Files

defiQUG cb47cce074 Complete markdown files cleanup and organization

- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.

2026-01-06 01:46:25 -08:00

12 KiB

Raw Blame History

RPC DNS Configuration for d-bis.org and defi-oracle.io

Last Updated: 2025-01-23
Status: Active Configuration

Overview

DNS configuration for RPC endpoints with Nginx SSL termination on port 443.

Architecture:

d-bis.org domain (Direct A records):

Internet → DNS (A records) → Nginx (port 443) → Besu RPC (8545/8546)

defi-oracle.io domain (Cloudflare Tunnel):

Internet → DNS (CNAME) → Cloudflare Tunnel → VMID 2400 → Nginx (port 443) → Besu RPC (8545/8546)

All HTTPS traffic arrives on port 443, and Nginx routes to the appropriate backend port based on the domain name (Server Name Indication - SNI). For VMID 2400, traffic flows through Cloudflare Tunnel first.

DNS Records Configuration

Cloudflare DNS Records

Important: A records in DNS do NOT include port numbers. All traffic comes to port 443 (HTTPS), and Nginx handles routing to the backend ports.

Permissioned RPC (VMID 2501 - 192.168.11.251) - JWT Authentication Required

Type	Name	Target	Proxy	Notes
A	`rpc-http-prv`	`192.168.11.251`	🟠 Proxied (optional)	HTTP RPC endpoint (JWT auth required)
A	`rpc-ws-prv`	`192.168.11.251`	🟠 Proxied (optional)	WebSocket RPC endpoint (JWT auth required)

DNS Configuration:

Type: A
Name: rpc-http-prv
Target: 192.168.11.251
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)

Type: A
Name: rpc-ws-prv
Target: 192.168.11.251
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)

Note: These endpoints require JWT token authentication. See RPC_JWT_AUTHENTICATION.md for details.

Public RPC (VMID 2502 - 192.168.11.252) - No Authentication

Type	Name	Target	Proxy	Notes
A	`rpc-http-pub`	`192.168.11.252`	🟠 Proxied (optional)	HTTP RPC endpoint (public, no auth)
A	`rpc-ws-pub`	`192.168.11.252`	🟠 Proxied (optional)	WebSocket RPC endpoint (public, no auth)

DNS Configuration:

Type: A
Name: rpc-http-pub
Target: 192.168.11.252
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)

Type: A
Name: rpc-ws-pub
Target: 192.168.11.252
TTL: Auto
Proxy: 🟠 Proxied (recommended for DDoS protection)

DNS Records Configuration for defi-oracle.io Domain

Note: The defi-oracle.io domain is used specifically for ThirdWeb RPC nodes and Thirdweb listing integration.

ThirdWeb RPC (VMID 2400 - 192.168.11.240) - defi-oracle.io Domain

Note: VMID 2400 uses Cloudflare Tunnel, so DNS records use CNAME (not A records).

Type	Name	Domain	Target	Proxy	Notes
CNAME	`rpc.public-0138`	`defi-oracle.io`	`26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com`	🟠 Proxied	Tunnel endpoint for ThirdWeb RPC
CNAME	`rpc`	`defi-oracle.io`	`rpc.public-0138.defi-oracle.io`	🟠 Proxied	Short alias for ThirdWeb RPC

DNS Configuration:

Record 1: Tunnel Endpoint

Type: CNAME
Name: rpc.public-0138
Domain: defi-oracle.io
Target: 26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com
TTL: Auto
Proxy: 🟠 Proxied (required for tunnel)

Record 2: Short Alias

Type: CNAME
Name: rpc
Domain: defi-oracle.io
Target: rpc.public-0138.defi-oracle.io
TTL: Auto
Proxy: 🟠 Proxied (required for tunnel)

Full FQDNs:

rpc.public-0138.defi-oracle.io (primary endpoint)
rpc.defi-oracle.io (short alias)

DNS Structure:

rpc.defi-oracle.io
    ↓ (CNAME)
rpc.public-0138.defi-oracle.io
    ↓ (CNAME)
26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com
    ↓ (Cloudflare Tunnel)
192.168.11.240 (VMID 2400)

Note: This endpoint is used for the Thirdweb listing for ChainID 138. Traffic flows through Cloudflare Tunnel to VMID 2400, where Nginx handles SSL termination and routes to Besu RPC (port 8545 for HTTP, port 8546 for WebSocket).

