proxmox/docs/05-network/CLOUDFLARE_ROUTING_MASTER.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00
# Edge Routing Master Reference (Fastly / Direct to NPMplus)
**Navigation:** [Home](01-getting-started/README.md) > [Network](05-network/README.md) > Edge Routing Master
**Last Updated:** 2026-02-06
**Document Version:** 2.1
**Status:** Active Documentation
---
## Overview
This is the **authoritative reference** for public edge routing. **Web/API:** **Fastly** (Option A) or **DNS direct to 76.53.10.36** (Option C) → UDM Pro → NPMplus. **RPC (6 hostnames):** **Option B**, Cloudflare Tunnel (cloudflared) → NPMplus https://192.168.11.167:443; DNS for those 6 hostnames is a CNAME to the tunnel. See [OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md](OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md) and [../04-configuration/cloudflare/TUNNEL_SFVALLEY01_INSTALL.md](../04-configuration/cloudflare/TUNNEL_SFVALLEY01_INSTALL.md). Cloudflare Tunnel is deprecated for **primary web** ingress (it produced 502 errors when it carried all traffic); Option B uses the tunnel for RPC only. Cloudflare DNS is retained for all public hostnames.
**Current edge:** UDM Pro (76.53.10.34). Origin for public traffic: **76.53.10.36**. Port forward: 76.53.10.36:80/443 → NPMplus (192.168.11.167:80/443). Proxmox hosts: 192.168.11.1012. See [NETWORK_CONFIGURATION_MASTER.md](../11-references/NETWORK_CONFIGURATION_MASTER.md).
**Pre-requisite:** Verify 76.53.10.36:80 and :443 are open from the internet before using Fastly or direct; see [EDGE_PORT_VERIFICATION_RUNBOOK.md](EDGE_PORT_VERIFICATION_RUNBOOK.md).
**ISP port filtering (e.g. Spectrum Business):** If your ISP filters common ports (21, 22, 80, 443), Fastly **does not offer tunnels**. Use an **outbound-only tunnel** (e.g. Tailscale Funnel, ngrok, or self-hosted boringproxy/Frp); **Cloudflare Tunnel often causes 502 errors** in this project, so prefer the alternatives. See [ISP port filtering (Spectrum and tunnels)](#isp-port-filtering-spectrum-and-tunnels) below.
---
## Architecture Overview
### Primary: Fastly or Direct to NPMplus
```
Internet → Cloudflare DNS → Fastly (Option A) or 76.53.10.36 (Option C)
→ UDM Pro (76.53.10.36:80/443) → NPMplus (192.168.11.167) → Internal Services
```
- **Fastly (Option A):** CNAME from each public hostname to Fastly; Fastly backend = 76.53.10.36. Forward original Host so NPMplus can route by hostname; enable WebSocket for RPC/WS.
- **Direct (Option C):** A records to 76.53.10.36; Cloudflare proxy on or off. No CDN; single point of failure at edge.
- **NPMplus** (VMID 10233 at 192.168.11.167) is the single proxy/director; all domain routing and WebSocket handling are configured there.
### Option B: Cloudflare Tunnel for RPC (active)
The **6 RPC HTTP hostnames** use Cloudflare Tunnel: CNAME to `<tunnel-id>.cfargotunnel.com`; cloudflared (e.g. VMID 102) → NPMplus https://192.168.11.167:443 (No TLS Verify). Runbook: [OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md](OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md). Connector install: [../04-configuration/cloudflare/TUNNEL_SFVALLEY01_INSTALL.md](../04-configuration/cloudflare/TUNNEL_SFVALLEY01_INSTALL.md).
### Deprecated: Tunnel for all public ingress
Using Cloudflare Tunnel for **all** public hostnames (web + RPC) caused 502 errors. Tunnel is now used only for RPC (Option B). Legacy tunnel docs: [CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md](CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md), [CENTRAL_NGINX_ROUTING_SETUP.md](CENTRAL_NGINX_ROUTING_SETUP.md).
---
## Routing Rules (NPMplus)
All public hostnames are routed by **NPMplus** (192.168.11.167) by hostname. Key mappings (see [RPC_ENDPOINTS_MASTER.md](../04-configuration/RPC_ENDPOINTS_MASTER.md) for full list):
| Domain / type | NPMplus → | Backend |
|---------------|-----------|---------|
| `rpc-http-pub.d-bis.org`, `rpc.d-bis.org`, `rpc2.d-bis.org` | HTTP 192.168.11.221:8545 | Besu Public RPC (2201) |
| `rpc-ws-pub.d-bis.org`, `ws.rpc.d-bis.org`, `ws.rpc2.d-bis.org` | WS 192.168.11.221:8546 | Besu Public RPC (2201) |
| `rpc-http-prv.d-bis.org`, `rpc-ws-prv.d-bis.org` | 192.168.11.211:8545/8546 | Besu Core RPC (2101) |
| `explorer.d-bis.org` | 192.168.11.140:80, :4000 | Blockscout (5000) |
| `dbis-admin.d-bis.org`, `dbis-api.d-bis.org`, `dbis-api-2.d-bis.org` | 192.168.11.130/:155/:156 | DBIS services |
| `mim4u.org`, `www.mim4u.org` | 192.168.11.37:80 | MIM4U (7810) |
| `rpc.defi-oracle.io`, `wss.defi-oracle.io` | 192.168.11.221 or 192.168.11.240 | RPC / ThirdWeb |
WebSocket support must be enabled in NPMplus for all RPC/WS hostnames. No JWT or access lists on public RPC proxy hosts.
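Added check script (not part of the original doc or the project's tooling) covering the Phase 0 pre-requisite above (76.53.10.36:80/443 reachable) and the hostname/WebSocket routing rules in this table: it connects to the origin IP while presenting each public hostname as SNI and Host, which is exactly what Fastly with Host forwarding or a direct A record does, so a 502 here means NPMplus answered but could not reach its backend. It assumes Python 3 and outbound internet; `HOSTS` is a constructed subset of the table.

```python
"""Probe the public edge path: Phase 0 port check, then one request per hostname
sent to the origin IP with that hostname as SNI + Host (as Fastly/direct would)."""
import socket
import ssl

ORIGIN = "76.53.10.36"  # public origin from this doc (UDM Pro forward -> NPMplus)
# Constructed subset of the NPMplus routing table: hostname -> "http" or "ws".
HOSTS = {"rpc-http-pub.d-bis.org": "http", "rpc-ws-pub.d-bis.org": "ws", "explorer.d-bis.org": "http"}

def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect; False on refusal, ISP filtering or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def build_request(hostname: str, kind: str) -> bytes:
    """GET / carrying the public Host header; WS hosts also send the Upgrade handshake."""
    hdrs = ["GET / HTTP/1.1", f"Host: {hostname}", "Connection: close"]
    if kind == "ws":
        hdrs[2] = "Connection: Upgrade"
        hdrs += ["Upgrade: websocket", "Sec-WebSocket-Version: 13",
                 "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ=="]  # RFC 6455 sample key
    return ("\r\n".join(hdrs) + "\r\n\r\n").encode()

def parse_status(raw: bytes) -> int:
    """HTTP status code from a raw response; 0 if the status line is unparsable."""
    parts = raw.split(b"\r\n", 1)[0].split()
    return int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0

def verdict(kind: str, status: int) -> str:
    """Interpret the status as this doc does: 502 = proxy reached, backend not."""
    if status == 502:
        return "502: proxy reached but backend unreachable (check NPMplus host/backend)"
    if kind == "ws":
        return "ok" if status == 101 else f"WebSocket upgrade not honoured ({status})"
    return "ok" if 200 <= status < 500 else f"unexpected status {status}"

def probe(hostname: str, kind: str, origin: str = ORIGIN) -> int:
    """TLS to the origin IP with SNI=hostname; the cert is verified against hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((origin, 443), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=hostname) as tls:
        tls.sendall(build_request(hostname, kind))
        return parse_status(tls.recv(4096))
```

Run `port_open(ORIGIN, 80)` and `port_open(ORIGIN, 443)` first; if either is False, stop (ISP filtering or missing UDM Pro forward), otherwise print `verdict(kind, probe(host, kind))` for each entry in `HOSTS`.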
---
## Fastly Configuration (Option A)
- **Backend:** 76.53.10.36 (or hostname resolving to it). TLS to origin recommended; forward Host/SNI.
- **WebSocket:** Enable for RPC WebSocket hostnames; no caching on those paths.
- **Caching:** Bypass for `/api`, RPC, WebSocket; cache static assets if desired.
- **Origin health:** Configure health checks; optional origin shield and restrict UDM Pro to Fastly egress IPs.
---
## ISP port filtering (Spectrum and tunnels)
If your internet provider (e.g. **Spectrum Business**) filters or blocks common ports (21, 22, 80, 443), the following applies.
### Fastly does not have tunnels
- **Fastly** is a pull CDN: it connects **to** your origin on ports 80/443. It does **not** provide an outbound-only tunnel (no product like Cloudflare Tunnel).
- **Fastly Origin Connect** is a physical cross-connect (fiber/BGP in a datacenter), not a software tunnel; it does not solve residential/small-business ISP port filtering.
- If 80/443 are filtered (inbound or outbound), Fastly cannot reach 76.53.10.36, so Fastly is not usable as the edge for your origin.
### Tunnel options when ports are filtered (Cloudflare often 502)
When the ISP blocks 80/443, you need an **outbound-only tunnel**. **Cloudflare Tunnel** is often problematic here (502 errors in this project), so prefer one of the alternatives below. **Fastly has no tunnel product.**
| Option | How it works | Pros / cons |
|--------|----------------|-------------|
| **Tailscale Funnel** | Run `tailscale funnel <port>` on the host; outbound to Tailscale, no inbound 80/443. Public URL like `https://<device>.ts.net`. | Simple, automatic HTTPS, no port forward. Requires Tailscale account and MagicDNS; good if you already use Tailscale. |
| **ngrok** | Run ngrok agent; outbound tunnel to ngrok edge. Public URL (or custom domain on paid). | Mature, widely used; free tier has limits and ngrok-branded URLs. Paid for custom domains and higher limits. |
| **Self-hosted (boringproxy, Frp, Rathole)** | Run tunnel **server** on a VPS (where ports are not filtered); run **client** at origin; origin only makes outbound connections to the VPS. | Full control, your domain, no Cloudflare. Requires a small VPS (or other unfiltered host) to run the tunnel server. |
| **Cloudflare Tunnel** (cloudflared) | Origin runs `cloudflared`; outbound to Cloudflare. | No inbound ports; this repo already has the config. **Often causes 502 errors** here; deprecated for that reason. See [CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md](CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md) if you want to retry and debug. |
**Recommendation when Spectrum (or similar) filters 21/22/80/443:**
1. **First try:** **Tailscale Funnel** (if you use Tailscale) or **ngrok** (quick to try).
2. **For production / custom domains:** **Self-hosted tunnel** (e.g. boringproxy or Frp on a VPS); origin runs the client, only outbound to the VPS; no dependency on Cloudflare or Fastly tunnels.
3. **Cloudflare Tunnel** only if you are willing to debug the 502s (ingress rules, timeouts, backend health); doc: [CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md](CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md).
**Summary:** Fastly has no tunnel. When ports are filtered, use **Tailscale Funnel**, **ngrok**, or a **self-hosted tunnel** (boringproxy/Frp on a VPS) rather than relying on Cloudflare Tunnel, which often causes 502 errors in this setup.
---
## Related Documentation
- **[E2E_CLOUDFLARE_DOMAINS_RUNBOOK.md](E2E_CLOUDFLARE_DOMAINS_RUNBOOK.md)** E2E success for all Cloudflare-facing endpoints (DNS, SSL, HTTP, RPC, WebSocket)
- **[EDGE_PORT_VERIFICATION_RUNBOOK.md](EDGE_PORT_VERIFICATION_RUNBOOK.md)** Phase 0: verify 76.53.10.36:80/443 from internet
- **[RPC_PUBLIC_ENDPOINT_ROUTING.md](RPC_PUBLIC_ENDPOINT_ROUTING.md)** Public RPC path and NPMplus config
- **[../11-references/NETWORK_CONFIGURATION_MASTER.md](../11-references/NETWORK_CONFIGURATION_MASTER.md)** Network and DNS
- **[../04-configuration/NPMPLUS_HA_SETUP_GUIDE.md](../04-configuration/NPMPLUS_HA_SETUP_GUIDE.md)** NPMplus HA (Keepalived/HAProxy)
- **[../04-configuration/cloudflare/CLOUDFLARE_TUNNEL_502_FIX_RUNBOOK.md](../04-configuration/cloudflare/CLOUDFLARE_TUNNEL_502_FIX_RUNBOOK.md)** Fix Tunnel 502s (confirm location, verify ingress, align to NPMplus)
- **[CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md](CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md)** Deprecated tunnel reference
- **[CENTRAL_NGINX_ROUTING_SETUP.md](CENTRAL_NGINX_ROUTING_SETUP.md)** Deprecated VMID 105 Nginx reference (replaced by NPMplus)