diff --git a/docs/04-configuration/ALL_VMIDS_ENDPOINTS.md b/docs/04-configuration/ALL_VMIDS_ENDPOINTS.md
index d4f058f9..60e6303a 100644
--- a/docs/04-configuration/ALL_VMIDS_ENDPOINTS.md
+++ b/docs/04-configuration/ALL_VMIDS_ENDPOINTS.md
@@ -145,7 +145,7 @@ All RPC nodes have been migrated to a new VMID structure for better organization
 
 **Note**: VMID 2400 is the primary ThirdWeb RPC with Nginx and RPC Translator. VMID 2403 metrics disabled due to port conflict, node is syncing.
 
-**Public Domain**: `rpc.public-0138.defi-oracle.io` → Routes to VMID 2400:443
+**Public Domain**: `rpc.public-0138.defi-oracle.io` → Routes through NPMplus to VMID 2201 (`8545` for HTTPS JSON-RPC, `8546` for WSS Upgrade). VMID 2400 remains the ThirdWeb RPC/translator service, but it is not the ChainList-facing public RPC route.
 
 ### Additional Live Internal ALLTRA / HYBX RPC Nodes (SSH-verified 2026-04-24)
 
@@ -561,7 +561,7 @@ This section lists all endpoints that should be configured in NPMplus, extracted
 | Domain | Target | Scheme | Port | WebSocket | Notes |
 |--------|--------|--------|------|-----------|-------|
 | **RPC Services** |
-| `rpc.public-0138.defi-oracle.io` | `192.168.11.240` | `https` | `443` | ✅ Yes | ThirdWeb RPC (VMID 2400) |
+| `rpc.public-0138.defi-oracle.io` | `192.168.11.221` | `http` | `8545` | ✅ Yes | Public RPC (VMID 2201); WSS Upgrade internally routes to `8546` |
 | `rpc-http-pub.d-bis.org` | `192.168.11.221` | `https` | `443` | ✅ Yes | Public RPC (VMID 2201) |
 | `rpc-ws-pub.d-bis.org` | `192.168.11.221` | `https` | `443` | ✅ Yes | Public WebSocket RPC (VMID 2201) |
 | `rpc-http-prv.d-bis.org` | `192.168.11.211` | `https` | `443` | ✅ Yes | Private RPC with JWT (VMID 2101) |
diff --git a/docs/04-configuration/FQDN_EXPECTED_CONTENT.md b/docs/04-configuration/FQDN_EXPECTED_CONTENT.md
index 01ea18f8..ff6b1244 100644
--- a/docs/04-configuration/FQDN_EXPECTED_CONTENT.md
+++ b/docs/04-configuration/FQDN_EXPECTED_CONTENT.md
@@ -80,7 +80,7 @@
 | `dbis-api.d-bis.org` | API | DBIS **core API** (aggregation, OTC, exchange JSON). |
 | `dbis-api-2.d-bis.org` | API | Secondary DBIS API instance. |
 | `mim4u.org`, `www.mim4u.org`, `secure.mim4u.org`, `training.mim4u.org` | Web | **MIM4U** property sites (nginx on MIM stack). |
-| `rpc-http-pub.d-bis.org`, `rpc.d-bis.org`, `rpc2.d-bis.org` | RPC-HTTP | **Public Besu JSON-RPC** (Chain 138); `eth_chainId` → `0x8a`. |
+| `rpc-http-pub.d-bis.org`, `rpc.d-bis.org`, `rpc2.d-bis.org` | RPC-HTTP | **Public Besu JSON-RPC** (Chain 138); `eth_chainId` → `0x8a`. `rpc.d-bis.org` also accepts WSS via NPMplus Upgrade routing to port `8546`. |
 | `rpc-ws-pub.d-bis.org`, `ws.rpc.d-bis.org`, `ws.rpc2.d-bis.org` | RPC-WS | **Public Besu WebSocket** RPC. |
 | `rpc-http-prv.d-bis.org` | RPC-HTTP | **Core / private** JSON-RPC (permissioned use). |
 | `rpc-ws-prv.d-bis.org` | RPC-WS | **Core / private** WebSocket RPC. |
@@ -101,7 +101,7 @@
 
