proxmox/docs/05-network/CLOUDFLARE_ROUTING_MASTER.md
defiQUG bea1903ac9
Sync all local changes: docs, config, scripts, submodule refs, verification evidence
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-21 15:46:06 -08:00


Edge Routing Master Reference (Fastly / Direct to NPMplus)

Navigation: Home > Network > Edge Routing Master

Last Updated: 2026-02-06
Document Version: 2.1
Status: Active Documentation


Overview

This is the authoritative reference for public edge routing. Web/API: Fastly (Option A) or DNS direct to 76.53.10.36 (Option C) → UDM Pro → NPMplus. RPC (6 hostnames): Option B — Cloudflare Tunnel (cloudflared) → NPMplus https://192.168.11.167:443; DNS for those 6 hostnames is a CNAME to the tunnel. See OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md and ../04-configuration/cloudflare/TUNNEL_SFVALLEY01_INSTALL.md. Cloudflare Tunnel is deprecated for primary web ingress (502 errors when it carried all traffic); Option B uses the tunnel for RPC only. Cloudflare DNS is retained for all public hostnames.

Current edge: UDM Pro (76.53.10.34). Origin for public traffic: 76.53.10.36. Port forward: 76.53.10.36:80/443 → NPMplus (192.168.11.167:80/443). Proxmox hosts: 192.168.11.1012. See NETWORK_CONFIGURATION_MASTER.md.

Pre-requisite: Verify 76.53.10.36:80 and :443 are open from the internet before using Fastly or direct; see EDGE_PORT_VERIFICATION_RUNBOOK.md.

ISP port filtering (e.g. Spectrum Business): If your ISP filters common ports (21, 22, 80, 443), Fastly cannot help, because it offers no tunnel product. Use an outbound-only tunnel instead (e.g. Tailscale Funnel, ngrok, or self-hosted boringproxy/Frp); Cloudflare Tunnel often causes 502 errors in this project, so prefer the alternatives. See ISP port filtering (Spectrum and tunnels) below.


Architecture Overview

Primary: Fastly or Direct to NPMplus

Internet → Cloudflare DNS → Fastly (Option A) or 76.53.10.36 (Option C)
    → UDM Pro (76.53.10.36:80/443) → NPMplus (192.168.11.167) → Internal Services
  • Fastly (Option A): CNAME from each public hostname to Fastly; Fastly backend = 76.53.10.36. Forward original Host so NPMplus can route by hostname; enable WebSocket for RPC/WS.
  • Direct (Option C): A records to 76.53.10.36; Cloudflare proxy on or off. No CDN; single point of failure at edge.
  • NPMplus (VMID 10233 at 192.168.11.167) is the single proxy/director; all domain routing and WebSocket handling are configured there.

Option B: Cloudflare Tunnel for RPC (active)

The 6 RPC HTTP hostnames use Cloudflare Tunnel: CNAME to <tunnel-id>.cfargotunnel.com; cloudflared (e.g. VMID 102) → NPMplus https://192.168.11.167:443 (No TLS Verify). Runbook: OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md. Connector install: ../04-configuration/cloudflare/TUNNEL_SFVALLEY01_INSTALL.md.

Deprecated: Tunnel for all public ingress

Using Cloudflare Tunnel for all public hostnames (web + RPC) caused 502 errors. Tunnel is now used only for RPC (Option B). Legacy tunnel docs: CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md, CENTRAL_NGINX_ROUTING_SETUP.md.


Routing Rules (NPMplus)

All public hostnames are routed by NPMplus (192.168.11.167) by hostname. Key mappings (see RPC_ENDPOINTS_MASTER.md for full list):

| Domain | Type | NPMplus → Backend | Service |
|---|---|---|---|
| rpc-http-pub.d-bis.org, rpc.d-bis.org, rpc2.d-bis.org | HTTP | 192.168.11.221:8545 | Besu Public RPC (2201) |
| rpc-ws-pub.d-bis.org, ws.rpc.d-bis.org, ws.rpc2.d-bis.org | WS | 192.168.11.221:8546 | Besu Public RPC (2201) |
| rpc-http-prv.d-bis.org, rpc-ws-prv.d-bis.org | | 192.168.11.211:8545/8546 | Besu Core RPC (2101) |
| explorer.d-bis.org | | 192.168.11.140:80, :4000 | Blockscout (5000) |
| dbis-admin.d-bis.org, dbis-api.d-bis.org, dbis-api-2.d-bis.org | | 192.168.11.130/:155/:156 | DBIS services |
| mim4u.org, www.mim4u.org | | 192.168.11.37:80 | MIM4U (7810) |
| rpc.defi-oracle.io, wss.defi-oracle.io | | 192.168.11.221 or 192.168.11.240 | RPC / ThirdWeb |

WebSocket support must be enabled in NPMplus for all RPC/WS hostnames. No JWT or access lists on public RPC proxy hosts.
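Because NPMplus is the single director, drift in its proxy-host list (a hostname pointed at the wrong backend, WebSocket upgrade switched off on an RPC/WS host, an access list appearing on a public RPC host, or an undocumented public hostname) silently changes the exposure described in this table. The lint below is an added example, not part of this document or of NPMplus: it encodes the table rows with an unambiguous backend as the expected state and reports every deviation. The `ProxyHost` field names (`domain_names`, `forward_host`, `forward_port`, `allow_websocket_upgrade`, `access_list_id`) only loosely mirror an NPMplus export and are an assumption; the sample proxy hosts are constructed and include two deliberate drifts.

```python
"""Lint NPMplus proxy-host definitions against the documented routing table.

Added example. ProxyHost field names approximate an NPMplus export (assumption);
sample data is constructed, including two deliberate drifts.
"""
from dataclasses import dataclass

# Expected hostname -> (backend host, allowed backend ports), from the routing table.
# Rows whose backend is ambiguous in the table (DBIS, defi-oracle) are left out.
EXPECTED_BACKENDS = {
    "rpc-http-pub.d-bis.org": ("192.168.11.221", {8545}),
    "rpc.d-bis.org": ("192.168.11.221", {8545}),
    "rpc2.d-bis.org": ("192.168.11.221", {8545}),
    "rpc-ws-pub.d-bis.org": ("192.168.11.221", {8546}),
    "ws.rpc.d-bis.org": ("192.168.11.221", {8546}),
    "ws.rpc2.d-bis.org": ("192.168.11.221", {8546}),
    "rpc-http-prv.d-bis.org": ("192.168.11.211", {8545, 8546}),
    "rpc-ws-prv.d-bis.org": ("192.168.11.211", {8545, 8546}),
    "explorer.d-bis.org": ("192.168.11.140", {80, 4000}),
    "mim4u.org": ("192.168.11.37", {80}),
    "www.mim4u.org": ("192.168.11.37", {80}),
}

# Every RPC/WS hostname must have WebSocket upgrade enabled (document requirement).
RPC_WS_HOSTS = {h for h in EXPECTED_BACKENDS if h.startswith(("rpc", "ws."))}

# The six public RPC hostnames carry no JWT or access list (document requirement).
PUBLIC_RPC_HOSTS = {
    "rpc-http-pub.d-bis.org", "rpc.d-bis.org", "rpc2.d-bis.org",
    "rpc-ws-pub.d-bis.org", "ws.rpc.d-bis.org", "ws.rpc2.d-bis.org",
}


@dataclass
class ProxyHost:
    domain_names: list
    forward_host: str
    forward_port: int
    allow_websocket_upgrade: bool = False
    access_list_id: int = 0  # 0 = no access list attached (assumption)


def lint(proxy_hosts):
    """Return a list of findings; an empty list means the config matches the table."""
    findings = []
    seen = set()
    for ph in proxy_hosts:
        for name in ph.domain_names:
            seen.add(name)
            expected = EXPECTED_BACKENDS.get(name)
            if expected is None:
                findings.append(f"{name}: not in routing table (undocumented public hostname)")
                continue
            host, ports = expected
            if ph.forward_host != host or ph.forward_port not in ports:
                allowed = "/".join(str(p) for p in sorted(ports))
                findings.append(f"{name}: forwards to {ph.forward_host}:{ph.forward_port}, "
                                f"expected {host}:{allowed}")
            if name in RPC_WS_HOSTS and not ph.allow_websocket_upgrade:
                findings.append(f"{name}: WebSocket support is off on an RPC/WS host")
            if name in PUBLIC_RPC_HOSTS and ph.access_list_id:
                findings.append(f"{name}: access list {ph.access_list_id} set on a public RPC host")
    # Hostnames documented here but defined nowhere in NPMplus are a gap the other way.
    for name in sorted(EXPECTED_BACKENDS.keys() - seen):
        findings.append(f"{name}: in routing table but no proxy host defines it")
    return findings


# Constructed sample: matches the table except for two deliberate drifts.
SAMPLE_HOSTS = [
    ProxyHost(["rpc-http-pub.d-bis.org", "rpc.d-bis.org", "rpc2.d-bis.org"],
              "192.168.11.221", 8545, allow_websocket_upgrade=True),
    ProxyHost(["rpc-ws-pub.d-bis.org", "ws.rpc.d-bis.org", "ws.rpc2.d-bis.org"],
              "192.168.11.221", 8546, allow_websocket_upgrade=False),   # drift: WS off
    ProxyHost(["rpc-http-prv.d-bis.org", "rpc-ws-prv.d-bis.org"],
              "192.168.11.211", 8545, allow_websocket_upgrade=True),
    ProxyHost(["explorer.d-bis.org"], "192.168.11.140", 80),
    ProxyHost(["mim4u.org", "www.mim4u.org"], "192.168.11.37", 80),
    ProxyHost(["staging.d-bis.org"], "192.168.11.199", 8080),           # drift: undocumented
]

if __name__ == "__main__":
    for finding in lint(SAMPLE_HOSTS):
        print(finding)
```

Run it against an export of the live proxy-host list whenever this table or the NPMplus configuration changes; a non-empty result means either the table or NPMplus needs updating.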


Fastly Configuration (Option A)

  • Backend: 76.53.10.36 (or hostname resolving to it). TLS to origin recommended; forward Host/SNI.
  • WebSocket: Enable for RPC WebSocket hostnames; no caching on those paths.
  • Caching: Bypass for /api, RPC, WebSocket; cache static assets if desired.
  • Origin health: Configure health checks; optional origin shield and restrict UDM Pro to Fastly egress IPs.
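Restricting the UDM Pro so that only Fastly's egress ranges can reach 76.53.10.36:80/443 is what stops clients from bypassing the CDN and hitting NPMplus directly; a pull CDN in front of an origin that still answers the whole internet protects nothing. The code below is an added example, not from this document, Fastly or Ubiquiti. It parses a public IP list in the JSON shape Fastly publishes (`addresses` / `ipv6_addresses`), answers whether a source address is inside those ranges, renders reference firewall rules in nftables syntax (the UDM Pro's own firewall UI would be configured by hand from the same list; the chain name `wan_in` is hypothetical), and flags access-log lines from non-CDN sources as a detection for a missing or bypassed allowlist. The IP ranges and log lines are constructed test-network values, not Fastly's real ranges.

```python
"""Origin allowlist from a CDN public-IP list, plus a bypass check over access logs.

Added example. JSON shape follows Fastly's public-ip-list endpoint (assumption);
ranges, log lines and the nftables chain name are constructed placeholders.
"""
import ipaddress
import json

ORIGIN = "76.53.10.36"

# Constructed stand-in for the body of https://api.fastly.com/public-ip-list.
SAMPLE_PUBLIC_IP_LIST = json.dumps({
    "addresses": ["203.0.113.0/24", "198.51.100.0/25"],   # RFC 5737 test ranges
    "ipv6_addresses": ["2001:db8:f000::/36"],             # RFC 3849 test range
})

# Constructed NPMplus/nginx-style access log; the second line is a direct hit.
SAMPLE_ACCESS_LOG = """\
203.0.113.77 - - [06/Feb/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512
192.0.2.9 - - [06/Feb/2026:10:00:02 +0000] "POST / HTTP/1.1" 200 88
198.51.100.5 - - [06/Feb/2026:10:00:03 +0000] "GET /api HTTP/1.1" 200 77
"""


def parse_allowlist(body):
    """Return (v4_networks, v6_networks) from the public-ip-list JSON body."""
    data = json.loads(body)
    v4 = [ipaddress.ip_network(n) for n in data.get("addresses", [])]
    v6 = [ipaddress.ip_network(n) for n in data.get("ipv6_addresses", [])]
    return v4, v6


def source_allowed(src, v4, v6):
    """True if src falls inside one of the CDN egress ranges."""
    addr = ipaddress.ip_address(src)
    nets = v4 if addr.version == 4 else v6
    return any(addr in n for n in nets)


def nft_rules(v4, ports=(80, 443), chain="wan_in"):
    """Render nftables rules: accept 80/443 to the origin only from CDN ranges, drop the rest.

    The set uses 'flags interval' so CIDR ranges can be added; a refresh replaces the
    elements when the CDN publishes new ranges, without touching the two rules.
    """
    portset = ", ".join(str(p) for p in ports)
    elements = ", ".join(str(n) for n in v4)
    return [
        "add set inet filter fastly_v4 { type ipv4_addr; flags interval; }",
        f"add element inet filter fastly_v4 {{ {elements} }}",
        f"add rule inet filter {chain} ip daddr {ORIGIN} tcp dport {{ {portset} }} "
        f"ip saddr @fastly_v4 accept",
        f"add rule inet filter {chain} ip daddr {ORIGIN} tcp dport {{ {portset} }} drop",
    ]


def flag_non_cdn_sources(log_text, v4, v6):
    """Return source IPs in the access log that are not CDN egress addresses.

    With the allowlist in place this should be empty; anything listed means the
    origin was reached directly (rule missing, or Option C direct mode is in use).
    """
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src = line.split()[0]           # common/combined log format: remote addr first
        if not source_allowed(src, v4, v6) and src not in flagged:
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    v4, v6 = parse_allowlist(SAMPLE_PUBLIC_IP_LIST)
    print("\n".join(nft_rules(v4)))
    print("direct-to-origin sources:", flag_non_cdn_sources(SAMPLE_ACCESS_LOG, v4, v6))
```

The published ranges change, so whatever applies the rules should re-fetch the list on a schedule and replace the set elements; a stale allowlist turns into an outage when Fastly adds a POP.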

ISP port filtering (Spectrum and tunnels)

If your internet provider (e.g. Spectrum Business) filters or blocks common ports (21, 22, 80, 443), the following applies.

Fastly does not have tunnels

  • Fastly is a pull CDN: it connects to your origin on ports 80/443. It does not provide an outbound-only tunnel (no product like Cloudflare Tunnel).
  • Fastly Origin Connect is a physical cross-connect (fiber/BGP in a datacenter), not a software tunnel; it does not solve residential/small-business ISP port filtering.
  • If 80/443 are filtered (inbound or outbound), Fastly cannot reach 76.53.10.36, so Fastly is not usable as the edge for your origin.
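The pre-requisite check above (76.53.10.36:80 and :443 open from the internet) and this ISP-filtering question are the same probe read two ways: a connection that is refused means the packet reached the edge and nothing answered there (port forward or NPMplus problem), while one that simply times out means something between the prober and the UDM Pro is dropping it (ISP filtering, or a firewall configured to drop). The script below is an added example, not the runbook referenced in EDGE_PORT_VERIFICATION_RUNBOOK.md; it must be run from a host outside the UDM Pro's network (a VPS or a phone hotspot), because from inside the LAN a connect can succeed through hairpin NAT and prove nothing about the ISP. The `demo_local()` function exercises the classifier against a local listener so the logic can be checked offline.

```python
"""Probe the public origin's 80/443 and tell 'filtered' apart from 'refused'.

Added example, not part of this repository's runbooks. Run from outside the
UDM Pro's network; defaults are the document's origin and ports.
"""
import socket

ORIGIN = "76.53.10.36"
EDGE_PORTS = (80, 443)


def probe_tcp(host, port, timeout=5.0):
    """Classify one TCP connect attempt.

    open:     handshake completed (port forward and NPMplus listener work)
    refused:  RST received (edge reachable, nothing forwarded/listening on that port)
    filtered: no answer before timeout (ISP filtering, or a silent firewall drop)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:                     # e.g. no route to host: report, don't guess
        return f"error: {exc.strerror or exc}"


def verify_edge(host=ORIGIN, ports=EDGE_PORTS, timeout=5.0):
    """Probe each edge port and return {port: classification}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def fastly_usable(results):
    """A pull CDN can only be the edge when every probed origin port is open."""
    return all(results.get(p) == "open" for p in EDGE_PORTS)


def demo_local():
    """Offline self-check: a live local listener should read 'open', a freshly
    released ephemeral port should read 'refused'."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                              # nothing listens here any more
    try:
        return probe_tcp("127.0.0.1", open_port), probe_tcp("127.0.0.1", closed_port, 1.0)
    finally:
        srv.close()


if __name__ == "__main__":
    results = verify_edge()
    for port, state in results.items():
        print(f"{ORIGIN}:{port} -> {state}")
    print("Fastly/direct usable:", fastly_usable(results))
```

Two "filtered" results from an outside host, with the UDM Pro port forward confirmed, is the signature of ISP port filtering and the cue to move to the tunnel options below; a "refused" points back at the UDM Pro forward or NPMplus instead.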

Tunnel options when ports are filtered (Cloudflare often 502)

When the ISP blocks 80/443, you need an outbound-only tunnel. Cloudflare Tunnel is often problematic here (502 errors in this project), so prefer one of the alternatives below. Fastly has no tunnel product.

| Option | How it works | Pros / cons |
|---|---|---|
| Tailscale Funnel | Run `tailscale funnel <port>` on the host; outbound to Tailscale, no inbound 80/443. Public URL like `https://<device>.ts.net`. | Simple, automatic HTTPS, no port forward. Requires Tailscale account and MagicDNS; good if you already use Tailscale. |
| ngrok | Run ngrok agent; outbound tunnel to ngrok edge. Public URL (or custom domain on paid). | Mature, widely used; free tier has limits and ngrok-branded URLs. Paid for custom domains and higher limits. |
| Self-hosted (boringproxy, Frp, Rathole) | Run tunnel server on a VPS (where ports are not filtered); run client at origin; origin only makes outbound connections to the VPS. | Full control, your domain, no Cloudflare. Requires a small VPS (or other unfiltered host) to run the tunnel server. |
| Cloudflare Tunnel (cloudflared) | Origin runs cloudflared; outbound to Cloudflare. No inbound ports; this repo has config. | Often causes 502 errors here; deprecated for that reason. See CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md if you want to retry and debug. |

Recommendation when Spectrum (or similar) filters 21/22/80/443:

  1. First try: Tailscale Funnel (if you use Tailscale) or ngrok (quick to try).
  2. For production / custom domains: Self-hosted tunnel (e.g. boringproxy or Frp on a VPS); origin runs the client, only outbound to the VPS; no dependency on Cloudflare or Fastly tunnels.
  3. Cloudflare Tunnel only if you are willing to debug the 502s (ingress rules, timeouts, backend health); doc: CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md.

Summary: Fastly has no tunnel. When ports are filtered, use Tailscale Funnel, ngrok, or a self-hosted tunnel (boringproxy/Frp on a VPS) rather than relying on Cloudflare Tunnel, which often causes 502 errors in this setup.