d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

MIM4U: nginx install/deploy/backup scripts, rate limit, CSP, docs; submodule pointer; txpool retry script
Some checks failed
Deploy to Phoenix / deploy (push) Has been cancelled
Details

Browse Source 
Made-with: Cursor
This commit is contained in:
defiQUG
2026-02-26 22:35:24 -08:00
parent 39359e0441
commit 4f97e27f69
13 changed files with 656 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
config/ip-addresses.conf
View File

@@ -4,6 +4,9 @@
# See: docs/11-references/NETWORK_CONFIGURATION_MASTER.md # See: docs/11-references/NETWORK_CONFIGURATION_MASTER.md
# Optional: source PROJECT_ROOT/.env first to override (scripts should: source .env 2>/dev/null; source this file) # Optional: source PROJECT_ROOT/.env first to override (scripts should: source .env 2>/dev/null; source this file)
# Proxmox SSH user for shell access (use root). .env may set PROXMOX_USER=root@pam for API; that is not valid for SSH.
PROXMOX_SSH_USER="${PROXMOX_SSH_USER:-root}"
# Proxmox Hosts (overridable via .env PROXMOX_ML110, PROXMOX_R630_01, PROXMOX_R630_02) # Proxmox Hosts (overridable via .env PROXMOX_ML110, PROXMOX_R630_01, PROXMOX_R630_02)
PROXMOX_HOST_ML110="${PROXMOX_ML110:-${PROXMOX_HOST_ML110:-192.168.11.10}}" PROXMOX_HOST_ML110="${PROXMOX_ML110:-${PROXMOX_HOST_ML110:-192.168.11.10}}"
PROXMOX_HOST_R630_01="${PROXMOX_R630_01:-${PROXMOX_HOST_R630_01:-192.168.11.11}}" PROXMOX_HOST_R630_01="${PROXMOX_R630_01:-${PROXMOX_HOST_R630_01:-192.168.11.11}}"
@@ -81,6 +84,8 @@ DBIS_REDIS_IP="192.168.11.120"
# source "$(dirname "$0")/../config/ip-addresses.conf" # source "$(dirname "$0")/../config/ip-addresses.conf"
IP_OMADA="192.168.11.20" IP_OMADA="192.168.11.20"
IP_MIM_WEB="192.168.11.37" IP_MIM_WEB="192.168.11.37"
# MIM4U API backend (VMID 7811) — used by nginx on 7810 for /api/ proxy
MIM_API_IP="192.168.11.36"
DB_HOST="192.168.11.53" DB_HOST="192.168.11.53"
IP_NPMPLUS_ETH0="192.168.11.166" IP_NPMPLUS_ETH0="192.168.11.166"
# NPMplus Alltra/HYBX (VMID 10235) - see docs/04-configuration/NPMPLUS_ALLTRA_HYBX_MASTER_PLAN.md # NPMplus Alltra/HYBX (VMID 10235) - see docs/04-configuration/NPMPLUS_ALLTRA_HYBX_MASTER_PLAN.md