 | FQDN | Kind | What should be displayed or returned |
 |------|------|--------------------------------------|
-| `rpc.public-0138.defi-oracle.io` | RPC-HTTP | **ThirdWeb-style HTTPS RPC** terminator on VMID 2400; JSON-RPC to Chain 138. |
+| `rpc.public-0138.defi-oracle.io` | RPC-HTTP/WSS | **Public Chain 138 RPC**; normal HTTPS JSON-RPC routes to VMID 2201 port `8545`, and WSS Upgrade routes to port `8546`. |
 | `rpc.defi-oracle.io` | RPC-HTTP | Public JSON-RPC alias (same Besu public stack as `rpc.d-bis.org` family when healthy). |
 | `wss.defi-oracle.io` | RPC-WS | Public WebSocket RPC companion. |
 | `blockscout.defi-oracle.io` | Web | **Blockscout** explorer UI (generic / reference). When NPM proxies here, routing summaries align with **VMID 5000** (`192.168.11.140:80`, TLS at NPM). **Not** canonical **SolaceScanScout / Chain 138** branding—that is **`explorer.d-bis.org`**. Confirm live NPM if behavior differs. |
diff --git a/docs/04-configuration/PUBLIC_RPC_CHAIN138_LEDGER.md b/docs/04-configuration/PUBLIC_RPC_CHAIN138_LEDGER.md
index 81a2b3c3..f17e2625 100644
--- a/docs/04-configuration/PUBLIC_RPC_CHAIN138_LEDGER.md
+++ b/docs/04-configuration/PUBLIC_RPC_CHAIN138_LEDGER.md
@@ -18,16 +18,16 @@
 |--------|----------|-------------|----------------|---------|-----------|
 | `rpc-http-pub.d-bis.org` | HTTPS | 2201 | 192.168.11.221:8545 | besu-rpc-public-1 (Besu) | ✅ |
 | `rpc-ws-pub.d-bis.org` | WSS | 2201 | 192.168.11.221:8546 | besu-rpc-public-1 (Besu) | ✅ |
-| `rpc.d-bis.org` | HTTPS | 2201 | 192.168.11.221:8545 | besu-rpc-public-1 (Besu) | ✅ |
+| `rpc.d-bis.org` | HTTPS/WSS | 2201 | 192.168.11.221:8545 / 8546 | besu-rpc-public-1 (Besu) | ✅ |
 | `rpc2.d-bis.org` | HTTPS | 2201 | 192.168.11.221:8545 | besu-rpc-public-1 (Besu) | ✅ |
 | `ws.rpc.d-bis.org` | WSS | 2201 | 192.168.11.221:8546 | besu-rpc-public-1 (Besu) | ✅ |
 | `ws.rpc2.d-bis.org` | WSS | 2201 | 192.168.11.221:8546 | besu-rpc-public-1 (Besu) | ✅ |
-| `rpc.public-0138.defi-oracle.io` | HTTPS | 2400 | 192.168.11.240:443 | thirdweb-rpc-1 (Nginx + RPC Translator) | ✅ |
+| `rpc.public-0138.defi-oracle.io` | HTTPS/WSS | 2201 | 192.168.11.221:8545 / 8546 | besu-rpc-public-1 (Besu) | ✅ |
 | `rpc.defi-oracle.io` | HTTPS | 2201 | 192.168.11.221:8545 | besu-rpc-public-1 (same as rpc-http-pub) | ✅ |
 | `wss.defi-oracle.io` | WSS | 2201 | 192.168.11.221:8546 | besu-rpc-public-1 (same as rpc-ws-pub) | ✅ |
 
 - **d-bis.org** endpoints: direct Besu RPC (VMID 2201).
-- **defi-oracle.io** endpoints: Nginx on VMID 2400 fronts RPC Translator, which proxies to Besu.
+- **defi-oracle.io** ChainList endpoints: public JSON-RPC and WSS route through NPMplus to VMID 2201. VMID 2400 remains available for ThirdWeb translator workloads, but is not the ChainList-facing route for `rpc.public-0138.defi-oracle.io`.
 
