# Cloudflare and Nginx Integration

**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Status:** Active Documentation

---

## Overview

Integration of Cloudflare (via cloudflared tunnel on VMID 102) with nginx-proxy-manager (VMID 105) for routing to RPC nodes.

---

## Architecture

```
Internet → Cloudflare → cloudflared (VMID 102) → nginx-proxy-manager (VMID 105) → RPC Nodes (2500-2502)
```

### Components

1. **Cloudflare** - Global CDN, DDoS protection, SSL termination
2. **cloudflared (VMID 102)** - Cloudflare tunnel client
3. **nginx-proxy-manager (VMID 105)** - Reverse proxy and routing
4. **RPC Nodes (2500-2502)** - Besu RPC endpoints

---

## VMID 102: cloudflared

**Status**: Existing container (running)
**Purpose**: Cloudflare tunnel client
**Configuration**: Routes Cloudflare traffic to nginx-proxy-manager

### Configuration Requirements

The cloudflared tunnel should be configured to route to nginx-proxy-manager (VMID 105):

```yaml
# Example cloudflared config (config.yml)
tunnel: <TUNNEL-UUID>   # placeholder: the tunnel UUID (or name) from `cloudflared tunnel list`
credentials-file: /etc/cloudflared/credentials.json

ingress:
  # RPC Core
  - hostname: rpc-core.yourdomain.com
    service: http://192.168.11.105:80   # nginx-proxy-manager
  # RPC Permissioned
  - hostname: rpc-perm.yourdomain.com
    service: http://192.168.11.105:80   # nginx-proxy-manager
  # RPC Public
  - hostname: rpc.yourdomain.com
    service: http://192.168.11.105:80   # nginx-proxy-manager
  # Catch-all: cloudflared requires the last ingress rule to match every request
  - service: http_status:404
```

---

## VMID 105: nginx-proxy-manager

**Status**: Existing container (running)
**Purpose**: Reverse proxy and routing to RPC nodes

### Proxy Host Configuration

Configure separate proxy hosts for each RPC type:

#### 1. Core RPC Proxy

- **Domain Names**: `rpc-core.yourdomain.com`
- **Scheme**: `http`
- **Forward Hostname/IP**: `192.168.11.250`
- **Forward Port**: `8545`
- **Websockets**: Enabled (for WS-RPC on port 8546)
- **SSL**: Handle at Cloudflare level (or configure SSL here)
- **Access**: Restrict to internal network if needed

#### 2. Permissioned RPC Proxy

- **Domain Names**: `rpc-perm.yourdomain.com`
- **Scheme**: `http`
- **Forward Hostname/IP**: `192.168.11.251`
- **Forward Port**: `8545`
- **Websockets**: Enabled
- **SSL**: Handle at Cloudflare level
- **Access**: Configure authentication/authorization

#### 3. Public RPC Proxy

- **Domain Names**: `rpc.yourdomain.com`, `rpc-public.yourdomain.com`
- **Scheme**: `http`
- **Forward Hostname/IP**: `192.168.11.252`
- **Forward Port**: `8545`
- **Websockets**: Enabled
- **SSL**: Handle at Cloudflare level
- **Cache Assets**: Disabled (RPC responses shouldn't be cached)
- **Block Common Exploits**: Enabled
- **Rate Limiting**: Configure as needed

---

## Network Flow

### Request Flow

1. **Client** makes request to `rpc.yourdomain.com`
2. **Cloudflare** handles DNS, DDoS protection, SSL termination
3. **cloudflared (VMID 102)** receives request via Cloudflare tunnel
4. **nginx-proxy-manager (VMID 105)** receives request from cloudflared
5. **nginx-proxy-manager** routes based on domain to appropriate RPC node:
   - `rpc-core.*` → 192.168.11.250:8545 (Core RPC)
   - `rpc-perm.*` → 192.168.11.251:8545 (Permissioned RPC)
   - `rpc.*` → 192.168.11.252:8545 (Public RPC)
6. **RPC Node** processes request and returns response

### Response Flow (Reverse)

1. **RPC Node** returns response
2. **nginx-proxy-manager** forwards response
3. **cloudflared** forwards to Cloudflare tunnel
4. **Cloudflare** delivers to client

---

## Benefits

1. **DDoS Protection**: Cloudflare provides robust DDoS mitigation
2. **Global CDN**: Faster response times worldwide
3. **SSL/TLS**: Automatic SSL certificate management via Cloudflare
4. **Rate Limiting**: Cloudflare rate limiting + nginx-proxy-manager controls
5. **Centralized Routing**: Single point (nginx-proxy-manager) to manage routing logic
6. **Type-Based Routing**: Clear separation of RPC node types
7. **Security**: Validators remain behind firewall, only RPC nodes exposed

---

## Configuration Checklist

### Cloudflare (Cloudflare Dashboard)

- [ ] Create Cloudflare tunnel
- [ ] Configure DNS records (CNAME) for each RPC type:
  - `rpc-core.yourdomain.com` → tunnel
  - `rpc-perm.yourdomain.com` → tunnel
  - `rpc.yourdomain.com` → tunnel
- [ ] Enable SSL/TLS (Full or Full (strict))
- [ ] Configure DDoS protection rules
- [ ] Set up rate limiting rules (optional)
- [ ] Configure WAF rules (optional)

### cloudflared (VMID 102)

- [ ] Install/configure cloudflared
- [ ] Set up tunnel configuration
- [ ] Configure ingress rules to route to nginx-proxy-manager (192.168.11.105:80)
- [ ] Test tunnel connectivity
- [ ] Enable/start cloudflared service

### nginx-proxy-manager (VMID 105)

- [ ] Access web UI (typically port 81)
- [ ] Create proxy host for Core RPC (rpc-core.* → 192.168.11.250:8545)
- [ ] Create proxy host for Permissioned RPC (rpc-perm.* → 192.168.11.251:8545)
- [ ] Create proxy host for Public RPC (rpc.* → 192.168.11.252:8545)
- [ ] Enable WebSocket support for all proxy hosts
- [ ] Configure access control/authentication for Permissioned RPC
- [ ] Configure rate limiting for Public RPC (optional)
- [ ] Test routing to each RPC node

### RPC Nodes (2500-2502)

- [ ] Ensure RPC nodes are running and accessible
- [ ] Verify RPC endpoints respond on ports 8545/8546
- [ ] Test direct access to each RPC node
- [ ] Verify correct config files are deployed:
  - 2500: `config-rpc-core.toml`
  - 2501: `config-rpc-perm.toml`
  - 2502: `config-rpc-public.toml`

---

## Testing

### Test Direct RPC Access

```bash
# Test Core RPC
curl -X POST http://192.168.11.250:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test Permissioned RPC
curl -X POST http://192.168.11.251:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test Public RPC
curl -X POST http://192.168.11.252:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
```

### Test Through nginx-proxy-manager

```bash
# Test Core RPC via nginx-proxy-manager.
# Routing is by Host header, so send the request to "/" (Besu serves JSON-RPC at the root path).
curl -X POST http://192.168.11.105/ \
  -H "Host: rpc-core.yourdomain.com" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
```

### Test Through Cloudflare

```bash
# Test Public RPC via Cloudflare
curl -X POST https://rpc.yourdomain.com \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
```

---

## Security Considerations

1. **SSL/TLS**: Cloudflare handles SSL termination (Full mode recommended)
2. **Access Control**:
   - Core RPC: Restrict to internal network IPs
   - Permissioned RPC: Require authentication/authorization
   - Public RPC: Rate limiting and DDoS protection
3. **Firewall Rules**: Ensure only necessary ports are exposed
4. **Rate Limiting**: Configure at both Cloudflare and nginx-proxy-manager levels
5. **WAF**: Enable Cloudflare WAF for additional protection

---

## Troubleshooting

### Cloudflare Tunnel Not Connecting

- Check cloudflared service status: `systemctl status cloudflared`
- Verify tunnel configuration: `cloudflared tunnel info`
- Check Cloudflare dashboard for tunnel status
- Verify network connectivity from VMID 102 to VMID 105

### nginx-proxy-manager Not Routing

- Check proxy host configuration in web UI
- Verify domain names match Cloudflare DNS records
- Check nginx-proxy-manager logs
- Test direct connection to RPC nodes

### RPC Nodes Not Responding

- Check Besu service status: `systemctl status besu-rpc`
- Verify RPC endpoints are enabled in config files
- Check firewall rules on RPC nodes
- Test direct connection from nginx-proxy-manager to RPC nodes

---

## Related Documentation

### Network Documents

- **[CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md](CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md)** ⭐⭐⭐ - Cloudflare tunnel routing
- **[CENTRAL_NGINX_ROUTING_SETUP.md](CENTRAL_NGINX_ROUTING_SETUP.md)** ⭐⭐⭐ - Central Nginx routing
- **[NGINX_ARCHITECTURE_RPC.md](NGINX_ARCHITECTURE_RPC.md)** ⭐⭐ - NGINX architecture for RPC

### Configuration Documents

- **[../04-configuration/cloudflare/CLOUDFLARE_ZERO_TRUST_GUIDE.md](../04-configuration/cloudflare/CLOUDFLARE_ZERO_TRUST_GUIDE.md)** - Cloudflare Zero Trust setup
- **[../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md](../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md)** - DNS mapping to containers

### Architecture Documents

- **RPC Node Types**: `docs/RPC_NODE_TYPES_ARCHITECTURE.md`
- **Nginx Architecture**: `docs/NGINX_ARCHITECTURE_RPC.md`

### External References

- [Cloudflare Tunnels](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/) - Official documentation
- [nginx-proxy-manager](https://nginxproxymanager.com/) - Official documentation

---

**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Review Cycle:** Quarterly
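The three curl checks in the Testing section, as a reusable script (an added example, not from the original document or the project) that exercises each RPC type directly, through nginx-proxy-manager with the routing `Host` header, and through Cloudflare, and validates the JSON-RPC reply instead of eyeballing it. It assumes the addresses and hostnames used above (`yourdomain.com` is the document's placeholder) and that nginx-proxy-manager listens on port 80.

```python
import json
import urllib.request

# Routing table from the document: Host header -> RPC node behind it.
ROUTES = {
    "rpc-core.yourdomain.com": "http://192.168.11.250:8545",  # Core RPC
    "rpc-perm.yourdomain.com": "http://192.168.11.251:8545",  # Permissioned RPC
    "rpc.yourdomain.com": "http://192.168.11.252:8545",       # Public RPC
}
NPM_URL = "http://192.168.11.105/"  # nginx-proxy-manager, routes on the Host header

def jsonrpc_request(method, params=None, req_id=1):
    """Build the JSON-RPC 2.0 body the Testing section sends with curl."""
    body = {"jsonrpc": "2.0", "method": method, "params": params or [], "id": req_id}
    return json.dumps(body).encode()

def parse_block_number(body, expected_id=1):
    """Return the height from an eth_blockNumber reply; raise on error replies."""
    msg = json.loads(body)
    if msg.get("jsonrpc") != "2.0" or msg.get("id") != expected_id:
        raise ValueError(f"unexpected JSON-RPC envelope: {msg}")
    if "error" in msg:  # e.g. method not enabled in that node's config-rpc-*.toml
        raise RuntimeError(f"RPC error: {msg['error']}")
    result = msg.get("result")
    if not isinstance(result, str) or not result.startswith("0x"):
        raise ValueError(f"block number is not a hex string: {result!r}")
    return int(result, 16)

def check_endpoint(url, host=None, timeout=5, opener=urllib.request.urlopen):
    """POST eth_blockNumber to url; host overrides the Host header (NPM hop)."""
    headers = {"Content-Type": "application/json"}
    if host:
        headers["Host"] = host
    req = urllib.request.Request(url, data=jsonrpc_request("eth_blockNumber"),
                                 headers=headers, method="POST")
    with opener(req, timeout=timeout) as resp:
        return parse_block_number(resp.read())

def check_all_hops(host, via_cloudflare=True, opener=urllib.request.urlopen):
    """Run the document's three tests for one RPC type: direct, via NPM, via Cloudflare."""
    targets = {"direct": (ROUTES[host], None), "npm": (NPM_URL, host)}
    if via_cloudflare:
        targets["cloudflare"] = (f"https://{host}/", None)
    results = {}
    for hop, (url, hdr) in targets.items():
        try:
            results[hop] = check_endpoint(url, hdr, opener=opener)
        except Exception as exc:  # record the failure and keep checking other hops
            results[hop] = f"FAIL: {exc}"
    return results
```

Run `check_all_hops(h)` for each key of `ROUTES`; a hop whose reply carries an `error` member (for example a method disabled in that node's `config-rpc-*.toml`) or a non-hex result is reported as `FAIL` instead of a bogus height, so a misrouted host is visible even when every hop returns HTTP 200.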
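The Security Considerations above key access control and rate limiting on the client address, but behind the tunnel every request reaches nginx-proxy-manager from cloudflared, so an NPM access list or a `limit_req` keyed on `$remote_addr` sees only the tunnel's own IP and either blocks everyone or throttles all clients as one. This added example (not part of the original document or of nginx-proxy-manager) restores the client address from Cloudflare's `CF-Connecting-IP` header and applies a per-client limit to the Public RPC host; the cloudflared address 192.168.11.102, the rate values and the zone name are assumptions.

```nginx
# --- /data/nginx/custom/http_top.conf (http context; NPM includes this file) ---
# Every request reaches NPM from the cloudflared container, so $remote_addr is
# the tunnel's address. Restore the real client from the header Cloudflare sets.
# 192.168.11.102 is an assumed address for VMID 102; replace it with the real one.
# Trust the header only from that address: anything else could forge it.
set_real_ip_from 192.168.11.102;
real_ip_header   CF-Connecting-IP;

# Per-client limit for the Public RPC, keyed on the restored client address.
limit_req_zone   $binary_remote_addr zone=rpc_public:10m rate=20r/s;
limit_req_status 429;

# --- "Custom Nginx Configuration" of the rpc.yourdomain.com proxy host (server context) ---
# Apply the limit; absorb short bursts without delaying them.
limit_req zone=rpc_public burst=40 nodelay;

# JSON-RPC is POST only (OPTIONS kept for browser CORS preflight).
if ($request_method !~ ^(POST|OPTIONS)$) {
    return 405;
}

# RPC responses must never be cached, by NPM or by Cloudflare.
add_header Cache-Control "no-store" always;
```

With the real address restored, the NPM access list used for the Core RPC host ("Restrict to internal network") and the 429 counters above both act on the actual client, and the nginx access log shows who was throttled rather than the tunnel's IP on every line.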