proxmox/docs/04-configuration/THIRDWEB_RPC_CLOUDFLARE_SETUP.md

ThirdWeb RPC (VMID 2400) - Cloudflare Tunnel Setup

Last Updated: 2025-01-23
Status: Setup Guide
VMID: 2400
IP: 192.168.11.240
Domain: defi-oracle.io
FQDN: rpc.public-0138.defi-oracle.io

---

Overview

Since VMID 2400 is on a Proxmox host that doesn't have access to pve2 (192.168.11.12) where the existing Cloudflared tunnel is located, we need to install Cloudflared directly in VMID 2400 to create its own tunnel connection to Cloudflare.

Architecture:

Internet → Cloudflare → Cloudflare Tunnel (from VMID 2400) → Nginx (port 443) → Besu RPC (8545/8546)

---

Prerequisites

1. Access to Proxmox host where VMID 2400 is running
2. Access to VMID 2400 container (via pct exec 2400)
3. Cloudflare account with access to defi-oracle.io domain
4. Cloudflare Zero Trust access (free tier is sufficient)

---

Step 1: Create Cloudflare Tunnel

1.1 Create Tunnel in Cloudflare Dashboard

1. Go to: https://one.dash.cloudflare.com/
2. Navigate to: Zero Trust → Networks → Tunnels
3. Click Create a tunnel
4. Select Cloudflared as the connector type
5. Give it a name (e.g., thirdweb-rpc-2400)
6. Click Save tunnel

1.2 Copy the Tunnel Token

After creating the tunnel, you'll see a token. Copy it - you'll need it in the next step.

Token format: eyJhIjoi... (long base64 string)

---

Step 2: Install Cloudflared on VMID 2400

2.1 Access the Container

If you have SSH access to the Proxmox host:

# Replace with your Proxmox host IP
PROXMOX_HOST="192.168.11.10"  # or your Proxmox host IP

# Enter the container
ssh root@${PROXMOX_HOST} "pct exec 2400 -- bash"

If you have console access to the Proxmox host:

# List containers
pct list | grep 2400

# Enter the container
pct exec 2400 -- bash

2.2 Install Cloudflared

Once inside the container, run:

# Update package list
apt update

# Install wget if not available
apt install -y wget

# Download and install cloudflared
cd /tmp
wget -q https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
dpkg -i cloudflared-linux-amd64.deb || apt install -f -y

# Verify installation
cloudflared --version

2.3 Install Tunnel Service

Replace <TUNNEL_TOKEN> with the token you copied from Step 1.2:

# Install tunnel service with token
cloudflared service install <TUNNEL_TOKEN>

# Enable and start service
systemctl enable cloudflared
systemctl start cloudflared

# Check status
systemctl status cloudflared

2.4 Verify Tunnel is Running

# Check service status
systemctl status cloudflared --no-pager -l

# List tunnels (should show your tunnel)
cloudflared tunnel list

# Check tunnel configuration
cat /etc/cloudflared/config.yml

---

Step 3: Configure Tunnel Route in Cloudflare

3.1 Configure Public Hostname

1. Go back to Cloudflare Dashboard: Zero Trust → Networks → Tunnels
2. Click on your tunnel name (thirdweb-rpc-2400)
3. Click Configure
4. Go to Public Hostname tab
5. Click Add a public hostname

3.2 Add RPC Endpoint Configuration

For HTTP RPC:

Subdomain: rpc.public-0138
Domain: defi-oracle.io
Service Type: HTTP
URL: http://127.0.0.1:8545

Note: If you have Nginx configured on VMID 2400 with SSL on port 443, use:

URL: https://127.0.0.1:443

or

URL: http://127.0.0.1:443

3.3 Add WebSocket Support (Optional)

If you need WebSocket RPC support, you can either:

Option A: Use the same hostname (Cloudflare supports WebSocket on HTTP endpoints)

• The same rpc.public-0138.defi-oracle.io hostname will handle both HTTP and WebSocket
• Configure your Nginx to route WebSocket connections appropriately

Option B: Add a separate hostname for WebSocket:

Subdomain: rpc-ws.public-0138
Domain: defi-oracle.io
Service Type: HTTP
URL: http://127.0.0.1:8546

3.4 Save Configuration

Click Save hostname for each entry you add.

---

Step 4: Configure Nginx on VMID 2400 (If Needed)

If VMID 2400 doesn't have Nginx configured yet, you'll need to set it up to handle the RPC endpoints.