 ---
 
@@ -49,11 +49,11 @@ Internet (DNS → 76.53.10.36) → NPMplus (10233) → Backend RPC
 |------------|---------------------|--------------|
 | `https://rpc-http-pub.d-bis.org` | `http://192.168.11.221:8545` | 2201 |
 | `wss://rpc-ws-pub.d-bis.org` | `http://192.168.11.221:8546` | 2201 |
-| `https://rpc.d-bis.org` | `http://192.168.11.221:8545` | 2201 |
+| `https://rpc.d-bis.org` / `wss://rpc.d-bis.org` | `http://192.168.11.221:8545`; WSS Upgrade internally routes to `8546` | 2201 |
 | `https://rpc2.d-bis.org` | `http://192.168.11.221:8545` | 2201 |
 | `wss://ws.rpc.d-bis.org` | `http://192.168.11.221:8546` | 2201 |
 | `wss://ws.rpc2.d-bis.org` | `http://192.168.11.221:8546` | 2201 |
-| `https://rpc.public-0138.defi-oracle.io` | `https://192.168.11.240:443` | 2400 |
+| `https://rpc.public-0138.defi-oracle.io` / `wss://rpc.public-0138.defi-oracle.io` | `http://192.168.11.221:8545`; WSS Upgrade internally routes to `8546` | 2201 |
 | `https://rpc.defi-oracle.io` | `http://192.168.11.221:8545` | 2201 |
 | `wss://wss.defi-oracle.io` | `http://192.168.11.221:8546` | 2201 |
 
diff --git a/docs/04-configuration/RPC_ENDPOINTS_MASTER.md b/docs/04-configuration/RPC_ENDPOINTS_MASTER.md
index a706eaf3..601f1d79 100644
--- a/docs/04-configuration/RPC_ENDPOINTS_MASTER.md
+++ b/docs/04-configuration/RPC_ENDPOINTS_MASTER.md
@@ -153,7 +153,7 @@ These duplicate VMIDs should be treated as historical legacy residue only. They
 |--------|----------|-------------|-----------|-------------|-----------|-------|
 | `rpc-http-pub.d-bis.org` | HTTPS | 2201 | 192.168.11.221 | 8545 | ✅ Yes | Public HTTP RPC |
 | `rpc-ws-pub.d-bis.org` | WSS | 2201 | 192.168.11.221 | 8546 | ✅ Yes | Public WebSocket RPC |
-| `rpc.d-bis.org` | HTTPS | 2201 | 192.168.11.221 | 8545 | ✅ Yes | Primary RPC (same as rpc-http-pub) |
+| `rpc.d-bis.org` | HTTPS/WSS | 2201 | 192.168.11.221 | 8545 / 8546 | ✅ Yes | Primary RPC; NPMplus routes normal HTTPS JSON-RPC to `8545` and WebSocket Upgrade requests to `8546` |
 | `rpc2.d-bis.org` | HTTPS | 2201 | 192.168.11.221 | 8545 | ✅ Yes | Secondary RPC (same as rpc-http-pub) |
 | `ws.rpc.d-bis.org` | WSS | 2201 | 192.168.11.221 | 8546 | ✅ Yes | Primary WebSocket (same as rpc-ws-pub) |
 | `ws.rpc2.d-bis.org` | WSS | 2201 | 192.168.11.221 | 8546 | ✅ Yes | Secondary WebSocket (same as rpc-ws-pub) |
@@ -166,7 +166,7 @@ These duplicate VMIDs should be treated as historical legacy residue only. They
 
 | Domain | Protocol | Target VMID | Target IP | Target Port | WebSocket | Notes |
 |--------|----------|-------------|-----------|-------------|-----------|-------|
-| `rpc.public-0138.defi-oracle.io` | HTTPS | 2400 | 192.168.11.240 | 443 | ✅ Yes | ThirdWeb RPC (via Nginx) |
+| `rpc.public-0138.defi-oracle.io` | HTTPS/WSS | 2201 | 192.168.11.221 | 8545 / 8546 | ✅ Yes | ChainList-visible public RPC; NPMplus routes normal HTTPS JSON-RPC to `8545` and WebSocket Upgrade requests to `8546` |
 | `rpc.defi-oracle.io` | HTTPS | 2201 | 192.168.11.221 | 8545 | ✅ Yes | Defi Oracle HTTP RPC (same as rpc-http-pub) |
 | `wss.defi-oracle.io` | WSS | 2201 | 192.168.11.221 | 8546 | ✅ Yes | Defi Oracle WebSocket RPC (same as rpc-ws-pub) |
 
