blackroad-os/blackroad-operating-system
9
0
Fork 0
mirror of https://github.com/blackboxprogramming/BlackRoad-Operating-System.git synced 2026-03-17 05:57:21 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
5f852ab3c8156400bc080674f157194f671a08bc
blackroad-operating-system/ops/DOMAIN_FIX_GUIDE.md
Claude b51092bcbc Fix blackroad.systems domain configuration and Nginx setup 
## Problem
The blackroad.systems domain was returning HTTP 403 Forbidden with a
fallback page ("Status: Nginx API") instead of serving the BlackRoad OS
application. This was caused by:

1. Domain configured in "forward" mode instead of DNS mode
2. Missing or misconfigured Nginx server blocks
3. Requests falling through to default server block

## Solution

### 1. Updated Domain Configuration (ops/domains.yaml)
- Changed blackroad.systems from "forward" to "dns" mode
- Domain now points directly to application server via CNAME
- Established blackroad.systems as canonical apex domain
- www.blackroad.systems redirects to apex domain (301)
- Aligns with DOMAIN_SPEC.md positioning as flagship corporate site

### 2. Created Nginx Configuration (ops/nginx/blackroad.systems.conf)
- Proper server_name directives for blackroad.systems
- HTTP to HTTPS redirects (301)
- www to apex domain redirects (301)
- Modern SSL/TLS configuration
- Security headers (HSTS, X-Frame-Options, etc.)
- SPA fallback routing with try_files
- Static asset caching with versioning
- Health check endpoint at /healthz
- Separate server blocks for apex and www subdomains

### 3. Deployment Guide (ops/DOMAIN_FIX_GUIDE.md)
- Step-by-step deployment instructions
- DNS configuration and verification
- SSL certificate setup
- Nginx deployment and testing
- Troubleshooting guide
- Post-deployment validation checklist

## Testing Required

After deployment:
1. Apply DNS changes: python3 ops/scripts/apply_domains.py
2. Deploy Nginx config to server
3. Obtain SSL certificates
4. Verify all redirects and endpoints
5. Purge CDN caches if applicable

## References
- blackroad-universe/domains/blackroad-systems/DOMAIN_SPEC.md
- ops/scripts/apply_domains.py
2025-11-17 05:01:22 +00:00