4.1 Install Nginx

# Inside VMID 2400 container
apt install -y nginx

4.2 Configure Nginx for RPC

Create Nginx configuration:

cat > /etc/nginx/sites-available/rpc-thirdweb << 'EOF'
# HTTP to HTTPS redirect (optional)
server {
    listen 80;
    listen [::]:80;
    server_name rpc.public-0138.defi-oracle.io;
    
    # Redirect all HTTP to HTTPS
    return 301 https://$host$request_uri;
}

# HTTPS server - HTTP RPC API (port 8545)
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name rpc.public-0138.defi-oracle.io;
    
    # SSL configuration (you'll need to generate certificates)
    # For Cloudflare tunnel, you can use self-signed or Cloudflare SSL
    ssl_certificate /etc/nginx/ssl/rpc.crt;
    ssl_certificate_key /etc/nginx/ssl/rpc.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    
    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    
    # Increase timeouts for RPC calls
    proxy_connect_timeout 300s;
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;
    
    # HTTP RPC endpoint (port 8545)
    location / {
        proxy_pass http://127.0.0.1:8545;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# HTTPS server - WebSocket RPC API (port 8546)
server {
    listen 8443 ssl http2;
    listen [::]:8443 ssl http2;
    server_name rpc.public-0138.defi-oracle.io;
    
    # SSL configuration
    ssl_certificate /etc/nginx/ssl/rpc.crt;
    ssl_certificate_key /etc/nginx/ssl/rpc.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    
    # WebSocket RPC endpoint (port 8546)
    location / {
        proxy_pass http://127.0.0.1:8546;
        proxy_http_version 1.1;
        
        # WebSocket headers
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # Long timeouts for WebSocket connections
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;
    }
}
EOF

# Enable the site
ln -sf /etc/nginx/sites-available/rpc-thirdweb /etc/nginx/sites-enabled/
rm -f /etc/nginx/sites-enabled/default

# Test configuration
nginx -t

# Reload Nginx
systemctl reload nginx

Note: If using Cloudflare tunnel, you can point the tunnel directly to http://127.0.0.1:8545 (bypassing Nginx) since Cloudflare handles SSL termination. In that case, Nginx is optional.

---

Step 5: Configure DNS Record

5.1 Create DNS Record in Cloudflare

1. Go to Cloudflare Dashboard: DNS → Records
2. Select domain: defi-oracle.io
3. Click Add record

5.2 Configure DNS Record

If using Cloudflare Tunnel (Recommended):

Type: CNAME
Name: rpc.public-0138
Target: <your-tunnel-id>.cfargotunnel.com
Proxy: 🟠 Proxied (orange cloud)
TTL: Auto

To find your tunnel ID:

• Go to Zero Trust → Networks → Tunnels
• Click on your tunnel name
• The tunnel ID is shown in the URL or tunnel details

Alternative: Direct A Record (If using public IP with port forwarding)

If you prefer to use a direct A record with port forwarding on the ER605 router:

Type: A
Name: rpc.public-0138
Target: <your-public-ip>
Proxy: 🟠 Proxied (recommended) or ❌ DNS only
TTL: Auto

Then configure port forwarding on ER605:

• External Port: 443
• Internal IP: 192.168.11.240
• Internal Port: 443
• Protocol: TCP

---

Step 6: Verify Setup

6.1 Check Tunnel Status

# Inside VMID 2400 container
systemctl status cloudflared
cloudflared tunnel list

6.2 Test DNS Resolution

# From your local machine
dig rpc.public-0138.defi-oracle.io
nslookup rpc.public-0138.defi-oracle.io

# Should resolve to Cloudflare IPs (if proxied) or your public IP

6.3 Test RPC Endpoint

# Test HTTP RPC endpoint
curl -k https://rpc.public-0138.defi-oracle.io \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Test WebSocket (using wscat)
wscat -c wss://rpc.public-0138.defi-oracle.io

---

Troubleshooting

Tunnel Not Connecting

# Check cloudflared logs
journalctl -u cloudflared -f

# Check tunnel status
cloudflared tunnel list

# Verify tunnel token
cat /etc/cloudflared/credentials.json

DNS Not Resolving

1. Verify DNS record is created correctly in Cloudflare
2. Wait a few minutes for DNS propagation
3. Check if tunnel is healthy in Cloudflare Dashboard

Connection Refused

# Check if Besu RPC is running
systemctl status besu-rpc

# Test Besu RPC locally
curl -X POST http://127.0.0.1:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

# Check Nginx (if using)
systemctl status nginx
nginx -t

SSL Certificate Issues

If using Nginx with SSL, you may need to generate certificates. For Cloudflare tunnel, SSL is handled by Cloudflare, so you can use HTTP internally.

---

Summary

After completing these steps:

✅ Cloudflared installed on VMID 2400
✅ Cloudflare tunnel created and connected
✅ Tunnel route configured for rpc.public-0138.defi-oracle.io
✅ DNS record created (CNAME to tunnel)
✅ RPC endpoint accessible at https://rpc.public-0138.defi-oracle.io

Next Steps:

• Verify the endpoint works with Thirdweb SDK
• Update Thirdweb listing with the new RPC URL
• Monitor tunnel status and logs

---

Related Documentation

• RPC_DNS_CONFIGURATION.md - DNS configuration overview
• THIRDWEB_RPC_SETUP.md - ThirdWeb RPC node setup guide
• CLOUDFLARE_TUNNEL_CONFIGURATION_GUIDE.md - General tunnel configuration