DNS & Reverse Proxy Cutover Log (Nedbank PTI Rebuild)

Purpose

Track the DNS and edge routing changes required to bring the PTI receiver back online (and provide an auditable trail of what was changed, when, and why).


Context

  • Original historic endpoint hostname used by Nedbank: nedbank.banking.ctmarket.co.za
  • DNS ownership uncertainty existed around ctmarket.co.za vs capetownmarket.co.za.
  • Shortcut approach chosen for speed: create a controlled test hostname under capetownmarket.co.za that CNAMEs to the edge reverse proxy domain.

Change: introduce controlled hostname for testing

Created on capetownmarket.co.za

  • Hostname: nedbank.capetownmarket.co.za
  • Record type: CNAME
  • Target: nedbank.reverse-proxy.co.za (edge reverse proxy)

Created on reverse-proxy.co.za

  • Hostname: nedbank.reverse-proxy.co.za
  • Record type: A
  • Target IP: 154.65.108.7

DNS UI pitfall encountered

  • Initial CNAME target was entered without forcing an absolute FQDN.
  • Result: DNS panel auto-appended zone suffix, yielding a broken target: nedbank.reverse-proxy.co.za.capetownmarket.co.za.

Fix applied

  • Updated CNAME target to an absolute FQDN.

Verification (authoritative DNS checks)

Nameservers

Command:

dig +short NS capetownmarket.co.za

Observed:

  • ns1.host-h.net.
  • ns1.dns-h.com.
  • ns2.host-h.net.

Authoritative CNAME

Commands:

dig @ns1.host-h.net +short nedbank.capetownmarket.co.za CNAME

Observed:

  • nedbank.reverse-proxy.co.za.

Also observed via another authoritative host:

dig @ns1.dns-h.net +short nedbank.capetownmarket.co.za CNAME

Observed:

  • nedbank.reverse-proxy.co.za.

NOTE: The authoritative NS list included ns1.dns-h.com; ns1.dns-h.net appears to answer correctly (likely alias/infra detail).
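
The relative-name pitfall and the per-nameserver checks above, combined into one script as an added example (not part of the original log). The function names are hypothetical; check_all_ns needs network access and dig, while the demo runs offline on the two targets recorded in this log.

```shell
#!/usr/bin/env bash
# Added example (not from the original log): detect the relative-CNAME pitfall.
# classify_cname <zone> <expected-target> <observed-target> prints one of:
#   ok             observed equals expected (case-insensitive, trailing dot ignored)
#   zone-appended  observed is expected with ".<zone>" appended by the DNS panel
#   mismatch       anything else, including an empty answer

normalize() {  # lowercase, then strip one trailing dot
  local n
  n=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf '%s' "${n%.}"
}

classify_cname() {
  local zone expected observed
  zone=$(normalize "$1"); expected=$(normalize "$2"); observed=$(normalize "$3")
  if [ -z "$observed" ]; then echo mismatch
  elif [ "$observed" = "$expected" ]; then echo ok
  elif [ "$observed" = "$expected.$zone" ]; then echo zone-appended
  else echo mismatch
  fi
}

# check_all_ns <zone> <hostname> <expected-target>
# Live check (needs network and dig): asks every listed nameserver directly and
# returns non-zero if any of them does not serve the expected target.
# e.g. check_all_ns capetownmarket.co.za nedbank.capetownmarket.co.za nedbank.reverse-proxy.co.za
check_all_ns() {
  local zone host expected nslist ns target verdict rc
  zone=$1; host=$2; expected=$3; rc=0
  nslist=$(dig +short NS "$zone")
  [ -n "$nslist" ] || { echo "no NS answer for $zone" >&2; return 2; }
  for ns in $nslist; do
    target=$(dig @"$ns" +short +norecurse "$host" CNAME)
    verdict=$(classify_cname "$zone" "$expected" "$target")
    printf '%s\t%s\t%s\n' "$ns" "${target:-<no answer>}" "$verdict"
    [ "$verdict" = ok ] || rc=1
  done
  return "$rc"
}

# Offline demo on the broken and fixed targets recorded in this log.
demo() {
  classify_cname capetownmarket.co.za nedbank.reverse-proxy.co.za \
    nedbank.reverse-proxy.co.za.capetownmarket.co.za.
  classify_cname capetownmarket.co.za nedbank.reverse-proxy.co.za \
    nedbank.reverse-proxy.co.za.
}
demo
```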


Next steps (edge routing)

Goal

Make both hostnames serve a simple comms check page and then proxy SOAP requests to the Python receiver:

  • https://nedbank.reverse-proxy.co.za/test/com_check.php → OK
  • https://nedbank.capetownmarket.co.za/test/com_check.php → OK
  • POST https://<host>/zoap/ctm/server → proxy to Python service

Required actions

  • Add Nginx vhost(s) with server_name entries for:
      • nedbank.reverse-proxy.co.za
      • nedbank.capetownmarket.co.za
  • Obtain TLS certificates covering the hostnames (SANs) via certbot.
  • Add proxy routes:
      • /zoap/ctm/server (prod)
      • /zoap/ctm-qa/server (qa)

Notes

  • DNS being correct does not imply routing is active; Nginx must explicitly serve the hostnames and paths.
  • Keep TTL low during iteration; raise after stable.

Update: reverse proxy routing completed (2026-01-28)

Edge routing implemented

  • WireGuard: new client peer created for this container (10.99.0.110/32), tunnel active.
  • Nginx (rpctm): site created and enabled for nedbank.reverse-proxy.co.za with upstream 10.99.0.110:8000.
  • SAN certificate: certbot expanded to include both:
      • nedbank.reverse-proxy.co.za
      • nedbank.capetownmarket.co.za

Validation

  • curl -I http://10.99.0.110:8000 from rpctm → 200 OK
  • https://nedbank.reverse-proxy.co.za → 200 OK
  • https://nedbank.capetownmarket.co.za → 200 OK

Temporary backend (for routing validation)

  • Temporary HTTP server running on this container:
      • python3 -m http.server 8000 --bind 0.0.0.0 --directory /opt/nedbank

Remaining

  • Replace temporary server with the Python SOAP service at /zoap/ctm/server and /zoap/ctm-qa/server.
  • Decide if/when to serve nedbank.banking.ctmarket.co.za (final production hostname).