7.6 KiB
Option B: RPC via Cloudflare Tunnel — Runbook
Last Updated: 2026-02-06
Status: Active
Purpose: Get full E2E pass (including the 6 RPC HTTP checks)
Current state: DNS for the 6 RPC hostnames points to the tunnel; tunnel Public Hostnames use https://192.168.11.167:443 with No TLS Verify. RPC returns 200 when the connector (e.g. VMID 102) is running.
See also: E2E_RPC_EDGE_LIMITATION.md, CLOUDFLARE_TUNNEL_502_FIX_RUNBOOK.md. Tunnel sfvalley01: install connector steps → TUNNEL_SFVALLEY01_INSTALL.md.
Overview
Traffic path after Option B:
- Before: Internet → 76.53.10.36 (UDM Pro) → NPMplus → RPC → 405 for POST
- After (RPC only): Internet → Cloudflare → Tunnel (cloudflared) → NPMplus (https://192.168.11.167:443) → RPC → 200 for POST
The 6 RPC hostnames are switched in DNS from A 76.53.10.36 to CNAME <tunnel-id>.cfargotunnel.com (Proxied). All other hostnames can stay on A 76.53.10.36.
Prerequisites
- Cloudflare Tunnel (cloudflared) running and reachable (e.g. VMID 102).
- Tunnel Public Hostnames include the 6 RPC hostnames, each →
https://192.168.11.167:443(NPMplus), with No TLS Verify. If not, complete CLOUDFLARE_TUNNEL_502_FIX_RUNBOOK.md Step 4 first. - Cloudflare API credentials in
.env:CLOUDFLARE_API_TOKENorCLOUDFLARE_EMAIL+CLOUDFLARE_API_KEY. - Zone IDs in
.env:CLOUDFLARE_ZONE_IDorCLOUDFLARE_ZONE_ID_D_BIS_ORG,CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO. - Tunnel ID: set
CLOUDFLARE_TUNNEL_IDin.envto the tunnel that has cloudflared running (e.g. sfvalley01ad9eb7c4-f522-480e-b640-bfc137518c94). If RPC returns 530, ensure DNS CNAMEs point to this tunnel and the tunnel’s Public Hostnames include all 6 RPC hostnames →https://192.168.11.167:443(No TLS Verify).
Step 1: Ensure tunnel ingress for all 6 RPC hostnames
In Cloudflare Zero Trust → Networks → Tunnels → your public tunnel → Public Hostnames, ensure each of these has URL = https://192.168.11.167:443 and No TLS Verify enabled:
| Hostname | URL |
|---|---|
| rpc-http-pub.d-bis.org | https://192.168.11.167:443 (No TLS Verify) |
| rpc.d-bis.org | https://192.168.11.167:443 (No TLS Verify) |
| rpc2.d-bis.org | https://192.168.11.167:443 (No TLS Verify) |
| rpc-http-prv.d-bis.org | https://192.168.11.167:443 (No TLS Verify) |
| rpc.public-0138.defi-oracle.io | https://192.168.11.167:443 (No TLS Verify) |
| rpc.defi-oracle.io | https://192.168.11.167:443 (No TLS Verify) |
If any are missing or point to a different origin (e.g. 192.168.11.21), add or edit them per the 502 fix runbook. Then optionally restart cloudflared.
Note (API): The Cloudflare API PUT .../cfd_tunnel/{tunnel_id}/configurations may return 1002 Tunnel not found with the current API key (e.g. insufficient scope). In that case you must add the 6 hostnames above in the Zero Trust dashboard only. The tunnel that has cloudflared running (e.g. 26138c21 TUNNEL_TOKEN_VMID2400) must have these Public Hostnames; .env should set CLOUDFLARE_TUNNEL_ID to that tunnel so set-rpc-dns-to-tunnel.sh points DNS to it.
# From Proxmox node that runs VMID 102 (e.g. 192.168.11.11)
pct exec 102 -- systemctl restart cloudflared
Step 2: Verify origin from tunnel host (optional)
From the host that runs cloudflared (VMID 102), confirm NPMplus responds for an RPC hostname:
# From Proxmox node with VMID 102
pct exec 102 -- curl -s -o /dev/null -w "%{http_code}" --connect-timeout 5 "http://192.168.11.167:80/" -H "Host: rpc.d-bis.org" -X POST -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
# Expect 200 (or 301 then 200 via redirect)
Or run the verification script (from repo, with SSH to Proxmox):
bash scripts/verify/verify-cloudflare-tunnel-ingress.sh --host 192.168.11.11
Step 3: Switch RPC DNS to the tunnel
Set the 6 RPC hostnames to CNAME to your tunnel (Proxied) so traffic goes Cloudflare → tunnel → NPMplus.
