proxmox/docs/05-network/CHECK_ALL_UPDATES_AND_CLOUDFLARE_TUNNELS.md

Check All Updates and Cloudflare Tunnels

Last updated: 2026-02-15
Purpose: Single checklist for config updates (e.g. Dev VM IP) and all Cloudflare tunnels: IDs, origins, hostnames, and verification.


1. Config updates (applied)

| Item | Before | After | Where |
|---|---|---|---|
| Dev VM (5700) IP | 192.168.11.60 | 192.168.11.59 | config/ip-addresses.conf (IP_DEV_VM), all docs, NPMplus Fourth proxy targets |
| NPMplus Fourth proxy gitea/dev/codespaces | → .60:3000 | → 192.168.11.59:3000 | Run update-npmplus-fourth-proxy-hosts.sh so NPM reads IP_DEV_VM from config |
| UDM Pro port forward (optional) | 22 → .60 | 22 → 192.168.11.59 | UDM_PRO_DEV_CODESPACES_PORT_FORWARD.md |

Verify: CT 5700 on Proxmox has ip=192.168.11.59/24; NPMplus Fourth proxy hosts for gitea.d-bis.org, dev.d-bis.org, codespaces.d-bis.org point to 192.168.11.59:3000.


2. Cloudflare tunnels — inventory

| Tunnel | .env variable | Origin (ingress target) | Hostnames | Connector / notes |
|---|---|---|---|---|
| RPC (Option B) | CLOUDFLARE_TUNNEL_ID | https://192.168.11.167:443 (NPMplus #1) | rpc-http-pub, rpc, rpc2, rpc-http-prv, rpc.public-0138.defi-oracle.io, rpc.defi-oracle.io | VMID 102 (cloudflared); runbook OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md |
| Dev/Codespaces | CLOUDFLARE_TUNNEL_ID_DEV_CODESPACES | https://192.168.11.170:443 (NPMplus #4) | dev.d-bis.org, gitea.d-bis.org, codespaces.d-bis.org, pve.ml110, pve.r630-01, pve.r630-02 | LXC 10236 (NPMplus Fourth); script configure-dev-codespaces-tunnel-and-dns.sh |
| Alltra/HYBX | CLOUDFLARE_TUNNEL_ID_ALLTRA_HYBX or CLOUDFLARE_TUNNEL_ID_SFVALLEY02 | https://192.168.11.169:443 (NPMplus #3) | `rpc-alltra*`, `rpc-hybx*`, `cacti-*`, `firefly-*`, `fabric-*`, `indy-*`, rpc-core-2 | NPMplus 10235; script configure-alltra-hybx-tunnel-and-dns.sh |
| Mifos (r630-02) | CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02 | NPMplus 10237 or VMID 5800 | mifos.d-bis.org | VMID 5800 / NPMplus 10237; script configure-mifos-dns.sh (MIFOS_DNS_MODE=tunnel) |
| DApp (5801) | CLOUDFLARE_TUNNEL_ID (same as RPC) | https://192.168.11.167:443 (NPMplus #1) | dapp.d-bis.org | Add hostname to RPC tunnel; NPMplus 10233 proxies to 192.168.11.58:80 (VMID 5801); see DAPP_LXC_DEPLOYMENT.md § Full E2E |

.env (from .env.example / repo). Tunnel IDs are not secrets (they appear in the public CNAME targets); the per-tunnel credentials JSON / connector token is, and must stay out of the repo.

  • CLOUDFLARE_TUNNEL_ID=ad9eb7c4-f522-480e-b640-bfc137518c94 — RPC (Option B)
  • CLOUDFLARE_TUNNEL_ID_DEV_CODESPACES=16062e5d-3393-448f-b639-4308b753b51e — Dev/Codespaces
  • CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02=8b0cee6f-9ab4-4d10-a870-9c3edd9bed42 — Mifos
  • CLOUDFLARE_TUNNEL_ID_ALLTRA_HYBX=892bd3fe-c6fa-4ddf-8b60-a8ed2b849c3d (example value; CLOUDFLARE_TUNNEL_ID_SFVALLEY02 is accepted as an alternative name) — Alltra/HYBX

3. FQDN → NPMplus Fourth (192.168.11.170:443)

The dev/Codespaces FQDNs (gitea.d-bis.org, dev.d-bis.org, codespaces.d-bis.org) are correctly routed to https://192.168.11.170:443 (NPMplus Fourth). A 502 "Host Error" therefore means the failure is behind Cloudflare: either NPMplus Fourth cannot reach the backend, or the backend (Dev VM Gitea) is down. If the tunnel itself had no healthy connector you would see a 530 / Error 1033 instead, not a 502.

  • NPMplus Fourth must proxy gitea.d-bis.org → 192.168.11.59:3000 (not .60). Run:
    `NPM_PASSWORD=xxx bash scripts/nginx-proxy-manager/update-npmplus-fourth-proxy-hosts.sh`
  • Backend: CT 5700 must be running at 192.168.11.59 and Gitea listening on port 3000. From the Proxmox host:
    `pct status 5700; pct exec 5700 -- systemctl is-active gitea; curl -s -o /dev/null -w '%{http_code}' http://192.168.11.59:3000/`
    If curl returns 200 (or a 3xx) while the public hostname still gives a 502, the NPMplus forward target is the remaining suspect.

4. Tunnel ingress (no IP in URL)

  • RPC tunnel: all 6 RPC hostnames → https://192.168.11.167:443 (No TLS Verify). Unaffected by the Dev VM IP change.
  • Dev/Codespaces tunnel: all 6 hostnames → https://192.168.11.170:443 (No TLS Verify). The ingress points at NPMplus Fourth; NPMplus then forwards gitea/dev/codespaces to 192.168.11.59:3000, so only the NPMplus proxy config needed the .59 update.
  • Alltra/HYBX tunnel: all hostnames → https://192.168.11.169:443.
  • Mifos: → NPMplus 10237 or VMID 5800, per your config.
  • DApp: add dapp.d-bis.org → https://192.168.11.167:443 to the RPC tunnel; NPMplus 10233 → 192.168.11.58:80.
  • No TLS Verify means cloudflared still speaks TLS to NPMplus but does not validate its self-signed certificate; keep that hop on the LAN. Without it the origin handshake fails and visitors get a 502.

5. DNS (Cloudflare)

  • RPC (Option B): 6 hostnames = CNAME to <CLOUDFLARE_TUNNEL_ID>.cfargotunnel.com (Proxied). Script: set-rpc-dns-to-tunnel.sh.
  • Dev/Codespaces: dev, gitea, codespaces, pve.ml110, pve.r630-01, pve.r630-02 = CNAME to <CLOUDFLARE_TUNNEL_ID_DEV_CODESPACES>.cfargotunnel.com. Script: configure-dev-codespaces-tunnel-and-dns.sh.
  • Alltra/HYBX: Script: configure-alltra-hybx-tunnel-and-dns.sh.
  • Mifos: MIFOS_DNS_MODE=tunnel + configure-mifos-dns.sh → mifos.d-bis.org CNAME to tunnel.
  • DApp: CNAME dapp.d-bis.org → <CLOUDFLARE_TUNNEL_ID>.cfargotunnel.com (Proxied); same tunnel as RPC.
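To turn sections 4 and 5 into a repeatable check, here is an added example (not one of the repo's scripts) that reads a cloudflared config.yml, compares each hostname's service against the origins listed above, confirms that https origins carry noTLSVerify and that the last rule is a catch-all, and prints the `<tunnel-id>.cfargotunnel.com` target the CNAMEs must have. The EXPECTED map is transcribed from section 4 (pve.* rows left out), the embedded sample config is constructed (with one deliberately stale entry), and the flat-YAML reader and the tunnel-name argument are assumptions of this example.

```python
"""Audit a cloudflared ingress config against sections 4 and 5 of the checklist.

Added example; not one of the repo's scripts. Assumptions: the config uses the
flat ingress form (`- hostname:` / `service:` / optional `originRequest:` with
`noTLSVerify:`), and EXPECTED is transcribed from section 4 (pve.* omitted).
Usage: python3 audit_ingress.py /etc/cloudflared/config.yml dev-codespaces
"""
import sys

# Tunnel name -> {public hostname: origin URL cloudflared must dial}.
EXPECTED = {
    "dev-codespaces": {h: "https://192.168.11.170:443" for h in
                       ("dev.d-bis.org", "gitea.d-bis.org", "codespaces.d-bis.org")},
    "rpc": {h: "https://192.168.11.167:443" for h in
            ("rpc.defi-oracle.io", "rpc.public-0138.defi-oracle.io", "dapp.d-bis.org")},
}

# Constructed sample, not a real config: codespaces is deliberately stale
# (it dials the Dev VM directly instead of NPMplus Fourth).
SAMPLE_CONFIG = """\
tunnel: 16062e5d-3393-448f-b639-4308b753b51e
credentials-file: /etc/cloudflared/16062e5d-3393-448f-b639-4308b753b51e.json
ingress:
  - hostname: dev.d-bis.org
    service: https://192.168.11.170:443
    originRequest:
      noTLSVerify: true
  - hostname: gitea.d-bis.org
    service: https://192.168.11.170:443
    originRequest:
      noTLSVerify: true
  - hostname: codespaces.d-bis.org
    service: https://192.168.11.59:3000
  - service: http_status:404
"""


def parse_ingress(text):
    """Return the ingress rules as dicts {hostname, service, noTLSVerify}.

    Minimal line-based reader for the flat form above; it is not a YAML
    parser and ignores keys it does not know about."""
    rules, cur, active = [], None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line == "ingress:":
            active = True
            continue
        if active and not line[0].isspace():
            break                        # next top-level key ends the block
        if not active:
            continue
        body = line.strip()
        if body.startswith("- "):        # "- " starts a new rule
            cur = {"hostname": None, "service": None, "noTLSVerify": False}
            rules.append(cur)
            body = body[2:]
        if cur is None:
            continue
        key, _, val = body.partition(":")
        key, val = key.strip(), val.strip()
        if key in ("hostname", "service"):
            cur[key] = val
        elif key == "noTLSVerify":
            cur["noTLSVerify"] = val.lower() == "true"
    return rules


def tunnel_id(text):
    """Value of the top-level `tunnel:` key (the UUID used in the CNAME target)."""
    for raw in text.splitlines():
        if raw.startswith("tunnel:"):
            return raw.split(":", 1)[1].strip()
    return None


def expected_cname(tid):
    """CNAME content every hostname of this tunnel must carry (Proxied, section 5)."""
    return f"{tid}.cfargotunnel.com"


def audit(rules, expected):
    """Return a list of problems; an empty list means the ingress matches."""
    by_host = {r["hostname"]: r for r in rules if r["hostname"]}
    problems = []
    for host, origin in expected.items():
        r = by_host.get(host)
        if r is None:
            problems.append(f"{host}: no ingress rule")
        elif r["service"] != origin:
            problems.append(f"{host}: service {r['service']} != {origin}")
        elif origin.startswith("https://") and not r["noTLSVerify"]:
            # NPMplus presents a cert cloudflared does not trust; without
            # noTLSVerify the origin handshake fails and visitors see a 502.
            problems.append(f"{host}: https origin without originRequest.noTLSVerify")
    if not rules or rules[-1]["hostname"] is not None:
        problems.append("last rule must be a catch-all without hostname (e.g. service: http_status:404)")
    return problems


if __name__ == "__main__":
    if len(sys.argv) == 3:
        text, name = open(sys.argv[1]).read(), sys.argv[2]
    else:
        text, name = SAMPLE_CONFIG, "dev-codespaces"   # offline dry run
    tid = tunnel_id(text)
    print(f"tunnel {tid}: CNAMEs must point to {expected_cname(tid)}")
    for p in audit(parse_ingress(text), EXPECTED[name]):
        print("PROBLEM:", p)
```

Run it against the sample and it flags only codespaces.d-bis.org; run it against the real config on the connector (VMID 102 for the RPC tunnel, LXC 10236 for Dev/Codespaces) with the matching tunnel name to compare what cloudflared will dial against the table above.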

6. Verification commands

| Check | Command |
|---|---|
| E2E (all domains incl. Gitea) | `bash scripts/verify/verify-end-to-end-routing.sh --profile=public` |
| RPC tunnel ingress (from host with VMID 102) | `bash scripts/verify/verify-cloudflare-tunnel-ingress.sh [--host 192.168.11.11]` |
| Dev/Codespaces tunnel + DNS | `bash scripts/cloudflare/configure-dev-codespaces-tunnel-and-dns.sh` (updates ingress + CNAMEs) |
| NPMplus Fourth proxy (gitea → .59:3000) | `NPM_PASSWORD=xxx bash scripts/nginx-proxy-manager/update-npmplus-fourth-proxy-hosts.sh` |
| Proxmox + Dev VM fix | `bash scripts/maintenance/resolve-and-fix-all-via-proxmox-ssh.sh` |
| All maintenance via Proxmox SSH | `bash scripts/maintenance/run-all-maintenance-via-proxmox-ssh.sh [--no-npm] [--e2e]` |

7. Quick checklist

  • config/ip-addresses.conf: IP_DEV_VM="192.168.11.59"
  • Proxmox CT 5700: running at 192.168.11.59 (reconfigure + start if needed; see DEV_VM_IP_CHANGE_59.md)
  • NPMplus Fourth: proxy hosts dev/gitea/codespaces → 192.168.11.59:3000 (run update script or set in UI)
  • UDM Pro: optional 76.53.10.40:22 → 192.168.11.59 (if you use SSH to dev VM from WAN)
  • Dev/Codespaces tunnel: ingress = https://192.168.11.170:443; DNS CNAMEs for dev, gitea, codespaces, pve.* (run configure-dev-codespaces-tunnel-and-dns.sh if needed)
  • RPC tunnel: ingress = https://192.168.11.167:443 for 6 RPC hostnames; cloudflared (e.g. VMID 102) running
  • Alltra/HYBX tunnel: ingress = https://192.168.11.169:443; connector running
  • Run E2E and fix any 502s (RPC backends, DBIS, or NPMplus → backend). One command for all RPC/502: ./scripts/maintenance/run-all-maintenance-via-proxmox-ssh.sh --e2e (writable → 2101 → Besu install → 502s → E2E). If issues remain, see §9 Remaining fixes.

8. Manual NPM Fourth proxy (if API update fails)

If update-npmplus-fourth-proxy-hosts.sh reports "could not update … via API" for some or all hosts, set Forward host/port in the NPM UI:

| Proxy host | Forward host | Port | WebSocket |
|---|---|---|---|
| dev.d-bis.org | 192.168.11.59 | 3000 | off |
| gitea.d-bis.org | 192.168.11.59 | 3000 | off |
| codespaces.d-bis.org | 192.168.11.59 | 3000 | off |
| pve.ml110.d-bis.org | 192.168.11.10 | 8006 | on |
| pve.r630-01.d-bis.org | 192.168.11.11 | 8006 | on |
| pve.r630-02.d-bis.org | 192.168.11.12 | 8006 | on |
  • UI: https://192.168.11.170:81 (or https://76.53.10.40:81 via the UDM port forward; that forward exposes the NPM login to the internet, so prefer the LAN/VPN address and leave the forward off when not in use). Hosts → Proxy Hosts → Edit each domain → set Forward Hostname / IP and Forward Port (and enable WebSocket for pve.*).
  • Debug: run the script with DEBUG_NPM_FOURTH=1 to print the GET/PUT responses, e.g. `DEBUG_NPM_FOURTH=1 NPM_PASSWORD=... bash scripts/nginx-proxy-manager/update-npmplus-fourth-proxy-hosts.sh`. Note that a password passed on the command line lands in shell history and `ps` output; export it in the session instead.
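Before editing in the UI, it helps to see exactly which hosts drifted. The following is an added example (not the repo's update-npmplus-fourth-proxy-hosts.sh) that pulls the proxy-host list through the Nginx Proxy Manager REST API, which NPMplus keeps (`POST /api/tokens` for a bearer token, `GET /api/nginx/proxy-hosts` for the hosts with their `domain_names`, `forward_host`, `forward_port` and `allow_websocket_upgrade`), and diffs it against the table above. Assumptions of the example: the UI is at https://192.168.11.170:81 with a self-signed certificate (so certificate verification is disabled for this LAN-only call), credentials come from NPM_EMAIL / NPM_PASSWORD in the environment, and the embedded sample response is constructed, not captured.

```python
"""Audit NPMplus Fourth proxy hosts against the section 8 targets.

Added example for this checklist, not the repo's update script. Assumptions:
UI at https://192.168.11.170:81 with a self-signed cert; NPM_EMAIL and
NPM_PASSWORD taken from the environment so the secret stays out of shell
history and `ps`. With no NPM_PASSWORD set it audits the constructed sample.
Usage: NPM_EMAIL=admin@example.com NPM_PASSWORD=... python3 audit_npm.py
"""
import json
import os
import ssl
import urllib.request

BASE_URL = "https://192.168.11.170:81"

# domain -> (forward_host, forward_port, websocket), copied from section 8.
EXPECTED = {
    "dev.d-bis.org":         ("192.168.11.59", 3000, False),
    "gitea.d-bis.org":       ("192.168.11.59", 3000, False),
    "codespaces.d-bis.org":  ("192.168.11.59", 3000, False),
    "pve.ml110.d-bis.org":   ("192.168.11.10", 8006, True),
    "pve.r630-01.d-bis.org": ("192.168.11.11", 8006, True),
    "pve.r630-02.d-bis.org": ("192.168.11.12", 8006, True),
}

# Constructed sample of an API response, trimmed to the fields used:
# dev still carries the old .60 target and pve.ml110 lacks WebSocket.
SAMPLE_HOSTS = [
    {"id": 1, "domain_names": ["dev.d-bis.org"], "forward_scheme": "http",
     "forward_host": "192.168.11.60", "forward_port": 3000, "allow_websocket_upgrade": 0},
    {"id": 2, "domain_names": ["gitea.d-bis.org"], "forward_scheme": "http",
     "forward_host": "192.168.11.59", "forward_port": 3000, "allow_websocket_upgrade": 0},
    {"id": 3, "domain_names": ["pve.ml110.d-bis.org"], "forward_scheme": "https",
     "forward_host": "192.168.11.10", "forward_port": 8006, "allow_websocket_upgrade": 0},
]

FIELDS = ("forward_host", "forward_port", "allow_websocket_upgrade")


def audit_proxy_hosts(hosts, expected=EXPECTED):
    """Return (domain, field, actual, wanted) tuples for every drift.

    The field 'missing' means no proxy host carries that domain at all."""
    by_domain = {d: h for h in hosts for d in h.get("domain_names", [])}
    drifts = []
    for domain, wanted in expected.items():
        h = by_domain.get(domain)
        if h is None:
            drifts.append((domain, "missing", None, None))
            continue
        # API returns port as int and websocket as 0/1; normalise both.
        actual = (h.get("forward_host"), int(h.get("forward_port", 0)),
                  bool(h.get("allow_websocket_upgrade", 0)))
        for field, a, w in zip(FIELDS, actual, wanted):
            if a != w:
                drifts.append((domain, field, a, w))
    return drifts


def _insecure_ctx():
    # NPMplus' UI certificate is self-signed; skip verification on the LAN only.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _api(base, path, token=None, payload=None):
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(base + path, data=data, headers=headers,
                                 method="POST" if data else "GET")
    with urllib.request.urlopen(req, context=_insecure_ctx(), timeout=15) as resp:
        return json.load(resp)


def fetch_proxy_hosts(base, email, password):
    """Log in and return the live proxy-host list."""
    token = _api(base, "/api/tokens",
                 payload={"identity": email, "secret": password})["token"]
    return _api(base, "/api/nginx/proxy-hosts", token=token)


if __name__ == "__main__":
    if os.environ.get("NPM_PASSWORD"):
        hosts = fetch_proxy_hosts(BASE_URL, os.environ["NPM_EMAIL"], os.environ["NPM_PASSWORD"])
    else:
        hosts = SAMPLE_HOSTS                     # offline dry run on the sample
    for domain, field, actual, wanted in audit_proxy_hosts(hosts):
        print(f"{domain}: {field} is {actual!r}, should be {wanted!r}")
```

The audit is read-only; fix drifts in the UI per the table, or rerun the repo's update script, and run the audit again until it prints nothing.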

9. Remaining fixes (502s, RPC)

After tunnel/NPM/Dev VM are correct, fix any remaining 502s from RPC or other backends:

| Issue | Fix (run from project root on LAN) | Doc |
|---|---|---|
| All-in-one (recommended) | `./scripts/maintenance/run-all-maintenance-via-proxmox-ssh.sh --e2e` (writable → 2101 → Besu install → 502s → E2E) | 502_DEEP_DIVE, MAINTENANCE_SCRIPTS_REVIEW |
| RPC CTs read-only | `./scripts/maintenance/make-rpc-vmids-writable-via-ssh.sh` first (2101, 2500-2505 on r630-01) | 502_DEEP_DIVE §Read-only CT |
| 2101 (rpc-http-prv): JNA / Besu not starting | `./scripts/maintenance/fix-rpc-2101-jna-reinstall.sh` (CT must be writable; run make-rpc-vmids-writable first if needed) | 502_DEEP_DIVE_ROOT_CAUSES_AND_FIXES.md, RPC_NODES_BLOCK_PRODUCTION_FIX.md |
| 2500-2505 (rpc-alltra*, rpc-hybx*): Besu binary missing | `./scripts/besu/install-besu-permanent-on-missing-nodes.sh` (use `--dry-run` to preview; CTs must be writable) | Same, plus BESU_NODES_TWEAKS_AND_FOLLOWUPS.md |
| All 502 backends (DBIS, Cacti, RPC) | `./scripts/maintenance/fix-all-502s-comprehensive.sh` | 502_DEEP_DIVE |