## Problem
The blackroad.systems domain was returning HTTP 403 Forbidden with a
fallback page ("Status: Nginx API") instead of serving the BlackRoad OS
application. This was caused by:
1. Domain configured in "forward" mode instead of DNS mode
2. Missing or misconfigured Nginx server blocks
3. Requests falling through to default server block
## Solution
### 1. Updated Domain Configuration (ops/domains.yaml)
- Changed blackroad.systems from "forward" to "dns" mode
- Domain now points directly to application server via CNAME
- Established blackroad.systems as canonical apex domain
- www.blackroad.systems redirects to apex domain (301)
- Aligns with DOMAIN_SPEC.md positioning as flagship corporate site
### 2. Created Nginx Configuration (ops/nginx/blackroad.systems.conf)
- Proper server_name directives for blackroad.systems
- HTTP to HTTPS redirects (301)
- www to apex domain redirects (301)
- Modern SSL/TLS configuration
- Security headers (HSTS, X-Frame-Options, etc.)
- SPA fallback routing with try_files
- Static asset caching with versioning
- Health check endpoint at /healthz
- Separate server blocks for apex and www subdomains
### 3. Deployment Guide (ops/DOMAIN_FIX_GUIDE.md)
- Step-by-step deployment instructions
- DNS configuration and verification
- SSL certificate setup
- Nginx deployment and testing
- Troubleshooting guide
- Post-deployment validation checklist
## Testing Required
After deployment:
1. Apply DNS changes: python3 ops/scripts/apply_domains.py
2. Deploy Nginx config to server
3. Obtain SSL certificates
4. Verify all redirects and endpoints
5. Purge CDN caches if applicable
## References
- blackroad-universe/domains/blackroad-systems/DOMAIN_SPEC.md
- ops/scripts/apply_domains.py
# Nginx server block configuration for blackroad.systems
|
|
# This configuration ensures the domain serves the BlackRoad OS application
|
|
# instead of falling back to a default server block
|
|
|
|
# Redirect HTTP to HTTPS for apex domain
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name blackroad.systems;
|
|
|
|
# Redirect all HTTP requests to HTTPS
|
|
return 301 https://blackroad.systems$request_uri;
|
|
}
|
|
|
|
# Redirect HTTP to HTTPS for www subdomain
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name www.blackroad.systems;
|
|
|
|
# Redirect www to apex domain over HTTPS
|
|
return 301 https://blackroad.systems$request_uri;
|
|
}
|
|
|
|
# Redirect HTTPS www to apex domain
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
server_name www.blackroad.systems;
|
|
|
|
# SSL certificate configuration
|
|
ssl_certificate /etc/ssl/certs/blackroad_systems.fullchain.pem;
|
|
ssl_certificate_key /etc/ssl/private/blackroad_systems.key;
|
|
|
|
# Modern SSL configuration
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
# Redirect www to apex domain
|
|
return 301 https://blackroad.systems$request_uri;
|
|
}
|
|
|
|
# Main HTTPS server block for blackroad.systems
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
server_name blackroad.systems;
|
|
|
|
# SSL certificate configuration
|
|
ssl_certificate /etc/ssl/certs/blackroad_systems.fullchain.pem;
|
|
ssl_certificate_key /etc/ssl/private/blackroad_systems.key;
|
|
|
|
# Modern SSL configuration
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_timeout 10m;
|
|
|
|
# Security headers
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
|
|
# Document root - point to your BlackRoad OS build
|
|
# Adjust this path to match your actual deployment location
|
|
root /var/www/blackroad/current;
|
|
index index.html index.htm;
|
|
|
|
# Health check endpoint (separate from main route)
|
|
location = /healthz {
|
|
access_log off;
|
|
return 200 "ok\n";
|
|
add_header Content-Type text/plain;
|
|
}
|
|
|
|
# API proxy (if you have a backend API)
|
|
# Uncomment and adjust if needed
|
|
# location /api/ {
|
|
# proxy_pass http://localhost:3000/;
|
|
# proxy_http_version 1.1;
|
|
# proxy_set_header Upgrade $http_upgrade;
|
|
# proxy_set_header Connection 'upgrade';
|
|
# proxy_set_header Host $host;
|
|
# proxy_set_header X-Real-IP $remote_addr;
|
|
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
# proxy_set_header X-Forwarded-Proto $scheme;
|
|
# proxy_cache_bypass $http_upgrade;
|
|
# }
|
|
|
|
# Static assets with long cache
|
|
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
|
|
expires 1y;
|
|
add_header Cache-Control "public, immutable";
|
|
access_log off;
|
|
}
|
|
|
|
# SPA fallback - serve index.html for all routes
|
|
# This ensures client-side routing works correctly
|
|
location / {
|
|
try_files $uri $uri/ /index.html;
|
|
|
|
# Cache control for HTML
|
|
add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
|
|
}
|
|
|
|
# Deny access to hidden files
|
|
location ~ /\. {
|
|
deny all;
|
|
access_log off;
|
|
log_not_found off;
|
|
}
|
|
|
|
# Custom error pages
|
|
error_page 404 /404.html;
|
|
error_page 500 502 503 504 /50x.html;
|
|
location = /50x.html {
|
|
root /var/www/blackroad/current;
|
|
}
|
|
}
|
|
|
|
# Optional: Server block for os.blackroad.systems
|
|
# If you want os.blackroad.systems to also serve the application
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
server_name os.blackroad.systems;
|
|
|
|
# SSL certificate configuration
|
|
ssl_certificate /etc/ssl/certs/blackroad_systems.fullchain.pem;
|
|
ssl_certificate_key /etc/ssl/private/blackroad_systems.key;
|
|
|
|
# Modern SSL configuration
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
# Same configuration as main domain
|
|
root /var/www/blackroad/current;
|
|
index index.html index.htm;
|
|
|
|
location = /healthz {
|
|
access_log off;
|
|
return 200 "ok\n";
|
|
add_header Content-Type text/plain;
|
|
}
|
|
|
|
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
|
|
expires 1y;
|
|
add_header Cache-Control "public, immutable";
|
|
access_log off;
|
|
}
|
|
|
|
location / {
|
|
try_files $uri $uri/ /index.html;
|
|
add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
|
|
}
|
|
|
|
location ~ /\. {
|
|
deny all;
|
|
access_log off;
|
|
log_not_found off;
|
|
}
|
|
}
|
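Review bot: The security headers declared at server level in the main blackroad.systems block (`add_header Strict-Transport-Security …` through `add_header X-XSS-Protection …`) are silently dropped on the responses that matter most, because nginx inherits `add_header` from the enclosing level only when the current level defines none, and `location /` (`add_header Cache-Control "no-store, …"`), the static-asset location (`add_header Cache-Control "public, immutable"`) and `location = /healthz` (`add_header Content-Type text/plain;`) each define their own; the SPA's HTML and every asset will therefore be served without HSTS, X-Frame-Options or nosniff. The www.blackroad.systems and os.blackroad.systems HTTPS blocks never set these headers at all, so the 301 from www is also sent without HSTS, and os serves the application with none of them. The usual fix is to move the four `add_header` lines into a snippet file and include it in each HTTPS server block and in every location that declares its own `add_header`, e.g. `include <PATH-TO-SECURITY-HEADERS-SNIPPET>;` (placeholder path), or to repeat the four lines verbatim in those locations. Separately, all three HTTPS blocks point at the same `blackroad_systems.fullchain.pem`, so that certificate must carry SANs for the apex, www and os names; worth stating in the SSL section of the deployment guide.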