Option 3a: Script (recommended)
From repo root, with .env (and zone IDs + tunnel ID) set:
./scripts/set-rpc-dns-to-tunnel.sh
This deletes any existing A record for each hostname and creates/updates a CNAME to $CLOUDFLARE_TUNNEL_ID.cfargotunnel.com (Proxied). Requires jq.
Option 3b: Manual in Cloudflare Dashboard
For each hostname below, in the correct zone (d-bis.org or defi-oracle.io):
- DNS → Records → find the existing A record (76.53.10.36) for that name.
- Delete the A record (or edit if your UI allows type change).
- Add record: Type CNAME, Name = subdomain part (e.g.
rpcfor rpc.d-bis.org), Target = <your-tunnel-id>.cfargotunnel.com, Proxy status = Proxied (orange cloud).
| Full hostname | Zone | CNAME name (subdomain) | Target |
|---|---|---|---|
| rpc-http-pub.d-bis.org | d-bis.org | rpc-http-pub | <tunnel-id>.cfargotunnel.com |
| rpc.d-bis.org | d-bis.org | rpc | <tunnel-id>.cfargotunnel.com |
| rpc2.d-bis.org | d-bis.org | rpc2 | <tunnel-id>.cfargotunnel.com |
| rpc-http-prv.d-bis.org | d-bis.org | rpc-http-prv | <tunnel-id>.cfargotunnel.com |
| rpc.public-0138.defi-oracle.io | defi-oracle.io | rpc.public-0138 | <tunnel-id>.cfargotunnel.com |
| rpc.defi-oracle.io | defi-oracle.io | rpc | <tunnel-id>.cfargotunnel.com |
Step 4: Re-run E2E and RPC troubleshoot
After DNS propagates (1–5 minutes):
# RPC only
bash scripts/verify/troubleshoot-rpc-failures.sh
# Expect HTTP 200 for all 6 (or 200 + chainId in body)
# Full E2E (no need for E2E_SUCCESS_IF_ONLY_RPC_BLOCKED when RPC passes)
# Use ACCEPT_ANY_DNS=1 so the 6 RPC hostnames (resolving to Cloudflare) count as DNS pass
ACCEPT_ANY_DNS=1 ./scripts/verify/verify-end-to-end-routing.sh --profile=public
Troubleshooting: HTTP 530 / error 1033
After switching DNS to the tunnel, if RPC returns 530 with error code 1033 (instead of 405):
- Meaning: Cloudflare is receiving the request but cannot reach your origin via the tunnel (Argo Tunnel error).
- Cause: The tunnel’s Public Hostnames in Zero Trust do not yet include these 6 RPC hostnames, or they point to a wrong/unreachable URL (e.g. 192.168.11.21 instead of 192.168.11.167), or cloudflared is down/disconnected.
- Fix: Complete Step 1 in this runbook: in Zero Trust → Tunnels → your tunnel → Public Hostnames, add (or fix) each of the 6 RPC hostnames with URL
https://192.168.11.167:443(No TLS Verify). Restart cloudflared on the host that runs it (e.g.pct exec 102 -- systemctl restart cloudflared). Re-test after 1–2 minutes.
Reverting to direct IP (A record)
To send RPC traffic back through the UDM Pro (and accept 405 again):
# Restore all public DNS (including RPC) to A 76.53.10.36
./scripts/update-all-dns-to-public-ip.sh
Summary
| Step | Action |
|---|---|
| 1 | Tunnel Public Hostnames: all 6 RPC hostnames → https://192.168.11.167:443 (No TLS Verify) |
| 2 | (Optional) Verify origin from VMID 102 |
| 3 | DNS: 6 RPC hostnames → CNAME to <tunnel-id>.cfargotunnel.com (Proxied) |
| 4 | Re-run troubleshoot-rpc-failures.sh and verify-end-to-end-routing.sh --profile=public |