How It Works

Request Flow

Client makes request to https://rpc-http-prv.d-bis.org (permissioned) or https://rpc-http-pub.d-bis.org (public)
DNS resolves to appropriate IP (A record)
HTTPS connection established on port 443 (standard HTTPS port)
Nginx receives request on port 443
Nginx uses Server Name Indication (SNI) to identify domain:
- rpc-http-pub.d-bis.org → proxies to 127.0.0.1:8545 (HTTP RPC)
- rpc-ws-pub.d-bis.org → proxies to 127.0.0.1:8546 (WebSocket RPC)
- rpc-http-prv.d-bis.org → proxies to 127.0.0.1:8545 (HTTP RPC)
- rpc-ws-prv.d-bis.org → proxies to 127.0.0.1:8546 (WebSocket RPC)
- rpc.public-0138.defi-oracle.io → Cloudflare Tunnel → VMID 2400 → proxies to 127.0.0.1:8545 (HTTP RPC) or 127.0.0.1:8546 (WebSocket RPC)
- rpc.defi-oracle.io → CNAME → rpc.public-0138.defi-oracle.io → Cloudflare Tunnel → VMID 2400 → proxies to 127.0.0.1:8545 (HTTP RPC) or 127.0.0.1:8546 (WebSocket RPC)
Besu RPC processes request and returns response
Nginx forwards response back to client

Port Mapping

Domain	DNS Target	Nginx Port	Backend Port	Service	Auth
`rpc-http-prv.d-bis.org`	`192.168.11.251`	443 (HTTPS)	8545	HTTP RPC	✅ JWT Required
`rpc-ws-prv.d-bis.org`	`192.168.11.251`	443 (HTTPS)	8546	WebSocket RPC	✅ JWT Required
`rpc-http-pub.d-bis.org`	`192.168.11.252`	443 (HTTPS)	8545	HTTP RPC	❌ No Auth
`rpc-ws-pub.d-bis.org`	`192.168.11.252`	443 (HTTPS)	8546	WebSocket RPC	❌ No Auth
`rpc.public-0138.defi-oracle.io`	Cloudflare Tunnel → `192.168.11.240`	443 (HTTPS)	8545/8546	HTTP/WS RPC	❌ No Auth
`rpc.defi-oracle.io`	CNAME → `rpc.public-0138` → Cloudflare Tunnel → `192.168.11.240`	443 (HTTPS)	8545/8546	HTTP/WS RPC	❌ No Auth

Note: DNS A records only contain IP addresses. Port numbers are handled by:

Port 443: Standard HTTPS port (handled automatically by browsers/clients)
Backend ports (8545/8546): Configured in Nginx server blocks

Testing

Test DNS Resolution

# Test DNS resolution
dig rpc-http-pub.d-bis.org
nslookup rpc-http-pub.d-bis.org

# Should resolve to: 192.168.11.251

Test HTTPS Endpoints

# Test HTTP RPC endpoint (port 443)
curl -k https://rpc-http-pub.d-bis.org/health
curl -k -X POST https://rpc-http-pub.d-bis.org \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test WebSocket RPC endpoint (port 443)
# Use wscat or similar WebSocket client
wscat -c wss://rpc-ws-pub.d-bis.org

Test Direct IP Access (for troubleshooting)

# Test Nginx directly on container IP
curl -k https://192.168.11.251/health
curl -k https://192.168.11.252/health

# Test backend Besu RPC directly (bypassing Nginx)
curl -X POST http://192.168.11.251:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

Cloudflare Proxy Settings

When to Use Proxy (🟠 Proxied)

Recommended for:

DDoS protection
CDN caching (though RPC responses shouldn't be cached)
SSL/TLS termination at Cloudflare edge
Hiding origin server IP

Considerations:

Cloudflare may cache some responses (disable caching for RPC)
Additional latency (usually minimal)
WebSocket support requires Cloudflare WebSocket passthrough

When to Use DNS Only (❌ DNS only)

Use when:

Direct IP access needed
Cloudflare proxy causes issues
Testing/debugging
Internal network access

Nginx Configuration Summary

The Nginx configuration on each container:

VMID 2501 (Permissioned RPC):

Listens on port 443 (HTTPS)
rpc-http-prv.d-bis.org → proxies to 127.0.0.1:8545 (JWT auth required)
rpc-ws-prv.d-bis.org → proxies to 127.0.0.1:8546 (JWT auth required)

VMID 2502 (Public RPC):

Listens on port 443 (HTTPS)
rpc-http-pub.d-bis.org → proxies to 127.0.0.1:8545 (no auth)
rpc-ws-pub.d-bis.org → proxies to 127.0.0.1:8546 (no auth)

VMID 2400 (ThirdWeb RPC - Cloudflare Tunnel):

Cloudflare Tunnel endpoint: 26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com
Nginx listens on port 443 (HTTPS) inside container
rpc.public-0138.defi-oracle.io → Cloudflare Tunnel → proxies to 127.0.0.1:8545 (HTTP RPC, no auth) or 127.0.0.1:8546 (WebSocket RPC, no auth)
rpc.defi-oracle.io → CNAME → rpc.public-0138.defi-oracle.io → Cloudflare Tunnel → proxies to 127.0.0.1:8545 (HTTP RPC, no auth) or 127.0.0.1:8546 (WebSocket RPC, no auth)
Uses defi-oracle.io domain (Cloudflare Tunnel) for Thirdweb listing integration

