proxmox/docs/05-network/BESU_RPC_CONFIGURATION_FIXED.md
defiQUG cb47cce074 Complete markdown files cleanup and organization
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
2026-01-06 01:46:25 -08:00

Besu RPC Nodes Configuration - Fixed

Last Updated: 2025-01-20
Document Version: 1.0
Status: Active Documentation


Overview

This document describes the corrected configuration for the three Besu RPC nodes (VMIDs 2500, 2501, 2502) in the Proxmox VE deployment.


Node Roles and Requirements

VMID 2500 - Core RPC Node

  • Role: Core/Internal infrastructure
  • Access: NO public access or routing
  • Features: All features enabled (ADMIN, DEBUG, TRACE, TXPOOL, QBFT)
  • Config File: config-rpc-core.toml
  • IP: 192.168.11.250

Key Settings:

  • Discovery DISABLED (no public routing)
  • All APIs enabled: ETH, NET, WEB3, TXPOOL, QBFT, ADMIN, DEBUG, TRACE
  • CORS origins empty (no public access)
  • Node permissioning enabled (only local nodes)
  • Account permissioning disabled (internal use only)

VMID 2501 - Permissioned RPC Node (Prv)

  • Role: Permissioned public access
  • Access: Public permissioned access (requires authentication)
  • Features: Non-Admin features only (no ADMIN, DEBUG, TRACE)
  • Config File: config-rpc-perm.toml
  • IP: 192.168.11.251

Key Settings:

  • Discovery ENABLED (public access)
  • Non-Admin APIs only: ETH, NET, WEB3, TXPOOL, QBFT
  • ADMIN API REMOVED (as required)
  • DEBUG API REMOVED (as required)
  • CORS enabled for public access
  • Account permissioning ENABLED (requires authentication)
  • Node permissioning enabled

VMID 2502 - Public RPC Node (Pub)

  • Role: Public non-authenticated access
  • Access: Public non-auth access
  • Features: Minimal wallet features only
  • Config File: config-rpc-public.toml
  • IP: 192.168.11.252

Key Settings:

  • Discovery ENABLED (public access)
  • Minimal APIs only: ETH, NET, WEB3 (read-only)
  • WebSocket DISABLED (HTTP only)
  • CORS enabled for public access
  • Account permissioning disabled (public non-auth)
  • Node permissioning enabled

Configuration Changes Made

1. Fixed config-rpc-core.toml (VMID 2500)

  • Removed ADMIN from permissioned config - ADMIN should only be in Core
  • Disabled discovery - Changed from true to false (no public routing)
  • Removed CORS origins - Changed from ["*"] to [] (no public access)
  • Fixed paths - Updated to use /data/besu, /genesis/, /permissions/
  • Removed deprecated options - Removed log-destination, max-remote-initiated-connections, accounts-enabled, database-path, trie-logs-enabled

2. Fixed config-rpc-perm.toml (VMID 2501)

  • Removed ADMIN API - Changed from ["ETH","NET","WEB3","TXPOOL","QBFT","ADMIN"] to ["ETH","NET","WEB3","TXPOOL","QBFT"]
  • Removed DEBUG API - Not included (non-Admin features only)
  • Account permissions enabled - permissions-accounts-config-file-enabled=true (for permissioned access)
  • Fixed paths - Updated to use /data/besu, /genesis/, /permissions/
  • Removed deprecated options - Same cleanup as Core config

3. Fixed config-rpc-public.toml (VMID 2502)

  • Minimal APIs confirmed - Only ETH, NET, WEB3 (correct)
  • WebSocket disabled - Already correct
  • Account permissions disabled - Correct for public non-auth
  • Fixed paths - Updated to use /data/besu, /genesis/, /permissions/
  • Removed deprecated options - Same cleanup as other configs

Deployment

Automated Deployment Script

A new script has been created to deploy and verify the configurations:

cd /home/intlc/projects/proxmox
./scripts/configure-besu-rpc-nodes.sh

This script will:

  1. Check container status and start if needed
  2. Copy correct config file to each RPC node
  3. Update systemd service files
  4. Verify configuration matches requirements
  5. Restart services
  6. Check if 2501 and 2502 are reversed

Manual Deployment

If you prefer to deploy manually:

# For VMID 2500 (Core)
pct push 2500 smom-dbis-138/config/config-rpc-core.toml /etc/besu/config-rpc-core.toml
pct exec 2500 -- chown besu:besu /etc/besu/config-rpc-core.toml
pct exec 2500 -- systemctl restart besu-rpc.service

# For VMID 2501 (Permissioned)
pct push 2501 smom-dbis-138/config/config-rpc-perm.toml /etc/besu/config-rpc-perm.toml
pct exec 2501 -- chown besu:besu /etc/besu/config-rpc-perm.toml
pct exec 2501 -- systemctl restart besu-rpc.service

# For VMID 2502 (Public)
pct push 2502 smom-dbis-138/config/config-rpc-public.toml /etc/besu/config-rpc-public.toml
pct exec 2502 -- chown besu:besu /etc/besu/config-rpc-public.toml
pct exec 2502 -- systemctl restart besu-rpc.service

Verification

Check Configuration Files

# Verify Core RPC (2500)
pct exec 2500 -- grep "discovery-enabled" /etc/besu/config-rpc-core.toml
# Should show: discovery-enabled=false

pct exec 2500 -- grep "rpc-http-api" /etc/besu/config-rpc-core.toml
# Should include: ADMIN, DEBUG, TRACE

# Verify Permissioned RPC (2501)
pct exec 2501 -- grep "rpc-http-api" /etc/besu/config-rpc-perm.toml
# Should NOT include: ADMIN or DEBUG
# Should include: ETH, NET, WEB3, TXPOOL, QBFT

pct exec 2501 -- grep "permissions-accounts-config-file-enabled" /etc/besu/config-rpc-perm.toml
# Should show: permissions-accounts-config-file-enabled=true

# Verify Public RPC (2502)
pct exec 2502 -- grep "rpc-http-api" /etc/besu/config-rpc-public.toml
# Should only include: ETH, NET, WEB3

pct exec 2502 -- grep "rpc-ws-enabled" /etc/besu/config-rpc-public.toml
# Should show: rpc-ws-enabled=false
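
The grep checks above look only at rpc-http-api and at one exact key=value spelling. The shell function below is an added example, not the project's configure-besu-rpc-nodes.sh: it audits a config file against the role requirements listed in this document and goes one step further by also checking rpc-ws-api. The function names and the sample file are constructed for illustration.

```shell
# Added example, not the project's configure-besu-rpc-nodes.sh.
# Assumes single-line TOML arrays, as in the values quoted in this document.

# Raw value of a top-level key; tolerates spaces around "=" and trailing comments.
toml_get() {  # $1=key $2=file
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        head -n 1 | sed 's/#.*//' | tr -d ' \t\r'
}

# Report a key whose value differs from what the role requires (unset counts).
expect() {  # $1=role $2=key $3=wanted $4=file
    got=$(toml_get "$2" "$4")
    [ "$got" = "$3" ] && return 0
    echo "$1: $2 is '${got:-unset}', expected $3"
    return 1
}

# Print violations; return 0 if the file matches the role, 1 if not, 2 on bad role.
audit_besu_role() {  # $1=core|perm|public $2=config file
    role=$1; file=$2; fail=0
    case $role in
        core)   allowed="ETH NET WEB3 TXPOOL QBFT ADMIN DEBUG TRACE"
                expect core discovery-enabled false "$file" || fail=1
                expect core rpc-http-cors-origins '[]' "$file" || fail=1 ;;
        perm)   allowed="ETH NET WEB3 TXPOOL QBFT"
                expect perm permissions-accounts-config-file-enabled true "$file" || fail=1 ;;
        public) allowed="ETH NET WEB3"
                expect public rpc-ws-enabled false "$file" || fail=1 ;;
        *)      echo "unknown role: $role"; return 2 ;;
    esac
    # Both transports are checked: an API dropped from HTTP may remain on WebSocket.
    for key in rpc-http-api rpc-ws-api; do
        for api in $(toml_get "$key" "$file" | sed 's/[]["]//g' |
                     tr ',' ' ' | tr 'a-z' 'A-Z'); do
            case " $allowed " in
                *" $api "*) ;;
                *) echo "$role: $key exposes $api"; fail=1 ;;
            esac
        done
    done
    return $fail
}

# Constructed sample: a permissioned config that still lists ADMIN on WebSocket.
sample=$(mktemp)
printf '%s\n' 'rpc-http-api=["ETH","NET","WEB3","TXPOOL","QBFT"]' \
    'rpc-ws-api = ["ETH", "ADMIN"]' \
    'permissions-accounts-config-file-enabled=true' > "$sample"
audit_besu_role perm "$sample" || echo "config does not match the perm role"
```

Auditing the 2502 file as role perm, or the 2501 file as role public, fails, which is one way to catch the two configurations having been swapped.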

Check Service Status

pct exec 2500 -- systemctl status besu-rpc.service
pct exec 2501 -- systemctl status besu-rpc.service
pct exec 2502 -- systemctl status besu-rpc.service

Test RPC Endpoints

# Test Core RPC (should work from internal network)
curl -X POST http://192.168.11.250:8545 \
  -H 'Content-Type: application/json' \
  --data '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test Permissioned RPC (should work with authentication)
curl -X POST http://192.168.11.251:8545 \
  -H 'Content-Type: application/json' \
  --data '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test Public RPC (should work without authentication)
curl -X POST http://192.168.11.252:8545 \
  -H 'Content-Type: application/json' \
  --data '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

API Comparison

API      Core (2500)   Permissioned (2501)   Public (2502)
ETH      Yes           Yes                   Yes
NET      Yes           Yes                   Yes
WEB3     Yes           Yes                   Yes
TXPOOL   Yes           Yes                   No
QBFT     Yes           Yes                   No
ADMIN    Yes           No                    No
DEBUG    Yes           No                    No
TRACE    Yes           No                    No

Security Considerations

VMID 2500 (Core)

  • Firewall: Should block external access to port 8545/8546
  • Discovery: Disabled (no public routing)
  • CORS: Empty (no cross-origin access)
  • Use Case: Internal infrastructure, monitoring, administrative operations

VMID 2501 (Permissioned)

  • Authentication: Account permissioning enabled (requires allowlist)
  • Discovery: Enabled (public access)
  • CORS: Enabled (public access)
  • Use Case: Enterprise/private applications with authentication

VMID 2502 (Public)

  • Authentication: None (public non-auth)
  • Discovery: Enabled (public access)
  • CORS: Enabled (public access)
  • APIs: Minimal (read-only wallet features)
  • Use Case: Public dApps, wallets, blockchain explorers

Files Modified

  1. smom-dbis-138/config/config-rpc-core.toml - Fixed for Core RPC
  2. smom-dbis-138/config/config-rpc-perm.toml - Fixed for Permissioned RPC
  3. smom-dbis-138/config/config-rpc-public.toml - Fixed for Public RPC
  4. scripts/configure-besu-rpc-nodes.sh - New deployment script

Next Steps

  1. Deploy configurations using the automated script:

    ./scripts/configure-besu-rpc-nodes.sh
    
  2. Verify services are running correctly

  3. Test RPC endpoints from appropriate networks

  4. Configure firewall rules to ensure:

    • VMID 2500 is only accessible from the internal network
    • VMID 2501 and 2502 are accessible from public networks (if needed)

  5. Monitor logs for any configuration errors:

    pct exec 2500 -- journalctl -u besu-rpc.service -f
    pct exec 2501 -- journalctl -u besu-rpc.service -f
    pct exec 2502 -- journalctl -u besu-rpc.service -f
    

Summary

All configurations have been fixed and are ready for deployment:

  • 2500 (Core): No public access, all features enabled
  • 2501 (Permissioned): Public permissioned access, non-Admin features only
  • 2502 (Public): Public non-auth access, minimal wallet features

The configurations now correctly match the requirements for each node type.