@@ -222,7 +222,7 @@ These domains require WebSocket support enabled in NPMplus:
 ```
 rpc-http-pub.d-bis.org     → http://192.168.11.221:8545  (WebSocket: Yes)
 rpc-ws-pub.d-bis.org       → ws://192.168.11.221:8546   (WebSocket: Yes)
-rpc.d-bis.org              → http://192.168.11.221:8545 (WebSocket: Yes)
+rpc.d-bis.org              → http://192.168.11.221:8545; Upgrade requests internally route to 8546 (WebSocket: Yes)
 rpc2.d-bis.org             → http://192.168.11.221:8545 (WebSocket: Yes)
 ws.rpc.d-bis.org           → http://192.168.11.221:8546 (WebSocket: Yes)
 ws.rpc2.d-bis.org          → http://192.168.11.221:8546 (WebSocket: Yes)
@@ -230,7 +230,7 @@ rpc-http-prv.d-bis.org     → http://192.168.11.211:8545  (WebSocket: Yes)
 rpc-ws-prv.d-bis.org       → ws://192.168.11.211:8546   (WebSocket: Yes)
 rpc-fireblocks.d-bis.org   → http://192.168.11.232:8545 (WebSocket: Yes) — Fireblocks-dedicated
 ws.rpc-fireblocks.d-bis.org → http://192.168.11.232:8546 (WebSocket: Yes) — Fireblocks-dedicated
-rpc.public-0138.defi-oracle.io → https://192.168.11.240:443 (WebSocket: Yes)
+rpc.public-0138.defi-oracle.io → http://192.168.11.221:8545; Upgrade requests internally route to 8546 (WebSocket: Yes)
 rpc.defi-oracle.io         → http://192.168.11.221:8545 (WebSocket: Yes)
 wss.defi-oracle.io         → http://192.168.11.221:8546 (WebSocket: Yes)
 ```
diff --git a/scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh b/scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh
index d9486c61..372a9071 100755
--- a/scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh
+++ b/scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh
@@ -227,12 +227,14 @@ add_proxy_host() {
 # Function to update proxy host
 # block_exploits: set false for RPC hosts (JSON-RPC uses POST to /; block_exploits can cause 405)
 # Optional 5th arg: canonical HTTPS URL (no path) — sets advanced_config to 301 redirect (www → apex)
+# Optional 6th arg: raw advanced_config override (used when host-level routing is required).
 update_proxy_host() {
   local domain=$1
   local target=$2
   local websocket=$3
   local block_exploits=${4:-true}
   local canonical_https="${5:-}"
+  local advanced_config_override="${6:-}"
   if [ -n "$canonical_https" ] && ! validate_canonical_https_redirect "$canonical_https" "update_proxy_host($domain)"; then
     return 1
   fi
@@ -280,7 +282,9 @@ update_proxy_host() {
   local be_json="false"
   [ "$block_exploits" = "true" ] && be_json="true"
   local adv_line=""
-  if [ -n "$canonical_https" ]; then
+  if [ -n "$advanced_config_override" ]; then
+    adv_line="$advanced_config_override"
+  elif [ -n "$canonical_https" ]; then
     adv_line="return 301 ${canonical_https}\$request_uri;"
   fi
   UPDATE_PAYLOAD=$(jq -n \
@@ -306,7 +310,9 @@ update_proxy_host() {
   UPDATE_ID=$(echo "$UPDATE_RESPONSE" | jq -r '.id // empty' 2>/dev/null || echo "")
   