18
docs/04-configuration/ALL_VMIDS_ENDPOINTS.md
View File

@@ -219,12 +219,12 @@ The following VMIDs have been permanently removed:
| 7811 | 192.168.11.36 | mim-api-1 | ✅ Running | Web: 80, 443, API: Various | MIM4U service (web + API) | | 7811 | 192.168.11.36 | mim-api-1 | ✅ Running | Web: 80, 443, API: Various | MIM4U service (web + API) |
**Public Domains** (NPMplus config): **Public Domains** (NPMplus config):
- `mim4u.org` → Routes to `http://192.168.11.36:80` (VMID 7811) - `mim4u.org` → Routes to `http://192.168.11.37:80` (VMID 7810 mim-web-1)
- `www.mim4u.org` → Redirects to `mim4u.org` (via NPMplus redirect) - `www.mim4u.org` → Routes to `http://192.168.11.37:80` (VMID 7810; optional NPMplus redirect www → apex)
- `secure.mim4u.org` → Routes to `http://192.168.11.36:80` (VMID 7811) - `secure.mim4u.org` → Routes to `http://192.168.11.37:80` (VMID 7810)
- `training.mim4u.org` → Routes to `http://192.168.11.36:80` (VMID 7811) - `training.mim4u.org` → Routes to `http://192.168.11.37:80` (VMID 7810)
**Note**: All MIM4U domains route to VMID 7811 at 192.168.11.36. `www.mim4u.org` redirects to `mim4u.org` to save on proxy host configurations. **Note**: All MIM4U domains route to VMID 7810 (mim-web-1) at 192.168.11.37. nginx on 7810 proxies `/api/` to VMID 7811 (192.168.11.36:3001).
--- ---
@@ -467,10 +467,10 @@ This section lists all endpoints that should be configured in NPMplus, extracted
| `dbis-api-2.d-bis.org` | `192.168.11.156` | `http` | `3000` | ❌ No | DBIS API Secondary (VMID 10151) | | `dbis-api-2.d-bis.org` | `192.168.11.156` | `http` | `3000` | ❌ No | DBIS API Secondary (VMID 10151) |
| `secure.d-bis.org` | `192.168.11.130` | `http` | `80` | ❌ No | DBIS Secure Portal (VMID 10130) - Path-based routing | | `secure.d-bis.org` | `192.168.11.130` | `http` | `80` | ❌ No | DBIS Secure Portal (VMID 10130) - Path-based routing |
| **MIM4U Services** | | **MIM4U Services** |
| `mim4u.org` | `192.168.11.36` | `http` | `80` | ❌ No | MIM4U Main Site (VMID 7811) | | `mim4u.org` | `192.168.11.37` | `http` | `80` | ❌ No | MIM4U Main Site (VMID 7810 mim-web-1) |
| `www.mim4u.org` | `Redirect` | `-` | `-` | ❌ No | Redirects to `mim4u.org` (no separate proxy host) | | `www.mim4u.org` | `192.168.11.37` | `http` | `80` | ❌ No | MIM4U (VMID 7810; optional redirect www → apex) |
| `secure.mim4u.org` | `192.168.11.36` | `http` | `80` | ❌ No | MIM4U Secure Portal (VMID 7811) | | `secure.mim4u.org` | `192.168.11.37` | `http` | `80` | ❌ No | MIM4U Secure Portal (VMID 7810) |
| `training.mim4u.org` | `192.168.11.36` | `http` | `80` | ❌ No | MIM4U Training Portal (VMID 7811) | | `training.mim4u.org` | `192.168.11.37` | `http` | `80` | ❌ No | MIM4U Training Portal (VMID 7810) |
| **Sankofa Phoenix Services** | | **Sankofa Phoenix Services** |
| `sankofa.nexus` | `192.168.11.51` | `http` | `3000` | ❌ No | Sankofa Portal - Company Website (VMID 7801) ✅ **Deployed** | | `sankofa.nexus` | `192.168.11.51` | `http` | `3000` | ❌ No | Sankofa Portal - Company Website (VMID 7801) ✅ **Deployed** |
| `www.sankofa.nexus` | `192.168.11.51` | `http` | `3000` | ❌ No | Sankofa Portal (VMID 7801) ✅ **Deployed** | | `www.sankofa.nexus` | `192.168.11.51` | `http` | `3000` | ❌ No | Sankofa Portal (VMID 7801) ✅ **Deployed** |