Troubleshooting

DNS Not Resolving

# Check DNS resolution
dig rpc-http-pub.d-bis.org
nslookup rpc-http-pub.d-bis.org

# Verify DNS records in Cloudflare dashboard

Connection Refused

# Check if Nginx is running
ssh root@192.168.11.10 "pct exec 2501 -- systemctl status nginx"

# Check if port 443 is listening
ssh root@192.168.11.10 "pct exec 2501 -- ss -tuln | grep 443"

# Check Nginx configuration
ssh root@192.168.11.10 "pct exec 2501 -- nginx -t"

SSL Certificate Issues

# Check SSL certificate
ssh root@192.168.11.10 "pct exec 2501 -- openssl x509 -in /etc/nginx/ssl/rpc.crt -text -noout"

# Test SSL connection
openssl s_client -connect rpc-http-pub.d-bis.org:443 -servername rpc-http-pub.d-bis.org

Backend Connection Issues

# Test backend Besu RPC directly
curl -X POST http://192.168.11.251:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Check Besu service status
ssh root@192.168.11.10 "pct exec 2501 -- systemctl status besu-rpc"

CLOUDFLARE_DNS_SPECIFIC_SERVICES.md - General DNS configuration
NGINX_ARCHITECTURE_RPC.md - Nginx architecture details
CLOUDFLARE_NGINX_INTEGRATION.md - Cloudflare + Nginx integration

Quick Reference

DNS Records to Create:

d-bis.org domain:

rpc-http-prv.d-bis.org → A → 192.168.11.251 (Permissioned, JWT auth required)
rpc-ws-prv.d-bis.org → A → 192.168.11.251 (Permissioned, JWT auth required)
rpc-http-pub.d-bis.org → A → 192.168.11.252 (Public, no auth)
rpc-ws-pub.d-bis.org → A → 192.168.11.252 (Public, no auth)

defi-oracle.io domain (ThirdWeb RPC - Cloudflare Tunnel):

rpc.public-0138.defi-oracle.io → CNAME → 26138c21-db00-4a02-95db-ec75c07bda5b.cfargotunnel.com (Tunnel endpoint)
rpc.defi-oracle.io → CNAME → rpc.public-0138.defi-oracle.io (Short alias)

Endpoints:

d-bis.org domain:

https://rpc-http-prv.d-bis.org → Permissioned HTTP RPC (port 443 → 8545, JWT auth required)
wss://rpc-ws-prv.d-bis.org → Permissioned WebSocket RPC (port 443 → 8546, JWT auth required)
https://rpc-http-pub.d-bis.org → Public HTTP RPC (port 443 → 8545, no auth)
wss://rpc-ws-pub.d-bis.org → Public WebSocket RPC (port 443 → 8546, no auth)

defi-oracle.io domain (ThirdWeb RPC - Cloudflare Tunnel):

https://rpc.public-0138.defi-oracle.io → ThirdWeb HTTP RPC (Cloudflare Tunnel → port 443 → 8545, no auth)
wss://rpc.public-0138.defi-oracle.io → ThirdWeb WebSocket RPC (Cloudflare Tunnel → port 443 → 8546, no auth)
https://rpc.defi-oracle.io → ThirdWeb HTTP RPC (CNAME → Cloudflare Tunnel → port 443 → 8545, no auth)
wss://rpc.defi-oracle.io → ThirdWeb WebSocket RPC (CNAME → Cloudflare Tunnel → port 443 → 8546, no auth)

12 KiB Raw Blame History

RPC DNS Configuration for d-bis.org and defi-oracle.io

Overview

DNS Records Configuration

Cloudflare DNS Records

Permissioned RPC (VMID 2501 - 192.168.11.251) - JWT Authentication Required

Public RPC (VMID 2502 - 192.168.11.252) - No Authentication

DNS Records Configuration for defi-oracle.io Domain

ThirdWeb RPC (VMID 2400 - 192.168.11.240) - defi-oracle.io Domain

How It Works

Request Flow

Port Mapping

Testing

Test DNS Resolution

Test HTTPS Endpoints

Test Direct IP Access (for troubleshooting)

Cloudflare Proxy Settings

When to Use Proxy (🟠 Proxied)

When to Use DNS Only (❌ DNS only)

Nginx Configuration Summary

Troubleshooting

DNS Not Resolving

Connection Refused

SSL Certificate Issues

Backend Connection Issues

Related Documentation

Quick Reference

12 KiB

Raw Blame History