# Besu RPC Nodes Configuration - Fixed

**Last Updated:** 2025-01-20  
**Document Version:** 1.0  
**Status:** Active Documentation

---

## Overview

This document describes the corrected configuration for the three Besu RPC nodes (VMIDs 2500, 2501, 2502) in the Proxmox VE deployment.

---

## Node Roles and Requirements

### VMID 2500 - Core RPC Node

- **Role**: Core/Internal infrastructure
- **Access**: **NO public access or routing**
- **Features**: **All features enabled** (ADMIN, DEBUG, TRACE, TXPOOL, QBFT)
- **Config File**: `config-rpc-core.toml`
- **IP**: 192.168.11.250

**Key Settings**:

- ✅ Discovery **DISABLED** (no public routing)
- ✅ All APIs enabled: `ETH`, `NET`, `WEB3`, `TXPOOL`, `QBFT`, `ADMIN`, `DEBUG`, `TRACE`
- ✅ CORS origins empty (no public access)
- ✅ Node permissioning enabled (only local nodes)
- ✅ Account permissioning **disabled** (internal use only)

### VMID 2501 - Permissioned RPC Node (Prv)

- **Role**: Permissioned public access
- **Access**: **Public permissioned access** (requires authentication)
- **Features**: **Non-Admin features only** (no ADMIN, DEBUG, TRACE)
- **Config File**: `config-rpc-perm.toml`
- **IP**: 192.168.11.251

**Key Settings**:

- ✅ Discovery **ENABLED** (public access)
- ✅ Non-Admin APIs only: `ETH`, `NET`, `WEB3`, `TXPOOL`, `QBFT`
- ✅ **ADMIN API REMOVED** (as required)
- ✅ **DEBUG API REMOVED** (as required)
- ✅ CORS enabled for public access
- ✅ **Account permissioning ENABLED** (requires authentication)
- ✅ Node permissioning enabled

### VMID 2502 - Public RPC Node (Pub)

- **Role**: Public non-authenticated access
- **Access**: **Public non-auth access**
- **Features**: **Minimal wallet features only**
- **Config File**: `config-rpc-public.toml`
- **IP**: 192.168.11.252

**Key Settings**:

- ✅ Discovery **ENABLED** (public access)
- ✅ Minimal APIs only: `ETH`, `NET`, `WEB3` (read-only)
- ✅ WebSocket **DISABLED** (HTTP only)
- ✅ CORS enabled for public access
- ✅ Account permissioning **disabled** (public non-auth)
- ✅ Node permissioning enabled

---

## Configuration Changes Made

### 1. Fixed `config-rpc-core.toml` (VMID 2500)

- ✅ **Removed ADMIN from permissioned config** - ADMIN should only be in Core
- ✅ **Disabled discovery** - Changed from `true` to `false` (no public routing)
- ✅ **Removed CORS origins** - Changed from `["*"]` to `[]` (no public access)
- ✅ **Fixed paths** - Updated to use `/data/besu`, `/genesis/`, `/permissions/`
- ✅ **Removed deprecated options** - Removed `log-destination`, `max-remote-initiated-connections`, `accounts-enabled`, `database-path`, `trie-logs-enabled`

### 2. Fixed `config-rpc-perm.toml` (VMID 2501)

- ✅ **Removed ADMIN API** - Changed from `["ETH","NET","WEB3","TXPOOL","QBFT","ADMIN"]` to `["ETH","NET","WEB3","TXPOOL","QBFT"]`
- ✅ **Removed DEBUG API** - Not included (non-Admin features only)
- ✅ **Account permissions enabled** - `permissions-accounts-config-file-enabled=true` (for permissioned access)
- ✅ **Fixed paths** - Updated to use `/data/besu`, `/genesis/`, `/permissions/`
- ✅ **Removed deprecated options** - Same cleanup as Core config

### 3. Fixed `config-rpc-public.toml` (VMID 2502)

- ✅ **Minimal APIs confirmed** - Only `ETH`, `NET`, `WEB3` (correct)
- ✅ **WebSocket disabled** - Already correct
- ✅ **Account permissions disabled** - Correct for public non-auth
- ✅ **Fixed paths** - Updated to use `/data/besu`, `/genesis/`, `/permissions/`
- ✅ **Removed deprecated options** - Same cleanup as other configs

---

## Deployment

### Automated Deployment Script

A new script has been created to deploy and verify the configurations:

```bash
cd /home/intlc/projects/proxmox
./scripts/configure-besu-rpc-nodes.sh
```

This script will:

1. ✅ Check container status and start if needed
2. ✅ Copy correct config file to each RPC node
3. ✅ Update systemd service files
4. ✅ Verify configuration matches requirements
5. ✅ Restart services
6. ✅ Check if 2501 and 2502 are reversed

### Manual Deployment

If you prefer to deploy manually:

```bash
# For VMID 2500 (Core)
pct push 2500 smom-dbis-138/config/config-rpc-core.toml /etc/besu/config-rpc-core.toml
pct exec 2500 -- chown besu:besu /etc/besu/config-rpc-core.toml
pct exec 2500 -- systemctl restart besu-rpc.service

# For VMID 2501 (Permissioned)
pct push 2501 smom-dbis-138/config/config-rpc-perm.toml /etc/besu/config-rpc-perm.toml
pct exec 2501 -- chown besu:besu /etc/besu/config-rpc-perm.toml
pct exec 2501 -- systemctl restart besu-rpc.service

# For VMID 2502 (Public)
pct push 2502 smom-dbis-138/config/config-rpc-public.toml /etc/besu/config-rpc-public.toml
pct exec 2502 -- chown besu:besu /etc/besu/config-rpc-public.toml
pct exec 2502 -- systemctl restart besu-rpc.service
```

---

## Verification

### Check Configuration Files

```bash
# Verify Core RPC (2500)
pct exec 2500 -- grep "discovery-enabled" /etc/besu/config-rpc-core.toml
# Should show: discovery-enabled=false

pct exec 2500 -- grep "rpc-http-api" /etc/besu/config-rpc-core.toml
# Should include: ADMIN, DEBUG, TRACE

# Verify Permissioned RPC (2501)
pct exec 2501 -- grep "rpc-http-api" /etc/besu/config-rpc-perm.toml
# Should NOT include: ADMIN or DEBUG
# Should include: ETH, NET, WEB3, TXPOOL, QBFT

pct exec 2501 -- grep "permissions-accounts-config-file-enabled" /etc/besu/config-rpc-perm.toml
# Should show: permissions-accounts-config-file-enabled=true

# Verify Public RPC (2502)
pct exec 2502 -- grep "rpc-http-api" /etc/besu/config-rpc-public.toml
# Should only include: ETH, NET, WEB3

pct exec 2502 -- grep "rpc-ws-enabled" /etc/besu/config-rpc-public.toml
# Should show: rpc-ws-enabled=false
```

### Check Service Status

```bash
pct exec 2500 -- systemctl status besu-rpc.service
pct exec 2501 -- systemctl status besu-rpc.service
pct exec 2502 -- systemctl status besu-rpc.service
```

### Test RPC Endpoints

```bash
# Test Core RPC (should work from internal network)
curl -X POST http://192.168.11.250:8545 \
  -H 'Content-Type: application/json' \
  --data '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test Permissioned RPC (should work with authentication)
curl -X POST http://192.168.11.251:8545 \
  -H 'Content-Type: application/json' \
  --data '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test Public RPC (should work without authentication)
curl -X POST http://192.168.11.252:8545 \
  -H 'Content-Type: application/json' \
  --data '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
```

---

## API Comparison

| API    | Core (2500) | Permissioned (2501) | Public (2502) |
|--------|-------------|---------------------|---------------|
| ETH    | ✅          | ✅                  | ✅            |
| NET    | ✅          | ✅                  | ✅            |
| WEB3   | ✅          | ✅                  | ✅            |
| TXPOOL | ✅          | ✅                  | ❌            |
| QBFT   | ✅          | ✅                  | ❌            |
| ADMIN  | ✅          | ❌                  | ❌            |
| DEBUG  | ✅          | ❌                  | ❌            |
| TRACE  | ✅          | ❌                  | ❌            |

---

## Security Considerations

### VMID 2500 (Core)

- **Firewall**: Should block external access to port 8545/8546
- **Discovery**: Disabled (no public routing)
- **CORS**: Empty (no cross-origin access)
- **Use Case**: Internal infrastructure, monitoring, administrative operations

### VMID 2501 (Permissioned)

- **Authentication**: Account permissioning enabled (requires allowlist)
- **Discovery**: Enabled (public access)
- **CORS**: Enabled (public access)
- **Use Case**: Enterprise/private applications with authentication

### VMID 2502 (Public)

- **Authentication**: None (public non-auth)
- **Discovery**: Enabled (public access)
- **CORS**: Enabled (public access)
- **APIs**: Minimal (read-only wallet features)
- **Use Case**: Public dApps, wallets, blockchain explorers

---

## Files Modified

1. ✅ `smom-dbis-138/config/config-rpc-core.toml` - Fixed for Core RPC
2. ✅ `smom-dbis-138/config/config-rpc-perm.toml` - Fixed for Permissioned RPC
3. ✅ `smom-dbis-138/config/config-rpc-public.toml` - Fixed for Public RPC
4. ✅ `scripts/configure-besu-rpc-nodes.sh` - New deployment script

---

## Next Steps

1. **Deploy configurations** using the automated script:

   ```bash
   ./scripts/configure-besu-rpc-nodes.sh
   ```

2. **Verify services** are running correctly
3. **Test RPC endpoints** from appropriate networks
4. **Configure firewall rules** to ensure:
   - VMID 2500 is only accessible from internal network
   - VMID 2501 and 2502 are accessible from public networks (if needed)
5. **Monitor logs** for any configuration errors:

   ```bash
   pct exec 2500 -- journalctl -u besu-rpc.service -f
   pct exec 2501 -- journalctl -u besu-rpc.service -f
   pct exec 2502 -- journalctl -u besu-rpc.service -f
   ```

---

## Summary

✅ **All configurations have been fixed and are ready for deployment**

- **2500 (Core)**: No public access, all features enabled
- **2501 (Permissioned)**: Public permissioned access, non-Admin features only
- **2502 (Public)**: Public non-auth access, minimal wallet features

The configurations now correctly match the requirements for each node type.
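
---

## Added Example: Pass/Fail Config Check

The grep commands under "Check Configuration Files" leave the comparison to the reader; the following added example (not the project's `configure-besu-rpc-nodes.sh`, and not code from the original page) turns the API Comparison table and each node's key setting into a check that returns non-zero on any violation. The role names `core`, `perm` and `public`, the function names, and the two sample files are constructed for illustration.

```bash
#!/bin/sh
# Added example: reject a config that exposes more than its role allows.
# Role names (core|perm|public) and the sample files below are constructed.

# cfg_get KEY FILE -> value of KEY in FILE, inline comments stripped.
cfg_get() {
  sed -n "s/^[[:space:]]*${1}[[:space:]]*=[[:space:]]*//p" "$2" |
    sed 's/[[:space:]]*#.*//' | head -n 1
}

# check_node ROLE FILE -> 0 if FILE fits ROLE, 1 on violation, 2 on bad role.
check_node() {
  _role=$1 _file=$2 _rc=0
  case "$_role" in
    core)   _ok="ETH NET WEB3 TXPOOL QBFT ADMIN DEBUG TRACE"
            _key=discovery-enabled _want=false ;;
    perm)   _ok="ETH NET WEB3 TXPOOL QBFT"
            _key=permissions-accounts-config-file-enabled _want=true ;;
    public) _ok="ETH NET WEB3"
            _key=rpc-ws-enabled _want=false ;;
    *)      echo "unknown role: $_role"; return 2 ;;
  esac
  # Over-exposure: every enabled API must appear in the role's table column.
  _apis=$(cfg_get rpc-http-api "$_file" | sed 's/[]["[:space:]]//g' |
          tr ',' ' ' | tr '[:lower:]' '[:upper:]')
  for _api in $_apis; do
    case " $_ok " in
      *" $_api "*) ;;
      *) echo "FAIL[$_role]: $_api must not be enabled"; _rc=1 ;;
    esac
  done
  # Role-specific setting from the verification checklist, set explicitly.
  _got=$(cfg_get "$_key" "$_file" | tr -d '" ')
  [ "$_got" = "$_want" ] ||
    { echo "FAIL[$_role]: $_key='${_got:-unset}', want $_want"; _rc=1; }
  return $_rc
}

# Constructed samples: the perm API list before and after the ADMIN removal.
make_samples() {
  printf '%s\n' 'rpc-http-api=["ETH","NET","WEB3","TXPOOL","QBFT","ADMIN"]' \
    'permissions-accounts-config-file-enabled=true' > "$1/perm-old.toml"
  printf '%s\n' 'rpc-http-api=["ETH","NET","WEB3","TXPOOL","QBFT"]' \
    'permissions-accounts-config-file-enabled=true' > "$1/perm-fixed.toml"
}

d=$(mktemp -d) && make_samples "$d"
check_node perm "$d/perm-old.toml" || echo "perm-old: rejected"
check_node perm "$d/perm-fixed.toml" && echo "perm-fixed: ok"
rm -rf "$d"
```

Because the check is keyed on the role rather than the file name, running `check_node public` against the file deployed on 2502 and `check_node perm` against the one on 2501 also catches the two configs being swapped.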