54
docs/04-configuration/MIM4U_502_ERROR_RESOLUTION.md
View File

@@ -47,6 +47,17 @@
The container needs nginx installed and running to serve the web application. The container needs nginx installed and running to serve the web application.
**Option A — run the fix script (recommended):** From a host that can SSH to the Proxmox node (r630-02):
```bash
./scripts/mim4u-install-nginx-and-fix-502.sh
# Or dry-run: ./scripts/mim4u-install-nginx-and-fix-502.sh --dry-run
```
The script installs nginx, writes the security-enabled config (including rate limits in `/etc/nginx/conf.d/mim4u-rate-limit.conf` and the default site), ensures `/var/www/html` exists, and reloads nginx.
**Option B — manual steps:**
```bash ```bash
# SSH to Proxmox host # SSH to Proxmox host
ssh root@192.168.11.12 ssh root@192.168.11.12
@@ -68,16 +79,17 @@ Check what IP NPMplus is routing to:
1. **Access NPMplus Web UI**: 1. **Access NPMplus Web UI**:
- URL: `https://192.168.0.166:81` or `https://192.168.11.166:81` - URL: `https://192.168.0.166:81` or `https://192.168.11.166:81`
- Navigate to: Proxy Hosts → `mim4u.org` - Navigate to: Proxy Hosts → `mim4u.org` (and `www.mim4u.org`)
2. **Verify Configuration**: 2. **Verify Configuration**:
- Forward Hostname/IP: Should be `192.168.11.37` - Forward Hostname/IP: Should be `192.168.11.37`
- Forward Port: Should be `80` - Forward Port: Should be `80`
- Forward Scheme: Should be `http` - Forward Scheme: Should be `http`
- **www.mim4u.org**: Same backend so both apex and www work. Optional: create a Redirect host for `www.mim4u.org``https://mim4u.org` in NPMplus to canonicalize to apex.
3. **If incorrect, update to**: 3. **Security (HSTS / SSL)**:
- Forward Hostname/IP: `192.168.11.37` - Enable **SSL** and **Force SSL** for mim4u.org (and www, secure, training) so HTTPS is used.
- Forward Port: `80` - Enable **HSTS** in the proxy hosts SSL tab so browsers get `Strict-Transport-Security`. NPMplus adds the header when terminating SSL.
### Step 3: Deploy MIM4U Web Application (When Ready) ### Step 3: Deploy MIM4U Web Application (When Ready)
@@ -97,22 +109,31 @@ If you need the site working immediately, you can:
2. **Configure basic nginx** to serve a default page: 2. **Configure basic nginx** to serve a default page:
```bash ```bash
# Basic nginx config (temporary) # Basic nginx config (temporary) — server_name includes www so www.mim4u.org works; security headers (HSTS when on HTTPS via NPMplus, CSP)
pct exec 7810 -- bash -c 'cat > /etc/nginx/sites-available/default << EOF pct exec 7810 -- bash -c 'cat > /etc/nginx/sites-available/default << EOF
server { server {
listen 80; listen 80;
server_name _; server_name mim4u.org www.mim4u.org secure.mim4u.org training.mim4u.org _;
root /var/www/html; root /var/www/html;
index index.html; index index.html;
# Security headers (HSTS added by NPMplus when terminating SSL; CSP reduces XSS)
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src '\''self'\''; script-src '\''self'\'' '\''unsafe-inline'\'' '\''unsafe-eval'\''; style-src '\''self'\'' '\''unsafe-inline'\'' https://fonts.googleapis.com; font-src '\''self'\'' https://fonts.gstatic.com; img-src '\''self'\'' data: https:; connect-src '\''self'\'' https://mim4u.org; frame-ancestors '\''self'\'';" always;
location / { location / {
try_files \$uri \$uri/ =404; try_files \$uri \$uri/ /index.html =404;
} }
location /api/ { location /api/ {
proxy_pass http://192.168.11.36:3001; proxy_pass http://192.168.11.36:3001;
proxy_set_header Host \$host; proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
} }
} }
EOF' EOF'
@@ -148,5 +169,24 @@ curl -I https://mim4u.org/
--- ---
## Optional: Rate limiting for /api/
To rate-limit `/api/` at nginx, the `limit_req_zone` directive must live in the **http** block (e.g. in `/etc/nginx/nginx.conf`), not in the server block. Example:
```nginx
# In http { ... } in nginx.conf
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=30r/m;
```
Then in your server block (or in the snippet above), inside `location /api/` add:
```nginx
limit_req zone=api_limit burst=5 nodelay;
```
Alternatively, use Cloudflare WAF rate limiting in front of mim4u.org (see [CLOUDFLARE_SETUP](../../miracles_in_motion/docs/deployment/CLOUDFLARE_SETUP.md)).
---
**Last Updated**: 2026-01-18 **Last Updated**: 2026-01-18
**Status**: ⚠️ nginx installation needed on VMID 7810 **Status**: ⚠️ nginx installation needed on VMID 7810

49
docs/04-configuration/MIM4U_FIRST_PARTY_ANALYTICS.md Normal file
View File

@@ -0,0 +1,49 @@
# MIM4U First-Party Analytics Endpoint
**Purpose:** Allow key events (page views, CTA clicks, form submissions) to be measured even when ad blockers block Google Analytics. The frontend sends a copy of each event to a first-party endpoint.
## Frontend behavior
When cookie consent is **accept**, the app sends events to:
- **Google Analytics** (when `gtag` is available)
- **First-party fallback:** `POST /api/events` (fire-and-forget, `keepalive: true`)
Request body is a JSON object:
```json
{
"event": "page_view",
"properties": {
"page": "/",
"title": "Miracles In Motion | ...",
"timestamp": "2026-02-26T12:00:00.000Z",
"url": "https://mim4u.org/"
},
"userId": null
}
```
Example event names: `page_view`, `cta_clicked`, `donation_completed`, `form_submission`, `volunteer_signup`.
## Backend (API on VMID 7811)
The API behind `/api/` (proxied from 7810 to 7811) should implement:
**`POST /api/events`**
- **Auth:** Optional; if you require auth, use a short-lived token or same-origin only (no CORS for other origins).
- **Body:** JSON as above.
- **Response:** `204 No Content` or `200 OK` (no body required).
- **Side effects:** Log to disk, forward to a server-side analytics pipeline (e.g. GA4 Measurement Protocol, Plausible, or internal DB). Do not expose PII in logs unless compliant with privacy policy.
If the endpoint is not implemented, the frontend `fetch` will 404; the app ignores failures and continues.
## Rate limiting
Nginx on 7810 applies `limit_req zone=api burst=5 nodelay` to `/api/`. Ensure `/api/events` is included in that path so abuse is limited.
## See also
- [MIM4U_502_ERROR_RESOLUTION.md](./MIM4U_502_ERROR_RESOLUTION.md) — nginx and proxy
- [MIM4U_UX_UI_TECHNICAL_REVIEW.md](./MIM4U_UX_UI_TECHNICAL_REVIEW.md) — analytics recommendations

