proxmox/docs/04-configuration/cloudflare/CLOUDFLARE_DNS_SPECIFIC_SERVICES.md
defiQUG bea1903ac9
Sync all local changes: docs, config, scripts, submodule refs, verification evidence
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-21 15:46:06 -08:00


# Cloudflare DNS Configuration for Specific Services
**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Status:** Service-Specific DNS Mapping
---
## Overview
This document provides specific Cloudflare DNS and tunnel configuration for:
1. **Mail Server** (VMID 100) - Mail services for all domains
2. **Public RPC Node** (VMID 2502) - Besu RPC-3 for public access
3. **Solace Frontend** (VMID 300X) - Solace frontend application
---
## Service 1: Mail Server (VMID 100)
### Container Information
- **VMID**: 100
- **Service**: Mail server (Postfix, Dovecot, or similar)
- **Purpose**: Handle mail for all domains
- **IP Address**: To be determined (read the `net0:` line of `pct config 100`; the `ip=` field holds the address, or `dhcp` if it is leased)
- **Ports**:
  - SMTP: 25 (MTA-to-MTA delivery, must be reachable from any sending server) and 587 (authenticated submission with STARTTLS)
  - IMAP: 143 (STARTTLS) or 993 (IMAPS)
  - POP3: 110 (STARTTLS) or 995 (POP3S)
### DNS Records Required
**For each domain that will use this mail server:**
#### MX Records (Mail Exchange)
```
Type: MX
Name: @ (or domain root)
Priority: 10
Target: mail.yourdomain.com
TTL: Auto
Proxy: ❌ DNS only (gray cloud) - MX records cannot be proxied
```
**Example for multiple domains:**
- `yourdomain.com` → MX 10 `mail.yourdomain.com`
- `anotherdomain.com` → MX 10 `mail.anotherdomain.com`
Each MX target name needs its own DNS-only A record pointing at the same server, and the server's TLS certificate must cover every such name. Pointing every domain's MX at the single name `mail.yourdomain.com` is simpler and equally valid.
#### A Record for the Mail Server (MX target)
```
Type: A
Name: mail
Target: <public-ip>
TTL: Auto
Proxy: ❌ DNS only (gray cloud)
```
**Note**: The MX target must be an unproxied A (or AAAA) record that resolves to a public IP listening on port 25. It cannot be a proxied record or a tunnel CNAME: remote MTAs would resolve `mail.yourdomain.com` to Cloudflare edge addresses, which do not accept SMTP, and a tunnel public hostname carries HTTP(S) only. The tunnel is useful for the webmail interface, not for the mail protocols themselves.
### Tunnel Configuration (Optional - for Webmail)
If your mail server has a webmail interface:
**In Cloudflare Tunnel Dashboard:**
```
Subdomain: webmail
Domain: yourdomain.com
Service: http://<mail-server-ip>:80
OR https://<mail-server-ip>:443
```
If the webmail origin is HTTPS with a self-signed or internal certificate, enable the tunnel's **No TLS Verify** origin setting (`originRequest.noTLSVerify: true` in `config.yml`) or point the tunnel at the plain-HTTP listener on the LAN; otherwise the origin handshake fails and the public hostname returns 502.
**DNS Record:**
```
Type: CNAME
Name: webmail
Target: <tunnel-id>.cfargotunnel.com
Proxy: 🟠 Proxied
```
### Mail Server Ports Configuration
**Important**: A tunnel public hostname proxies HTTP/HTTPS only. Arbitrary TCP (SMTP, IMAP, POP3) can traverse a tunnel only when the client side runs `cloudflared access tcp` or the WARP client, which remote mail servers and ordinary mail clients do not. Mail protocols therefore need a directly reachable public IP.
**Options:**
1. **Direct Public IP** (Recommended for mail):
   - Assign a public IP to the mail server, or DNAT ports 25/587/993/995 from the edge router to the container
   - Create the DNS-only A record pointing to the public IP
   - Open only the mail ports in the firewall, and confirm the upstream provider does not block outbound port 25
2. **Cloudflare Tunnel for Webmail Only**:
   - Use the tunnel for the webmail interface
   - Use the direct IP for mail protocols (SMTP, IMAP, POP3)
3. **Cloudflare Email Routing for inbound mail** (Advanced):
   - Email Routing takes over the zone's MX records and forwards inbound mail to a verified destination address or a Worker; it does not deliver to this container over SMTP
   - The mail server then handles outbound mail only, so SPF and DKIM still have to cover it
### Recommended Configuration
```
MX Records (All Domains):
yourdomain.com → MX 10 mail.yourdomain.com
anotherdomain.com → MX 10 mail.anotherdomain.com
Proxy: ❌ DNS only
A Record (Mail Server, MX target):
mail.yourdomain.com → A <public-ip>
Proxy: ❌ DNS only
CNAME Record (Webmail):
webmail.yourdomain.com → CNAME <tunnel-id>.cfargotunnel.com
Proxy: 🟠 Proxied
```
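A proxied MX target is the classic silent failure: `dig` still returns addresses, but they are Cloudflare edge IPs that never answer on port 25. The following script, an added example that is not part of the original page or the project's tooling, resolves each MX host of a zone and flags any target that answers with a Cloudflare address. The Cloudflare CIDR list is a snapshot of `https://www.cloudflare.com/ips-v4` and is an assumption that must be refreshed from that URL before the check is trusted.

```shell
#!/bin/sh
# Added example, not part of the original page or the project's tooling.
# Checks that an MX target answers with a real public address and not with a
# Cloudflare edge IP, which is what a proxied (orange-cloud) record returns and
# what silently breaks inbound mail.
# The CIDR list is a snapshot of https://www.cloudflare.com/ips-v4 and is an
# assumption that must be refreshed from that URL before relying on it.

CLOUDFLARE_V4="173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20
197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13
104.24.0.0/14 172.64.0.0/13 131.0.72.0/22"

# Dotted quad -> 32-bit integer (POSIX sh, no bashisms).
ip_to_int() {
  local a b c d rest
  a=${1%%.*}; rest=${1#*.}
  b=${rest%%.*}; rest=${rest#*.}
  c=${rest%%.*}; d=${rest#*.}
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Exit 0 if $1 lies inside any Cloudflare IPv4 range.
is_cloudflare_ip() {
  local ip cidr net bits mask
  ip=$(ip_to_int "$1")
  for cidr in $CLOUDFLARE_V4; do
    net=${cidr%/*}; bits=${cidr#*/}
    mask=$(( (4294967295 >> (32 - bits)) << (32 - bits) ))
    if [ $(( ip & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]; then
      return 0
    fi
  done
  return 1
}

# Classify the answers for an MX target. $1 is whitespace-separated text as
# printed by `dig +short A <target>` (CNAME lines are skipped, IPv4 kept).
# Prints "ok" (exit 0), "proxied" (exit 1: Cloudflare IP, MX is broken) or
# "none" (exit 2: no A record at all).
classify_mx_target() {
  local answers="$1" ip found=0
  for ip in $answers; do
    case "$ip" in
      *[!0-9.]*) continue ;;
    esac
    found=1
    if is_cloudflare_ip "$ip"; then
      echo "proxied"; return 1
    fi
  done
  if [ "$found" -eq 1 ]; then echo "ok"; return 0; fi
  echo "none"; return 2
}

# Live check for a zone (needs dig and network): one line per MX host.
# Usage: check_domain_mx yourdomain.com
check_domain_mx() {
  local domain="$1" prio target
  dig +short MX "$domain" | sort -n | while read -r prio target; do
    printf '%s MX %s %s: %s\n' "$domain" "$prio" "$target" \
      "$(classify_mx_target "$(dig +short A "${target%.}")")"
  done
}
```

`classify_mx_target` is kept separate from the `dig` calls so the logic can be exercised offline; in production run `check_domain_mx` once per domain after every DNS change, since a single click on the orange cloud is enough to reintroduce the fault.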
---
## Service 2: Public RPC Node (VMID 2502)
### Container Information
- **VMID**: 2502
- **Hostname**: besu-rpc-3
- **IP Address**: 192.168.11.252
- **Service**: Besu JSON-RPC API
- **Port**: 8545 (HTTP-RPC), 8546 (WebSocket-RPC)
- **Purpose**: Public access to blockchain RPC endpoint
### DNS Records
#### Primary RPC Endpoint
```
Type: CNAME
Name: rpc
Target: <tunnel-id>.cfargotunnel.com
TTL: Auto
Proxy: 🟠 Proxied (orange cloud) - Required for tunnel
```
**Alternative subdomains:**
```
rpc-public.yourdomain.com
rpc-mainnet.yourdomain.com
api.yourdomain.com (if this is the primary API)
```
### Tunnel Configuration
**In Cloudflare Tunnel Dashboard:**
**Public Hostname:**
```
Subdomain: rpc
Domain: yourdomain.com
Service: http://192.168.11.252:8545
```
**For WebSocket Support:**
```
Subdomain: rpc-ws
Domain: yourdomain.com
Service: http://192.168.11.252:8546
```
cloudflared upgrades WebSocket connections on this hostname automatically; the origin is still declared as `http://`.
**Path-based routing on a single hostname** (a `/ws` rule on `rpc` pointing at port 8546) is possible but not recommended here: cloudflared forwards the request path to the origin unchanged, so the origin would have to accept `GET /ws`, and Besu's WebSocket endpoint is addressed by port, not by path. The separate `rpc-ws` hostname is the simpler and safer choice.
### Complete Configuration Example
**DNS Records:**
| Type | Name | Target | Proxy |
|------|------|--------|-------|
| CNAME | `rpc` | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied |
| CNAME | `rpc-ws` | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied |
**Tunnel Ingress** (`config.yml` form for a locally managed tunnel):
```yaml
ingress:
  # HTTP JSON-RPC
  - hostname: rpc.yourdomain.com
    service: http://192.168.11.252:8545
  # WebSocket RPC
  - hostname: rpc-ws.yourdomain.com
    service: http://192.168.11.252:8546
  # Catch-all (must be last)
  - service: http_status:404
```
### Testing
**Test HTTP-RPC:**
```bash
curl -X POST https://rpc.yourdomain.com \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"method": "eth_blockNumber",
"params": [],
"id": 1
}'
```
**Test WebSocket (from browser console):**
```javascript
const ws = new WebSocket('wss://rpc-ws.yourdomain.com');
ws.onopen = () => {
  ws.send(JSON.stringify({
    jsonrpc: "2.0",
    method: "eth_blockNumber",
    params: [],
    id: 1
  }));
};
// The reply arrives asynchronously; without this handler the test shows nothing
ws.onmessage = (event) => {
  const reply = JSON.parse(event.data);
  console.log('block', parseInt(reply.result, 16), reply);
};
ws.onerror = (err) => console.error('websocket error', err);
```
### Security Considerations
1. **Host allowlist**: cloudflared sends the public hostname in the `Host` header. Besu rejects requests whose `Host` is not in `--host-allowlist` (default `localhost,127.0.0.1`) with HTTP 403, so start the node with `--host-allowlist=rpc.yourdomain.com,rpc-ws.yourdomain.com` or set the tunnel's `httpHostHeader` origin setting to a listed value. A 403 from the origin right after the tunnel goes live is almost always this.
2. **API namespaces**: expose only read namespaces on a public node (`--rpc-http-api=ETH,NET,WEB3` and the same for `--rpc-ws-api`). Never enable ADMIN, MINER, DEBUG, TXPOOL or PERM on the internet-facing RPC.
3. **Rate Limiting**: Configure rate limiting rules in Cloudflare; JSON-RPC batches and wide-range `eth_getLogs` calls are cheap to send and expensive to serve
4. **DDoS Protection**: provided automatically for proxied hostnames, but only if the origin is not also reachable directly (keep 8545/8546 closed at the edge firewall so the tunnel is the only path in)
5. **Access Control**: Cloudflare Access can gate the endpoint, but it prevents anonymous public use; API keys at the application or reverse-proxy layer are the alternative for a public node
6. **CORS**: browser clients need `--rpc-http-cors-origins` set on Besu (or the headers added by a proxy in front of it)
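Points 1 and 2 above are the ones that go wrong quietly, so they deserve a check rather than a code review. The script below is an added example, not the project's script: it sends parameterless JSON-RPC calls through the public hostname and reports which methods are actually served, distinguishing a real result from a JSON-RPC error (method not enabled) and from a transport failure such as the host-allowlist 403. It uses only `curl` and `sed`, so it runs on a bare Proxmox host. `SAMPLE_OK` and `SAMPLE_ERR` are constructed responses for offline checks, and the privileged method names assume the node is Besu, as it is on VMID 2502.

```shell
#!/bin/sh
# Added example, not the project's script: probe a public Besu JSON-RPC endpoint
# and parse the replies without jq, so it runs on a bare Proxmox host.
# SAMPLE_OK and SAMPLE_ERR are constructed responses used for offline checks;
# the method list is Besu's (assumption: the node is Besu, as on VMID 2502).

SAMPLE_OK='{"jsonrpc":"2.0","id":1,"result":"0x1b4"}'
SAMPLE_ERR='{"jsonrpc":"2.0","id":1,"error":{"code":-32601,"message":"Method not found"}}'

# JSON-RPC 2.0 request body for a parameterless method.
rpc_body() {
  printf '{"jsonrpc":"2.0","method":"%s","params":[],"id":1}' "$1"
}

# Exit 0 if the reply carries a "result" member of any type (string, array, object).
rpc_has_result() {
  printf '%s' "$1" | grep -q '"result":'
}

# Extract a string-valued result such as the 0x quantity from eth_blockNumber.
rpc_result() {
  printf '%s' "$1" | sed -n 's/.*"result":"\([^"]*\)".*/\1/p'
}

# Extract the numeric error code; empty when the reply has no error object.
rpc_error_code() {
  printf '%s' "$1" | sed -n 's/.*"error":{[^}]*"code":\(-*[0-9]*\).*/\1/p'
}

# 0x-prefixed hex quantity to decimal.
hex_to_dec() {
  echo $(( $1 ))
}

# Live probe. Exit 0 = method served (result), 1 = node answered with a JSON-RPC
# error (method not enabled or not found), 2 = transport/HTTP failure, e.g. the
# 403 Besu returns when the Host header is not in --host-allowlist.
probe_method() {
  local url="$1" method="$2" resp
  resp=$(curl -sS --max-time 10 -H 'Content-Type: application/json' \
           --data "$(rpc_body "$method")" "$url") || return 2
  if rpc_has_result "$resp"; then return 0; fi
  if [ -n "$(rpc_error_code "$resp")" ]; then return 1; fi
  return 2
}

# Confirm that only read namespaces are reachable through the tunnel.
# Exit 1 if any privileged (parameterless) Besu method answers with a result.
check_public_rpc() {
  local url="$1" m rc bad=0
  for m in eth_blockNumber net_version \
           admin_peers miner_start debug_metrics txpool_besuStatistics; do
    if probe_method "$url" "$m"; then rc=0; else rc=$?; fi
    case "$m" in
      eth_*|net_*)
        if [ "$rc" -eq 0 ]; then echo "ok:   $m served"
        else echo "WARN: $m not served (rc=$rc)"; fi ;;
      *)
        if [ "$rc" -eq 0 ]; then echo "FAIL: $m exposed publicly"; bad=1
        else echo "ok:   $m not served"; fi ;;
    esac
  done
  return "$bad"
}

# Usage from any host with curl:
#   check_public_rpc https://rpc.yourdomain.com
```

Run `check_public_rpc` against the direct origin (`http://192.168.11.252:8545`) as well as the public hostname: the first run proves the namespace restriction, the second proves the tunnel and host allowlist; an `rc=2` for `eth_blockNumber` on the public URL with a working origin is the host-allowlist symptom from point 1.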
---
## Service 3: Solace Frontend (VMID 300X)
### Container Information
- **VMID**: 300X (specific VMID to be determined)
- **Service**: Solace frontend application
- **Purpose**: User-facing web interface for Solace
- **IP Address**: To be determined
- **Port**: Typically 80 (HTTP) or 443 (HTTPS)
### VMID Allocation Note
**Important**: Solace is not explicitly assigned a VMID range in the official allocation documents (`VMID_ALLOCATION_FINAL.md`).
The 300X range falls within the **"Besu RPC / Gateways"** allocation (2500-3499), which includes:
- **2500-2502**: Initial Besu RPC nodes (3 nodes)
- **2503-3499**: Reserved for RPC/Gateway expansion (997 VMIDs)
Since Solace frontend is deployed in the 300X range, it's using VMIDs from the RPC/Gateway expansion pool. This should be documented in the VMID allocation plan for future reference.
### Finding the Solace Container
**Check which container is Solace:**
```bash
# List containers in the 3000-3999 range (300X is a subset of it)
pct list | grep -E "^\s*3[0-9]{3}"
# Check container hostname
pct config <VMID> | grep '^hostname:'
# Check container IP: it is in the netN line ('grep ip' alone also matches 'description')
pct config <VMID> | grep -E '^net[0-9]+:'
```
**Or check running services:**
```bash
# On the Proxmox host: ask each container for its hostname
# ("Not found" also appears for containers that exist but are stopped)
for vmid in 3000 3001 3002 3003 3004 3005; do
  echo "=== VMID $vmid ==="
  pct exec "$vmid" -- hostname 2>/dev/null || echo "Not found"
done
```
### DNS Records
**Primary Frontend:**
```
Type: CNAME
Name: solace
Target: <tunnel-id>.cfargotunnel.com
TTL: Auto
Proxy: 🟠 Proxied (orange cloud)
```
**Alternative names:**
```
app.yourdomain.com
solace-app.yourdomain.com
frontend.yourdomain.com
```
### Tunnel Configuration
**In Cloudflare Tunnel Dashboard:**
**Public Hostname:**
```
Subdomain: solace
Domain: yourdomain.com
Service: http://<solace-container-ip>:<port>
```
**Example (hypothetical values: VMID 3000, IP 192.168.11.30, port 80):**
```
Subdomain: solace
Domain: yourdomain.com
Service: http://192.168.11.30:80
```
### Complete Configuration Example
**Once container details are confirmed:**
**DNS Record:**
| Type | Name | Target | Proxy |
|------|------|--------|-------|
| CNAME | `solace` | `<tunnel-id>.cfargotunnel.com` | 🟠 Proxied |
**Tunnel Ingress:**
```yaml
ingress:
  - hostname: solace.yourdomain.com
    service: http://<solace-ip>:<port>
  # Catch-all (must be last)
  - service: http_status:404
```
### Additional Configuration (If Needed)
**If Solace has API endpoints:**
```
Subdomain: solace-api
Domain: yourdomain.com
Service: http://<solace-ip>:<api-port>
```
**If Solace has WebSocket support:**
```
Subdomain: solace-ws
Domain: yourdomain.com
Service: http://<solace-ip>:<ws-port>
```
---
## Complete DNS Mapping Summary
### All Services Together
| Service | VMID | IP | DNS Record | Tunnel Ingress |
|---------|------|-----|------------|----------------|
| **Mail Server** | 100 | TBD | `mail.yourdomain.com` | Webmail only (if applicable) |
| **Public RPC** | 2502 | 192.168.11.252 | `rpc.yourdomain.com` | `http://192.168.11.252:8545` |
| **Solace Frontend** | 300X | TBD | `solace.yourdomain.com` | `http://<ip>:<port>` |
### DNS Records to Create
**In Cloudflare DNS Dashboard:**
1. **Mail Server:**
   ```
   Type: MX
   Name: @
   Priority: 10
   Target: mail.yourdomain.com
   Proxy: ❌ DNS only

   Type: A
   Name: mail
   Target: <public-ip>
   Proxy: ❌ DNS only (the MX target must never be proxied or a tunnel CNAME)

   Type: CNAME (webmail only, if applicable)
   Name: webmail
   Target: <tunnel-id>.cfargotunnel.com
   Proxy: 🟠 Proxied
   ```
2. **RPC Node:**
   ```
   Type: CNAME
   Name: rpc
   Target: <tunnel-id>.cfargotunnel.com
   Proxy: 🟠 Proxied

   Type: CNAME
   Name: rpc-ws
   Target: <tunnel-id>.cfargotunnel.com
   Proxy: 🟠 Proxied
   ```
3. **Solace Frontend:**
   ```
   Type: CNAME
   Name: solace
   Target: <tunnel-id>.cfargotunnel.com
   Proxy: 🟠 Proxied
   ```
---
## Tunnel Ingress Configuration (Complete)
**In Cloudflare Zero Trust → Networks → Tunnels → Configure** (dashboard-managed tunnel), enter each entry below as a Public Hostname. For a locally managed tunnel the same rules go into `config.yml` exactly as shown; run `cloudflared tunnel ingress validate` after editing it.
```yaml
ingress:
  # Mail Server Webmail (if applicable)
  - hostname: webmail.yourdomain.com
    service: http://<mail-server-ip>:80
  # Public RPC - HTTP
  - hostname: rpc.yourdomain.com
    service: http://192.168.11.252:8545
  # Public RPC - WebSocket
  - hostname: rpc-ws.yourdomain.com
    service: http://192.168.11.252:8546
  # Solace Frontend
  - hostname: solace.yourdomain.com
    service: http://<solace-ip>:<port>
  # Catch-all (must be last)
  - service: http_status:404
```
SMTP, IMAP and POP3 are deliberately absent: a tunnel public hostname cannot carry them.
---
## Verification Steps
### 1. Verify Container Status
```bash
# Check mail server
pct status 100
pct config 100 | grep -E '^(hostname|net[0-9]+):'
# Check RPC node
pct status 2502
pct config 2502 | grep -E '^(hostname|net[0-9]+):'
# Expected: "hostname: besu-rpc-3" and a net0 line containing ip=192.168.11.252/<prefix>
# Find Solace container
pct list | grep -E "^\s*3[0-9]{3}"
```
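The `pct config` dump is the source of truth for the addresses that go into the tunnel ingress, both when locating the Solace container above and in this verification step. The following script is an added example, not part of the original page: it parses the dump into hostname and IPv4, inventories a VMID range, and emits the matching ingress entry so the `<solace-ip>:<port>` placeholders are filled from real config rather than guessed. `SAMPLE_CONFIG` is a constructed dump in pct's key/value format; the VMID 2502 hostname and IP in it come from this page, the remaining fields are assumed.

```shell
#!/bin/sh
# Added example, not part of the original page: extract hostname and IPv4 from
# `pct config` output so the tunnel ingress is filled from the real config
# rather than guessed. SAMPLE_CONFIG is a constructed dump in pct's format;
# the VMID 2502 values in it are taken from this page, the rest are assumed.

SAMPLE_CONFIG='arch: amd64
cores: 4
hostname: besu-rpc-3
memory: 8192
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.11.1,hwaddr=BC:24:11:00:00:01,ip=192.168.11.252/24,type=veth
ostype: debian
rootfs: local-lvm:vm-2502-disk-0,size=64G'

# Hostname from a config dump on stdin.
config_hostname() {
  sed -n 's/^hostname: //p'
}

# IPv4 without prefix length from the first netN line on stdin.
# Prints nothing for ip=dhcp or a missing net line; then the address must be
# read inside the guest (pct exec <vmid> -- ip -4 addr).
config_ipv4() {
  sed -n 's/^net[0-9]*: .*ip=\([0-9.]*\)\/[0-9]*.*/\1/p' | head -n 1
}

# One "vmid status hostname ip" line per container whose VMID is in [lo, hi].
# Runs on the Proxmox host (needs pct), e.g. inventory_range 3000 3009
inventory_range() {
  local lo="$1" hi="$2" vmid status cfg
  pct list | awk 'NR > 1 { print $1, $2 }' | while read -r vmid status; do
    [ "$vmid" -ge "$lo" ] && [ "$vmid" -le "$hi" ] || continue
    cfg=$(pct config "$vmid")
    printf '%s %s %s %s\n' "$vmid" "$status" \
      "$(printf '%s\n' "$cfg" | config_hostname)" \
      "$(printf '%s\n' "$cfg" | config_ipv4)"
  done
}

# cloudflared ingress entry for one container, built from its config on stdin.
# Usage: pct config <vmid> | ingress_entry <public-hostname> <port>
# Fails rather than emitting a broken rule when the container has no static IP.
ingress_entry() {
  local public="$1" port="$2" cfg ip
  cfg=$(cat)
  ip=$(printf '%s\n' "$cfg" | config_ipv4)
  [ -n "$ip" ] || { echo "no static IP in config" >&2; return 1; }
  printf '  - hostname: %s\n    service: http://%s:%s\n' "$public" "$ip" "$port"
}
```

Typical use on the host is `inventory_range 3000 3009` to identify the Solace container, then `pct config <vmid> | ingress_entry solace.yourdomain.com 80 >> config.yml`; a container on DHCP makes `ingress_entry` fail on purpose, because a leased address in a tunnel rule breaks the moment the lease changes.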
### 2. Test Direct Container Access
```bash
# Test RPC node
curl -X POST http://192.168.11.252:8545 \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# Test Solace (once IP is known)
curl -I http://<solace-ip>:<port>
# Test mail server webmail (if applicable)
curl -I http://<mail-ip>:80
```
### 3. Test DNS Resolution
```bash
# Proxied names resolve to Cloudflare edge IPs, not to the tunnel CNAME; that is expected
dig +short rpc.yourdomain.com
dig +short solace.yourdomain.com
# The MX target must be DNS only, so this must return the mail server's public IP,
# not a Cloudflare address
dig +short MX yourdomain.com
dig +short mail.yourdomain.com
# Cross-check against a second resolver to rule out local caching
nslookup rpc.yourdomain.com 1.1.1.1
```
### 4. Test Through Cloudflare
```bash
# Test RPC via Cloudflare
curl -X POST https://rpc.yourdomain.com \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# Test Solace via Cloudflare
curl -I https://solace.yourdomain.com
# Test webmail via Cloudflare (if configured)
curl -I https://webmail.yourdomain.com
```
---
## Security Recommendations
### Mail Server
1. **MX Records**: Use DNS-only (gray cloud) for the MX records and for the A record they point at
2. **SPF Records**: Publish one TXT record per sending domain and list only hosts that really send mail for it (the `include:_spf.google.com` seen in many templates belongs only if Google Workspace also sends for the domain). Use `~all` while validating, then move to `-all`.
```
Type: TXT
Name: @
Content: v=spf1 ip4:<mail-server-public-ip> -all
```
3. **DKIM**: Sign outbound mail (OpenDKIM or rspamd, for example) and publish the selector's public key
```
Type: TXT
Name: <selector>._domainkey
Content: v=DKIM1; k=rsa; p=<base64-public-key>
```
4. **DMARC**: Publish a policy and collect aggregate reports
```
Type: TXT
Name: _dmarc
Content: v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com
```
5. **Firewall**: Port 25 must accept connections from any MTA, since that is how inbound mail arrives; 587/993/995 serve your users; 110/143 should be closed or forced to STARTTLS. Nothing else on the container should be reachable from the internet.
### RPC Node
1. **Rate Limiting**: Configure in Cloudflare
2. **DDoS Protection**: Enabled by default with proxy, provided 8545/8546 are not also reachable directly
3. **Access Logging**: Monitor access patterns (Cloudflare analytics plus the Besu RPC logs on the container)
4. **API Keys**: Implement application-level authentication if the endpoint is not meant to be anonymous
5. **Besu flags**: `--host-allowlist` must include the public hostnames and `--rpc-http-api`/`--rpc-ws-api` must stay limited to ETH,NET,WEB3 (see Service 2 Security Considerations)
6. **CORS**: Configure `--rpc-http-cors-origins` if browser apps call the endpoint
### Solace Frontend
1. **Cloudflare Access**: Add access policies if needed
2. **SSL/TLS**: Ensure Cloudflare SSL is enabled
3. **WAF Rules**: Configure Web Application Firewall rules
4. **Rate Limiting**: Protect against abuse
5. **Monitoring**: Set up alerts for unusual traffic
---
## Troubleshooting
### Mail Server Issues
**Problem**: Mail not being received
**Solutions:**
- Verify the MX records and that `mail.yourdomain.com` resolves to the server's public IP and not to a Cloudflare address (a proxied A record is the classic failure: `dig +short mail.yourdomain.com`)
- Check the mail server is reachable on port 25 from outside the network (`nc -vz <public-ip> 25` from an external host)
- Verify SPF/DKIM/DMARC records
- Check the mail server logs (`journalctl -u postfix`, or the equivalent for the MTA in use)
- Ensure the firewall and any router DNAT allow port 25 from any source
### RPC Node Issues
**Problem**: RPC requests failing
**Solutions:**
- Verify the container is running: `pct status 2502`
- Test direct access with a real request (a plain GET tells you little): `curl -s -X POST http://192.168.11.252:8545 -H 'Content-Type: application/json' -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'`
- Check tunnel status in the Cloudflare dashboard and the connector logs (`journalctl -u cloudflared` on the host running cloudflared)
- Verify the DNS record is proxied (orange cloud); a DNS-only CNAME to `cfargotunnel.com` does not work
- If the origin answers 403 through the tunnel but works directly, the public hostname is missing from Besu's `--host-allowlist`
- Check Cloudflare logs for errors
### Solace Frontend Issues
**Problem**: Frontend not loading
**Solutions:**
- Verify container is running
- Check container IP and port
- Test direct access to container
- Verify tunnel configuration
- Check DNS resolution
- Review Cloudflare logs
---
## Next Steps
1. **Identify Solace Container:**
- Determine exact VMID for Solace frontend
- Get container IP address
- Identify service port
2. **Configure Mail Server:**
- Determine mail server IP
- Set up MX records for all domains
- Configure SPF/DKIM/DMARC
- Set up webmail tunnel (if applicable)
3. **Deploy Configurations:**
- Create DNS records in Cloudflare
- Configure tunnel ingress rules
- Test each service
- Document final configuration
---
## Related Documentation
- **[CLOUDFLARE_DNS_TO_CONTAINERS.md](CLOUDFLARE_DNS_TO_CONTAINERS.md)** - General DNS mapping guide
- **[CLOUDFLARE_ZERO_TRUST_GUIDE.md](CLOUDFLARE_ZERO_TRUST_GUIDE.md)** - Cloudflare Zero Trust setup
- **[DEPLOYMENT_STATUS_CONSOLIDATED.md](../../03-deployment/DEPLOYMENT_STATUS_CONSOLIDATED.md)** - Current container inventory
---
**Document Status:** Active
**Maintained By:** Infrastructure Team
**Last Updated:** 2025-01-20
**Next Update:** After Solace container details are confirmed