HTTPS/TLS plan for VVV/WETH RFQ API

This is a preparation/runbook only. No certificate was requested and no public exposure was changed.

Current observed host state

  • NGINX is installed and active.
  • Certbot is not currently installed.
  • RFQ API service config is prepared to bind locally to 127.0.0.1:3000.
  • NGINX reverse proxy config is staged under deploy/nginx/ only.

Required inputs before execution

  • Approved DNS name, e.g. rfq.yourdomain.com.
  • DNS A/AAAA record pointing to this server.
  • Inbound TCP 80 open for HTTP-01 validation.
  • Inbound TCP 443 open before production HTTPS use.
  • Approval to enable the NGINX site publicly.

Install Certbot, gated

Ubuntu/Debian package route:

sudo apt-get update
sudo DEBIAN_FRONTEND=noninteractive apt-get install -y certbot python3-certbot-nginx
certbot --version

Pre-certificate NGINX enablement, gated

The staged config uses rfq.example.com as a placeholder; substitute the approved domain before enabling the site:

sudo mkdir -p /var/www/letsencrypt
sudo cp /home/ubuntu/base-pmm-rfq/deploy/nginx/vvv-weth-rfq-api.conf /etc/nginx/sites-available/vvv-weth-rfq-api
sudo sed -i 's/rfq.example.com/<APPROVED_DOMAIN>/g' /etc/nginx/sites-available/vvv-weth-rfq-api
sudo ln -sfn /etc/nginx/sites-available/vvv-weth-rfq-api /etc/nginx/sites-enabled/vvv-weth-rfq-api
sudo nginx -t
sudo systemctl reload nginx

Smoke test over plain HTTP using the approved DNS name (the Host header sent by curl must match the name in the site config):

curl -sS --max-time 5 http://<APPROVED_DOMAIN>/health

Request certificate, gated

NGINX plugin route:

sudo certbot --nginx -d <APPROVED_DOMAIN> --redirect --agree-tos -m <APPROVED_EMAIL> --no-eff-email

Webroot route if the NGINX plugin causes unwanted edits:

sudo certbot certonly --webroot -w /var/www/letsencrypt -d <APPROVED_DOMAIN> --agree-tos -m <APPROVED_EMAIL> --no-eff-email

Then install the HTTPS template manually:

sudo cp /home/ubuntu/base-pmm-rfq/deploy/letsencrypt/vvv-weth-rfq-api-https.conf.template /etc/nginx/sites-available/vvv-weth-rfq-api
sudo sed -i 's/rfq.example.com/<APPROVED_DOMAIN>/g' /etc/nginx/sites-available/vvv-weth-rfq-api
sudo nginx -t
sudo systemctl reload nginx

Renewal verification

systemctl list-timers 'certbot*' --no-pager || true
sudo certbot renew --dry-run

Post-TLS verification

curl -I -sS --max-time 10 https://<APPROVED_DOMAIN>/health
curl -sS --max-time 10 https://<APPROVED_DOMAIN>/health
curl -sS --max-time 10 https://<APPROVED_DOMAIN>/risk

Expected health body:

{"status":"ok","service":"vvv-weth-rfq","chainId":8453}

Abort criteria

Abort and do not expose hard quotes if any of these are true:

  • nginx -t fails.
  • API health check fails locally.
  • DNS does not resolve to this server.
  • TLS issuance fails.
  • Signer is accidentally enabled before explicit approval.
  • Risk controls/rate limits are not reviewed.
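The following preflight script is an added example, not part of the project's deploy/ tree. It turns the abort criteria above, the placeholder substitution from the pre-certificate step and the expected health body into checks that can be run before the site is enabled. The pure checks take their inputs as arguments so they can be exercised offline; preflight() wires them to the live commands from this runbook. Assumed, not from the page: the env file path /etc/default/vvv-weth-rfq-api with a SIGNER_ENABLED=true|false key, and that the operator passes the server's public address in SERVER_IP. The last criterion (risk controls/rate limits reviewed) is a manual sign-off and is not automated here.

```shell
#!/bin/sh
# Added preflight gate for the abort criteria in this runbook (example code,
# not the project's own). Assumed: env file path and SIGNER_ENABLED key,
# SERVER_IP supplied by the operator, glibc getent for DNS lookup.
set -u

EXPECTED_SERVICE="vvv-weth-rfq"
EXPECTED_CHAIN_ID="8453"

# Validate the /health body documented in the runbook without jq.
# Succeeds only when status is ok and service/chainId match the expected values.
check_health_body() {
  body="$1"
  printf '%s' "$body" | grep -q '"status":"ok"' || return 1
  printf '%s' "$body" | grep -q "\"service\":\"${EXPECTED_SERVICE}\"" || return 1
  printf '%s' "$body" | grep -qE "\"chainId\":${EXPECTED_CHAIN_ID}([,}]|\$)" || return 1
}

# Fail if the site config is missing or still contains the rfq.example.com placeholder.
check_no_placeholder() {
  conf="$1"
  [ -f "$conf" ] || return 1
  if grep -q 'rfq\.example\.com' "$conf"; then return 1; fi
  return 0
}

# The DNS name must resolve to this server's address; both values are passed in.
check_dns_matches() {
  resolved="$1"
  server_ip="$2"
  [ -n "$resolved" ] && [ "$resolved" = "$server_ip" ]
}

# First IPv4 address for the domain via the system resolver (glibc getent, assumed present).
resolve_domain() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Signer gate: SIGNER_ENABLED (assumed key) must be unset or "false"; no env file means no signer.
check_signer_disabled() {
  envfile="$1"
  [ -f "$envfile" ] || return 0
  val=$(sed -n 's/^SIGNER_ENABLED=//p' "$envfile" | tail -n 1)
  [ -z "$val" ] || [ "$val" = "false" ]
}

# Evaluate every automatable criterion, print one line each, return 1 if any failed.
# Usage: SERVER_IP=203.0.113.10 sh preflight.sh <APPROVED_DOMAIN> [site-conf] [env-file]
preflight() {
  domain="$1"
  conf="${2:-/etc/nginx/sites-available/vvv-weth-rfq-api}"
  envfile="${3:-/etc/default/vvv-weth-rfq-api}"
  fail=0
  if sudo nginx -t >/dev/null 2>&1; then echo "ok   nginx -t"; else echo "FAIL nginx -t"; fail=1; fi
  body=$(curl -sS --max-time 5 http://127.0.0.1:3000/health 2>/dev/null || true)
  if check_health_body "$body"; then echo "ok   local health"; else echo "FAIL local health (${body:-no response})"; fail=1; fi
  if check_no_placeholder "$conf"; then echo "ok   placeholder replaced"; else echo "FAIL placeholder still in $conf"; fail=1; fi
  if check_dns_matches "$(resolve_domain "$domain")" "${SERVER_IP:-}"; then echo "ok   DNS -> this server"; else echo "FAIL DNS for $domain does not match SERVER_IP"; fail=1; fi
  if check_signer_disabled "$envfile"; then echo "ok   signer disabled"; else echo "FAIL signer enabled in $envfile"; fail=1; fi
  return "$fail"
}

# Only run the live gate when a domain is given on the command line.
if [ "$#" -gt 0 ]; then
  preflight "$@" || { echo "ABORT: do not expose hard quotes"; exit 1; }
fi
```

Run it after the pre-certificate NGINX step and again after TLS issuance; any FAIL line maps directly to an abort criterion above, and the script's non-zero exit status can gate a deployment job on the same rule.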