30
docs/04-configuration/MIM4U_SESSION_COOKIES.md Normal file
View File

@@ -0,0 +1,30 @@
# MIM4U Portals — Session Cookie Configuration
**Purpose:** Ensure Portals (and any auth) use secure session cookies: `HttpOnly`, `Secure`, `SameSite`.
## Where to configure
- **Azure Static Web Apps / Entra (Azure AD):** If MIM4U uses Azure for auth, session cookies are typically set by the platform. In Azure Portal → App registrations → your app → Authentication, ensure:
- Redirect URIs use `https://mim4u.org` (and `https://secure.mim4u.org` if used).
- Implicit grant and legacy options are off unless required.
- **Custom API (VMID 7811):** If the API issues its own session cookies (e.g. JWT in cookie or session id), set when setting the cookie:
- `HttpOnly=true`
- `Secure=true` (only over HTTPS)
- `SameSite=Lax` or `Strict`
- `Path=/` or the minimal path needed
## Example (Node/Express-style)
```javascript
res.cookie('session', token, {
httpOnly: true,
secure: true,
sameSite: 'lax',
path: '/',
maxAge: 24 * 60 * 60 * 1000
})
```
## NPMplus / nginx
NPMplus terminates SSL; it does not set application session cookies. Cookie flags are set by the application (Azure or API on 7811).

