# Edge Routing Master Reference (Fastly / Direct to NPMplus)

Navigation: Home > Network > Edge Routing Master
Last Updated: 2026-02-06
Document Version: 2.1
Status: Active Documentation
## Overview

This is the authoritative reference for public edge routing. Web and API hostnames: Fastly (Option A) or DNS direct to 76.53.10.36 (Option C) → UDM Pro → NPMplus. RPC (6 hostnames): Option B, Cloudflare Tunnel (cloudflared) → NPMplus at https://192.168.11.167:443; DNS for those 6 hostnames is a CNAME to the tunnel. See OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md and ../04-configuration/cloudflare/TUNNEL_SFVALLEY01_INSTALL.md. Cloudflare Tunnel is deprecated for primary web ingress (it produced 502 errors when carrying all traffic); Option B uses the tunnel for RPC only. Cloudflare DNS is retained for all public hostnames.

Current edge: UDM Pro (76.53.10.34). Origin for public traffic: 76.53.10.36. Port forward: 76.53.10.36:80/443 → NPMplus (192.168.11.167:80/443). Proxmox hosts: 192.168.11.10–12. See NETWORK_CONFIGURATION_MASTER.md.

Pre-requisite: verify that 76.53.10.36:80 and :443 are reachable from the internet before using Fastly or direct routing; see EDGE_PORT_VERIFICATION_RUNBOOK.md.
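The pre-requisite above has two parts worth checking separately: that the UDM Pro port forward actually answers on 80/443 from outside, and that NPMplus behind it routes each public hostname (correct certificate for the SNI, no 5xx for the Host header). The probe below is an added example written for this runbook, not code from the project or from EDGE_PORT_VERIFICATION_RUNBOOK.md; ORIGIN_IP and the three hostnames are taken from this document, and the function names, return shape and pass/fail wording are the example's own assumptions. Run it from a host outside the LAN.

```python
"""Phase 0 edge probe: is the origin open on 80/443, and does NPMplus route by hostname?

Added example for this runbook, not code from the project. ORIGIN_IP and the
hostnames come from this document; everything else is an assumption of the example.
"""
import socket
import ssl

ORIGIN_IP = "76.53.10.36"            # public origin behind the UDM Pro (from the document)
PROBE_HOSTNAMES = [                  # web hostnames taken from the NPMplus routing table
    "explorer.d-bis.org",
    "dbis-api.d-bis.org",
    "mim4u.org",
]


def tcp_open(ip, port, timeout=3.0):
    """True if a plain TCP handshake to ip:port completes (the port-forward check)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_status_line(raw):
    """Return the numeric status from an HTTP response's first line, or None if malformed."""
    first = raw.split(b"\r\n", 1)[0]
    parts = first.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def probe_hostname(hostname, ip=ORIGIN_IP, port=443, timeout=5.0):
    """Connect to the origin IP with SNI=hostname, validate the presented certificate
    against that hostname, then send a GET with a matching Host header.
    Returns {"tls": "ok" | "cert_error" | "fail", "status": int | None}."""
    ctx = ssl.create_default_context()   # full chain + hostname verification
    request = (f"GET / HTTP/1.1\r\nHost: {hostname}\r\n"
               f"Connection: close\r\n\r\n").encode()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                tls.sendall(request)
                raw = tls.recv(4096)
        return {"tls": "ok", "status": parse_status_line(raw)}
    except ssl.SSLCertVerificationError:
        return {"tls": "cert_error", "status": None}
    except (OSError, ssl.SSLError):
        return {"tls": "fail", "status": None}


def classify(result):
    """Map a probe result onto pass/fail wording for the runbook checklist."""
    if result["tls"] == "fail":
        return "FAIL: no TLS handshake (port filtered or forward missing)"
    if result["tls"] == "cert_error":
        return "FAIL: reachable, but certificate does not match this hostname"
    status = result["status"]
    if status is None or status >= 500:
        return "FAIL: reachable, but NPMplus did not route this hostname"
    return f"OK: HTTP {status}"


if __name__ == "__main__":
    for port in (80, 443):
        print(f"{ORIGIN_IP}:{port} open: {tcp_open(ORIGIN_IP, port)}")
    for name in PROBE_HOSTNAMES:
        print(f"{name}: {classify(probe_hostname(name))}")
```

A "no TLS handshake" result on 443 while `tcp_open` reports the port open points at the forward or NPMplus rather than the ISP; a certificate error means the edge is reachable but NPMplus is serving the wrong certificate for that SNI; a 5xx means the proxy host for that hostname is missing or its backend is down.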
ISP port filtering (e.g. Spectrum Business): if your ISP filters common ports (21, 22, 80, 443), note that Fastly does not offer tunnels. Use an outbound-only tunnel (e.g. Tailscale Funnel, ngrok, or self-hosted boringproxy/Frp); Cloudflare Tunnel has often caused 502 errors in this project, so prefer the alternatives. See ISP port filtering (Spectrum and tunnels) below.
## Architecture Overview

### Primary: Fastly or Direct to NPMplus

```
Internet → Cloudflare DNS → Fastly (Option A) or 76.53.10.36 (Option C)
        → UDM Pro (76.53.10.36:80/443) → NPMplus (192.168.11.167) → Internal Services
```

- Fastly (Option A): CNAME from each public hostname to Fastly; Fastly backend = 76.53.10.36. Forward the original Host header so NPMplus can route by hostname; enable WebSocket for RPC/WS.
- Direct (Option C): A records to 76.53.10.36; Cloudflare proxy on or off. No CDN; single point of failure at the edge.
- NPMplus (VMID 10233 at 192.168.11.167) is the single proxy/director; all domain routing and WebSocket handling are configured there.
### Option B: Cloudflare Tunnel for RPC (active)

The 6 RPC HTTP hostnames use Cloudflare Tunnel: CNAME to <tunnel-id>.cfargotunnel.com; cloudflared (e.g. VMID 102) → NPMplus https://192.168.11.167:443 (No TLS Verify, i.e. cloudflared does not validate the NPMplus certificate on the LAN hop). Runbook: OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md. Connector install: ../04-configuration/cloudflare/TUNNEL_SFVALLEY01_INSTALL.md.

### Deprecated: Tunnel for all public ingress

Using Cloudflare Tunnel for all public hostnames (web + RPC) caused 502 errors. The tunnel is now used only for RPC (Option B). Legacy tunnel docs: CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md, CENTRAL_NGINX_ROUTING_SETUP.md.
## Routing Rules (NPMplus)

All public hostnames are routed by NPMplus (192.168.11.167) by hostname. Key mappings (see RPC_ENDPOINTS_MASTER.md for the full list):

| Domain / type | NPMplus → | Backend |
|---|---|---|
| rpc-http-pub.d-bis.org, rpc.d-bis.org, rpc2.d-bis.org | HTTP 192.168.11.221:8545 | Besu Public RPC (2201) |
| rpc-ws-pub.d-bis.org, ws.rpc.d-bis.org, ws.rpc2.d-bis.org | WS 192.168.11.221:8546 | Besu Public RPC (2201) |
| rpc-http-prv.d-bis.org, rpc-ws-prv.d-bis.org | 192.168.11.211:8545/8546 | Besu Core RPC (2101) |
| explorer.d-bis.org | 192.168.11.140:80, :4000 | Blockscout (5000) |
| dbis-admin.d-bis.org, dbis-api.d-bis.org, dbis-api-2.d-bis.org | 192.168.11.130/:155/:156 | DBIS services |
| mim4u.org, www.mim4u.org | 192.168.11.37:80 | MIM4U (7810) |
| rpc.defi-oracle.io, wss.defi-oracle.io | 192.168.11.221 or 192.168.11.240 | RPC / ThirdWeb |

WebSocket support must be enabled in NPMplus for all RPC/WS hostnames. No JWT or access lists on public RPC proxy hosts.
## Fastly Configuration (Option A)

- Backend: 76.53.10.36 (or a hostname resolving to it). TLS to origin recommended; forward Host/SNI.
- WebSocket: enable for RPC WebSocket hostnames; no caching on those paths.
- Caching: bypass for /api, RPC and WebSocket; cache static assets if desired.
- Origin health and lock-down: configure health checks; optionally enable origin shield and restrict inbound 80/443 on the UDM Pro to Fastly egress IPs so that traffic cannot bypass the CDN and hit the origin directly.
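Restricting the UDM Pro to Fastly egress IPs is only useful if the allow-list is kept in step with Fastly's published ranges and if direct hits that slip through are noticed. The script below is an added example, not part of this runbook or the project's tooling: it parses a JSON document in the shape Fastly publishes at https://api.fastly.com/public-ip-list (keys `addresses` and `ipv6_addresses`), renders a reviewable allow-list for 76.53.10.36:80/443, and scans NPMplus-style access log lines for web requests whose client IP is outside those ranges. The CIDRs and log lines are constructed samples, not Fastly's real ranges or this project's logs; the rule wording is generic, not UniFi syntax, and the log format assumes `$host` was appended as the last quoted field.

```python
"""Origin lock-down for Option A: only Fastly egress ranges should reach 76.53.10.36:80/443.

Added example, not from the runbook. SAMPLE_IP_LIST is a constructed stand-in for the JSON
Fastly publishes at https://api.fastly.com/public-ip-list; SAMPLE_LOG is constructed too.
"""
import ipaddress
import json
import re

# Constructed sample in the shape of Fastly's public-ip-list response (NOT the real ranges).
SAMPLE_IP_LIST = json.dumps({
    "addresses": ["203.0.113.0/24", "198.51.100.0/25"],
    "ipv6_addresses": ["2001:db8:1::/48"],
})

ORIGIN_IP = "76.53.10.36"   # from the document


def load_ranges(ip_list_json):
    """Parse the public-ip-list JSON into ip_network objects (IPv4 and IPv6)."""
    data = json.loads(ip_list_json)
    cidrs = data.get("addresses", []) + data.get("ipv6_addresses", [])
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed_source(ip, ranges):
    """True if the client address falls inside any published Fastly range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)   # mixed v4/v6 comparisons are simply False


def firewall_rules(ranges, dest_ip=ORIGIN_IP, ports=(80, 443)):
    """Render one generic allow rule per CIDR/port for review before entering it on the
    UDM Pro. Illustrative wording (assumption of the example), not UniFi's rule syntax."""
    return [f"allow tcp from {net} to {dest_ip} port {p}" for net in ranges for p in ports]


# Constructed NPMplus/nginx-style access log: client IP first, "$host" as the final quoted field.
SAMPLE_LOG = """\
203.0.113.45 - - [06/Feb/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "explorer.d-bis.org"
198.51.100.7 - - [06/Feb/2026:10:01:05 +0000] "GET /v1/health HTTP/1.1" 200 98 "dbis-api.d-bis.org"
192.0.2.200 - - [06/Feb/2026:10:02:11 +0000] "GET /admin HTTP/1.1" 404 153 "dbis-admin.d-bis.org"
2001:db8:1::beef - - [06/Feb/2026:10:03:00 +0000] "GET / HTTP/1.1" 200 512 "mim4u.org"
"""

LOG_RE = re.compile(r'^(\S+) .*? "[A-Z]+ (\S+) [^"]*" (\d{3}) \d+ "([^"]*)"$')


def find_bypass(log_text, ranges):
    """Return (client_ip, hostname, path) for each request that did not arrive via Fastly.
    Any hit means the edge allow-list is not (or no longer) enforced."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines in another format
        ip, path, _status, host = m.groups()
        if not is_allowed_source(ip, ranges):
            hits.append((ip, host, path))
    return hits


if __name__ == "__main__":
    ranges = load_ranges(SAMPLE_IP_LIST)
    for rule in firewall_rules(ranges):
        print(rule)
    for ip, host, path in find_bypass(SAMPLE_LOG, ranges):
        print(f"direct-to-origin request: {ip} -> {host}{path}")
```

Because Fastly changes its ranges over time, re-fetch the list on a schedule and diff `firewall_rules()` output against the rules actually on the UDM Pro; a non-empty `find_bypass()` result after the allow-list is in place means the rule is not matching the interface or protocol you expected.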
## ISP port filtering (Spectrum and tunnels)

If your internet provider (e.g. Spectrum Business) filters or blocks common ports (21, 22, 80, 443), the following applies.

### Fastly does not have tunnels

- Fastly is a pull CDN: it connects to your origin on ports 80/443. It does not provide an outbound-only tunnel (no product like Cloudflare Tunnel).
- Fastly Origin Connect is a physical cross-connect (fiber/BGP in a datacenter), not a software tunnel; it does not solve residential/small-business ISP port filtering.
- If 80/443 are filtered (inbound or outbound), Fastly cannot reach 76.53.10.36, so Fastly is not usable as the edge for your origin.
### Tunnel options when ports are filtered (Cloudflare often 502)

When the ISP blocks 80/443, you need an outbound-only tunnel. Cloudflare Tunnel is often problematic here (502 errors in this project), so prefer one of the alternatives below. Fastly has no tunnel product.

| Option | How it works | Pros / cons |
|---|---|---|
| Tailscale Funnel | Run `tailscale funnel <port>` on the host; outbound to Tailscale, no inbound 80/443. Public URL like https://<device>.ts.net. | Simple, automatic HTTPS, no port forward. Requires a Tailscale account and MagicDNS; good if you already use Tailscale. |
| ngrok | Run the ngrok agent; outbound tunnel to the ngrok edge. Public URL (or custom domain on paid plans). | Mature, widely used; free tier has limits and ngrok-branded URLs. Paid for custom domains and higher limits. |
| Self-hosted (boringproxy, Frp, Rathole) | Run the tunnel server on a VPS (where ports are not filtered); run the client at the origin; the origin only makes outbound connections to the VPS. | Full control, your domain, no Cloudflare. Requires a small VPS (or other unfiltered host) to run the tunnel server. |
| Cloudflare Tunnel (cloudflared) | Origin runs cloudflared; outbound to Cloudflare. | No inbound ports; this repo has config. Often causes 502 errors here; deprecated for that reason. See CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md if you want to retry and debug. |
Recommendation when Spectrum (or similar) filters 21/22/80/443:

- First try: Tailscale Funnel (if you use Tailscale) or ngrok (quick to try).
- For production / custom domains: self-hosted tunnel (e.g. boringproxy or Frp on a VPS); the origin runs the client, only outbound to the VPS; no dependency on Cloudflare or Fastly tunnels.
- Cloudflare Tunnel only if you are willing to debug the 502s (ingress rules, timeouts, backend health); doc: CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md.

Summary: Fastly has no tunnel. When ports are filtered, use Tailscale Funnel, ngrok, or a self-hosted tunnel (boringproxy/Frp on a VPS) rather than relying on Cloudflare Tunnel, which often causes 502 errors in this setup.
## Related Documentation

- E2E_CLOUDFLARE_DOMAINS_RUNBOOK.md – E2E success for all Cloudflare-facing endpoints (DNS, SSL, HTTP, RPC, WebSocket)
- EDGE_PORT_VERIFICATION_RUNBOOK.md – Phase 0: verify 76.53.10.36:80/443 from internet
- RPC_PUBLIC_ENDPOINT_ROUTING.md – Public RPC path and NPMplus config
- ../11-references/NETWORK_CONFIGURATION_MASTER.md – Network and DNS
- ../04-configuration/NPMPLUS_HA_SETUP_GUIDE.md – NPMplus HA (Keepalived/HAProxy)
- ../04-configuration/cloudflare/CLOUDFLARE_TUNNEL_502_FIX_RUNBOOK.md – Fix Tunnel 502s (confirm location, verify ingress, align to NPMplus)
- CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md – Deprecated tunnel reference
- CENTRAL_NGINX_ROUTING_SETUP.md – Deprecated VMID 105 Nginx reference (replaced by NPMplus)