392 lines
11 KiB
Markdown
Raw Blame History

# BlackRoad.systems Domain Fix Guide
## Problem Summary
The `blackroad.systems` domain is currently returning **HTTP 403 Forbidden** with a fallback page ("Status: Nginx API") instead of serving the BlackRoad OS application.
### Root Cause
1. **Domain Configuration**: The domain was configured in "forward" mode to redirect to `os.blackroad.systems`, but this forwarding is not properly set up at the DNS/registrar level
2. **Nginx Misconfiguration**: The web server doesn't have a proper `server_name` directive matching `blackroad.systems`, causing requests to fall through to a default server block
3. **Missing Server Block**: No dedicated Nginx configuration exists for the `blackroad.systems` domain
## Solution Overview
We've updated the domain configuration to serve the application directly at `blackroad.systems` instead of using forwarding. This involves:
1.**Updated DNS configuration** in `ops/domains.yaml` to point `blackroad.systems` directly to the application server
2.**Created Nginx server blocks** in `ops/nginx/blackroad.systems.conf` for proper request handling
3. 📋 **Deployment steps** below to apply these changes
---
## Changes Made
### 1. Domain Configuration (`ops/domains.yaml`)
**Before:**
```yaml
- name: "blackroad.systems"
mode: "forward"
forward_to: "https://os.blackroad.systems"
```
**After:**
```yaml
- name: "blackroad.systems"
mode: "dns"
record:
type: "CNAME"
value: "YOUR-PROD-RAILWAY-APP.up.railway.app"
```
**Key Changes:**
- Changed from `forward` mode to `dns` mode
- Domain now points directly to the application server (Railway)
- `www.blackroad.systems` redirects to the apex domain
- Establishes `blackroad.systems` as the canonical domain
### 2. Nginx Configuration (`ops/nginx/blackroad.systems.conf`)
Created a complete Nginx server block configuration that:
- Redirects all HTTP traffic to HTTPS
- Redirects `www.blackroad.systems` to `blackroad.systems`
- Serves the BlackRoad OS application at the apex domain
- Includes proper SSL/TLS configuration
- Implements security headers
- Provides SPA fallback routing with `try_files`
- Configures static asset caching
- Includes health check endpoint at `/healthz`
---
## Deployment Steps
### Prerequisites
1. **Railway hostname**: Replace `YOUR-PROD-RAILWAY-APP.up.railway.app` in `ops/domains.yaml` with your actual Railway deployment URL
2. **SSL certificate**: Obtain SSL certificates for `blackroad.systems` (use Let's Encrypt or your provider)
3. **API credentials**: Ensure you have GoDaddy API credentials set as environment variables:
```bash
export GODADDY_API_KEY="your_key_here"
export GODADDY_API_SECRET="your_secret_here"
```
### Step 1: Update Domain DNS Records
Run the domain apply script to update DNS records at GoDaddy:
```bash
cd /path/to/BlackRoad-Operating-System
python3 ops/scripts/apply_domains.py
```
**Expected output:**
```
Updating DNS record for blackroad.systems: CNAME -> YOUR-PROD-RAILWAY-APP.up.railway.app
Updating forwarding for www.blackroad.systems -> https://blackroad.systems
```
**Verification:**
```bash
# Wait 5-10 minutes for DNS propagation, then check:
dig +short blackroad.systems
dig +short www.blackroad.systems
```
Both should resolve to your Railway server IP or CNAME.
### Step 2: Deploy Nginx Configuration
Copy the Nginx configuration to your server:
```bash
# SSH to your web server
ssh user@your-server
# Copy the config file
sudo cp /path/to/ops/nginx/blackroad.systems.conf /etc/nginx/sites-available/
# Create symlink to enable the site
sudo ln -s /etc/nginx/sites-available/blackroad.systems.conf /etc/nginx/sites-enabled/
# Remove any default server blocks that might conflict
sudo rm /etc/nginx/sites-enabled/default
```
**Update paths in the config:**
Edit `/etc/nginx/sites-available/blackroad.systems.conf` and ensure:
1. **Document root**: Set `root` to your actual deployment directory
```nginx
root /var/www/blackroad/current; # Adjust this path
```
2. **SSL certificates**: Update SSL certificate paths
```nginx
ssl_certificate /etc/ssl/certs/blackroad_systems.fullchain.pem;
ssl_certificate_key /etc/ssl/private/blackroad_systems.key;
```
3. **Backend API proxy** (if needed): Uncomment and configure the `/api/` location block
### Step 3: Obtain SSL Certificates
If you don't have SSL certificates yet, use Let's Encrypt:
```bash
# Install certbot
sudo apt update
sudo apt install certbot python3-certbot-nginx
# Obtain certificates for both apex and www
sudo certbot --nginx -d blackroad.systems -d www.blackroad.systems
# Certbot will automatically update your Nginx config
```
### Step 4: Test and Reload Nginx
```bash
# Test Nginx configuration syntax
sudo nginx -t
# If test passes, reload Nginx
sudo systemctl reload nginx
# Check Nginx status
sudo systemctl status nginx
```
### Step 5: Deploy Your Application Build
Ensure your BlackRoad OS application is built and deployed to the document root:
```bash
# Example deployment (adjust to your build process)
cd /var/www/blackroad
git pull origin main
npm install
npm run build
cp -r dist/* current/
# Verify index.html exists
ls -la /var/www/blackroad/current/index.html
```
### Step 6: Verify the Deployment
Test all endpoints:
```bash
# Test HTTP -> HTTPS redirect
curl -I http://blackroad.systems
# Should return: HTTP/1.1 301 Moved Permanently
# Location: https://blackroad.systems
# Test www -> apex redirect
curl -I https://www.blackroad.systems