219
docs/04-configuration/MIM4U_UX_UI_TECHNICAL_REVIEW.md Normal file
View File

@@ -0,0 +1,219 @@
# MIM4U (mim4u.org) — Technical UX/UI Review & Punch List
**Last Updated:** 2026-02-26
**Document Version:** 1.0
**Status:** Active — Dev handoff
**Context:** Hosted LXC content — VMID 7810 (mim-web-1), VMID 7811 (mim-api-1), NPMplus proxy
---
## Scope
This document captures a technical UX/UI review of **mim4u.org** (Miracles in Motion) based on publicly indexable content. The site is largely JS-rendered (client-rendered), so the review focuses on patterns that commonly affect UX on modern marketing/nonprofit builds. It is intended as a **prioritized punch list** for the dev team working on the **miracles_in_motion** codebase and the LXC-hosted deployment.
**Hosting (this repo):**
| Asset | Detail |
|-------|--------|
| **Web frontend** | VMID 7810 (mim-web-1) — Nginx + static/SPA |
| **API backend** | VMID 7811 (mim-api-1) — Azure Functions (port 3001) |
| **Domains** | mim4u.org, www.mim4u.org, secure.mim4u.org, training.mim4u.org |
| **Proxy** | NPMplus → `http://192.168.11.37:80` (see [NPMPLUS_SERVICE_MAPPING_COMPLETE.md](./NPMPLUS_SERVICE_MAPPING_COMPLETE.md)) |
| **App source** | Submodule: [miracles_in_motion](https://github.com/Order-of-Hospitallers/miracles_in_motion) |
**Related docs:**
- [MIM4U_502_ERROR_RESOLUTION.md](./MIM4U_502_ERROR_RESOLUTION.md) — 502 resolution (nginx/service on 7810)
- [MIM4U_FIRST_PARTY_ANALYTICS.md](./MIM4U_FIRST_PARTY_ANALYTICS.md) — First-party `/api/events` endpoint for ad-blocker-resistant analytics
- [NPMPLUS_SERVICE_MAPPING_COMPLETE.md](./NPMPLUS_SERVICE_MAPPING_COMPLETE.md) — Domain → VMID mapping
---
## Whats Working (UX Thats Technically Sound)
- **Clear information architecture + task-first nav**: Top-level items (Stories, Volunteers, Corporate, Get Help, Portals, Donate) map cleanly to user intents.
- **Strong primary CTAs above the fold**: Donate now, Volunteer, Read stories — reduce decision friction and support conversion.
- **Trust + transparency blocks**: “Where your donation goes (85/10/5)”, “Average grant: $48 / $72”, partners list, impact-report mention — good for credibility and SEO when implemented as real text (not only images).
- **Process clarity**: “Designed with counselors… verified same-day… approved within 24 hours… no uploads required” — step-by-step flow that can reduce form abandonment.
---
## Technical UX Risks (Common on Client-Rendered Builds)
### 1) Performance (Core Web Vitals)
- **LCP risk**: Hero sections often use large background images/video + web fonts; unoptimized they cause “blank screen” lag on mobile/slow networks.
- **CLS risk**: Late-loading fonts, cookie banners, or impact counters can shift layout (conversion-negative).
- **INP risk**: Heavy script bundles (analytics, donation widgets, sliders) can delay taps/scroll.
**Actions:**
- Hero image: responsive (`srcset`), compressed, and preloaded if its the LCP element.
- Defer non-critical JS (chat, A/B, extra trackers).
- Use `font-display: swap` and consider self-hosting fonts.
### 2) Accessibility (WCAG/ADA)
From the visible structure (multiple CTAs, sections, cookie banner):
- Keyboard: full tab flow through Donate / Get Help / Portals without traps.
- Visible focus states on links/buttons (especially CTAs).
- One H1, logical H2/H3.
- Color contrast on hero text/buttons.
- Cookie banner: fully operable by keyboard + screen reader; no blocking without focus management.
**Actions:**
- Add “Skip to content” link.
- Ensure CTAs have accessible names (avoid repeated “Learn more” without context).
- ARIA labels on nav/menu toggles (mobile).
### 3) Forms / “Get Help” Workflow
Copy promises speed and dignity (“one-page referral, no uploads required”). Technically this depends on:
- Inline, specific validation (not generic red banners).
- Auto-save / resilience on mobile.
- Spam protection that doesnt punish legitimate users (avoid hostile CAPTCHAs).
- Confirmation loop (“we confirm support reached the student”) — ensure privacy disclosures reflect data handling.
### 4) Security & Privacy (Especially “Portals”)
Portals imply authenticated access:
- HTTPS everywhere + HSTS.
- Strong session cookie flags: `HttpOnly`, `Secure`, `SameSite`.
- Content Security Policy (CSP) to reduce XSS (e.g. from embedded donation tools).
- No PII in URLs/query strings (referrals, student needs).
- Cookie choices must persist; dont load marketing tags before consent.
### 5) SEO + Discoverability
Key content is client-rendered; indexing can be inconsistent. Homepage text is indexable — maintain and improve:
- Prefer SSR or static generation for public pages where feasible.
- Clean metadata (title/description per page/section).
- Structured data: Organization + DonateAction.
- “Impact report” as a crawlable page (not only a modal).
---
## High-Impact Quick Wins
1. **Run Lighthouse on mobile** and fix:
- LCP image optimization + preload
- Reduce unused JS
- Eliminate layout shift (banner/fonts)
2. **Accessibility pass**: keyboard flow, focus visibility, heading hierarchy.
3. **CTA instrumentation**: track Donate / Get Help / Volunteer separately; verify events fire with ad blockers in mind.
4. **Portals hardening**: CSP, secure cookie configuration, rate limiting on auth endpoints.
---
## Concrete Technical Checklist (Dev Handoff)
| Area | Target / Requirement |
|------|----------------------|
| **Core Web Vitals** | LCP &lt; 2.5s, CLS &lt; 0.1, INP &lt; 200ms (mobile) |
| **Images** | Responsive, compressed, lazy-load below fold |
| **Fonts** | `font-display: swap`, limit variants, preconnect if external |
| **JS** | Defer non-critical, minimize third-party scripts |
| **A11y** | Skip link, focus states, ARIA labels, contrast, form error messaging |
| **Security** | HSTS, CSP, secure cookies, no PII in URLs, audit third-party embeds |
| **SEO** | SSR/SSG for public pages where possible, metadata, sitemap/robots, schema.org Organization |
---
## Implemented (2026-02-26)
- **A11y**: Skip-to-content link (focus-only, targets `#content`), focus-visible on hero CTAs and mobile nav links, ARIA labels on Donate/Get Help.
- **SEO**: Canonical/OG URLs and schema.org base URL set to `https://mim4u.org`; DonateAction JSON-LD added alongside Organization.
- **Performance**: Font preload for Inter (critical weights) in `index.html`; preconnect already present; `display=swap` in font URL.
- **Deploy (proxmox)**: `scripts/deployment/deploy-transaction-mirror-and-pmm-pool-after-txpool-clear.sh` retries pool deploy on “Replacement transaction underpriced” with gas bump (up to 4 attempts) and short wait after first tx.
- **www.mim4u.org**: Added to `update-npmplus-proxy-hosts-api.sh` (same backend as mim4u.org). Nginx server block includes `server_name mim4u.org www.mim4u.org ...` so both hosts are served. Optional: NPMplus Redirect for www → apex.
