d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
3f76bc950779f8c1a4403abddb952cdbce5fa420
proxmox/docs/04-configuration/VMID2400_RESTRICT_THIRDWEB_TRAFFIC.md
defiQUG fbda1b4beb
Some checks failed
Deploy to Phoenix / deploy (push) Has been cancelled
Details
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates 
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00

9.2 KiB
Raw Blame History

VMID 2400 - Restrict Traffic to *.thirdweb.com

Last Updated: 2026-01-31
Document Version: 1.0
Status: Active Documentation

Date: 2026-01-02
Purpose: Limit RPC endpoint access to only ThirdWeb domains
VMID: 2400
FQDN: rpc.public-0138.defi-oracle.io

Overview

This guide provides multiple methods to restrict access to the VMID 2400 RPC endpoint to only allow traffic originating from *.thirdweb.com domains.

Method 1: Cloudflare WAF Rules (Recommended)

Cloudflare WAF (Web Application Firewall) rules provide the best protection at the edge before traffic reaches your server.

Step 1: Create WAF Rule in Cloudflare Dashboard

  1. Navigate to WAF:

  2. Create Custom Rule:

    • Click: Create rule or Add rule
    • Rule name: Allow Only ThirdWeb

  3. Configure Rule:

    Rule Name: Allow Only ThirdWeb

When incoming requests match:
(http.request.headers.origin does not contain "thirdweb.com" AND
 http.request.headers.referer does not contain "thirdweb.com" AND
 http.request.headers.user_agent does not contain "thirdweb")

Then: Block

  4. Alternative - Use Expression Editor:

    (http.request.headers["origin"][*] contains "thirdweb.com" or 
 http.request.headers["referer"][*] contains "thirdweb.com" or
 http.request.headers["user-agent"][*] contains "thirdweb")
    • Action: Allow
    • Then add another rule that blocks everything else

Step 2: Configure WAF Rule Expression

More Precise Expression (allows only thirdweb.com):

(http.request.headers["origin"][*] matches "https?://.*\.thirdweb\.com(/.*)?$" or 
 http.request.headers["referer"][*] matches "https?://.*\.thirdweb\.com(/.*)?$")

Action: Allow

Then create a second rule:

  • Expression: Everything else
  • Action: Block

Step 3: Deploy Rule

  1. Review the rule
  2. Click Deploy or Save
  3. Wait a few seconds for propagation

Method 2: Cloudflare Access Application (Zero Trust)

This method requires authentication but provides more control.

Step 1: Create Access Application

  1. Navigate to Access:

  2. Configure Application:

    Application name: ThirdWeb RPC (VMID 2400)
Application domain: rpc.public-0138.defi-oracle.io
Session duration: 8 hours

  3. Configure Policy:

    • Click: Add a policy
    • Policy name: Allow ThirdWeb Team
    • Action: Allow
    • Include:
      • Select: Emails
      • Value: *@thirdweb.com (if you have ThirdWeb emails)
      • OR use: Access Service Tokens (more appropriate for API access)

Step 2: Use Service Token (Recommended for API Access)

  1. Create Service Token:

    • Go to: Zero TrustAccessService Tokens
    • Click: Create Service Token
    • Name: thirdweb-rpc-service
    • Copy the token (shown once)

  2. Update Policy:

    • Edit the Access policy
    • Include: Service Tokens
    • Select: thirdweb-rpc-service

  3. Share Token with ThirdWeb:

    • Provide the service token to ThirdWeb
    • They include it in requests: Authorization: Bearer <token>

Note: This method requires ThirdWeb to include the token in requests.

Method 3: Nginx Access Control (Less Secure - Can Be Spoofed)

This method checks HTTP headers but can be bypassed if headers are spoofed. Use this only as a secondary layer.

Step 1: Update Nginx Configuration on VMID 2400

# SSH to Proxmox host
ssh root@192.168.11.10

# Enter VMID 2400
pct exec 2400 -- bash

# Edit Nginx config
nano /etc/nginx/sites-available/rpc-thirdweb

Step 2: Add Access Control to Nginx Config

Add this to your server block:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name rpc.public-0138.defi-oracle.io;
    
    # ... existing SSL config ...
    
    # Restrict to ThirdWeb domains (check Origin and Referer headers)
    set $allow_request 0;
    
    # Check Origin header
    if ($http_origin ~* "^https?://.*\.thirdweb\.com") {
        set $allow_request 1;
    }
    
    # Check Referer header
    if ($http_referer ~* "^https?://.*\.thirdweb\.com") {
        set $allow_request 1;
    }
    
    # Block if not from ThirdWeb
    if ($allow_request = 0) {
        return 403 '{"jsonrpc":"2.0","error":{"code":-32000,"message":"Access denied. Only ThirdWeb domains are allowed."},"id":null}';
        access_log off;
        log_not_found off;
    }
    
    location / {
        proxy_pass http://127.0.0.1:8545;
        # ... existing proxy config ...
    }
}

Step 3: Test and Reload Nginx

# Test configuration
nginx -t

# Reload Nginx
systemctl reload nginx

⚠️ Warning: This method can be bypassed since headers can be spoofed. Use Cloudflare WAF for actual security.

