Fix blackroad.systems domain configuration and Nginx setup

## Problem The blackroad.systems domain was returning HTTP 403 Forbidden with a fallback page ("Status: Nginx API") instead of serving the BlackRoad OS application. This was caused by: 1. Domain configured in "forward" mode instead of DNS mode 2. Missing or misconfigured Nginx server blocks 3. Requests falling through to default server block ## Solution ### 1. Updated Domain Configuration (ops/domains.yaml) - Changed blackroad.systems from "forward" to "dns" mode - Domain now points directly to application server via CNAME - Established blackroad.systems as canonical apex domain - www.blackroad.systems redirects to apex domain (301) - Aligns with DOMAIN_SPEC.md positioning as flagship corporate site ### 2. Created Nginx Configuration (ops/nginx/blackroad.systems.conf) - Proper server_name directives for blackroad.systems - HTTP to HTTPS redirects (301) - www to apex domain redirects (301) - Modern SSL/TLS configuration - Security headers (HSTS, X-Frame-Options, etc.) - SPA fallback routing with try_files - Static asset caching with versioning - Health check endpoint at /healthz - Separate server blocks for apex and www subdomains ### 3. Deployment Guide (ops/DOMAIN_FIX_GUIDE.md) - Step-by-step deployment instructions - DNS configuration and verification - SSL certificate setup - Nginx deployment and testing - Troubleshooting guide - Post-deployment validation checklist ## Testing Required After deployment: 1. Apply DNS changes: python3 ops/scripts/apply_domains.py 2. Deploy Nginx config to server 3. Obtain SSL certificates 4. Verify all redirects and endpoints 5. Purge CDN caches if applicable ## References - blackroad-universe/domains/blackroad-systems/DOMAIN_SPEC.md - ops/scripts/apply_domains.py
2026-03-17 03:57:13 -05:00 · 2025-11-17 05:01:22 +00:00
parent baca146637
commit b51092bcbc
3 changed files with 568 additions and 4 deletions
--- a/ops/nginx/blackroad.systems.conf
+++ b/ops/nginx/blackroad.systems.conf
@@ -0,0 +1,166 @@
+# Nginx server block configuration for blackroad.systems
+# This configuration ensures the domain serves the BlackRoad OS application
+# instead of falling back to a default server block
+
+# Redirect HTTP to HTTPS for apex domain
+server {
+    listen 80;
+    listen [::]:80;
+    server_name blackroad.systems;
+
+    # Redirect all HTTP requests to HTTPS
+    return 301 https://blackroad.systems$request_uri;
+}
+
+# Redirect HTTP to HTTPS for www subdomain
+server {
+    listen 80;
+    listen [::]:80;
+    server_name www.blackroad.systems;
+
+    # Redirect www to apex domain over HTTPS
+    return 301 https://blackroad.systems$request_uri;
+}
+
+# Redirect HTTPS www to apex domain
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name www.blackroad.systems;
+
+    # SSL certificate configuration
+    ssl_certificate /etc/ssl/certs/blackroad_systems.fullchain.pem;
+    ssl_certificate_key /etc/ssl/private/blackroad_systems.key;
+
+    # Modern SSL configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+
+    # Redirect www to apex domain
+    return 301 https://blackroad.systems$request_uri;
+}
+
+# Main HTTPS server block for blackroad.systems
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name blackroad.systems;
+
+    # SSL certificate configuration
+    ssl_certificate /etc/ssl/certs/blackroad_systems.fullchain.pem;
+    ssl_certificate_key /etc/ssl/private/blackroad_systems.key;
+
+    # Modern SSL configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    # Security headers
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    # Document root - point to your BlackRoad OS build
+    # Adjust this path to match your actual deployment location
+    root /var/www/blackroad/current;
+    index index.html index.htm;
+
+    # Health check endpoint (separate from main route)
+    location = /healthz {
+        access_log off;
+        return 200 "ok\n";
+        add_header Content-Type text/plain;
+    }
+
+    # API proxy (if you have a backend API)
+    # Uncomment and adjust if needed
+    # location /api/ {
+    #     proxy_pass http://localhost:3000/;
+    #     proxy_http_version 1.1;
+    #     proxy_set_header Upgrade $http_upgrade;
+    #     proxy_set_header Connection 'upgrade';
+    #     proxy_set_header Host $host;
+    #     proxy_set_header X-Real-IP $remote_addr;
+    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    #     proxy_set_header X-Forwarded-Proto $scheme;
+    #     proxy_cache_bypass $http_upgrade;
+    # }
+
+    # Static assets with long cache
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+        access_log off;
+    }
+
+    # SPA fallback - serve index.html for all routes
+    # This ensures client-side routing works correctly
+    location / {
+        try_files $uri $uri/ /index.html;
+
+        # Cache control for HTML
+        add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
+    }
+
+    # Deny access to hidden files
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    # Custom error pages
+    error_page 404 /404.html;
+    error_page 500 502 503 504 /50x.html;
+    location = /50x.html {
+        root /var/www/blackroad/current;
+    }
+}
+
+# Optional: Server block for os.blackroad.systems
+# If you want os.blackroad.systems to also serve the application
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name os.blackroad.systems;
+
+    # SSL certificate configuration
+    ssl_certificate /etc/ssl/certs/blackroad_systems.fullchain.pem;
+    ssl_certificate_key /etc/ssl/private/blackroad_systems.key;
+
+    # Modern SSL configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+
+    # Same configuration as main domain
+    root /var/www/blackroad/current;
+    index index.html index.htm;
+
+    location = /healthz {
+        access_log off;
+        return 200 "ok\n";
+        add_header Content-Type text/plain;
+    }
+
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+        access_log off;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.html;
+        add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
+    }
+
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+}