- **HSTS/CSP**: Nginx snippet in MIM4U_502_ERROR_RESOLUTION.md adds X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Content-Security-Policy. HSTS enabled via NPMplus SSL tab when terminating HTTPS.
- **Cookie consent**: Banner persists choice in `localStorage` (`mim_cookie_consent`); analytics/tracking only run when consent is `accept` (see `src/utils/analytics.ts`). Cookie banner is keyboard-accessible and links to legal/cookie policy.
- **Get Help form**: Inline, field-level validation with specific error messages; draft auto-saved to `localStorage` (debounced); draft cleared on successful submit; `aria-invalid` and `aria-describedby` for errors.
- **CTA instrumentation**: Hero Donate and Get Help fire `cta_clicked` with `button` and `location`; analytics only run when cookie consent is “accept”.
- **SEO**: `robots.txt` and `sitemap.xml` use canonical `https://mim4u.org`; sitemap lists main routes (/, #/donate, #/request-assistance, #/volunteers, #/stories, #/legal).
- **502 fix script**: `scripts/mim4u-install-nginx-and-fix-502.sh` installs nginx on VMID 7810, applies security headers + SPA + /api proxy; run from host that can SSH to Proxmox.
---
## Tech stack (documented)
- **Frontend**: Vite + React + TypeScript; hash-based routing (`#/donate`, `#/request-assistance`, etc.); Tailwind CSS; Framer Motion.
- **Backend**: Azure Functions (API on VMID 7811, port 3001).
- **Hosting**: Static build served by nginx on VMID 7810 (LXC); NPMplus reverse proxy; optional Cloudflare Tunnel.
## Next Steps for Dev
1. **Lighthouse**: Run Lighthouse (mobile) and attach report JSON or screenshots to turn this into a **prioritized punch list with exact fixes** (what to change, where, how to validate).
2. **Infra**: Run `./scripts/mim4u-install-nginx-and-fix-502.sh` from a host that can SSH to Proxmox (r630-02) to install nginx on VMID 7810 and apply config — see [MIM4U_502_ERROR_RESOLUTION.md](./MIM4U_502_ERROR_RESOLUTION.md).
---
## Further recommendations and suggestions
### Performance & Core Web Vitals
- **Lighthouse (mobile)**
Run regularly; fix LCP (hero image `srcset`/preload), CLS (reserve space for cookie banner/fonts), INP (reduce main-thread work). See [Concrete Technical Checklist](#concrete-technical-checklist-dev-handoff) for targets.
- **Self-host fonts**
Consider serving Inter (or critical subset) from your origin to avoid Google Fonts latency and improve LCP; keep `font-display: swap`.
- **Defer non-critical JS**
Lazy-load or defer chat widgets, A/B scripts, and non-essential trackers so they dont block INP.
- **Images**
Use `LazyImage` (or equivalent) with `sizes`/`srcset` for any hero or above-the-fold images; compress and prefer modern formats (e.g. WebP with fallback).
### SEO & discoverability
- **Impact report as a real page**
Add a crawlable route (e.g. `#/impact` or `#/impact-report`) and link “See the impact report” to it; add to sitemap. Avoid impact content only in a modal or PDF link so crawlers and users get a proper page.
- **SSR/SSG (longer-term)**
For key public pages (home, donate, get help, impact), consider SSR or static generation to improve indexing and first-paint; Vite SSR or a static export for critical routes is one option.
- **Structured data**
Organization and DonateAction are in place; add `WebPage` or `FAQPage` where it fits (e.g. Get Help or Legal).
### Forms & Get Help workflow
- **Spam protection**
Add a lightweight mechanism (e.g. honeypot field, or time-based check) so the form isnt trivial to bot; avoid hostile CAPTCHA for school/counselor users.
- **Confirmation & privacy**
Ensure legal/cookie policy and Get Help copy clearly state how “we confirm support reached the student” works and where data is stored/processed; keep PII out of URLs and query params.
- **Offline / resilience**
Consider a simple “Save draft” affordance in addition to auto-save, and a clear message if submit fails (retry, contact number).
### Security & Portals
- **Session cookies**
For Portals (and any auth), use `HttpOnly`, `Secure`, and `SameSite=Lax` (or `Strict`) on session cookies; set at the API/auth layer (Azure Functions / Entra config or backend).
- **Rate limiting**
Apply rate limits on `/api/*` and auth endpoints (e.g. login, token). With **Cloudflare** in front: use WAF/custom rules (e.g. rate limit /api/ and auth paths). With **LXC/nginx only**: add `limit_req_zone` / `limit_req` in nginx for `/api/` and proxy to API.
- **CSP**
Nginx and staticwebapp.config already send security headers; keep CSP tight and avoid broad `unsafe-inline`/`unsafe-eval` where possible (may require build-time nonce or hashes for scripts).
### Analytics & instrumentation
- **Volunteer CTA**
Add `cta_clicked` (or equivalent) for “Volunteer” / “Volunteers” in nav and hero so Donate, Get Help, and Volunteer are tracked consistently; keep respecting cookie consent.
- **Events with ad blockers**
Document or test that key events (donation, form submit, CTA clicks) still fire when analytics is blocked (e.g. fallback to server-side or minimal first-party logging) so funnels are measurable.
### Operations & hosting
- **Deploy real app to 7810**
After nginx is in place, build the MIM4U frontend and deploy to `/var/www/html` (or the path nginx uses) so the live site replaces the placeholder.
- **Backup**
Back up nginx config and `/var/www/html` (or app deploy path) on 7810; include in any host/container backup runbook.
- **Health check**
Add a simple health URL (e.g. `/health` or `/.well-known/health`) that returns 200 for monitoring or load balancers; optional JSON with version or build id.
- **Cloudflare (optional)**
If mim4u.org is behind Cloudflare: use Full (strict) SSL, WAF rate limits for `/api/`, cache static assets; see `miracles_in_motion/docs/deployment/CLOUDFLARE_SETUP.md` for patterns.
### General best practices
- **Repo-wide**
Security, backups, monitoring, and script patterns in [OPTIONAL_RECOMMENDATIONS_INDEX.md](../OPTIONAL_RECOMMENDATIONS_INDEX.md) and [RECOMMENDATIONS_AND_SUGGESTIONS.md](../10-best-practices/RECOMMENDATIONS_AND_SUGGESTIONS.md) apply to MIM4U hosting (credentials, backups, monitoring, testing). Run `./scripts/mim4u-backup-7810.sh` periodically to back up nginx + app on 7810.
- **Cloudflare checklist (optional)**
When using Cloudflare in front of mim4u.org: Full (strict) SSL; WAF rate limit for `/api/` (e.g. 100 req/min); cache static assets; see `miracles_in_motion/docs/deployment/CLOUDFLARE_SETUP.md`.
- **Lighthouse**
Run performance audits where Chrome is available: `npm run lighthouse` (headless) or `npm run lighthouse:local` (interactive). In environments without Chrome (e.g. WSL without Chrome), run from a host with Chrome or use CI; fix any LCP/CLS/INP issues reported.
---
**Source:** External technical UX/UI review of mim4u.org (publicly indexable content).
**Hosting context:** Proxmox LXC — VMID 7810 (mim-web-1), VMID 7811 (mim-api-1); NPMplus; miracles_in_motion submodule.

