PrivateDO
Search or ask AI
Infrastructure
Curated in-app view
Raw file remains authoritative
Back to documents
Document route

Read-Node Same-Domain Deploy

Deployment target for serving the static frontend and the read node behind one origin so `/api/v1` becomes a real product rail instead of a documentation-only target.

Boundary

Deployment target only; the current live site remains static until a separate backend host and reverse proxy are actually cut over.

Audience: Operators, infra leads, reviewers

Open raw file

Read Node Same-Domain Deploy

Goal

Serve the static PrivateDAO frontend and the read node behind the same origin so the browser uses:

  • wallet-signed writes in the client
  • pooled backend reads on `/api/v1`
  • direct RPC only as fallback

Deployment Shape

  • frontend static files
  • `https://app.privatedao.xyz/`
  • read node reverse-proxied
  • `https://app.privatedao.xyz/api/v1/*`
  • health and metrics
  • `https://app.privatedao.xyz/healthz`
  • `https://app.privatedao.xyz/api/v1/metrics`

Read Node Process

Run the read node on the host:

cd /home/x-pact/PrivateDAO
PRIVATE_DAO_READ_NODE_HOST=127.0.0.1 \
PRIVATE_DAO_READ_NODE_PORT=8787 \
PRIVATE_DAO_READ_ALLOWED_ORIGIN=https://app.privatedao.xyz \
npm run start:read-node

Reverse Proxy Shape

Example path mapping:

  • `/`
  • static site
  • `/api/v1/`
  • proxy to `http://127.0.0.1:8787/api/v1/`
  • `/healthz`
  • proxy to `http://127.0.0.1:8787/healthz`

Frontend Binding

When the frontend is served from the same domain, use:

?readApi=https://app.privatedao.xyz/api/v1

or inject the same value into the served HTML environment if the static host supports it.

Verification

After deployment, verify:

curl https://app.privatedao.xyz/healthz
curl https://app.privatedao.xyz/api/v1/runtime
curl https://app.privatedao.xyz/api/v1/ops/overview
curl https://app.privatedao.xyz/api/v1/devnet/profiles
curl https://app.privatedao.xyz/api/v1/metrics

In the Runtime Panel, confirm:

  • `READ PATH = Backend Indexer`
  • `REFHE BACKEND` shows live counts
  • `350-WALLET PROFILE` shows the seven-wave plan
  • `READ NODE METRICS` shows requests, failures, and rate-limited counters

Security Notes

  • keep the read node read-only
  • do not move any signing key or treasury authority server-side
  • keep rate limiting enabled
  • keep CORS pinned to the real frontend origin
  • terminate TLS at the reverse proxy
  • keep backend logs and route-hit metrics enabled for operator review