proxmox/docs/05-network/CLOUDFLARE_NGINX_INTEGRATION.md
defiQUG cb47cce074 Complete markdown files cleanup and organization
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
2026-01-06 01:46:25 -08:00


# Cloudflare and Nginx Integration
**Last Updated:** 2025-01-20

**Document Version:** 1.0

**Status:** Active Documentation
---
## Overview
Integration of Cloudflare (via cloudflared tunnel on VMID 102) with nginx-proxy-manager (VMID 105) for routing to RPC nodes.
---
## Architecture
```
Internet → Cloudflare → cloudflared (VMID 102) → nginx-proxy-manager (VMID 105) → RPC Nodes (2500-2502)
```
### Components
1. **Cloudflare** - Global CDN, DDoS protection, SSL termination
2. **cloudflared (VMID 102)** - Cloudflare tunnel client
3. **nginx-proxy-manager (VMID 105)** - Reverse proxy and routing
4. **RPC Nodes (2500-2502)** - Besu RPC endpoints
---
## VMID 102: cloudflared
**Status**: Existing container (running)
**Purpose**: Cloudflare tunnel client
**Configuration**: Routes Cloudflare traffic to nginx-proxy-manager
### Configuration Requirements
The cloudflared tunnel should be configured to route to nginx-proxy-manager (VMID 105):
```yaml
# Example cloudflared config (config.yml)
tunnel: <your-tunnel-id>
credentials-file: /etc/cloudflared/credentials.json
ingress:
  # RPC Core
  - hostname: rpc-core.yourdomain.com
    service: http://192.168.11.105:80 # nginx-proxy-manager
  # RPC Permissioned
  - hostname: rpc-perm.yourdomain.com
    service: http://192.168.11.105:80 # nginx-proxy-manager
  # RPC Public
  - hostname: rpc.yourdomain.com
    service: http://192.168.11.105:80 # nginx-proxy-manager
  # Catch-all (required: cloudflared rejects a config whose last rule is not a catch-all)
  - service: http_status:404
```
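cloudflared evaluates ingress rules top to bottom and uses the first match, so the order of the rules above is part of the security posture: a catch-all placed anywhere but last silently shadows the rules after it, and any hostname with no rule must land on `http_status:404` rather than on nginx-proxy-manager. The following script is an added example, not part of this project or of cloudflared; it models that first-match behaviour so a rule list can be checked offline before the tunnel is restarted. The hostnames, the `192.168.11.105:80` address and the catch-all come from the config above; the `NPM_DOMAINS` list mirrors the domain names configured on the proxy hosts in the next section, and the wildcard matching is an approximation of cloudflared's (one `*` per pattern).

```python
"""Offline check of cloudflared ingress rule order and coverage (added example)."""
from fnmatch import fnmatchcase

NPM_SERVICE = "http://192.168.11.105:80"
CATCH_ALL = "http_status:404"

# Constructed to mirror the ingress section of the config.yml above.
INGRESS = [
    {"hostname": "rpc-core.yourdomain.com", "service": NPM_SERVICE},
    {"hostname": "rpc-perm.yourdomain.com", "service": NPM_SERVICE},
    {"hostname": "rpc.yourdomain.com", "service": NPM_SERVICE},
    {"service": CATCH_ALL},  # catch-all: no hostname key, must be last
]

# Domain names configured on the nginx-proxy-manager proxy hosts (from this document).
NPM_DOMAINS = [
    "rpc-core.yourdomain.com",
    "rpc-perm.yourdomain.com",
    "rpc.yourdomain.com",
    "rpc-public.yourdomain.com",
]


def match_ingress(rules, hostname):
    """Return the service of the first rule that matches `hostname`.

    A rule without a hostname matches everything (cloudflared's catch-all
    semantics). Matching is case-insensitive; '*' is an approximation of
    cloudflared's wildcard label.
    """
    for rule in rules:
        pattern = rule.get("hostname")
        if pattern is None or fnmatchcase(hostname.lower(), pattern.lower()):
            return rule["service"]
    raise LookupError(f"no ingress rule matched {hostname!r} and no catch-all present")


def validate_ingress(rules, npm_service=NPM_SERVICE):
    """Return a list of problems; an empty list means the rule order is sane."""
    problems = []
    if not rules:
        return ["ingress list is empty"]
    for i, rule in enumerate(rules):
        is_last = i == len(rules) - 1
        if "hostname" not in rule and not is_last:
            problems.append(f"rule {i} has no hostname but is not last; it shadows every later rule")
        if "hostname" in rule and rule["service"] != npm_service:
            problems.append(f"rule {i} ({rule['hostname']}) does not route to nginx-proxy-manager: {rule['service']}")
    last = rules[-1]
    if "hostname" in last or last["service"] != CATCH_ALL:
        problems.append("last rule must be the http_status:404 catch-all (cloudflared rejects the config otherwise)")
    return problems


def uncovered_hosts(rules, hostnames):
    """Hostnames served by nginx-proxy-manager that the tunnel would never forward."""
    uncovered = []
    for host in hostnames:
        try:
            if match_ingress(rules, host) == CATCH_ALL:
                uncovered.append(host)
        except LookupError:
            uncovered.append(host)
    return uncovered


if __name__ == "__main__":
    print("problems:", validate_ingress(INGRESS) or "none")
    print("NPM domains not routed by the tunnel:", uncovered_hosts(INGRESS, NPM_DOMAINS))
    for host in ("rpc-core.yourdomain.com", "admin.yourdomain.com"):
        print(host, "->", match_ingress(INGRESS, host))
```

Run against the rules above, the coverage check reports `rpc-public.yourdomain.com`: it is listed on the Public RPC proxy host below but has no ingress rule, so a request for it would hit the 404 catch-all at cloudflared and never reach nginx-proxy-manager.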
---
## VMID 105: nginx-proxy-manager
**Status**: Existing container (running)
**Purpose**: Reverse proxy and routing to RPC nodes
### Proxy Host Configuration
Configure separate proxy hosts for each RPC type:
#### 1. Core RPC Proxy
- **Domain Names**: `rpc-core.yourdomain.com`
- **Scheme**: `http`
- **Forward Hostname/IP**: `192.168.11.250`
- **Forward Port**: `8545`
- **Websockets**: Enabled (for WS-RPC on port 8546)
- **SSL**: Handle at Cloudflare level (or configure SSL here)
- **Access**: Restrict to internal network if needed
#### 2. Permissioned RPC Proxy
- **Domain Names**: `rpc-perm.yourdomain.com`
- **Scheme**: `http`
- **Forward Hostname/IP**: `192.168.11.251`
- **Forward Port**: `8545`
- **Websockets**: Enabled
- **SSL**: Handle at Cloudflare level
- **Access**: Configure authentication/authorization
#### 3. Public RPC Proxy
- **Domain Names**: `rpc.yourdomain.com`, `rpc-public.yourdomain.com`
- **Scheme**: `http`
- **Forward Hostname/IP**: `192.168.11.252`
- **Forward Port**: `8545`
- **Websockets**: Enabled
- **SSL**: Handle at Cloudflare level
- **Cache Assets**: Disabled (RPC responses shouldn't be cached)
- **Block Common Exploits**: Enabled
- **Rate Limiting**: Configure as needed
---
## Network Flow
### Request Flow
1. **Client** makes request to `rpc.yourdomain.com`
2. **Cloudflare** handles DNS, DDoS protection, SSL termination
3. **cloudflared (VMID 102)** receives request via Cloudflare tunnel
4. **nginx-proxy-manager (VMID 105)** receives request from cloudflared
5. **nginx-proxy-manager** routes based on domain to the appropriate RPC node:
   - `rpc-core.*` → 192.168.11.250:8545 (Core RPC)
   - `rpc-perm.*` → 192.168.11.251:8545 (Permissioned RPC)
   - `rpc.*` → 192.168.11.252:8545 (Public RPC)
6. **RPC Node** processes request and returns response
### Response Flow (Reverse)
1. **RPC Node** returns response
2. **nginx-proxy-manager** forwards response
3. **cloudflared** forwards to Cloudflare tunnel
4. **Cloudflare** delivers to client
---
## Benefits
1. **DDoS Protection**: Cloudflare provides robust DDoS mitigation
2. **Global CDN**: Faster response times worldwide
3. **SSL/TLS**: Automatic SSL certificate management via Cloudflare
4. **Rate Limiting**: Cloudflare rate limiting + nginx-proxy-manager controls
5. **Centralized Routing**: Single point (nginx-proxy-manager) to manage routing logic
6. **Type-Based Routing**: Clear separation of RPC node types
7. **Security**: Validators remain behind firewall, only RPC nodes exposed
---
## Configuration Checklist
### Cloudflare (Cloudflare Dashboard)
- [ ] Create Cloudflare tunnel
- [ ] Configure DNS records (CNAME) for each RPC type:
    - `rpc-core.yourdomain.com` → tunnel
    - `rpc-perm.yourdomain.com` → tunnel
    - `rpc.yourdomain.com` → tunnel
- [ ] Enable SSL/TLS (Full or Full (strict))
- [ ] Configure DDoS protection rules
- [ ] Set up rate limiting rules (optional)
- [ ] Configure WAF rules (optional)
### cloudflared (VMID 102)
- [ ] Install/configure cloudflared
- [ ] Set up tunnel configuration
- [ ] Configure ingress rules to route to nginx-proxy-manager (192.168.11.105:80)
- [ ] Test tunnel connectivity
- [ ] Enable/start cloudflared service
### nginx-proxy-manager (VMID 105)
- [ ] Access web UI (typically port 81)
- [ ] Create proxy host for Core RPC (rpc-core.* → 192.168.11.250:8545)
- [ ] Create proxy host for Permissioned RPC (rpc-perm.* → 192.168.11.251:8545)
- [ ] Create proxy host for Public RPC (rpc.* → 192.168.11.252:8545)
- [ ] Enable WebSocket support for all proxy hosts
- [ ] Configure access control/authentication for Permissioned RPC
- [ ] Configure rate limiting for Public RPC (optional)
- [ ] Test routing to each RPC node
### RPC Nodes (2500-2502)
- [ ] Ensure RPC nodes are running and accessible
- [ ] Verify RPC endpoints respond on ports 8545/8546
- [ ] Test direct access to each RPC node
- [ ] Verify correct config files are deployed:
    - 2500: `config-rpc-core.toml`
    - 2501: `config-rpc-perm.toml`
    - 2502: `config-rpc-public.toml`
---
## Testing
### Test Direct RPC Access
```bash
# Test Core RPC
curl -X POST http://192.168.11.250:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test Permissioned RPC
curl -X POST http://192.168.11.251:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test Public RPC
curl -X POST http://192.168.11.252:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
```
### Test Through nginx-proxy-manager
```bash
# Test Core RPC via nginx-proxy-manager.
# Routing is by Host header, not by path, so the request goes to "/"
# (a path such as /rpc-core would be forwarded to Besu unchanged).
curl -X POST http://192.168.11.105/ \
  -H "Host: rpc-core.yourdomain.com" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
```
### Test Through Cloudflare
```bash
# Test Public RPC via Cloudflare
curl -X POST https://rpc.yourdomain.com \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
```
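The three curl tests above only show that something answered; through a proxy chain the interesting failures are a 502 page from nginx-proxy-manager when Besu is down, an HTML error page instead of JSON, or a JSON-RPC error object that still arrives with HTTP 200. The script below is an added example (not part of this project) that sends the same `eth_blockNumber` request at each hop and validates the reply shape instead of eyeballing it. The addresses and hostnames are those used in this document; the transport is injectable so the parsing can be exercised without a network.

```python
"""Probe the RPC path hop by hop and validate JSON-RPC replies (added example)."""
import json
import urllib.request

REQUEST = {"jsonrpc": "2.0", "method": "eth_blockNumber", "params": [], "id": 1}


class ProbeError(Exception):
    """Raised when a hop does not return a usable eth_blockNumber result."""


def http_post(url, body, headers, timeout=5.0):
    """Default transport: POST `body` to `url`, return (status, raw body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read()


def parse_block_number(status, body):
    """Turn a raw reply into an int block height or raise ProbeError.

    Failure modes handled: non-200 status (e.g. 502 from the proxy when the
    upstream is down), a non-JSON body (proxy error page), a JSON-RPC error
    object, a reply whose id does not match the request, and a result that
    is not a 0x-prefixed hex string.
    """
    if status != 200:
        raise ProbeError(f"HTTP {status}")
    try:
        msg = json.loads(body)
    except ValueError:
        raise ProbeError("non-JSON body (proxy error page?)") from None
    if not isinstance(msg, dict) or msg.get("id") != REQUEST["id"]:
        raise ProbeError("reply id does not match request id")
    if "error" in msg:
        err = msg["error"] if isinstance(msg["error"], dict) else {}
        raise ProbeError(f"JSON-RPC error {err.get('code')}: {err.get('message')}")
    result = msg.get("result")
    if not isinstance(result, str) or not result.startswith("0x"):
        raise ProbeError(f"unexpected result: {result!r}")
    return int(result, 16)


def probe(url, host_header=None, send=http_post):
    """Send eth_blockNumber to `url`; `host_header` selects the NPM proxy host."""
    headers = {"Content-Type": "application/json"}
    if host_header:
        headers["Host"] = host_header
    status, body = send(url, json.dumps(REQUEST).encode(), headers)
    return parse_block_number(status, body)


if __name__ == "__main__":
    # Direct to Besu, through nginx-proxy-manager (Host header routing),
    # and through Cloudflare, matching the three curl tests in this section.
    hops = [
        ("http://192.168.11.250:8545", None),
        ("http://192.168.11.105/", "rpc-core.yourdomain.com"),
        ("https://rpc.yourdomain.com", None),
    ]
    for url, host in hops:
        try:
            print(f"{url} {host or ''}: block {probe(url, host)}")
        except (ProbeError, OSError) as exc:
            print(f"{url} {host or ''}: FAILED ({exc})")
```

A block number that differs wildly between hops, or a reply that validates directly but fails through nginx-proxy-manager, points at the proxy host configuration rather than at Besu.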
---
## Security Considerations
1. **SSL/TLS**: Cloudflare handles SSL termination (Full mode recommended)
2. **Access Control**:
- Core RPC: Restrict to internal network IPs
- Permissioned RPC: Require authentication/authorization
- Public RPC: Rate limiting and DDoS protection
3. **Firewall Rules**: Ensure only necessary ports are exposed
4. **Rate Limiting**: Configure at both Cloudflare and nginx-proxy-manager levels
5. **WAF**: Enable Cloudflare WAF for additional protection
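One check that makes the access-control items above verifiable is to read the policy back out of the proxy logs: Core RPC should only ever be reached from the internal network, and a single source hammering the Public RPC host is what the rate limits exist to stop. Behind the tunnel, nginx-proxy-manager sees cloudflared's address as the client, so the real source must be taken from the `CF-Connecting-IP` header that Cloudflare adds; any IP-based allow list that looks only at the socket peer address will see the tunnel container, not the user. The script below is an added example, not part of this project: it parses a constructed log format (peer address, `CF-Connecting-IP`, time, request, status, host) and reports both violations. The hostnames match this document; the `192.168.11.0/24` internal range and the per-minute budget are assumptions chosen for the sample.

```python
"""Flag RPC requests that violate the access policy in this document (added example)."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Assumptions: the internal network the Core RPC host is restricted to,
# and a deliberately low per-minute budget so the sample below trips it.
INTERNAL_NETS = [ipaddress.ip_network("192.168.11.0/24")]
CORE_HOST = "rpc-core.yourdomain.com"
PUBLIC_HOSTS = {"rpc.yourdomain.com", "rpc-public.yourdomain.com"}
PUBLIC_BUDGET_PER_MINUTE = 3

# Constructed log format (not nginx-proxy-manager's own):
#   <peer-ip> <CF-Connecting-IP or -> [<time>] "<method> <path> <proto>" <status> <host>
LINE_RE = re.compile(
    r'^(?P<client_ip>\S+) (?P<cf_ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<host>\S+)$'
)

# Constructed sample: 192.168.11.102 stands in for the cloudflared container.
SAMPLE_LOG = """\
192.168.11.102 203.0.113.7 [20/Jan/2025:10:00:01 +0000] "POST / HTTP/1.1" 200 rpc-core.yourdomain.com
192.168.11.50 - [20/Jan/2025:10:00:02 +0000] "POST / HTTP/1.1" 200 rpc-core.yourdomain.com
192.168.11.102 198.51.100.9 [20/Jan/2025:10:00:03 +0000] "POST / HTTP/1.1" 200 rpc.yourdomain.com
192.168.11.102 198.51.100.9 [20/Jan/2025:10:00:04 +0000] "POST / HTTP/1.1" 200 rpc.yourdomain.com
192.168.11.102 198.51.100.9 [20/Jan/2025:10:00:05 +0000] "POST / HTTP/1.1" 200 rpc.yourdomain.com
192.168.11.102 198.51.100.9 [20/Jan/2025:10:00:06 +0000] "POST / HTTP/1.1" 429 rpc.yourdomain.com
192.168.11.102 203.0.113.7 [20/Jan/2025:10:00:07 +0000] "POST / HTTP/1.1" 200 rpc-perm.yourdomain.com
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return a dict with a datetime `ts` and an effective `src` address, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Prefer the Cloudflare-supplied client address; fall back to the peer
    # for requests that did not come through the tunnel.
    candidate = rec["cf_ip"] if rec["cf_ip"] != "-" else rec["client_ip"]
    try:
        rec["src"] = ipaddress.ip_address(candidate)
    except ValueError:
        return None
    return rec


def analyze(lines):
    """Return Core RPC reached from outside and Public RPC sources over budget."""
    core_violations = []
    per_minute = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] == CORE_HOST and not any(rec["src"] in n for n in INTERNAL_NETS):
            core_violations.append((str(rec["src"]), rec["ts"]))
        if rec["host"] in PUBLIC_HOSTS:
            # Count attempts regardless of status: a 429 is still load.
            per_minute[(str(rec["src"]), rec["ts"].replace(second=0))] += 1
    bursts = {}
    for (src, _minute), count in per_minute.items():
        if count > PUBLIC_BUDGET_PER_MINUTE:
            bursts[src] = max(count, bursts.get(src, 0))
    return {"core_violations": core_violations, "public_bursts": bursts}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for src, ts in report["core_violations"]:
        print(f"core RPC reached from external address {src} at {ts.isoformat()}")
    for src, count in report["public_bursts"].items():
        print(f"{src} sent {count} public RPC requests in one minute (budget {PUBLIC_BUDGET_PER_MINUTE})")
```

On the sample, the first line is the finding that matters: a request for the Core RPC host arrived from `203.0.113.7` through the tunnel, which means the Cloudflare ingress rule for `rpc-core` exposes it to the public Internet regardless of what the proxy host's access list says about `192.168.11.0/24`.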
---
## Troubleshooting
### Cloudflare Tunnel Not Connecting
- Check cloudflared service status: `systemctl status cloudflared`
- Verify tunnel configuration: `cloudflared tunnel info <your-tunnel-id>`
- Check Cloudflare dashboard for tunnel status
- Verify network connectivity from VMID 102 to VMID 105
### nginx-proxy-manager Not Routing
- Check proxy host configuration in web UI
- Verify domain names match Cloudflare DNS records
- Check nginx-proxy-manager logs
- Test direct connection to RPC nodes
### RPC Nodes Not Responding
- Check Besu service status: `systemctl status besu-rpc`
- Verify RPC endpoints are enabled in config files
- Check firewall rules on RPC nodes
- Test direct connection from nginx-proxy-manager to RPC nodes
---
## Related Documentation
### Network Documents
- **[CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md](CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md)** ⭐⭐⭐ - Cloudflare tunnel routing
- **[CENTRAL_NGINX_ROUTING_SETUP.md](CENTRAL_NGINX_ROUTING_SETUP.md)** ⭐⭐⭐ - Central Nginx routing
- **[NGINX_ARCHITECTURE_RPC.md](NGINX_ARCHITECTURE_RPC.md)** ⭐⭐ - NGINX architecture for RPC
### Configuration Documents
- **[../04-configuration/cloudflare/CLOUDFLARE_ZERO_TRUST_GUIDE.md](../04-configuration/cloudflare/CLOUDFLARE_ZERO_TRUST_GUIDE.md)** - Cloudflare Zero Trust setup
- **[../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md](../04-configuration/cloudflare/CLOUDFLARE_DNS_TO_CONTAINERS.md)** - DNS mapping to containers
### External References
- [Cloudflare Tunnels](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/) - Official documentation
- [nginx-proxy-manager](https://nginxproxymanager.com/) - Official documentation
---
**Last Updated:** 2025-01-20

**Document Version:** 1.0

**Review Cycle:** Quarterly

- **RPC Node Types**: `docs/RPC_NODE_TYPES_ARCHITECTURE.md`
- **Nginx Architecture**: `docs/NGINX_ARCHITECTURE_RPC.md`