3
docs/04-configuration/NPMPLUS_SERVICE_MAPPING_COMPLETE.md
View File

@@ -68,10 +68,11 @@ All these services can be accessed by NPMplus over the internal network, regardl
| Domain | Target | VMID | Host | Port | Notes | | Domain | Target | VMID | Host | Port | Notes |
|--------|--------|------|------|------|-------| |--------|--------|------|------|------|-------|
| `mim4u.org` | 192.168.11.37:80 | 7810 | r630-02 | 80 | mim-web-1 (frontend) | | `mim4u.org` | 192.168.11.37:80 | 7810 | r630-02 | 80 | mim-web-1 (frontend) |
| `www.mim4u.org` | 192.168.11.37:80 | 7810 | r630-02 | 80 | mim-web-1 (same backend) |
| `secure.mim4u.org` | 192.168.11.37:80 | 7810 | r630-02 | 80 | mim-web-1 | | `secure.mim4u.org` | 192.168.11.37:80 | 7810 | r630-02 | 80 | mim-web-1 |
| `training.mim4u.org` | 192.168.11.37:80 | 7810 | r630-02 | 80 | mim-web-1 | | `training.mim4u.org` | 192.168.11.37:80 | 7810 | r630-02 | 80 | mim-web-1 |
**Updated**: MIM4U routes to VMID 7810 (mim-web-1) at 192.168.11.37, not 7811. **Updated**: MIM4U routes to VMID 7810 (mim-web-1) at 192.168.11.37, not 7811. nginx on 7810 proxies `/api/` to 7811 (192.168.11.36:3001).
--- ---

2
miracles_in_motion

Submodule miracles_in_motion updated: f5eb036ee9...16b9b02d70

147
scripts/deployment/deploy-transaction-mirror-and-pmm-pool-after-txpool-clear.sh Executable file
View File

