DNS Conflict Resolution Plan
Critical Issue Summary
Problem: 9 hostnames pointing to the same Cloudflare tunnel (10ab22da-8ea3-4e2e-a896-27ece2211a05) without proper ingress rules.
Impact: Services failing, routing conflicts, difficult troubleshooting.
Root Cause Analysis
DNS Zone File Shows:
9 hostnames → 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com
Current Tunnel Status
- Tunnel ID: 10ab22da-8ea3-4e2e-a896-27ece2211a05
- Status: ⚠️ DOWN (needs configuration)
- Location: Should be in VMID 102 on r630-02
- Target: Should route to central Nginx at 192.168.11.21:80
Affected Services
| Hostname | Service | Expected Target |
|---|---|---|
| dbis-admin.d-bis.org | Admin UI | http://192.168.11.21:80 |
| dbis-api.d-bis.org | API v1 | http://192.168.11.21:80 |
| dbis-api-2.d-bis.org | API v2 | http://192.168.11.21:80 |
| mim4u.org.d-bis.org | MIM4U Site | http://192.168.11.21:80 |
| www.mim4u.org.d-bis.org | MIM4U WWW | http://192.168.11.21:80 |
| rpc-http-prv.d-bis.org | Private HTTP RPC | http://192.168.11.21:80 |
| rpc-http-pub.d-bis.org | Public HTTP RPC | http://192.168.11.21:80 |
| rpc-ws-prv.d-bis.org | Private WS RPC | http://192.168.11.21:80 |
| rpc-ws-pub.d-bis.org | Public WS RPC | http://192.168.11.21:80 |
Resolution Steps
Step 1: Verify Tunnel Configuration Location
The credentials file written by `cloudflared tunnel create` is normally named after the tunnel ID, but this plan expects it at `/etc/cloudflared/credentials-services.json`, so grep the file contents (the credentials JSON carries the `TunnelID`, an existing config names it under `tunnel:`) rather than only the file names:

```bash
# List the cloudflared directory in CT 102 and find every file that references this tunnel
ssh root@192.168.11.12 "pct exec 102 -- sh -c 'ls -la /etc/cloudflared/; grep -l 10ab22da /etc/cloudflared/*.json /etc/cloudflared/*.yml 2>/dev/null'"
```

If nothing matches, the credentials file has to be recovered or the tunnel re-created before Step 2; cloudflared cannot connect without it.
Step 2: Create/Update Tunnel Configuration
The tunnel needs a complete ingress configuration. cloudflared evaluates the rules top to bottom and sends any request whose hostname matches no rule to the catch-all, so every CNAME that points at this tunnel must have its own entry and the catch-all must stay last. The `httpHostHeader` entries pin the Host header that Nginx uses for virtual-host selection (cloudflared forwards the incoming Host header by default, so they are a safeguard rather than a requirement). WebSocket upgrades on the `rpc-ws-*` hostnames are proxied over a plain `http://` service with no extra settings. Keep `metrics` bound to 127.0.0.1 so the metrics endpoint is not reachable from the container's LAN interface.
File: /etc/cloudflared/tunnel-services.yml (in VMID 102)

```yaml
tunnel: 10ab22da-8ea3-4e2e-a896-27ece2211a05
credentials-file: /etc/cloudflared/credentials-services.json

ingress:
  # Admin Interface
  - hostname: dbis-admin.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: dbis-admin.d-bis.org

  # API Endpoints
  - hostname: dbis-api.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: dbis-api.d-bis.org
  - hostname: dbis-api-2.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: dbis-api-2.d-bis.org

  # MIM4U Services
  - hostname: mim4u.org.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: mim4u.org.d-bis.org
  - hostname: www.mim4u.org.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: www.mim4u.org.d-bis.org

  # RPC Endpoints - HTTP
  - hostname: rpc-http-prv.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: rpc-http-prv.d-bis.org
  - hostname: rpc-http-pub.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: rpc-http-pub.d-bis.org

  # RPC Endpoints - WebSocket
  - hostname: rpc-ws-prv.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: rpc-ws-prv.d-bis.org
  - hostname: rpc-ws-pub.d-bis.org
    service: http://192.168.11.21:80
    originRequest:
      httpHostHeader: rpc-ws-pub.d-bis.org

  # Catch-all (MUST be last)
  - service: http_status:404

# Metrics (loopback only)
metrics: 127.0.0.1:9090

# Logging
loglevel: info

# Grace period for in-flight requests on shutdown
gracePeriod: 30s
```

Validate the file before starting anything: `cloudflared --config /etc/cloudflared/tunnel-services.yml tunnel ingress validate` checks the rule syntax and ordering, and `cloudflared --config /etc/cloudflared/tunnel-services.yml tunnel ingress rule https://dbis-api.d-bis.org` prints the rule a given URL would match, which is the quickest way to prove a hostname is not falling through to the 404 catch-all.
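Before touching the container it is worth reconciling the ingress file against the zone export mechanically rather than by eye. The script below is an added example, not part of this plan or of cloudflared: it reads a Cloudflare BIND-format zone export and an ingress YAML, lists hostnames that are CNAMEd to this tunnel but have no rule (they would get the 404 catch-all, which is exactly the failure described above), lists rules with no DNS record behind them, and checks that the catch-all is last. The zone excerpt, the `legacy.d-bis.org` rule, the `mail` A record and its 203.0.113.10 address are constructed sample data; the tunnel ID, origin and the remaining hostnames are the ones in this plan.

```shell
#!/usr/bin/env sh
# Added example (not from the original plan): reconcile a Cloudflare zone export
# against a cloudflared ingress file. A hostname that is CNAMEd to the tunnel but
# has no "- hostname:" rule falls through to the http_status:404 catch-all.
# The sample zone and configs below are constructed; only the tunnel ID, origin
# and some hostnames come from the plan.
set -eu

TUNNEL_TARGET="10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com"

# Hostnames whose CNAME points at this tunnel. Cloudflare's BIND export writes
# proxied records as five fields:  name.  1  IN  CNAME  target.
zone_tunnel_hosts() {
  awk -v t="${TUNNEL_TARGET}." \
    '$4 == "CNAME" && $5 == t { sub(/\.$/, "", $1); print $1 }' "$1" | sort -u
}

# Hostnames with an explicit ingress rule ("- hostname: name" lines).
ingress_hosts() {
  awk '/^[[:space:]]*-[[:space:]]*hostname:/ { print $NF }' "$1" | sort -u
}

# Read two newline-separated lists split by a "--" line; print lines of the
# second list that are absent from the first (POSIX awk, no process substitution).
not_in_first() {
  awk '$0 == "--" { second = 1; next }
       !second     { seen[$0] = 1; next }
       !($0 in seen)'
}

# DNS names routed to the tunnel that have no rule: requests to them get a 404.
missing_rules() {   # $1 zone export, $2 ingress config
  { ingress_hosts "$2"; echo "--"; zone_tunnel_hosts "$1"; } | not_in_first
}

# Rules whose hostname is not CNAMEd to this tunnel: dead rules or a DNS gap.
dangling_rules() {  # $1 zone export, $2 ingress config
  { zone_tunnel_hosts "$1"; echo "--"; ingress_hosts "$2"; } | not_in_first
}

# cloudflared matches rules top-down, so the hostname-less catch-all must be
# the last rule; exits 0 when it is, 1 when it is missing or misplaced.
catchall_is_last() {
  awk '/^[[:space:]]*-[[:space:]]*(hostname|service):/ { last = $0 }
       END { ok = (last ~ /^[[:space:]]*-[[:space:]]*service:/); exit !ok }' "$1"
}

# --- constructed samples: three tunnel CNAMEs plus one unrelated A record, and
# an ingress file that misses rpc-ws-pub and carries a rule for a name not in DNS.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/zone.txt" <<'EOF'
;; constructed excerpt in Cloudflare export format
dbis-admin.d-bis.org.  1  IN  CNAME  10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com.
dbis-api.d-bis.org.    1  IN  CNAME  10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com.
rpc-ws-pub.d-bis.org.  1  IN  CNAME  10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com.
mail.d-bis.org.        3600  IN  A  203.0.113.10
EOF
cat > "$SAMPLES/config.yml" <<'EOF'
tunnel: 10ab22da-8ea3-4e2e-a896-27ece2211a05
credentials-file: /etc/cloudflared/credentials-services.json
ingress:
  - hostname: dbis-admin.d-bis.org
    service: http://192.168.11.21:80
  - hostname: dbis-api.d-bis.org
    service: http://192.168.11.21:80
  # constructed: a rule with no DNS record behind it
  - hostname: legacy.d-bis.org
    service: http://192.168.11.21:80
  - service: http_status:404
EOF
# Same rules with the catch-all first: every hostname would 404.
cat > "$SAMPLES/bad.yml" <<'EOF'
ingress:
  - service: http_status:404
  - hostname: dbis-admin.d-bis.org
    service: http://192.168.11.21:80
EOF

echo "DNS names with no ingress rule (will 404):"
missing_rules "$SAMPLES/zone.txt" "$SAMPLES/config.yml"
echo "Ingress rules with no CNAME at this tunnel:"
dangling_rules "$SAMPLES/zone.txt" "$SAMPLES/config.yml"
catchall_is_last "$SAMPLES/config.yml" && echo "config.yml: catch-all is last"
catchall_is_last "$SAMPLES/bad.yml" || echo "bad.yml: catch-all missing or not last"
```

For the real zone, export it from the dashboard (DNS → Records → Export), copy `tunnel-services.yml` out of the container, and point `missing_rules` and `dangling_rules` at those two files; an empty "missing" list and a passing catch-all check are the precondition for Step 3.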
Step 3: Create Systemd Service
File: /etc/systemd/system/cloudflared-services.service
This is the same shape as the unit `cloudflared service install` generates. `--no-autoupdate` stops the binary from replacing itself outside your normal update process, and ordering after `network-online.target` avoids a start/fail/restart loop before the container has an address. Before enabling it, make sure `/etc/cloudflared/credentials-services.json` exists and is mode 0600: it contains the tunnel secret.

```ini
[Unit]
Description=Cloudflare Tunnel for Services (RPC, API, Admin, MIM4U)
Wants=network-online.target
After=network-online.target

[Service]
TimeoutStartSec=0
Type=notify
ExecStart=/usr/local/bin/cloudflared --no-autoupdate --config /etc/cloudflared/tunnel-services.yml tunnel run
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
```
Step 4: Verify DNS Records Are Proxied
The TTL of 1 shown in the zone export is not a misconfiguration: Cloudflare encodes Auto TTL as 1, and proxied (orange-cloud) records always use Auto TTL. CNAMEs to `*.cfargotunnel.com` are only served through Cloudflare's proxy, so the TTL must not be changed; confirm the proxy status of each record instead.
In Cloudflare Dashboard:
- Go to DNS → Records
- For each of the 9 CNAME records, confirm the proxy status is Proxied (orange cloud) and the target is exactly `10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com`
- Switch any record that is DNS only (grey cloud) back to Proxied; a DNS-only record exposes the cfargotunnel.com name directly and does not route through the tunnel
Affected Records:
- All 9 CNAME records pointing to 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com
Step 5: Verify Nginx Configuration
Ensure Nginx on 192.168.11.21:80 has a server block for every hostname, plus a default server that refuses requests for any other Host header; without one, Nginx serves the first block in configuration order to unknown names, which hides routing mistakes. Because requests arrive via cloudflared, `$remote_addr` is the tunnel container, not the client; the client address is in the `CF-Connecting-IP` header Cloudflare sets, which is only trustworthy if port 80 on 192.168.11.21 is reachable solely from the tunnel container. The `rpc-ws-*` blocks additionally need `proxy_http_version 1.1;` with the `Upgrade` and `Connection` headers passed through.

```nginx
# Refuse requests that match none of the named hosts (444 closes the connection)
server {
    listen 80 default_server;
    return 444;
}

# Example server block (one per hostname)
server {
    listen 80;
    server_name dbis-admin.d-bis.org;
    location / {
        proxy_pass http://<backend>;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $http_cf_connecting_ip;   # client IP as seen by Cloudflare
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```
Automated Fix Script
Create a script to deploy the fix. It renders the ingress file from the hostname list (so the nine rules cannot drift from the table above), writes the files into the container with `pct push` instead of nested heredocs over ssh, refuses to run without the credentials file, and validates the ingress rules before the service is started:

```bash
#!/usr/bin/env bash
# fix-shared-tunnel.sh
# Renders the ingress config and systemd unit locally, pushes them into CT 102,
# validates the ingress rules, then enables and starts the tunnel service.
set -euo pipefail

PROXMOX_HOST="192.168.11.12"
VMID="102"
TUNNEL_ID="10ab22da-8ea3-4e2e-a896-27ece2211a05"
ORIGIN="http://192.168.11.21:80"
CREDS="/etc/cloudflared/credentials-services.json"
CONFIG="/etc/cloudflared/tunnel-services.yml"
UNIT="/etc/systemd/system/cloudflared-services.service"
HOSTS=(
  dbis-admin.d-bis.org dbis-api.d-bis.org dbis-api-2.d-bis.org
  mim4u.org.d-bis.org www.mim4u.org.d-bis.org
  rpc-http-prv.d-bis.org rpc-http-pub.d-bis.org rpc-ws-prv.d-bis.org rpc-ws-pub.d-bis.org
)

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Run a command inside the container via the Proxmox host.
ct() { ssh "root@${PROXMOX_HOST}" "pct exec ${VMID} -- $*"; }

# Copy a local file into the container at the given path with the given octal mode.
push() {  # $1 local file, $2 destination path in CT, $3 mode
  local tmp="/tmp/$(basename "$1").$$"
  scp -q "$1" "root@${PROXMOX_HOST}:${tmp}"
  ssh "root@${PROXMOX_HOST}" "pct push ${VMID} '${tmp}' '$2' --perms $3 && rm -f '${tmp}'"
}

echo "Fixing shared tunnel configuration..."

# 0. Refuse to continue without the tunnel credentials; cloudflared cannot connect without them.
ct "test -s ${CREDS}" || { echo "ERROR: ${CREDS} not found in CT ${VMID}" >&2; exit 1; }
ct "chmod 600 ${CREDS}"   # the file holds the tunnel secret

# 1. Render the ingress config: one rule per hostname, catch-all last.
{
  echo "tunnel: ${TUNNEL_ID}"
  echo "credentials-file: ${CREDS}"
  echo "ingress:"
  for h in "${HOSTS[@]}"; do
    printf '  - hostname: %s\n    service: %s\n    originRequest:\n      httpHostHeader: %s\n' \
      "$h" "$ORIGIN" "$h"
  done
  echo "  - service: http_status:404"
  echo "metrics: 127.0.0.1:9090"
  echo "loglevel: info"
  echo "gracePeriod: 30s"
} > "${WORK}/tunnel-services.yml"

# 2. Render the systemd unit (same shape as the one 'cloudflared service install' writes).
cat > "${WORK}/cloudflared-services.service" <<EOF
[Unit]
Description=Cloudflare Tunnel for Services (RPC, API, Admin, MIM4U)
Wants=network-online.target
After=network-online.target

[Service]
TimeoutStartSec=0
Type=notify
ExecStart=/usr/local/bin/cloudflared --no-autoupdate --config ${CONFIG} tunnel run
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
EOF

# 3. Install both files and check the ingress rules before anything is started.
ct "mkdir -p /etc/cloudflared"
push "${WORK}/tunnel-services.yml" "${CONFIG}" 0644
push "${WORK}/cloudflared-services.service" "${UNIT}" 0644
ct "/usr/local/bin/cloudflared --config ${CONFIG} tunnel ingress validate"

# 4. Enable and start, then show status (non-zero exit here means the service is not active).
ct "systemctl daemon-reload"
ct "systemctl enable --now cloudflared-services.service"
ct "systemctl --no-pager status cloudflared-services.service"
echo "Done! Confirm the tunnel shows as connected in the Cloudflare Zero Trust dashboard."
```
Testing
After applying the fix, request each hostname and read the status code rather than the first line of `curl -I` output (without `-s`, curl's progress meter lands on stderr and `2>&1 | head -1` often shows that instead of the status line):

```bash
# Expect 2xx/3xx for the HTTP services. The rpc-ws-* endpoints answer a plain GET with a 4xx
# from the backend (often 400 or 426), which still proves the tunnel routed the request.
# 404 means the hostname matched no ingress rule (catch-all); 530 means cloudflared is not connected.
for host in dbis-admin dbis-api dbis-api-2 mim4u.org www.mim4u.org rpc-http-prv rpc-http-pub rpc-ws-prv rpc-ws-pub; do
  printf '%-26s ' "${host}.d-bis.org"
  curl -s -m 15 -o /dev/null -w '%{http_code}\n' "https://${host}.d-bis.org/"
done
```
Verification Checklist
- Tunnel configuration file created and `tunnel ingress validate` passes
- Credentials file present in VMID 102 with mode 0600
- Systemd service created and enabled
- Tunnel service running and connected
- All 9 hostnames accessible
- All 9 CNAME records proxied (orange cloud) and pointing at the tunnel
- Nginx routing correctly
- No 404 errors for valid hostnames
Long-term Recommendations
- Separate Tunnels: consider splitting into separate tunnels so a misconfiguration or outage in one group does not take down the others:
  - RPC tunnel (4 hostnames)
  - API tunnel (3 hostnames)
  - Web tunnel (2 hostnames)
- Access Control: once the tunnel is up, `dbis-admin` and the `-prv` RPC hostnames are reachable by anyone who resolves them; the "private" label in the name enforces nothing, so require authentication at the origin or attach a Cloudflare Access policy to those hostnames
- TTL Standardization: proxied records are always Auto; for any DNS-only records, use consistent TTL values (300 or 3600)
- Monitoring: alert on tunnel health; the `metrics` endpoint on 127.0.0.1:9090 exposes Prometheus metrics that a local exporter or scraper can watch
- Documentation: keep each tunnel's ingress file and the DNS records that point at it documented together, so the zone and the rules can be reconciled
Summary
Issue: 9 hostnames sharing one tunnel without proper ingress rules
Fix: Create complete ingress configuration with all hostnames
Status: ⚠️ Requires manual configuration
Priority: 🔴 HIGH - Services are likely failing