proxmox/docs/04-configuration/DNS_NPMPLUS_VM_COMPREHENSIVE_ARCHITECTURE.md
Commit bea1903ac9 by defiQUG, 2026-02-21 15:46:06 -08:00:
Sync all local changes: docs, config, scripts, submodule refs, verification evidence
Co-authored-by: Cursor <cursoragent@cursor.com>

DNS → NPMplus → VM Comprehensive Architecture Table

Last Updated: 2026-01-31
Document Version: 1.0
Status: Active Documentation


Date: 2026-01-20
Status: Complete Architecture Reference
Purpose: Streamlined DNS, SSL, and traffic routing documentation

Related Documentation:

  • HA Setup: docs/04-configuration/NPMPLUS_HA_SETUP_GUIDE.md - High Availability setup guide
  • Backup/Restore: docs/04-configuration/NPMPLUS_BACKUP_RESTORE.md - Backup and restore procedures
  • Verification: docs/04-configuration/INGRESS_VERIFICATION_RUNBOOK.md - Verification procedures
  • Risks: docs/04-configuration/INGRESS_RISKS_AND_HARDENING.md - Risk assessment and hardening

Architecture Overview

Internet
    ↓
Cloudflare DNS (A Records → 76.53.10.36)
    ↓
UDM Pro Port Forwarding (76.53.10.36:80/443 → 192.168.11.166:80/443)
    ↓
NPMplus (VMID 10233: 192.168.11.166) - SSL Termination & Routing
    ↓
Backend VMs (Various IPs) - Services with/without Nginx

Complete Service Mapping Table

Primary Table: Cloudflare DNS → NPMplus → VM Routing

Column groups: Cloudflare DNS (DNS Type, Target IP, Proxy); NPMplus Config (SSL Cert ID). The Backend VM and Traffic Flow columns are covered by the VM tables and the Traffic Flow Examples below.

Domain | DNS Type | Target IP | Proxy | SSL Cert ID
------ | -------- | --------- | ----- | -----------
d-bis.org Zone
explorer.d-bis.org | A | 76.53.10.36 | DNS Only | 49
rpc-http-pub.d-bis.org | A | 76.53.10.36 | DNS Only | 53
rpc-ws-pub.d-bis.org | A | 76.53.10.36 | DNS Only | 55
rpc-http-prv.d-bis.org | A | 76.53.10.36 | DNS Only | 52
rpc-ws-prv.d-bis.org | A | 76.53.10.36 | DNS Only | 54
dbis-admin.d-bis.org | A | 76.53.10.36 | DNS Only | 46
dbis-api.d-bis.org | A | 76.53.10.36 | DNS Only | 48
dbis-api-2.d-bis.org | A | 76.53.10.36 | DNS Only | 47
secure.d-bis.org | A | 76.53.10.36 | DNS Only | 58
mim4u.org Zone
mim4u.org | A | 76.53.10.36 | DNS Only | 50
www.mim4u.org | A | 76.53.10.36 | DNS Only | 50
secure.mim4u.org | A | 76.53.10.36 | DNS Only | 59
training.mim4u.org | A | 76.53.10.36 | DNS Only | 61
sankofa.nexus Zone (see ALL_VMIDS_ENDPOINTS.md — do not point these to explorer/192.168.11.140)
sankofa.nexus | A | 76.53.10.36 | DNS Only | 57
www.sankofa.nexus | A | 76.53.10.36 | DNS Only | 64
phoenix.sankofa.nexus | A | 76.53.10.36 | DNS Only | 51
www.phoenix.sankofa.nexus | A | 76.53.10.36 | DNS Only | 63
the-order.sankofa.nexus | A | 76.53.10.36 | DNS Only | 60
defi-oracle.io Zone
rpc.public-0138.defi-oracle.io | A | 76.53.10.36 | DNS Only | 56

Legend:

  • = Configured and working
  • = Not applicable
  • ⚠️ = Requires attention / Not deployed
  • TBD = To Be Determined

Notes:

  1. Sankofa/Phoenix domains must route to VMID 7801 (192.168.11.51:3000) and VMID 7800 (192.168.11.50:4000) respectively — not to Blockscout (192.168.11.140). See ALL_VMIDS_ENDPOINTS.md and RPC_ENDPOINTS_MASTER.md. If NPMplus currently points these to .140, update proxy hosts to the correct IP:port.
  2. NPMplus terminates SSL and proxies HTTP to backend VMs (except ThirdWeb RPC which uses HTTPS).
  3. VMID 7810 has nginx running on port 80 serving MIM4U sites.
  4. VMID 5000 has nginx on port 80 that proxies /api/* to port 4000 (Blockscout API).
  5. VMID 2400 has nginx on port 443 serving ThirdWeb RPC with SSL.

Detailed VM Service Configuration

VMs with Nginx Web Server

VMID | IP | Hostname | Host | Status | Nginx Version | Config Location | Purpose | Public Domains
---- | -- | -------- | ---- | ------ | ------------- | --------------- | ------- | --------------
5000 | 192.168.11.140 | blockscout-1 | r630-02 | Running | 1.18.0+ | /etc/nginx/sites-available/blockscout | Blockscout Explorer | explorer.d-bis.org
7810 | 192.168.11.37 | mim-web-1 | r630-02 | Running | 1.18.0 | /etc/nginx/sites-available/mim4u | MIM4U Web App | mim4u.org, www.mim4u.org, secure.mim4u.org, training.mim4u.org
10130 | 192.168.11.130 | dbis-frontend | r630-01 | Running | TBD | TBD | DBIS Admin Frontend | dbis-admin.d-bis.org, secure.d-bis.org
2400 | 192.168.11.240 | thirdweb-rpc-1 | ml110 | Running | TBD | TBD | ThirdWeb RPC (HTTPS) | rpc.public-0138.defi-oracle.io

VMs without Nginx (Direct Service Access)

VMID | IP | Hostname | Host | Status | Service | Port | Protocol | Public Domains
---- | -- | -------- | ---- | ------ | ------- | ---- | -------- | --------------
2101 | 192.168.11.211 | besu-rpc-core-1 | ml110 | Running | Besu RPC | 8545/8546 | HTTP/WS | rpc-http-prv.d-bis.org, rpc-ws-prv.d-bis.org
2201 | 192.168.11.221 | besu-rpc-public-1 | ml110 | Running | Besu RPC | 8545/8546 | HTTP/WS | rpc-http-pub.d-bis.org, rpc-ws-pub.d-bis.org
10150 | 192.168.11.155 | dbis-api-primary | r630-01 | Running | Node.js API | 3000 | HTTP | dbis-api.d-bis.org
10151 | 192.168.11.156 | dbis-api-secondary | r630-01 | Running | Node.js API | 3000 | HTTP | dbis-api-2.d-bis.org

NPMplus Configuration Details

NPMplus Container Information

Primary NPMplus (10233)

Property | Value
-------- | -----
VMID | 10233
Host | r630-01 (192.168.11.11)
Internal IP (eth0) | 192.168.11.166
Internal IP (eth1) | 192.168.11.167
Management UI | https://192.168.11.166:81
Public IP | 76.53.10.36
Public Ports | 80 (HTTP), 443 (HTTPS)
Status | Running

NPMplus Alltra/HYBX (10235)

Property | Value
-------- | -----
VMID | 10235
Host | r630-01 (192.168.11.11)
Internal IP | 192.168.11.169
Management UI | https://192.168.11.169:81
Port forward | 76.53.10.38:80/81/443 → 192.168.11.169
Designated public IP | 76.53.10.42
Tunnel target | https://192.168.11.169:443 (Option B)
Backends | Alltra + HYBX Sentries, RPC, Cacti, Firefly, Fabric, Indy
Status | To be deployed
Reference | NPMPLUS_ALLTRA_HYBX_MASTER_PLAN.md

SSL Certificate Management

Cert ID | Domains | Provider | Expires | Auto-Renewal
------- | ------- | -------- | ------- | ------------
46 | dbis-admin.d-bis.org | Let's Encrypt | 2026-04-16 | Enabled
47 | dbis-api-2.d-bis.org | Let's Encrypt | 2026-04-16 | Enabled
48 | dbis-api.d-bis.org | Let's Encrypt | 2026-04-16 | Enabled
49 | explorer.d-bis.org | Let's Encrypt | 2026-04-16 | Enabled
50 | mim4u.org, www.mim4u.org | Let's Encrypt | 2026-04-16 | Enabled
51 | phoenix.sankofa.nexus | Let's Encrypt | 2026-04-16 | Enabled
52 | rpc-http-prv.d-bis.org | Let's Encrypt | 2026-04-16 | Enabled
53 | rpc-http-pub.d-bis.org | Let's Encrypt | 2026-04-16 | Enabled
54 | rpc-ws-prv.d-bis.org | Let's Encrypt | 2026-04-16 | Enabled
55 | rpc-ws-pub.d-bis.org | Let's Encrypt | 2026-04-16 | Enabled
56 | rpc.public-0138.defi-oracle.io | Let's Encrypt | 2026-04-16 | Enabled
57 | sankofa.nexus | Let's Encrypt | 2026-04-16 | Enabled
58 | secure.d-bis.org | Let's Encrypt | 2026-04-16 | Enabled
59 | secure.mim4u.org | Let's Encrypt | 2026-04-16 | Enabled
60 | the-order.sankofa.nexus | Let's Encrypt | 2026-04-16 | Enabled
61 | training.mim4u.org | Let's Encrypt | 2026-04-16 | Enabled
62 | www.mim4u.org | Let's Encrypt | 2026-04-16 | Enabled
63 | www.phoenix.sankofa.nexus | Let's Encrypt | 2026-04-16 | Enabled
64 | www.sankofa.nexus | Let's Encrypt | 2026-04-16 | Enabled

Total Certificates: 19 active SSL certificates
Certificate Storage: /data/tls/certbot/live/npm-XX/


Port Forwarding Configuration (UDM Pro)

Public to Internal Port Mapping

Public IP:Port | Internal IP:Port | Protocol | Service | Status
-------------- | ---------------- | -------- | ------- | ------
76.53.10.36:443 | 192.168.11.166:443 | TCP | NPMplus HTTPS | Active
76.53.10.36:80 | 192.168.11.166:80 | TCP | NPMplus HTTP | Active

Router: UDM Pro
Forwarding Rule: Port forwarding configured in UDM Pro firewall rules


Cloudflare DNS Records Summary

DNS Record Statistics

Zone | Total Records | A Records | CNAME Records | Proxied | DNS Only
---- | ------------- | --------- | ------------- | ------- | --------
d-bis.org | 9 | 9 | 0 | 0 | 9
mim4u.org | 4 | 4 | 0 | 0 | 4
sankofa.nexus | 5 | 5 | 0 | 0 | 5
defi-oracle.io | 1 | 1 | 0 | 0 | 1
TOTAL | 19 | 19 | 0 | 0 | 19

Note: All DNS records use "DNS Only" mode (gray cloud) to bypass Cloudflare proxy and route directly to NPMplus at 76.53.10.36. SSL termination is handled by NPMplus using Let's Encrypt certificates.


Service Types and Protocols

Web Services (HTTP/HTTPS)

Service Type | Domain Example | Port | Protocol | Backend Type
------------ | -------------- | ---- | -------- | ------------
Web Application | mim4u.org | 80 | HTTP | Nginx
Admin Portal | dbis-admin.d-bis.org | 80 | HTTP | Nginx
API Service | dbis-api.d-bis.org | 3000 | HTTP | Node.js
Blockchain Explorer | explorer.d-bis.org | 80/4000 | HTTP | Nginx + Blockscout

RPC Services (JSON-RPC over HTTP/WebSocket)

Service Type | Domain Example | Port | Protocol | Backend Type
------------ | -------------- | ---- | -------- | ------------
RPC HTTP | rpc-http-pub.d-bis.org | 8545 | HTTP | Besu
RPC WebSocket | rpc-ws-pub.d-bis.org | 8546 | WebSocket | Besu
RPC HTTPS | rpc.public-0138.defi-oracle.io | 443 | HTTPS | Nginx + Besu

Traffic Flow Examples

Example 1: MIM4U Main Site

User Request: https://mim4u.org
    ↓
DNS Resolution: mim4u.org → 76.53.10.36
    ↓
UDM Pro: Port Forward 76.53.10.36:443 → 192.168.11.166:443
    ↓
NPMplus (192.168.11.166:443):
    ├─ SSL Termination (Cert ID: 50)
    ├─ Hostname: mim4u.org
    ├─ Proxy Host ID: 17
    └─ Proxy Pass: http://192.168.11.37:80
        ↓
nginx on VMID 7810 (192.168.11.37:80):
    ├─ Server Name: mim4u.org
    ├─ Root: /var/www/html
    └─ Response → User (HTTPS)

Example 2: DBIS API

User Request: https://dbis-api.d-bis.org
    ↓
DNS Resolution: dbis-api.d-bis.org → 76.53.10.36
    ↓
UDM Pro: Port Forward 76.53.10.36:443 → 192.168.11.166:443
    ↓
NPMplus (192.168.11.166:443):
    ├─ SSL Termination (Cert ID: 48)
    ├─ Hostname: dbis-api.d-bis.org
    ├─ Proxy Host ID: 15
    └─ Proxy Pass: http://192.168.11.155:3000
        ↓
Node.js API on VMID 10150 (192.168.11.155:3000):
    ├─ Service: DBIS API Primary
    └─ Response → User (HTTPS)

Example 3: RPC Endpoint (ThirdWeb)

User Request: https://rpc.public-0138.defi-oracle.io
    ↓
DNS Resolution: rpc.public-0138.defi-oracle.io → 76.53.10.36
    ↓
UDM Pro: Port Forward 76.53.10.36:443 → 192.168.11.166:443
    ↓
NPMplus (192.168.11.166:443):
    ├─ SSL Termination (Cert ID: 56)
    ├─ Hostname: rpc.public-0138.defi-oracle.io
    ├─ Proxy Host ID: 26
    └─ Proxy Pass: https://192.168.11.240:443
        ↓
nginx on VMID 2400 (192.168.11.240:443):
    ├─ SSL Termination (Internal)
    ├─ Backend: Besu RPC + Translator
    └─ Response → User (HTTPS)

Issues and Action Items

Sankofa/Phoenix routing (authoritative)

Source of truth: ALL_VMIDS_ENDPOINTS.md, RPC_ENDPOINTS_MASTER.md. Sankofa and Phoenix services are deployed. Correct NPMplus backend targets:

Domain | Correct backend | Wrong (do not use)
------ | --------------- | ------------------
sankofa.nexus, www.sankofa.nexus | 192.168.11.51:3000 (VMID 7801) | 192.168.11.140
phoenix.sankofa.nexus, www.phoenix.sankofa.nexus | 192.168.11.50:4000 (VMID 7800) | 192.168.11.140
the-order.sankofa.nexus | TBD when The Order portal is deployed | 192.168.11.140

Action: If any Sankofa/Phoenix proxy host in NPMplus points to 192.168.11.140 (Blockscout), update it to the correct IP:port above. Only explorer.d-bis.org should point to 192.168.11.140.

  1. Documentation

    • This comprehensive table created
    • ⚠️ Add nginx config file paths for all VMs with nginx
    • ⚠️ Document custom nginx configurations
  2. Monitoring

    • Set up certificate expiration alerts
    • Monitor backend VM health
    • Track DNS resolution status
  3. Security

    • All SSL certificates auto-renewing
    • HSTS enabled on all domains
    • Security headers configured
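The Notes above, the Sankofa/Phoenix action item, and the "certificate expiration alerts" monitoring item all describe checks that can be run against an NPMplus proxy-host listing before anything is touched. The script below is an added example and not the repository's own tooling: it encodes the expected domain → backend and domain → Cert ID mappings from the tables in this document, flags any proxy host other than explorer.d-bis.org that targets 192.168.11.140, flags a cert mismatch, lists domains with no proxy host at all, and reports certificates within 30 days of expiry. The record shape (domain, forward_host, forward_port, cert_id), the sample listing, and the 30-day threshold are assumptions for illustration, not the NPMplus API or export format.

```python
# Added example (not the repository's own tooling): audit a simplified NPMplus
# proxy-host listing against the routing tables in this document.
# The record shape {'domain', 'forward_host', 'forward_port', 'cert_id'} is an
# assumption for illustration, not the NPMplus API or export format.
from datetime import date

BLOCKSCOUT_IP = "192.168.11.140"   # only explorer.d-bis.org may be proxied here

# Expected backend (IP, port) per public domain, from the VM tables and the
# Sankofa/Phoenix routing table. the-order.sankofa.nexus is TBD, so it is omitted.
EXPECTED_BACKENDS = {
    "explorer.d-bis.org": ("192.168.11.140", 80),
    "dbis-admin.d-bis.org": ("192.168.11.130", 80),
    "secure.d-bis.org": ("192.168.11.130", 80),
    "dbis-api.d-bis.org": ("192.168.11.155", 3000),
    "dbis-api-2.d-bis.org": ("192.168.11.156", 3000),
    "rpc-http-pub.d-bis.org": ("192.168.11.221", 8545),
    "rpc-ws-pub.d-bis.org": ("192.168.11.221", 8546),
    "rpc-http-prv.d-bis.org": ("192.168.11.211", 8545),
    "rpc-ws-prv.d-bis.org": ("192.168.11.211", 8546),
    "mim4u.org": ("192.168.11.37", 80),
    "www.mim4u.org": ("192.168.11.37", 80),
    "secure.mim4u.org": ("192.168.11.37", 80),
    "training.mim4u.org": ("192.168.11.37", 80),
    "sankofa.nexus": ("192.168.11.51", 3000),
    "www.sankofa.nexus": ("192.168.11.51", 3000),
    "phoenix.sankofa.nexus": ("192.168.11.50", 4000),
    "www.phoenix.sankofa.nexus": ("192.168.11.50", 4000),
    "rpc.public-0138.defi-oracle.io": ("192.168.11.240", 443),
}

# SSL Cert ID per domain, from the Primary Table.
EXPECTED_CERT_IDS = {
    "explorer.d-bis.org": 49, "rpc-http-pub.d-bis.org": 53, "rpc-ws-pub.d-bis.org": 55,
    "rpc-http-prv.d-bis.org": 52, "rpc-ws-prv.d-bis.org": 54, "dbis-admin.d-bis.org": 46,
    "dbis-api.d-bis.org": 48, "dbis-api-2.d-bis.org": 47, "secure.d-bis.org": 58,
    "mim4u.org": 50, "www.mim4u.org": 50, "secure.mim4u.org": 59, "training.mim4u.org": 61,
    "sankofa.nexus": 57, "www.sankofa.nexus": 64, "phoenix.sankofa.nexus": 51,
    "www.phoenix.sankofa.nexus": 63, "the-order.sankofa.nexus": 60,
    "rpc.public-0138.defi-oracle.io": 56,
}


def audit_proxy_hosts(proxy_hosts):
    """Return (domain, issue) pairs for hosts whose backend or certificate
    disagrees with the tables. Order follows the input list."""
    findings = []
    for host in proxy_hosts:
        domain = host["domain"]
        target = (host["forward_host"], host["forward_port"])
        expected = EXPECTED_BACKENDS.get(domain)
        if host["forward_host"] == BLOCKSCOUT_IP and domain != "explorer.d-bis.org":
            # The misroute called out in the Sankofa/Phoenix action item.
            findings.append((domain, f"points to Blockscout {BLOCKSCOUT_IP}; expected {expected}"))
        elif expected is None:
            findings.append((domain, "no expected backend recorded in this document"))
        elif target != expected:
            findings.append((domain, f"backend {target} differs from expected {expected}"))
        expected_cert = EXPECTED_CERT_IDS.get(domain)
        if expected_cert is not None and host.get("cert_id") != expected_cert:
            findings.append((domain, f"cert id {host.get('cert_id')} differs from expected {expected_cert}"))
    return findings


def missing_proxy_hosts(proxy_hosts):
    """Domains in the routing table that have no proxy host at all."""
    present = {host["domain"] for host in proxy_hosts}
    return sorted(d for d in EXPECTED_BACKENDS if d not in present)


def expiring_certs(certs, today, warn_days=30):
    """certs maps cert id -> ISO expiry date; returns ids within warn_days of today
    (the 30-day threshold is assumed; the page only asks for expiration alerts)."""
    today = date.fromisoformat(today)
    return sorted(cid for cid, exp in certs.items()
                  if (date.fromisoformat(exp) - today).days <= warn_days)


# Constructed sample listing: one correct host, one Sankofa host misrouted to
# Blockscout, one API host with the wrong certificate attached.
SAMPLE_PROXY_HOSTS = [
    {"domain": "mim4u.org", "forward_host": "192.168.11.37", "forward_port": 80, "cert_id": 50},
    {"domain": "sankofa.nexus", "forward_host": "192.168.11.140", "forward_port": 80, "cert_id": 57},
    {"domain": "dbis-api.d-bis.org", "forward_host": "192.168.11.155", "forward_port": 3000, "cert_id": 47},
]
SAMPLE_CERTS = {50: "2026-04-16", 48: "2026-04-16"}   # expiry dates from the certificate table

if __name__ == "__main__":
    for domain, issue in audit_proxy_hosts(SAMPLE_PROXY_HOSTS):
        print(f"MISCONFIG {domain}: {issue}")
    print("missing proxy hosts:", missing_proxy_hosts(SAMPLE_PROXY_HOSTS))
    print("certs expiring within 30 days of 2026-03-20:", expiring_certs(SAMPLE_CERTS, "2026-03-20"))
```

Running it on the constructed sample reports the Sankofa misroute and the wrong cert on dbis-api.d-bis.org, lists the fifteen table domains the sample does not cover, and flags both sample certificates when "today" is 2026-03-20. The Blockscout rule is checked before the generic backend comparison so that a Sankofa host pointing at .140 is reported as the specific mistake the action item describes rather than as a generic mismatch.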

Quick Reference Commands

Test DNS Resolution

dig +short mim4u.org
dig +short explorer.d-bis.org
dig +short rpc-http-pub.d-bis.org

Test SSL Certificates

curl -vI https://mim4u.org 2>&1 | grep -E "(certificate|SSL|TLS)"
curl -vI https://explorer.d-bis.org 2>&1 | grep -E "(certificate|SSL|TLS)"

Test Backend Services

# Test Blockscout
curl -I http://192.168.11.140:80

# Test MIM4U
curl -I http://192.168.11.37:80

# Test DBIS API
curl -I http://192.168.11.155:3000

# Test RPC
curl -X POST http://192.168.11.221:8545 \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'

Check NPMplus Status

# From Proxmox host
ssh root@192.168.11.11 "pct exec 10233 -- docker ps --filter 'name=npmplus'"

# Check NPMplus logs
ssh root@192.168.11.11 "pct exec 10233 -- docker logs npmplus --tail 50"

Check VM Status

# Check specific VM
ssh root@192.168.11.12 "pct status 7810"

# Check nginx status on VM
ssh root@192.168.11.12 "pct exec 7810 -- systemctl status nginx"
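The dig and curl commands above verify one name at a time. As an added example (not the repository's own runbook script), the following Python checks every public domain in this document in one pass, following the Traffic Flow Examples: it resolves the name and requires every A record to be 76.53.10.36, then opens a TLS connection directly to that IP with the domain as SNI so the certificate served by NPMplus is verified even when DNS is still wrong, and reports the days of validity left. The 30-day warning threshold and the state names are assumptions; the decision logic is kept in pure functions so it can be exercised without network access.

```python
# Added example (not the repository's own tooling): one-pass live check of the
# DNS -> UDM Pro -> NPMplus path for every public domain in this document.
import socket
import ssl
import time

NPMPLUS_PUBLIC_IP = "76.53.10.36"   # from the Architecture Overview
WARN_DAYS = 30                       # expiry alert threshold (assumed)
PUBLIC_DOMAINS = [
    "explorer.d-bis.org", "rpc-http-pub.d-bis.org", "rpc-ws-pub.d-bis.org",
    "rpc-http-prv.d-bis.org", "rpc-ws-prv.d-bis.org", "dbis-admin.d-bis.org",
    "dbis-api.d-bis.org", "dbis-api-2.d-bis.org", "secure.d-bis.org",
    "mim4u.org", "www.mim4u.org", "secure.mim4u.org", "training.mim4u.org",
    "sankofa.nexus", "www.sankofa.nexus", "phoenix.sankofa.nexus",
    "www.phoenix.sankofa.nexus", "the-order.sankofa.nexus",
    "rpc.public-0138.defi-oracle.io",
]


def dns_points_to_npmplus(addresses, expected=NPMPLUS_PUBLIC_IP):
    """True only if the name resolves and every A record is the NPMplus public IP.
    A stray extra record would send a share of clients elsewhere, so 'any' is not enough."""
    return bool(addresses) and all(addr == expected for addr in addresses)


def days_remaining(not_after, now=None):
    """Whole days of validity left. not_after (and now, if given) use the format that
    ssl.SSLSocket.getpeercert() returns in 'notAfter', e.g. 'Apr 16 12:00:00 2026 GMT'."""
    now_ts = time.time() if now is None else ssl.cert_time_to_seconds(now)
    return int((ssl.cert_time_to_seconds(not_after) - now_ts) // 86400)


def classify(dns_ok, cert_error, days_left, warn_days=WARN_DAYS):
    """Collapse the observations into one state per domain."""
    if not dns_ok or cert_error:
        return "attention"
    if days_left is None or days_left < warn_days:
        return "renew-soon"
    return "ok"


def check_domain(domain, timeout=5.0):
    """Resolve the name, then TLS-connect straight to the NPMplus public IP with
    SNI=domain so the certificate check exercises NPMplus regardless of DNS state."""
    try:
        addresses = sorted({ai[4][0] for ai in socket.getaddrinfo(domain, 443, socket.AF_INET)})
    except socket.gaierror:
        addresses = []
    cert_error, days_left = None, None
    ctx = ssl.create_default_context()   # verifies the chain and the hostname against SNI
    try:
        with socket.create_connection((NPMPLUS_PUBLIC_IP, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=domain) as tls:
                days_left = days_remaining(tls.getpeercert()["notAfter"])
    except (ssl.SSLError, OSError) as exc:
        cert_error = str(exc)
    dns_ok = dns_points_to_npmplus(addresses)
    return {"domain": domain, "addresses": addresses, "dns_ok": dns_ok,
            "cert_error": cert_error, "days_left": days_left,
            "state": classify(dns_ok, cert_error, days_left)}


if __name__ == "__main__":
    for r in map(check_domain, PUBLIC_DOMAINS):
        left = "" if r["days_left"] is None else f"{r['days_left']}d"
        print(f"{r['state']:<11} {r['domain']:<32} {','.join(r['addresses']) or '-':<16} "
              f"{left:<5} {r['cert_error'] or ''}")
```

Run it from a host that can reach 76.53.10.36:443; any line marked "attention" is either a DNS record that no longer points at NPMplus or a certificate that fails verification for that name, while "renew-soon" means the Let's Encrypt auto-renewal has not yet replaced a certificate inside the warning window.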

  • VMID Endpoints: docs/04-configuration/ALL_VMIDS_ENDPOINTS.md
  • NPMplus Setup: docs/04-configuration/NPMPLUS_COMPLETE_SETUP_SUMMARY.md
  • NPMplus Service Mapping: docs/04-configuration/NPMPLUS_SERVICE_MAPPING_COMPLETE.md
  • MIM4U DNS Config: reports/VMID_7810_DNS_NPMPLUS_CONFIGURATION.md
  • Cloudflare DNS: docs/04-configuration/cloudflare/CLOUDFLARE_DNS_SPECIFIC_SERVICES.md

Last Updated: 2026-01-20
Maintained By: Infrastructure Team
Status: Complete Architecture Reference