   if [ -n "$UPDATE_ID" ] && [ "$UPDATE_ID" != "null" ]; then
-    if [ -n "$canonical_https" ]; then
+    if [ -n "$advanced_config_override" ]; then
+      echo "  ✅ Updated: $scheme://$hostname:$port (WebSocket: $websocket) + advanced_config override"
+    elif [ -n "$canonical_https" ]; then
       echo "  ✅ Updated: $scheme://$hostname:$port (WebSocket: $websocket) + 301 → ${canonical_https}\$request_uri"
     else
       echo "  ✅ Updated: $scheme://$hostname:$port (WebSocket: $websocket)"
@@ -342,14 +348,28 @@ update_proxy_host "wss.tw-core.d-bis.org" "http://${RPC_THIRDWEB_ADMIN_CORE}:854
 # Catch-all for foo.tw-core.d-bis.org → Besu HTTP JSON-RPC :8545 (exact rpc./wss. hosts above take precedence for nginx server_name)
 update_proxy_host '*.tw-core.d-bis.org' "http://${RPC_THIRDWEB_ADMIN_CORE}:8545" true false && updated_count=$((updated_count + 1)) || { add_proxy_host '*.tw-core.d-bis.org' "${RPC_THIRDWEB_ADMIN_CORE}" 8545 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 # RPC Core-2 (Nathan) is on the THIRD NPMplus (192.168.11.169) — use add-rpc-core-2-npmplus-proxy.sh and update-npmplus-alltra-hybx-proxy-hosts.sh
-# ThirdWeb / public-0138 edge (VMID 2400 nginx HTTPS) — default IP must match ALL_VMIDS_ENDPOINTS if env is unset
-RPC_THIRDWEB_PRIMARY="${RPC_THIRDWEB_PRIMARY:-192.168.11.240}"
-update_proxy_host "rpc.public-0138.defi-oracle.io" "https://${RPC_THIRDWEB_PRIMARY}:443" true false && updated_count=$((updated_count + 1)) || { sleep 2; echo "  ↪ Retry rpc.public-0138.defi-oracle.io after transient NPM/API error..."; update_proxy_host "rpc.public-0138.defi-oracle.io" "https://${RPC_THIRDWEB_PRIMARY}:443" true false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1)); }
+RPC_PUBLIC_SPLIT_ADVANCED_CONFIG=$(cat <<EOF
+error_page 418 = @chain138_ws_rpc;
+if (\$http_upgrade ~* "websocket") {
+    return 418;
+}
+
+location @chain138_ws_rpc {
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade \$http_upgrade;
+    proxy_set_header Connection "upgrade";
+    include conf.d/include/proxy-headers.conf;
+    proxy_pass http://${RPC_PUBLIC_1}:8546\$request_uri;
+}
+EOF
+)
+# ChainList-visible public edge: route browser JSON-RPC to the public Besu HTTP port and WSS Upgrade to the WS port.
+update_proxy_host "rpc.public-0138.defi-oracle.io" "http://${RPC_PUBLIC_1}:8545" true false "" "$RPC_PUBLIC_SPLIT_ADVANCED_CONFIG" && updated_count=$((updated_count + 1)) || { add_proxy_host "rpc.public-0138.defi-oracle.io" "${RPC_PUBLIC_1}" 8545 true false && update_proxy_host "rpc.public-0138.defi-oracle.io" "http://${RPC_PUBLIC_1}:8545" true false "" "$RPC_PUBLIC_SPLIT_ADVANCED_CONFIG" && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 # rpc.defi-oracle.io / wss.defi-oracle.io → same backend as rpc-http-pub / rpc-ws-pub (VMID 2201)
 update_proxy_host "rpc.defi-oracle.io" "http://${RPC_PUBLIC_1}:8545" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "rpc.defi-oracle.io" "${RPC_PUBLIC_1}" 8545 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 update_proxy_host "wss.defi-oracle.io" "http://${RPC_PUBLIC_1}:8546" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "wss.defi-oracle.io" "${RPC_PUBLIC_1}" 8546 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 # rpc.d-bis.org / rpc2.d-bis.org and WS variants → VMID 2201 (besu-rpc-public-1); add if missing to fix 405
-update_proxy_host "rpc.d-bis.org" "http://${RPC_PUBLIC_1}:8545" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "rpc.d-bis.org" "${RPC_PUBLIC_1}" 8545 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
+update_proxy_host "rpc.d-bis.org" "http://${RPC_PUBLIC_1}:8545" true false "" "$RPC_PUBLIC_SPLIT_ADVANCED_CONFIG" && updated_count=$((updated_count + 1)) || { add_proxy_host "rpc.d-bis.org" "${RPC_PUBLIC_1}" 8545 true false && update_proxy_host "rpc.d-bis.org" "http://${RPC_PUBLIC_1}:8545" true false "" "$RPC_PUBLIC_SPLIT_ADVANCED_CONFIG" && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 update_proxy_host "rpc2.d-bis.org" "http://${RPC_PUBLIC_1}:8545" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "rpc2.d-bis.org" "${RPC_PUBLIC_1}" 8545 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 update_proxy_host "ws.rpc.d-bis.org" "http://${RPC_PUBLIC_1}:8546" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "ws.rpc.d-bis.org" "${RPC_PUBLIC_1}" 8546 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 update_proxy_host "ws.rpc2.d-bis.org" "http://${RPC_PUBLIC_1}:8546" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "ws.rpc2.d-bis.org" "${RPC_PUBLIC_1}" 8546 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))