# Cloudflare DNS Configuration for Specific Services

Last Updated: 2025-01-20
Document Version: 1.0
Status: Service-Specific DNS Mapping

## Overview

This document provides specific Cloudflare DNS and tunnel configuration for:
- Mail Server (VMID 100) - Mail services for all domains
- Public RPC Node (VMID 2502) - Besu RPC-3 for public access
- Solace Frontend (VMID 300X) - Solace frontend application
## Service 1: Mail Server (VMID 100)

### Container Information

- VMID: 100
- Service: Mail server (Postfix, Dovecot, or similar)
- Purpose: Handle mail for all domains
- IP Address: To be determined (check with `pct config 100`)
- Ports:
  - SMTP: 25 (or 587 for submission)
  - IMAP: 143 (or 993 for IMAPS)
  - POP3: 110 (or 995 for POP3S)
### DNS Records Required

For each domain that will use this mail server:

#### MX Records (Mail Exchange)

```
Type: MX
Name: @ (or domain root)
Priority: 10
Target: mail.yourdomain.com
TTL: Auto
Proxy: ❌ DNS only (gray cloud) - MX records cannot be proxied
```

Example for multiple domains:

```
yourdomain.com     → MX 10 mail.yourdomain.com
anotherdomain.com  → MX 10 mail.anotherdomain.com
```
#### A/CNAME Records for Mail Server

```
Type: A (or CNAME if using tunnel)
Name: mail
Target: <tunnel-id>.cfargotunnel.com (if using tunnel)
    OR <server-ip> (if direct access)
TTL: Auto
Proxy: 🟠 Proxied (if using tunnel)
       ❌ DNS only (if direct access with public IP)
```

Note: Mail protocols (SMTP, IMAP, POP3) are not carried by the Cloudflare proxy or tunnel in this setup, so the hostname an MX record points at must resolve directly to the mail server's public IP. If using a Cloudflare tunnel, you may need to:

- Use A records pointing to public IPs for MX
- Use the tunnel for the webmail interface only
### Tunnel Configuration (Optional - for Webmail)

If your mail server has a webmail interface:

In Cloudflare Tunnel Dashboard:

```
Subdomain: webmail
Domain: yourdomain.com
Service: http://<mail-server-ip>:80
     OR https://<mail-server-ip>:443
```

DNS Record:

```
Type: CNAME
Name: webmail
Target: <tunnel-id>.cfargotunnel.com
Proxy: 🟠 Proxied
```
### Mail Server Ports Configuration

Important: Cloudflare tunnels can handle HTTP/HTTPS traffic, but mail protocols (SMTP, IMAP, POP3) require a direct connection or special configuration.

Options:

1. Direct Public IP (Recommended for mail):
   - Assign a public IP to the mail server
   - Create A records pointing to the public IP
   - Configure firewall rules
2. Cloudflare Tunnel for Webmail Only:
   - Use the tunnel for the webmail interface
   - Use direct IP for mail protocols (SMTP, IMAP, POP3)
3. SMTP Relay via Cloudflare (Advanced):
   - Use Cloudflare Email Routing for incoming mail
   - Configure the mail server for outgoing mail only
### Recommended Configuration

MX Records (All Domains):

```
yourdomain.com     → MX 10 mail.yourdomain.com
anotherdomain.com  → MX 10 mail.anotherdomain.com
```

A Record (Mail Server):

```
mail.yourdomain.com → A <public-ip> (if direct access)
OR
mail.yourdomain.com → CNAME <tunnel-id>.cfargotunnel.com (if tunnel)
```

CNAME Record (Webmail):

```
webmail.yourdomain.com → CNAME <tunnel-id>.cfargotunnel.com
Proxy: 🟠 Proxied
```
## Service 2: Public RPC Node (VMID 2502)

### Container Information

- VMID: 2502
- Hostname: besu-rpc-3
- IP Address: 192.168.11.252
- Service: Besu JSON-RPC API
- Ports: 8545 (HTTP-RPC), 8546 (WebSocket-RPC)
- Purpose: Public access to blockchain RPC endpoint
### DNS Records

#### Primary RPC Endpoint

```
Type: CNAME
Name: rpc
Target: <tunnel-id>.cfargotunnel.com
TTL: Auto
Proxy: 🟠 Proxied (orange cloud) - Required for tunnel
```

Alternative subdomains:

- rpc-public.yourdomain.com
- rpc-mainnet.yourdomain.com
- api.yourdomain.com (if this is the primary API)
### Tunnel Configuration

In Cloudflare Tunnel Dashboard:

Public Hostname:

```
Subdomain: rpc
Domain: yourdomain.com
Service: http://192.168.11.252:8545
```

For WebSocket Support:

```
Subdomain: rpc-ws
Domain: yourdomain.com
Service: http://192.168.11.252:8546
```

Or use a single endpoint with path-based routing:

```
Subdomain: rpc
Domain: yourdomain.com
Service: http://192.168.11.252:8545
Path: /ws → http://192.168.11.252:8546
```
### Complete Configuration Example

DNS Records:

| Type | Name | Target | Proxy |
|---|---|---|---|
| CNAME | rpc | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied |
| CNAME | rpc-ws | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied |

Tunnel Ingress:

```yaml
ingress:
  # HTTP JSON-RPC
  - hostname: rpc.yourdomain.com
    service: http://192.168.11.252:8545
  # WebSocket RPC
  - hostname: rpc-ws.yourdomain.com
    service: http://192.168.11.252:8546
  # Catch-all
  - service: http_status:404
```
### Testing

Test HTTP-RPC:

```bash
curl -X POST https://rpc.yourdomain.com \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "method": "eth_blockNumber",
    "params": [],
    "id": 1
  }'
```

Test WebSocket (from browser console):

```javascript
const ws = new WebSocket('wss://rpc-ws.yourdomain.com');
ws.onopen = () => {
  ws.send(JSON.stringify({
    jsonrpc: "2.0",
    method: "eth_blockNumber",
    params: [],
    id: 1
  }));
};
// Log the node's reply so the block number is visible in the console
ws.onmessage = (event) => console.log(event.data);
```
### Security Considerations

- Rate Limiting: Configure rate limiting in Cloudflare
- DDoS Protection: Cloudflare automatically provides DDoS protection
- Access Control: Consider adding Cloudflare Access for additional security
- API Keys: Implement API key authentication at application level
- CORS: Configure CORS headers if needed for web applications
## Service 3: Solace Frontend (VMID 300X)

### Container Information

- VMID: 300X (specific VMID to be determined)
- Service: Solace frontend application
- Purpose: User-facing web interface for Solace
- IP Address: To be determined
- Port: Typically 80 (HTTP) or 443 (HTTPS)

### VMID Allocation Note

Important: Solace is not explicitly assigned a VMID range in the official allocation documents (VMID_ALLOCATION_FINAL.md).

The 300X range falls within the "Besu RPC / Gateways" allocation (2500-3499), which includes:

- 2500-2502: Initial Besu RPC nodes (3 nodes)
- 2503-3499: Reserved for RPC/Gateway expansion (997 VMIDs)

Since the Solace frontend is deployed in the 300X range, it is using VMIDs from the RPC/Gateway expansion pool. This should be documented in the VMID allocation plan for future reference.
### Finding the Solace Container

Check which container is Solace:

```bash
# List containers in 300X range
pct list | grep -E "^\s*3[0-9]{3}"

# Check container hostname
pct config <VMID> | grep hostname

# Check container IP
pct config <VMID> | grep ip
```

Or check running services:

```bash
# SSH into Proxmox host and check
for vmid in 3000 3001 3002 3003 3004 3005; do
  echo "=== VMID $vmid ==="
  pct exec $vmid -- hostname 2>/dev/null || echo "Not found"
done
```
### DNS Records

Primary Frontend:

```
Type: CNAME
Name: solace
Target: <tunnel-id>.cfargotunnel.com
TTL: Auto
Proxy: 🟠 Proxied (orange cloud)
```

Alternative names:

- app.yourdomain.com
- solace-app.yourdomain.com
- frontend.yourdomain.com

### Tunnel Configuration

In Cloudflare Tunnel Dashboard:

Public Hostname:

```
Subdomain: solace
Domain: yourdomain.com
Service: http://<solace-container-ip>:<port>
```

Example (assuming VMID 3000 and port 80; the address below is a placeholder only, since 300 is not a valid IPv4 octet, so substitute the real container IP):

```
Subdomain: solace
Domain: yourdomain.com
Service: http://192.168.11.300:80
```
### Complete Configuration Example

Once container details are confirmed:

DNS Record:

| Type | Name | Target | Proxy |
|---|---|---|---|
| CNAME | solace | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied |

Tunnel Ingress:

```yaml
ingress:
  - hostname: solace.yourdomain.com
    service: http://<solace-ip>:<port>
  # Catch-all
  - service: http_status:404
```

### Additional Configuration (If Needed)

If Solace has API endpoints:

```
Subdomain: solace-api
Domain: yourdomain.com
Service: http://<solace-ip>:<api-port>
```

If Solace has WebSocket support:

```
Subdomain: solace-ws
Domain: yourdomain.com
Service: http://<solace-ip>:<ws-port>
```
## Complete DNS Mapping Summary

### All Services Together

| Service | VMID | IP | DNS Record | Tunnel Ingress |
|---|---|---|---|---|
| Mail Server | 100 | TBD | mail.yourdomain.com | Webmail only (if applicable) |
| Public RPC | 2502 | 192.168.11.252 | rpc.yourdomain.com | http://192.168.11.252:8545 |
| Solace Frontend | 300X | TBD | solace.yourdomain.com | `http://<ip>:<port>` |

### DNS Records to Create

In Cloudflare DNS Dashboard:

1. Mail Server:

   ```
   Type: MX
   Name: @
   Priority: 10
   Target: mail.yourdomain.com
   Proxy: ❌ DNS only

   Type: A or CNAME
   Name: mail
   Target: <public-ip> or <tunnel-id>.cfargotunnel.com
   Proxy: Based on access method
   ```

2. RPC Node:

   ```
   Type: CNAME
   Name: rpc
   Target: <tunnel-id>.cfargotunnel.com
   Proxy: 🟠 Proxied

   Type: CNAME
   Name: rpc-ws
   Target: <tunnel-id>.cfargotunnel.com
   Proxy: 🟠 Proxied
   ```

3. Solace Frontend:

   ```
   Type: CNAME
   Name: solace
   Target: <tunnel-id>.cfargotunnel.com
   Proxy: 🟠 Proxied
   ```
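The rules this document states for the plan (MX records DNS-only and pointing at a real A record, tunnel CNAMEs proxied with a matching ingress rule, mail protocols never routed through the tunnel, catch-all rule last) can be checked mechanically before any record is created. The linter below is an added example, not part of this document or of any Cloudflare tool; it embeds the page's own records and ingress rules as constructed data, with the tunnel id, zone and container addresses left as the page's placeholders.

```python
import re

TUNNEL = "<tunnel-id>.cfargotunnel.com"          # placeholder tunnel id
MAIL_PORTS = {25, 465, 587, 110, 995, 143, 993}  # SMTP/POP3/IMAP: never behind the tunnel

# Constructed from this document's plan; zone, tunnel id and container IPs are placeholders.
RECORDS = [
    {"type": "MX",    "name": "@",       "target": "mail.yourdomain.com", "proxied": False},
    {"type": "A",     "name": "mail",    "target": "<public-ip>",         "proxied": False},
    {"type": "CNAME", "name": "webmail", "target": TUNNEL,                "proxied": True},
    {"type": "CNAME", "name": "rpc",     "target": TUNNEL,                "proxied": True},
    {"type": "CNAME", "name": "rpc-ws",  "target": TUNNEL,                "proxied": True},
    {"type": "CNAME", "name": "solace",  "target": TUNNEL,                "proxied": True},
]
INGRESS = [
    {"hostname": "webmail.yourdomain.com", "service": "http://<mail-server-ip>:80"},
    {"hostname": "rpc.yourdomain.com",     "service": "http://192.168.11.252:8545"},
    {"hostname": "rpc-ws.yourdomain.com",  "service": "http://192.168.11.252:8546"},
    {"hostname": "solace.yourdomain.com",  "service": "http://<solace-ip>:<port>"},
    {"service": "http_status:404"},  # catch-all: must be last and have no hostname
]

def lint(records, ingress, zone="yourdomain.com"):
    """Return a list of findings; an empty list means the plan follows the rules above."""
    out = []
    by_name = {r["name"]: r for r in records}
    hosts = {i["hostname"] for i in ingress if "hostname" in i}
    for r in records:
        if r["type"] == "MX":
            if r["proxied"]:
                out.append(f"MX {r['name']}: MX records cannot be proxied")
            # The MX target must resolve straight to the public IP, not via the tunnel.
            t = by_name.get(r["target"].removesuffix("." + zone))
            if t is None or t["type"] != "A" or t["proxied"]:
                out.append(f"MX {r['name']}: target must be a DNS-only A record, not a tunnel CNAME")
        elif r["target"].endswith(".cfargotunnel.com"):
            if not r["proxied"]:
                out.append(f"{r['type']} {r['name']}: tunnel CNAMEs must be proxied (orange cloud)")
            if f"{r['name']}.{zone}" not in hosts:
                out.append(f"{r['type']} {r['name']}: no tunnel ingress rule for this hostname")
    for i, rule in enumerate(ingress):
        if ("hostname" not in rule) != (i == len(ingress) - 1):
            out.append(f"ingress[{i}]: only the last rule may be a hostname-less catch-all")
        m = re.match(r"(?:https?|tcp)://[^/]*:(\d+)", rule["service"])
        if m and int(m.group(1)) in MAIL_PORTS:
            out.append(f"ingress[{i}]: port {m.group(1)} is a mail protocol; use a direct public IP")
    return out

if __name__ == "__main__":
    for line in lint(RECORDS, INGRESS) or ["plan OK"]:
        print(line)
```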
### Tunnel Ingress Configuration (Complete)

In Cloudflare Zero Trust → Networks → Tunnels → Configure:

```yaml
ingress:
  # Mail Server Webmail (if applicable)
  - hostname: webmail.yourdomain.com
    service: http://<mail-server-ip>:80
  # Public RPC - HTTP
  - hostname: rpc.yourdomain.com
    service: http://192.168.11.252:8545
  # Public RPC - WebSocket
  - hostname: rpc-ws.yourdomain.com
    service: http://192.168.11.252:8546
  # Solace Frontend
  - hostname: solace.yourdomain.com
    service: http://<solace-ip>:<port>
  # Catch-all
  - service: http_status:404
```
## Verification Steps

### 1. Verify Container Status

```bash
# Check mail server
pct status 100
pct config 100 | grep -E "hostname|ip"

# Check RPC node
pct status 2502
pct config 2502 | grep -E "hostname|ip"
# Should show: hostname=besu-rpc-3, ip=192.168.11.252

# Find Solace container
pct list | grep -E "^\s*3[0-9]{3}"
```

### 2. Test Direct Container Access

```bash
# Test RPC node
curl -X POST http://192.168.11.252:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test Solace (once IP is known)
curl -I http://<solace-ip>:<port>

# Test mail server webmail (if applicable)
curl -I http://<mail-ip>:80
```

### 3. Test DNS Resolution

```bash
# Test DNS records
dig rpc.yourdomain.com
dig solace.yourdomain.com
dig mail.yourdomain.com
nslookup rpc.yourdomain.com
```

### 4. Test Through Cloudflare

```bash
# Test RPC via Cloudflare
curl -X POST https://rpc.yourdomain.com \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test Solace via Cloudflare
curl -I https://solace.yourdomain.com

# Test webmail via Cloudflare (if configured)
curl -I https://webmail.yourdomain.com
```
## Security Recommendations

### Mail Server

- MX Records: Use DNS-only (gray cloud) for MX records
- SPF Records: Add SPF records for email authentication

  ```
  Type: TXT
  Name: @
  Content: v=spf1 ip4:<mail-server-ip> include:_spf.google.com ~all
  ```

- DKIM: Configure DKIM signing
- DMARC: Set up DMARC policy
- Firewall: Restrict mail ports to necessary IPs
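An SPF record like the one above is easy to get subtly wrong: a `+all` lets any host pass, a missing `all` leaves the policy open-ended, and more than ten lookup-causing mechanisms make receivers treat the record as a permanent error. The checker below is an added example, not part of this document; it embeds the page's record with a constructed documentation-range address (RFC 5737) in place of `<mail-server-ip>` and applies those RFC 7208 rules offline.

```python
import re

# Constructed from this document's SPF example, with a documentation-range address
# (RFC 5737) standing in for the <mail-server-ip> placeholder.
EXAMPLE_SPF = "v=spf1 ip4:203.0.113.10 include:_spf.google.com ~all"

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup
NO_LOOKUP_TERMS = {"ip4", "ip6", "all", "exp"}
MAX_LOOKUPS = 10  # RFC 7208 limit; exceeding it yields permerror, so SPF silently stops working

def check_spf(record):
    """Return (ok, findings) for the content of an SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, ["record must start with v=spf1"]
    findings, lookups, saw_all = [], 0, False
    for term in terms[1:]:
        if saw_all:
            findings.append(f"'{term}' after 'all' is never evaluated")
            continue
        m = re.fullmatch(r"([+\-~?]?)([a-z0-9]+)([:=/]\S*)?", term, re.I)
        if not m:
            findings.append(f"unparseable term '{term}'")
            continue
        qual, name, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if name in LOOKUP_TERMS:
            lookups += 1
            if name == "ptr":
                findings.append("ptr is deprecated (RFC 7208); use ip4/ip6, a or mx")
        elif name not in NO_LOOKUP_TERMS:
            findings.append(f"unknown mechanism or modifier '{name}'")
            continue
        if name in ("ip4", "ip6", "include", "exists", "redirect") and not arg:
            findings.append(f"{name} requires an argument")
        if name == "all":
            saw_all = True
            if qual == "+":
                findings.append("'+all' lets any host pass SPF; use ~all or -all")
            elif qual == "?":
                findings.append("'?all' is neutral and protects nothing; use ~all or -all")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} lookup terms exceed the limit of {MAX_LOOKUPS} (permerror)")
    if not saw_all and not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("no 'all' mechanism; end the record with ~all or -all")
    return not findings, findings

if __name__ == "__main__":
    print(check_spf(EXAMPLE_SPF))
```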
### RPC Node

- Rate Limiting: Configure in Cloudflare
- DDoS Protection: Enabled by default with proxy
- Access Logging: Monitor access patterns
- API Keys: Implement application-level authentication
- CORS: Configure if needed for web apps

### Solace Frontend

- Cloudflare Access: Add access policies if needed
- SSL/TLS: Ensure Cloudflare SSL is enabled
- WAF Rules: Configure Web Application Firewall rules
- Rate Limiting: Protect against abuse
- Monitoring: Set up alerts for unusual traffic
## Troubleshooting

### Mail Server Issues

Problem: Mail not being received

Solutions:

- Verify MX records are correct
- Check the mail server is accessible on port 25/587
- Verify SPF/DKIM/DMARC records
- Check mail server logs
- Ensure firewall allows mail traffic

### RPC Node Issues

Problem: RPC requests failing

Solutions:

- Verify container is running: `pct status 2502`
- Test direct access: `curl http://192.168.11.252:8545`
- Check tunnel status in Cloudflare dashboard
- Verify DNS record is proxied (orange cloud)
- Check Cloudflare logs for errors

### Solace Frontend Issues

Problem: Frontend not loading

Solutions:

- Verify container is running
- Check container IP and port
- Test direct access to container
- Verify tunnel configuration
- Check DNS resolution
- Review Cloudflare logs
## Next Steps

1. Identify Solace Container:
   - Determine exact VMID for Solace frontend
   - Get container IP address
   - Identify service port
2. Configure Mail Server:
   - Determine mail server IP
   - Set up MX records for all domains
   - Configure SPF/DKIM/DMARC
   - Set up webmail tunnel (if applicable)
3. Deploy Configurations:
   - Create DNS records in Cloudflare
   - Configure tunnel ingress rules
   - Test each service
   - Document final configuration
## Related Documentation

- CLOUDFLARE_DNS_TO_CONTAINERS.md - General DNS mapping guide
- CLOUDFLARE_ZERO_TRUST_GUIDE.md - Cloudflare Zero Trust setup
- DEPLOYMENT_STATUS_CONSOLIDATED.md - Current container inventory

Document Status: Active
Maintained By: Infrastructure Team
Last Updated: 2025-01-20
Next Update: After Solace container details are confirmed