"
```

### 2. Test Direct Container Access

```bash
# Test RPC node
curl -X POST http://192.168.11.252:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test Solace (once IP is known)
curl -I http://:

# Test mail server webmail (if applicable)
curl -I http://:80
```

### 3. Test DNS Resolution

```bash
# Test DNS records
dig rpc.yourdomain.com
dig solace.yourdomain.com
dig mail.yourdomain.com
dig yourdomain.com MX     # must return mail.yourdomain.com, answered DNS-only
nslookup rpc.yourdomain.com
```

### 4. Test Through Cloudflare

```bash
# Test RPC via Cloudflare
curl -X POST https://rpc.yourdomain.com \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test Solace via Cloudflare
curl -I https://solace.yourdomain.com

# Test webmail via Cloudflare (if configured)
curl -I https://webmail.yourdomain.com
```

---

## Security Recommendations

### Mail Server

1. **MX Records**: Use DNS-only (gray cloud) for MX records
2. **SPF Records**: Add SPF records for email authentication

   ```
   Type: TXT
   Name: @
   Content: v=spf1 ip4: include:_spf.google.com ~all
   ```

   The `ip4:` mechanism must carry the mail server's public IP (an empty `ip4:` is not valid SPF), and `include:_spf.google.com` is only needed if Google also sends mail for the domain.

3. **DKIM**: Configure DKIM signing
4. **DMARC**: Set up DMARC policy
5. **Firewall**: Restrict mail ports to necessary IPs

### RPC Node

1. **Rate Limiting**: Configure in Cloudflare
2. **DDoS Protection**: Enabled by default with proxy
3. **Access Logging**: Monitor access patterns
4. **API Keys**: Implement application-level authentication
5. **CORS**: Configure if needed for web apps

### Solace Frontend

1. **Cloudflare Access**: Add access policies if needed
2. **SSL/TLS**: Ensure Cloudflare SSL is enabled
3. **WAF Rules**: Configure Web Application Firewall rules
4. **Rate Limiting**: Protect against abuse
5. **Monitoring**: Set up alerts for unusual traffic

---

## Troubleshooting

### Mail Server Issues

**Problem**: Mail not being received

**Solutions:**

- Verify MX records are correct
- Check mail server is accessible on port 25/587
- Verify SPF/DKIM/DMARC records
- Check mail server logs
- Ensure firewall allows mail traffic

### RPC Node Issues

**Problem**: RPC requests failing

**Solutions:**

- Verify container is running: `pct status 2502`
- Test direct access: `curl http://192.168.11.252:8545`
- Check tunnel status in Cloudflare dashboard
- Verify DNS record is proxied (orange cloud)
- Check Cloudflare logs for errors

### Solace Frontend Issues

**Problem**: Frontend not loading

**Solutions:**

- Verify container is running
- Check container IP and port
- Test direct access to container
- Verify tunnel configuration
- Check DNS resolution
- Review Cloudflare logs

---

## Next Steps

1. **Identify Solace Container:**
   - Determine exact VMID for Solace frontend
   - Get container IP address
   - Identify service port
2. **Configure Mail Server:**
   - Determine mail server IP
   - Set up MX records for all domains
   - Configure SPF/DKIM/DMARC
   - Set up webmail tunnel (if applicable)
3. **Deploy Configurations:**
   - Create DNS records in Cloudflare
   - Configure tunnel ingress rules
   - Test each service
   - Document final configuration

---

## Related Documentation

- **[CLOUDFLARE_DNS_TO_CONTAINERS.md](CLOUDFLARE_DNS_TO_CONTAINERS.md)** - General DNS mapping guide
- **[CLOUDFLARE_ZERO_TRUST_GUIDE.md](CLOUDFLARE_ZERO_TRUST_GUIDE.md)** - Cloudflare Zero Trust setup
- **[DEPLOYMENT_STATUS_CONSOLIDATED.md](../../03-deployment/DEPLOYMENT_STATUS_CONSOLIDATED.md)** - Current container inventory

---

**Document Status:** Active

**Maintained By:** Infrastructure Team

**Last Updated:** 2025-01-20

**Next Update:** After Solace container details are confirmed