Method 4: Cloudflare Transform Rules (Header-Based)

Use Cloudflare Transform Rules to add/check custom headers.

Step 1: Create Transform Rule

  1. Navigate to Transform Rules:

    • Go to: RulesTransform Rules
    • Click: Create rule

  2. Configure Rule:

    • Rule name: Add ThirdWeb Verification Header
    • When: http.request.headers["origin"][*] contains "thirdweb.com"
    • Then: Set static header X-ThirdWeb-Verified: true

  3. Create Second Rule (Block):

    • Rule name: Block Non-ThirdWeb
    • When: http.request.headers["x-thirdweb-verified"] is absent
    • Then: Block (use Firewall rule for blocking)

Recommended Approach: Cloudflare WAF Rules

Best Practice: Use Method 1 (Cloudflare WAF Rules) because:

  • Enforced at Cloudflare edge (before reaching your server)
  • Cannot be bypassed by spoofing headers
  • Provides DDoS protection
  • No code changes required
  • Centralized management

Implementation Steps (WAF Method)

Quick Setup:

  1. Go to Cloudflare Dashboard: https://dash.cloudflare.com/
  2. Select domain: defi-oracle.io
  3. Navigate: SecurityWAFCustom Rules
  4. Create Rule:
Rule Name: Allow Only ThirdWeb Traffic

Expression:
(http.request.headers["origin"][*] matches "https?://.*\.thirdweb\.com(/.*)?$" or 
 http.request.headers["referer"][*] matches "https?://.*\.thirdweb\.com(/.*)?$")

Action: Allow
Position: Last (bottom)
  1. Create Block Rule:
Rule Name: Block All Other Traffic

Expression: 
(http.request.uri.path contains "/")

Action: Block
Position: Last (bottom)

Important: Order matters! Allow rule must come before Block rule, or use "Skip remaining rules" in Allow rule.

Testing

Test Allowed Request (from ThirdWeb):

# Simulate request with ThirdWeb Origin header
curl -k https://rpc.public-0138.defi-oracle.io \
  -X POST \
  -H "Content-Type: application/json" \
  -H "Origin: https://dashboard.thirdweb.com" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

Expected: Should succeed

Test Blocked Request (without ThirdWeb headers):

# Request without ThirdWeb headers
curl -k https://rpc.public-0138.defi-oracle.io \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

Expected: Should be blocked (403 or custom error)

Limitations and Considerations

Important Notes:

  1. Direct RPC Calls: Direct RPC calls (from wallets, scripts) may not include Origin/Referer headers

    • Solution: Use API key authentication or IP whitelisting instead

  2. CORS Requests: Browser-based requests include Origin headers

    • WAF rules work well for browser/JavaScript requests from ThirdWeb

  3. API/SDK Requests: ThirdWeb SDK requests should include proper headers

    • Verify with ThirdWeb that their SDK sends appropriate headers

  4. IP Whitelisting Alternative: If headers don't work, consider:

    • Get ThirdWeb's IP ranges
    • Use Cloudflare WAF IP Access Rules
    • Less flexible but more reliable for API access

Alternative: IP-Based Restriction

If ThirdWeb provides their IP ranges:

  1. Go to: SecurityWAFToolsIP Access Rules
  2. Create Rule:
    • Action: Allow
    • IP Address: ThirdWeb IP ranges
  3. Create Block Rule:
    • Action: Block
    • IP Address: All other IPs

Summary

Method Security Ease of Setup Reliability Best For
WAF Rules Browser/Web requests
Access Application API with service tokens
Nginx Headers Secondary layer only
IP Whitelisting API/SDK requests

Recommendation: Start with Cloudflare WAF Rules (Method 1), and add Access Application with Service Tokens (Method 2) if you need API-level authentication.

Last Updated: 2026-01-02
Status: Ready for Implementation

Reference in New Issue View Git Blame Copy Permalink