proxmox/docs/05-network/CLOUDFLARE_NGINX_INTEGRATION.md

Cloudflare and Nginx Integration

Last Updated: 2025-01-20
Document Version: 1.0
Status: Active Documentation


Overview

Integration of Cloudflare (via cloudflared tunnel on VMID 102) with nginx-proxy-manager (VMID 105) for routing to RPC nodes.


Architecture

Internet → Cloudflare → cloudflared (VMID 102) → nginx-proxy-manager (VMID 105) → RPC Nodes (2500-2502)

Components

  1. Cloudflare - Global CDN, DDoS protection, SSL termination
  2. cloudflared (VMID 102) - Cloudflare tunnel client
  3. nginx-proxy-manager (VMID 105) - Reverse proxy and routing
  4. RPC Nodes (2500-2502) - Besu RPC endpoints

VMID 102: cloudflared

Status: Existing container (running)
Purpose: Cloudflare tunnel client
Configuration: Routes Cloudflare traffic to nginx-proxy-manager

Configuration Requirements

The cloudflared tunnel should be configured to route to nginx-proxy-manager (VMID 105):

# Example cloudflared config (config.yml)
tunnel: <your-tunnel-id>
credentials-file: /etc/cloudflared/credentials.json

ingress:
  # RPC Core
  - hostname: rpc-core.yourdomain.com
    service: http://192.168.11.105:80  # nginx-proxy-manager
  
  # RPC Permissioned
  - hostname: rpc-perm.yourdomain.com
    service: http://192.168.11.105:80  # nginx-proxy-manager
  
  # RPC Public
  - hostname: rpc.yourdomain.com
    service: http://192.168.11.105:80  # nginx-proxy-manager
  
  # Catch-all (optional)
  - service: http_status:404

VMID 105: nginx-proxy-manager

Status: Existing container (running)
Purpose: Reverse proxy and routing to RPC nodes

Proxy Host Configuration

Configure separate proxy hosts for each RPC type:

1. Core RPC Proxy

  • Domain Names: rpc-core.yourdomain.com
  • Scheme: http
  • Forward Hostname/IP: 192.168.11.250
  • Forward Port: 8545
  • Websockets: Enabled (for WS-RPC on port 8546)
  • SSL: Handle at Cloudflare level (or configure SSL here)
  • Access: Restrict to internal network if needed

2. Permissioned RPC Proxy

  • Domain Names: rpc-perm.yourdomain.com
  • Scheme: http
  • Forward Hostname/IP: 192.168.11.251
  • Forward Port: 8545
  • Websockets: Enabled
  • SSL: Handle at Cloudflare level
  • Access: Configure authentication/authorization

3. Public RPC Proxy

  • Domain Names: rpc.yourdomain.com, rpc-public.yourdomain.com
  • Scheme: http
  • Forward Hostname/IP: 192.168.11.252
  • Forward Port: 8545
  • Websockets: Enabled
  • SSL: Handle at Cloudflare level
  • Cache Assets: Disabled (RPC responses shouldn't be cached)
  • Block Common Exploits: Enabled
  • Rate Limiting: Configure as needed

Network Flow

Request Flow

  1. Client makes request to rpc.yourdomain.com
  2. Cloudflare handles DNS, DDoS protection, SSL termination
  3. cloudflared (VMID 102) receives request via Cloudflare tunnel
  4. nginx-proxy-manager (VMID 105) receives request from cloudflared
  5. nginx-proxy-manager routes based on domain to appropriate RPC node:
    • rpc-core.* → 192.168.11.250:8545 (Core RPC)
    • rpc-perm.* → 192.168.11.251:8545 (Permissioned RPC)
    • rpc.* → 192.168.11.252:8545 (Public RPC)
  6. RPC Node processes request and returns response

Response Flow (Reverse)

  1. RPC Node returns response
  2. nginx-proxy-manager forwards response
  3. cloudflared forwards to Cloudflare tunnel
  4. Cloudflare delivers to client

Benefits

  1. DDoS Protection: Cloudflare provides robust DDoS mitigation
  2. Global CDN: Faster response times worldwide
  3. SSL/TLS: Automatic SSL certificate management via Cloudflare
  4. Rate Limiting: Cloudflare rate limiting + nginx-proxy-manager controls
  5. Centralized Routing: Single point (nginx-proxy-manager) to manage routing logic
  6. Type-Based Routing: Clear separation of RPC node types
  7. Security: Validators remain behind firewall, only RPC nodes exposed

Configuration Checklist

Cloudflare (Cloudflare Dashboard)

  • Create Cloudflare tunnel
  • Configure DNS records (CNAME) for each RPC type:
    • rpc-core.yourdomain.com → tunnel
    • rpc-perm.yourdomain.com → tunnel
    • rpc.yourdomain.com → tunnel
  • Enable SSL/TLS (Full or Full (strict))
  • Configure DDoS protection rules
  • Set up rate limiting rules (optional)
  • Configure WAF rules (optional)

cloudflared (VMID 102)

  • Install/configure cloudflared
  • Set up tunnel configuration
  • Configure ingress rules to route to nginx-proxy-manager (192.168.11.105:80)
  • Test tunnel connectivity
  • Enable/start cloudflared service

nginx-proxy-manager (VMID 105)

  • Access web UI (typically port 81)
  • Create proxy host for Core RPC (rpc-core.* → 192.168.11.250:8545)
  • Create proxy host for Permissioned RPC (rpc-perm.* → 192.168.11.251:8545)
  • Create proxy host for Public RPC (rpc.* → 192.168.11.252:8545)
  • Enable WebSocket support for all proxy hosts
  • Configure access control/authentication for Permissioned RPC
  • Configure rate limiting for Public RPC (optional)
  • Test routing to each RPC node

RPC Nodes (2500-2502)

  • Ensure RPC nodes are running and accessible
  • Verify RPC endpoints respond on ports 8545/8546
  • Test direct access to each RPC node
  • Verify correct config files are deployed:
    • 2500: config-rpc-core.toml
    • 2501: config-rpc-perm.toml
    • 2502: config-rpc-public.toml

Testing

Test Direct RPC Access

# Test Core RPC
curl -X POST http://192.168.11.250:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test Permissioned RPC
curl -X POST http://192.168.11.251:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test Public RPC
curl -X POST http://192.168.11.252:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

Test Through nginx-proxy-manager

# Test Core RPC via nginx-proxy-manager
# Routing is by Host header (the proxy host's domain name), not by URL path,
# so POST to the root and set the Host header of the proxy host being tested
curl -X POST http://192.168.11.105/ \
  -H "Host: rpc-core.yourdomain.com" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

Test Through Cloudflare

# Test Public RPC via Cloudflare
curl -X POST https://rpc.yourdomain.com \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
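The three curl checks above answer only "did it respond"; the script below is an added example (not from the original document) that queries each node directly and the Public RPC host through nginx-proxy-manager by Host header, then compares block heights so a misrouted proxy host or a lagging node shows up as a gap. Addresses and hostnames are the ones used in this document; the 2-block tolerance is an assumed value.

```bash
#!/usr/bin/env bash
# Added example: check each RPC path described above and compare block heights.
set -eu
PAYLOAD='{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Print the hex "result" of a JSON-RPC response; print nothing and return 1 for
# error objects or non-JSON bodies (an nginx 502 page, the tunnel's 404 catch-all).
rpc_result() {
  r=$(printf '%s' "$1" | sed -n 's/.*"result": *"\(0x[0-9a-fA-F]\{1,\}\)".*/\1/p')
  [ -n "$r" ] && printf '%s\n' "$r"
}

# 0x-prefixed hex to decimal (printf accepts C-style integer constants)
hex_to_dec() { printf '%d\n' "$1"; }

# POST eth_blockNumber to $1. Optional $2 sets the Host header, which is what
# nginx-proxy-manager routes on when it is hit directly instead of via the tunnel.
query_height() {
  url=$1; host=${2:-}
  if [ -n "$host" ]; then
    body=$(curl -sS --max-time 5 -X POST "$url" -H "Host: $host" \
           -H 'Content-Type: application/json' -d "$PAYLOAD") || body=''
  else
    body=$(curl -sS --max-time 5 -X POST "$url" \
           -H 'Content-Type: application/json' -d "$PAYLOAD") || body=''
  fi
  hex=$(rpc_result "$body") || { echo "no JSON-RPC result from $url" >&2; return 1; }
  hex_to_dec "$hex"
}

# Succeed when max(heights) - min(heights) <= $1 blocks
heights_in_sync() {
  tolerance=$1; shift
  min=$1; max=$1
  for h in "$@"; do
    if [ "$h" -lt "$min" ]; then min=$h; fi
    if [ "$h" -gt "$max" ]; then max=$h; fi
  done
  [ $((max - min)) -le "$tolerance" ]
}

main() {
  core=$(query_height http://192.168.11.250:8545)
  perm=$(query_height http://192.168.11.251:8545)
  pub=$(query_height http://192.168.11.252:8545)
  via_npm=$(query_height http://192.168.11.105/ rpc.yourdomain.com)
  echo "core=$core perm=$perm public=$pub public-via-npm=$via_npm"
  heights_in_sync 2 "$core" "$perm" "$pub" "$via_npm" ||
    { echo "WARN: height gap > 2 blocks; check proxy host routing and node sync" >&2; return 1; }
}

# Run the checks only when invoked as: ./check_rpc_routing.sh run
if [ "${1:-}" = run ]; then main; fi
```

A height that differs only on the via-nginx-proxy-manager line points at the proxy host (wrong forward IP or a Host name not matching the Cloudflare DNS record); a gap on one direct line points at that node's sync state.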

Security Considerations

  1. SSL/TLS: Cloudflare handles SSL termination (Full mode recommended)
  2. Access Control:
    • Core RPC: Restrict to internal network IPs
    • Permissioned RPC: Require authentication/authorization
    • Public RPC: Rate limiting and DDoS protection
  3. Firewall Rules: Ensure only necessary ports are exposed
  4. Rate Limiting: Configure at both Cloudflare and nginx-proxy-manager levels
  5. WAF: Enable Cloudflare WAF for additional protection
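"Rate Limiting: Configure as needed" for the Public RPC proxy host and items 2 and 4 above say where to limit but not how, and behind a tunnel the detail that decides whether it works is that nginx only ever sees cloudflared's address. The following is an added example (not from this document or from the nginx-proxy-manager project) of the directives for NPM's custom http include and for the Public RPC proxy host's Advanced tab. It assumes VMID 102 is 192.168.11.102, that the NPM build in use reads /data/nginx/custom/http_top.conf and drops its generated location / when the Advanced config supplies one, and that 10 r/s is an acceptable budget.

```nginx
# --- /data/nginx/custom/http_top.conf (http context) -------------------------
# nginx-proxy-manager includes this file in its http{} block, the only context
# where limit_req_zone and map may appear.

# Public RPC budget: 10 req/s sustained per client IP; 10 MB holds ~160k IPs
limit_req_zone $binary_remote_addr zone=rpc_public:10m rate=10r/s;
limit_req_status 429;

# WebSocket upgrade: "upgrade" when the client asks for it, "close" otherwise
map $http_upgrade $rpc_connection_upgrade {
    default upgrade;
    ''      close;
}

# --- Proxy host rpc.yourdomain.com > Advanced > Custom Nginx Configuration ----
# Lands in the server{} block; a "location /" here replaces the generated one.

# Behind the tunnel every request arrives from cloudflared (VMID 102), so
# $remote_addr is the tunnel container, not the end user. Trust only that
# address to supply the real client IP; without this the rate limit above
# would see a single IP for all traffic and throttle every client at once.
set_real_ip_from 192.168.11.102;   # assumed address of VMID 102
real_ip_header   CF-Connecting-IP;

location / {
    limit_req zone=rpc_public burst=20 nodelay;

    # JSON-RPC requests are small; reject oversized bodies before Besu sees them
    client_max_body_size 64k;

    proxy_http_version 1.1;
    proxy_set_header Upgrade         $http_upgrade;
    proxy_set_header Connection      $rpc_connection_upgrade;
    # Besu checks Host against rpc-http-host-allowlist, so rpc.yourdomain.com
    # must be in that list in config-rpc-public.toml or Besu answers 403
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;   # client IP after real_ip_header
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_pass http://192.168.11.252:8545;
}
```

Cloudflare's own rate limiting still applies in front of this; the nginx limit is the second layer item 4 asks for, and it keeps working when a request reaches nginx-proxy-manager without passing through Cloudflare.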

Troubleshooting

Cloudflare Tunnel Not Connecting

  • Check cloudflared service status: systemctl status cloudflared
  • Verify tunnel configuration: cloudflared tunnel info
  • Check Cloudflare dashboard for tunnel status
  • Verify network connectivity from VMID 102 to VMID 105

nginx-proxy-manager Not Routing

  • Check proxy host configuration in web UI
  • Verify domain names match Cloudflare DNS records
  • Check nginx-proxy-manager logs
  • Test direct connection to RPC nodes

RPC Nodes Not Responding

  • Check Besu service status: systemctl status besu-rpc
  • Verify RPC endpoints are enabled in config files
  • Check firewall rules on RPC nodes
  • Test direct connection from nginx-proxy-manager to RPC nodes

Network Documents

  • RPC Node Types: docs/RPC_NODE_TYPES_ARCHITECTURE.md
  • Nginx Architecture: docs/NGINX_ARCHITECTURE_RPC.md


Last Updated: 2025-01-20
Document Version: 1.0
Review Cycle: Quarterly