smom-dbis-138/terraform/phases/phase1/CLOUDFLARE_TUNNEL_SETUP.md
defiQUG 1fb7266469 Add Oracle Aggregator and CCIP Integration
- Introduced Aggregator.sol for Chainlink-compatible oracle functionality, including round-based updates and access control.
- Added OracleWithCCIP.sol to extend Aggregator with CCIP cross-chain messaging capabilities.
- Created .gitmodules to include OpenZeppelin contracts as a submodule.
- Developed a comprehensive deployment guide in NEXT_STEPS_COMPLETE_GUIDE.md for Phase 2 and smart contract deployment.
- Implemented Vite configuration for the orchestration portal, supporting both Vue and React frameworks.
- Added server-side logic for the Multi-Cloud Orchestration Portal, including API endpoints for environment management and monitoring.
- Created scripts for resource import and usage validation across non-US regions.
- Added tests for CCIP error handling and integration to ensure robust functionality.
- Included various new files and directories for the orchestration portal and deployment scripts.
2025-12-12 14:57:48 -08:00

Cloudflare Tunnel Setup for Phase 1

Architecture Overview

  • Backend VMs: Private IPs only (no public IPs exposed)
  • Nginx Proxy: Public IP (used for SSH administration; the tunnel itself needs no inbound access)
  • Cloudflare Tunnel: cloudflared runs on the Nginx proxy and opens an outbound connection to Cloudflare's edge; Cloudflare handles DNS and SSL termination

Important Note: Cross-Region Connectivity

Backend VMs are in US regions (eastus, westus, centralus, eastus2, westus2) while the Nginx proxy is in West Europe. Since backend VMs use private IPs only, the Nginx proxy cannot directly reach them across regions.

Options for Backend Connectivity:

  1. Azure VPN/ExpressRoute (Recommended for production):

    • Deploy VPN Gateway or ExpressRoute
    • Connect all regions via VPN
    • Nginx proxy can reach backend VMs via private IPs
  2. Cloudflare Tunnel on Each Backend VM:

    • Install Cloudflare Tunnel agent on each backend VM
    • Each VM exposes its services via Cloudflare Tunnel
    • Nginx proxy connects to Cloudflare Tunnel endpoints
  3. Azure Private Link (Future enhancement):

    • Use Private Link for cross-region connectivity
    • More complex setup

Cloudflare Tunnel Configuration Steps

1. Install Cloudflare Tunnel (Already in cloud-init)

The Nginx proxy cloud-init script installs the cloudflared package.

2. Login and Create Tunnel

SSH to the Nginx proxy VM:

ssh besuadmin@<nginx-proxy-public-ip>

Authenticate with Cloudflare:

sudo cloudflared tunnel login

Create a tunnel:

sudo cloudflared tunnel create phase1-nginx-proxy

Note the tunnel ID from the output.

3. Configure Tunnel

Edit /etc/cloudflared/config.yml:

tunnel: <your-tunnel-id>
credentials-file: /root/.cloudflared/<tunnel-id>.json

ingress:
  # Route your domain to Nginx HTTPS
  - hostname: your-domain.com
    service: https://localhost:443
    originRequest:
      # Nginx serves a self-signed certificate (see "Nginx Configuration"), so
      # cloudflared must skip origin certificate verification or it refuses the
      # connection; install a trusted cert and remove this once possible
      noTLSVerify: true
      noHappyEyeballs: true
      connectTimeout: 30s
      tcpKeepAlive: 30s
      keepAliveConnections: 100
      keepAliveTimeout: 90s
  # Catch-all rule
  - service: http_status:404

4. Start Cloudflare Tunnel Service

# Register cloudflared as a systemd unit (it reads /etc/cloudflared/config.yml);
# the cloudflared unit does not exist until this has been run
sudo cloudflared service install
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
sudo systemctl status cloudflared

5. Configure DNS in Cloudflare

In Cloudflare Dashboard:

  1. Go to your domain's DNS settings
  2. Add a CNAME record:
    • Name: @ (or subdomain like rpc)
    • Target: <tunnel-id>.cfargotunnel.com
    • Proxy: Enabled (orange cloud)

6. Configure SSL/TLS in Cloudflare

  1. Go to SSL/TLS settings
  2. Set encryption mode to "Full" or "Full (strict)"
  3. Cloudflare will automatically provision SSL certificates
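Steps 1 to 6 leave several things worth confirming before pointing traffic at the tunnel: that the placeholders in config.yml were replaced, that the catch-all rule is still last, that the self-signed Nginx origin is accepted, and that requests really traverse Cloudflare. The script below is an added example, not part of the Phase 1 repository or of Cloudflare's own tooling; it assumes the config path /etc/cloudflared/config.yml from step 3 (override with CLOUDFLARED_CONFIG) and takes the public hostname as the argument to --live. The static checks are grep-based and assume the flat layout of the config shown above.

```shell
#!/bin/sh
# Added example: post-setup checks for the cloudflared + Nginx proxy configured in
# steps 1-6 above. Not part of the Phase 1 repo. Assumptions: config lives at
# /etc/cloudflared/config.yml (override with CLOUDFLARED_CONFIG) and the public
# hostname is passed as the argument to --live.

CONFIG="${CLOUDFLARED_CONFIG:-/etc/cloudflared/config.yml}"

# check_ingress_config FILE
# Static checks that need no cloudflared binary:
#   1. "tunnel:" holds a real UUID, i.e. the <your-tunnel-id> placeholder was replaced
#   2. "credentials-file:" points at a .json file
#   3. the last ingress rule is the http_status:404 catch-all, so unmatched
#      hostnames get a 404 instead of reaching the origin
#   4. an https:// origin carries noTLSVerify: true, otherwise cloudflared rejects
#      the self-signed certificate Nginx is configured with
check_ingress_config() {
    f="$1"
    [ -r "$f" ] || { echo "config not readable: $f"; return 1; }
    grep -Eq '^tunnel:[[:space:]]*[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}' "$f" \
        || { echo "tunnel: is not a tunnel UUID (placeholder not replaced?)"; return 1; }
    grep -Eq '^credentials-file:[[:space:]]*/.*\.json[[:space:]]*$' "$f" \
        || { echo "credentials-file: missing or not a .json path"; return 1; }
    last=$(grep -E '^[[:space:]]*-?[[:space:]]*service:' "$f" | tail -n 1 \
           | sed -E 's/.*service:[[:space:]]*//; s/[[:space:]]*$//')
    [ "$last" = "http_status:404" ] \
        || { echo "last ingress rule must be 'service: http_status:404', got '$last'"; return 1; }
    if grep -Eq 'service:[[:space:]]*https://' "$f" \
       && ! grep -Eq '^[[:space:]]*noTLSVerify:[[:space:]]*true' "$f"; then
        echo "https origin without noTLSVerify: true (self-signed Nginx cert will be rejected)"
        return 1
    fi
    return 0
}

# run_live_checks HOSTNAME: run on the proxy VM after the service is started.
run_live_checks() {
    host="$1"
    check_ingress_config "$CONFIG" || return 1
    # cloudflared's own validation of the ingress rules
    cloudflared --config "$CONFIG" tunnel ingress validate || return 1
    # shows which rule a request for the public hostname would hit
    cloudflared --config "$CONFIG" tunnel ingress rule "https://$host"
    systemctl is-active --quiet cloudflared || { echo "cloudflared service not active"; return 1; }
    # Nginx must be listening on 443 for the https://localhost:443 origin
    ss -ltn | grep -q ':443 ' || { echo "nothing listening on tcp/443"; return 1; }
    # A CF-RAY response header proves the request went through Cloudflare's edge,
    # i.e. the CNAME to cfargotunnel.com and proxying (orange cloud) are in place
    curl -sSI "https://$host" | grep -qi '^cf-ray:' \
        || { echo "no CF-RAY header: $host is not served via Cloudflare"; return 1; }
    echo "all checks passed for $host"
}

# Usage: sh tunnel_checks.sh --live your-domain.com
case "${1:-}" in
    --live) run_live_checks "$2" ;;
esac
```

Run it with --live on the proxy after step 4; check_ingress_config alone can be sourced and run anywhere, for example against a config.yml kept in the repository before it is copied to the VM.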

Nginx Configuration

Nginx is configured to:

  • Listen on port 443 (HTTPS) for Cloudflare Tunnel
  • Use self-signed certificates initially (Cloudflare handles SSL termination)
  • Proxy to backend VMs via private IPs (requires VPN/ExpressRoute for cross-region)

Backend VM Connectivity

Current Limitation: Nginx proxy cannot reach backend VMs across regions using private IPs.

Solutions:

Option A: Azure VPN/ExpressRoute

  1. Create VPN Gateway in each region
  2. Connect regions via VPN
  3. Nginx proxy can reach backend VMs via private IPs

Option B: Cloudflare Tunnel on Each Backend VM

  1. Install Cloudflare Tunnel on each backend VM
  2. Configure each VM to expose RPC endpoints via Tunnel
  3. Update Nginx to use Cloudflare Tunnel endpoints instead of private IPs

Option C: Use Public IPs Temporarily

For initial testing, you can temporarily enable public IPs on backend VMs and restrict NSG rules to Nginx proxy IP only.

Security Considerations

  1. NSG Rules: Restrict RPC ports (8545, 8546) to Nginx proxy private IP only (once VPN is deployed)
  2. Cloudflare Tunnel: Uses secure outbound connection, no inbound ports needed
  3. SSL/TLS: Cloudflare terminates TLS at its edge; Nginx speaks plain HTTP to the backend RPC endpoints internally
  4. DDoS Protection: Cloudflare provides DDoS protection automatically
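Item 1 above, and the NSG restriction that Option C under "Backend VM Connectivity" relies on, come down to the same rule set in every backend region. The script below is an added example, not part of the Phase 1 Terraform or its deployment scripts; the resource group, NSG names and proxy address are placeholders. It creates the allow/deny pair for ports 8545 and 8546 with the Azure CLI and, separately, audits the inbound Allow rules of each NSG (default rules included) for anything that still exposes those ports to a source other than the proxy. The explicit Deny matters once the VPN option is deployed, because Azure's default AllowVnetInBound rule would otherwise admit any address in a connected VNet.

```shell
#!/bin/sh
# Added example, not part of the Phase 1 repo: lock the backend RPC ports
# (8545, 8546) down to the Nginx proxy address and audit each region's NSG for
# rules that still expose them. Assumed placeholders (not values from the repo):
# RG, PROXY_IP and BACKEND_NSGS below. The az calls need the Azure CLI and a
# logged-in session; rpc_port_exposed is pure shell.
set -f   # no globbing: NSG sources and ports contain a literal *

RG="${RG:-rg-phase1-backend}"                 # placeholder resource group
PROXY_IP="${PROXY_IP:-10.10.0.4}"             # placeholder: proxy private IP once the
                                              # VPN is up, or its public IP for Option C
BACKEND_NSGS="${BACKEND_NSGS:-nsg-eastus nsg-westus nsg-centralus nsg-eastus2 nsg-westus2}"
RPC_PORTS="8545 8546"

# run_az ARGS...: run the Azure CLI, or with DRY_RUN=1 just print the command.
run_az() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "az $*"; else az "$@"; fi
}

# lock_rpc_ports NSG: allow the RPC ports only from PROXY_IP and deny every
# other source. The explicit Deny at 310 matters because Azure's default
# AllowVnetInBound rule (priority 65000) would otherwise admit any address in
# the VNet or a VPN-connected VNet; the Deny wins by having the lower number.
lock_rpc_ports() {
    nsg="$1"
    run_az network nsg rule create --resource-group "$RG" --nsg-name "$nsg" \
        --name allow-rpc-from-proxy --priority 300 --direction Inbound --access Allow \
        --protocol Tcp --source-address-prefixes "$PROXY_IP" \
        --destination-port-ranges $RPC_PORTS
    run_az network nsg rule create --resource-group "$RG" --nsg-name "$nsg" \
        --name deny-rpc-from-others --priority 310 --direction Inbound --access Deny \
        --protocol Tcp --source-address-prefixes '*' \
        --destination-port-ranges $RPC_PORTS
}

# rpc_port_exposed SRC PORTS: true (0) when a rule from SRC covers 8545 or 8546
# and SRC is not the proxy. PORTS is a space-separated list of NSG port specs
# ("8545 8546", "8000-9000", "*"); SRC is an IP, CIDR, tag such as Internet or
# VirtualNetwork, or *.
rpc_port_exposed() {
    src="$1"; ports="$2"
    [ "$src" = "$PROXY_IP" ] && return 1
    for p in $ports; do
        case "$p" in
            '*'|8545|8546) return 0 ;;
            *-*)
                lo=${p%-*}; hi=${p#*-}
                [ "$lo" -le 8545 ] && [ "$hi" -ge 8545 ] && return 0
                [ "$lo" -le 8546 ] && [ "$hi" -ge 8546 ] && return 0
                ;;
        esac
    done
    return 1
}

# audit_rpc_rules NSG: print every inbound Allow rule, default rules included,
# that exposes an RPC port to something other than the proxy. Null fields come
# out of tsv as empty strings; the *Prefixes/*Ranges list fields (emitted as []
# when unused) are joined with spaces. Tabs become | so empty fields survive read.
audit_rpc_rules() {
    nsg="$1"
    az network nsg rule list --resource-group "$RG" --nsg-name "$nsg" --include-default -o tsv \
        --query "[?direction=='Inbound' && access=='Allow'].[name, sourceAddressPrefix, join(' ', sourceAddressPrefixes), destinationPortRange, join(' ', destinationPortRanges)]" \
    | tr '\t' '|' \
    | while IFS='|' read -r name src srcs port ports; do
        for s in $src $srcs; do
            if rpc_port_exposed "$s" "$port $ports"; then
                echo "EXPOSED: $nsg/$name allows $s on $port $ports"
            fi
        done
    done
}

# Usage: DRY_RUN=1 sh nsg_rpc_lockdown.sh lock   (print the az commands only)
#        sh nsg_rpc_lockdown.sh lock ; sh nsg_rpc_lockdown.sh audit
case "${1:-}" in
    lock)  for n in $BACKEND_NSGS; do lock_rpc_ports "$n"; done ;;
    audit) for n in $BACKEND_NSGS; do audit_rpc_rules "$n"; done ;;
esac
```

Run the audit after the VPN or public-IP change, not just after creating the rules: it is the AllowVnetInBound default (source VirtualNetwork, port *) that the audit will flag as EXPOSED until the explicit Deny is in place.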

Monitoring

  • Cloudflare Tunnel logs: journalctl -u cloudflared -f
  • Nginx logs: /var/log/nginx/access.log and /var/log/nginx/error.log
  • Tunnel status: cloudflared tunnel info <tunnel-id>

Troubleshooting

  1. Tunnel not connecting: Check Cloudflare Tunnel service status
  2. DNS not resolving: Verify CNAME record in Cloudflare
  3. Backend unreachable: Deploy VPN/ExpressRoute or use Cloudflare Tunnel on backend VMs
  4. SSL errors: Ensure Cloudflare SSL/TLS mode is set to "Full" or "Full (strict)"