Networking

Overview

Documentación de la configuración de red y comunicación entre componentes del ecosistema Nostromo.

Network Topology

Internet
   ↓
[Nginx Proxy - Port 80/443]
   ↓
[Sevastopol Frontend - Port 4321]
   ↓ API calls
[Orchestrator Backend - Port 8000]
   ↓ DB queries
[Mother (PostgreSQL) - Port 5432]

Diagrama Mermaid:

graph TB
    Internet([Internet])
    Nginx[Nginx Reverse Proxy<br/>:80, :443]
    Sevastopol[Sevastopol Frontend<br/>:4321]
    Orchestrator[Orchestrator Backend<br/>:8000]
    Mother[Mother PostgreSQL<br/>:5432]
    ETL[ETL Service Python<br/>N/A]

    Internet --> Nginx
    Nginx --> Sevastopol
    Sevastopol --> Orchestrator
    Orchestrator --> Mother
    ETL --> Mother

    style Internet fill:#e1f5ff
    style Nginx fill:#ff9999
    style Sevastopol fill:#99ccff
    style Orchestrator fill:#99ff99
    style Mother fill:#ffcc99
    style ETL fill:#cc99ff

IP Addresses

Production

Component	Internal IP	External IP	Hostname
Nginx Proxy	`<INTERNAL_IP_NGINX>`	`<EXTERNAL_IP>`	`app.nostromo.cl`
Sevastopol	`<INTERNAL_IP_SEVASTOPOL>`	N/A	`sevastopol.internal`
Orchestrator	`<INTERNAL_IP_ORCHESTRATOR>`	N/A	`orchestrator.internal`
Mother (PostgreSQL)	`<INTERNAL_IP_MOTHER>`	N/A	`mother.internal`
ETL Service	`<INTERNAL_IP_ETL>`	N/A	`etl.internal`

Development

Component	IP	Port
Sevastopol	`localhost`	4321
Orchestrator	`localhost`	8000
PostgreSQL	`localhost`	5432

Ports

Exposed Ports (External)

Port	Protocol	Service	Description
80	HTTP	Nginx	HTTP redirect a HTTPS
443	HTTPS	Nginx	Frontend (Sevastopol) público

Internal Ports

Port	Protocol	Service	Description
4321	HTTP	Sevastopol	Astro dev server (dev) / Nginx upstream (prod)
8000	HTTP	Orchestrator	Node.js API backend
5432	TCP	PostgreSQL	Database connections
22	SSH	Server	Admin access

Firewall Rules

Ingress (Incoming)

Source	Destination	Port	Action	Rule
`0.0.0.0/0`	Nginx	80	ALLOW	Public HTTP
`0.0.0.0/0`	Nginx	443	ALLOW	Public HTTPS
`<ADMIN_IPS>`	Server	22	ALLOW	SSH admin access
`*`	Orchestrator	8000	DENY	Backend NO público
`*`	PostgreSQL	5432	DENY	DB NO pública

Egress (Outgoing)

Source	Destination	Port	Action	Rule
Orchestrator	Mother (PostgreSQL)	5432	ALLOW	DB queries
ETL Service	Mother (PostgreSQL)	5432	ALLOW	Data ingestion
Sevastopol	Orchestrator	8000	ALLOW	API calls
Server	Internet	80/443	ALLOW	Package downloads, updates
Orchestrator	SII Websites	443	ALLOW	ETL scraping (si aplicable)

DNS Configuration

Root Domain

Domain: nostromo.cl

Nameservers:

ns1.cloudflare.com
ns2.cloudflare.com

Subdomains

Subdomain	Type	Value	TTL	Description
`app`	A	`<EXTERNAL_IP>`	300	Frontend público
`api`	CNAME	`app.nostromo.cl`	300	API endpoint (mismo servidor)
`www`	CNAME	`app.nostromo.cl`	300	Redirect a app

Cloudflare Settings:

✅ Proxy enabled (orange cloud)
✅ SSL/TLS: Full (strict)
✅ Always Use HTTPS: ON

SSL/TLS Certificates

Provider: Let’s Encrypt (auto-renew via Certbot)

Certificate Path:

/etc/letsencrypt/live/app.nostromo.cl/fullchain.pem
/etc/letsencrypt/live/app.nostromo.cl/privkey.pem

Renewal:

# Auto-renewal via cron (runs daily)
0 0 * * * certbot renew --quiet

Verify cert:

openssl x509 -in /etc/letsencrypt/live/app.nostromo.cl/fullchain.pem \
  -text -noout | grep "Not After"

Load Balancing

Estado actual: NO implementado - single server setup.

Futuro (si escala):

Nginx como load balancer entre múltiples nodos Orchestrator
Sticky sessions para mantener tenant context
Health checks: GET /health endpoint

Network Security

VPC (Virtual Private Cloud)

Status: Recomendado para producción, pero actualmente NO implementado.

Mejora futura: Mover servicios internos (Orchestrator, Mother) a VPC privada.

SSH Access

Key-based authentication ONLY (password auth disabled).

Authorized Keys: /home/user/.ssh/authorized_keys

Restrict SSH:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

Rate Limiting

Nginx rate limiting (previene DDoS):

limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;

server {
    location /api/ {
        limit_req zone=api_limit burst=20 nodelay;
        proxy_pass http://localhost:8000;
    }
}

Limits:

10 requests/second per IP
Burst up to 20 requests

Monitoring

Network Metrics

Tool: Grafana + Prometheus

Métricas:

Request/second por endpoint
Response time (p50, p95, p99)
Error rate (4xx, 5xx)
Bandwidth usage

Alerts

Configuración:

Alert si error rate > 5% por 5 minutos
Alert si response time p95 > 1000ms
Alert si Orchestrator unreachable (health check fails)

Troubleshooting

Cannot reach Orchestrator from Sevastopol

Síntoma: fetch('http://localhost:8000/api/...') fails with ECONNREFUSED

Debugging:

# Verify Orchestrator is running
pm2 status orchestrator

# Verify port 8000 is listening
lsof -i :8000

# Verify firewall allows internal traffic
sudo iptables -L -n | grep 8000

SSL certificate expired

Síntoma: ERR_CERT_DATE_INVALID en browser.

Fix:

# Renew cert manually
sudo certbot renew

# Reload Nginx
sudo systemctl reload nginx

Infrastructure: Docker - Container networking
Runbook: Deploy - Deploy procedures
ADR-002: Pool Management - Database connection pooling

Changelog

Fecha	Version	Cambios
2026-01-18	1.0	Documentación inicial creada