# Should return: HTTP/2 301
# Location: https://blackroad.systems
# Test main site
curl -I https://blackroad.systems
# Should return: HTTP/2 200
# Test health check
curl https://blackroad.systems/healthz
# Should return: ok
# Full response check
curl -s https://blackroad.systems | head -n 20
# Should return your HTML content (not "Status: Nginx API")
```
### Step 7: Purge CDN/Edge Caches (if applicable)
If you're using a CDN or edge cache:
```bash
# Cloudflare example
curl -X POST "https://api.cloudflare.com/client/v4/zones/{zone_id}/purge_cache" \
-H "Authorization: Bearer {token}" \
-H "Content-Type: application/json" \
--data '{"purge_everything":true}'
# Fastly example
curl -X POST "https://api.fastly.com/service/{service_id}/purge_all" \
-H "Fastly-Key: {token}"
```
---
## Troubleshooting
### Issue: Still seeing 403 Forbidden
**Cause**: Nginx config not properly loaded or file permissions issue
**Solution**:
```bash
# Check Nginx error logs
sudo tail -f /var/log/nginx/error.log
# Verify file permissions
sudo chown -R www-data:www-data /var/www/blackroad/current
sudo chmod -R 755 /var/www/blackroad/current
# Restart Nginx
sudo systemctl restart nginx
```
### Issue: DNS not resolving
**Cause**: DNS propagation delay or incorrect CNAME value
**Solution**:
```bash
# Check current DNS records
dig blackroad.systems
# Force refresh DNS
sudo systemd-resolve --flush-caches
# Wait 5-15 minutes for global DNS propagation
```
### Issue: SSL certificate errors
**Cause**: Certificate not covering domain or expired
**Solution**:
```bash
# Check certificate validity
sudo openssl x509 -in /etc/ssl/certs/blackroad_systems.fullchain.pem -text -noout
# Renew Let's Encrypt certificate
sudo certbot renew
# Test SSL configuration
openssl s_client -connect blackroad.systems:443 -servername blackroad.systems
```
### Issue: 404 on SPA routes
**Cause**: `try_files` directive not working or missing index.html
**Solution**:
```bash
# Verify index.html exists
ls -la /var/www/blackroad/current/index.html
# Test Nginx try_files manually
curl -I https://blackroad.systems/some/spa/route
# Should return 200 and serve index.html
```
---
## Post-Deployment Validation Checklist
- [ ] `http://blackroad.systems` redirects to `https://blackroad.systems`
- [ ] `https://www.blackroad.systems` redirects to `https://blackroad.systems`
- [ ] `https://blackroad.systems` returns HTTP 200 and serves the application
- [ ] `/healthz` endpoint returns "ok"
- [ ] No "Status: Nginx API" fallback page
- [ ] No 403 Forbidden errors
- [ ] SSL certificate is valid and trusted
- [ ] SPA client-side routes work correctly
- [ ] Static assets load with proper caching headers
---
## Architecture Decision
### Why Apex Domain Instead of Subdomain?
Based on the `blackroad-universe/domains/blackroad-systems/DOMAIN_SPEC.md`:
- `blackroad.systems` is defined as the **flagship corporate & OS site**
- It should serve as the primary entry point for enterprise decision-makers
- The domain positioning emphasizes credibility, trust, and professional authority
- Using a subdomain (`os.blackroad.systems`) would dilute the brand and reduce SEO authority
### Domain Hierarchy
```
blackroad.systems (APEX) → Main application (canonical)
├── www.blackroad.systems → Redirects to apex
└── os.blackroad.systems → Alternative alias (serves same app)
```
This establishes `blackroad.systems` as the canonical domain while maintaining backwards compatibility with `os.blackroad.systems`.
---
## Monitoring
Set up monitoring to ensure the domain stays healthy:
```bash
# Uptime monitoring
curl -fsS -m 10 --retry 5 https://blackroad.systems/healthz || echo "Site down!"
# Response time monitoring
curl -w "@curl-format.txt" -o /dev/null -s https://blackroad.systems
# SSL certificate expiration monitoring
echo | openssl s_client -servername blackroad.systems -connect blackroad.systems:443 2>/dev/null | openssl x509 -noout -dates
```
Consider using monitoring services like:
- Uptime Robot
- Pingdom
- StatusCake
- Datadog
---
## Rollback Plan
If issues occur after deployment:
```bash
# Revert DNS (run apply_domains.py with old config)
git checkout HEAD~1 ops/domains.yaml
python3 ops/scripts/apply_domains.py
# Disable new Nginx config
sudo rm /etc/nginx/sites-enabled/blackroad.systems.conf
sudo systemctl reload nginx
# Wait for DNS propagation (5-15 minutes)
```
---
## Next Steps
1. **Replace Railway placeholder**: Update `YOUR-PROD-RAILWAY-APP.up.railway.app` in `domains.yaml` with actual hostname
2. **Obtain SSL certificates**: Use Let's Encrypt or your certificate provider
3. **Deploy application build**: Ensure latest build is in `/var/www/blackroad/current`
4. **Run apply_domains.py**: Update DNS records at GoDaddy
5. **Deploy Nginx config**: Copy and enable the server block
6. **Test thoroughly**: Verify all redirects and endpoints work correctly
7. **Monitor**: Set up uptime and SSL monitoring
---
## Contact
For issues with this deployment:
- Review logs: `/var/log/nginx/error.log` and `/var/log/nginx/access.log`
- Check domain status: `ops/scripts/apply_domains.py`
- Verify DNS: `dig blackroad.systems`
- Test SSL: `openssl s_client -connect blackroad.systems:443`
---
**Status**: Ready for deployment
**Last Updated**: 2025-11-17
Reference in New Issue View Git Blame Copy Permalink