@@ -0,0 +1,147 @@
#!/usr/bin/env bash
# Deploy TransactionMirror and create DODO cUSDT/cUSDC PMM pool on Chain 138.
# Run after clearing RPC tx pool (./scripts/clear-all-transaction-pools.sh) so deployer nonce is not stuck.
#
# Uses: smom-dbis-138/.env (PRIVATE_KEY, RPC_URL_138, RPC_URL_138_PUBLIC, DODO_PMM_INTEGRATION, GAS_PRICE)
# and config/ip-addresses.conf for RPC fallbacks. Always checks nonce, RPC active, and gas.
#
# Usage: ./scripts/deployment/deploy-transaction-mirror-and-pmm-pool-after-txpool-clear.sh [--dry-run] [--force]
# --dry-run Check env, RPC, nonce only; no deploy.
# --force Skip RPC reachability check (not recommended).
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
SMOM="${PROJECT_ROOT}/smom-dbis-138"
DRY_RUN=""
FORCE=""
for a in "$@"; do
[[ "$a" == "--dry-run" ]] && DRY_RUN=1
[[ "$a" == "--force" ]] && FORCE=1
done
# 1) Load dotenv: project config (RPCs) then smom-dbis-138/.env (PRIVATE_KEY, overrides)
[[ -f "${PROJECT_ROOT}/config/ip-addresses.conf" ]] && source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true
if [[ ! -f "$SMOM/.env" ]]; then
echo "Missing $SMOM/.env. Abort." >&2
exit 1
fi
set -a
source "$SMOM/.env"
set +a
# 2) RPC: prefer .env, fallback to config
RPC="${RPC_URL_138:-http://192.168.11.211:8545}"
PUBLIC_RPC="${RPC_URL_138_PUBLIC:-http://192.168.11.221:8545}"
[[ -z "${PRIVATE_KEY:-}" ]] && echo "PRIVATE_KEY not set in $SMOM/.env. Abort." >&2 && exit 1
# Chain 138 gas: min 1 gwei; use GAS_PRICE from .env or default
GAS_PRICE="${GAS_PRICE_138:-${GAS_PRICE:-1000000000}}"
echo "=== TransactionMirror + PMM pool (Chain 138) ==="
echo "RPC: $RPC"
echo "Gas price: $GAS_PRICE wei"
echo ""
# 3) Ensure RPC is active (chainId 138)
rpc_ok=""
if [[ -z "$FORCE" ]]; then
chain_id_hex=$(curl -s -m 10 -X POST "$RPC" -H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}' 2>/dev/null | sed -n 's/.*"result":"\([^"]*\)".*/\1/p') || true
if [[ "$chain_id_hex" == "0x8a" ]]; then
rpc_ok=1
else
if [[ -n "$chain_id_hex" ]]; then
echo "RPC returned chainId $chain_id_hex (expected 0x8a for Chain 138)." >&2
else
echo "RPC unreachable or invalid response: $RPC" >&2
fi
if [[ "$RPC" == *"192.168.11.211"* ]] && [[ "$PUBLIC_RPC" != *"192.168.11.211"* ]]; then
pub_hex=$(curl -s -m 5 -X POST "$PUBLIC_RPC" -H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}' 2>/dev/null | sed -n 's/.*"result":"\([^"]*\)".*/\1/p') || true
if [[ "$pub_hex" == "0x8a" ]]; then
echo "Using Public RPC: $PUBLIC_RPC" >&2
RPC="$PUBLIC_RPC"
rpc_ok=1
fi
fi
if [[ -z "$rpc_ok" ]]; then
echo "Set RPC_URL_138 (and optionally RPC_URL_138_PUBLIC) in $SMOM/.env to a reachable Chain 138 RPC." >&2
exit 1
fi
fi
else
echo "(--force: skipping RPC check)" >&2
fi
# 4) Always check deployer nonce (pending) and set NEXT_NONCE for scripts
DEPLOYER=$(cast wallet address --private-key "$PRIVATE_KEY" 2>/dev/null) || { echo "cast wallet address failed. Check PRIVATE_KEY in .env." >&2; exit 1; }
NONCE_PENDING=$(cast nonce "$DEPLOYER" --rpc-url "$RPC" --block pending 2>/dev/null) || true
NONCE_LATEST=$(cast nonce "$DEPLOYER" --rpc-url "$RPC" --block latest 2>/dev/null) || true
# Normalize: empty or non-numeric -> use latest, then 0; ensure decimal for export
[[ -z "${NONCE_PENDING//[0-9a-fA-Fx]/}" && -n "$NONCE_PENDING" ]] || NONCE_PENDING="$NONCE_LATEST"
[[ -z "${NONCE_PENDING//[0-9a-fA-Fx]/}" && -n "$NONCE_PENDING" ]] || NONCE_PENDING="0"
NONCE_PENDING=$((NONCE_PENDING))
NONCE_LATEST=$((NONCE_LATEST))
# Use pending nonce so we don't resend at same nonce (avoids "Known transaction" / "Replacement underpriced")
export NEXT_NONCE=$NONCE_PENDING
echo "Deployer: $DEPLOYER"
echo "Nonce (pending): $NONCE_PENDING (latest: $NONCE_LATEST) — using NEXT_NONCE=$NEXT_NONCE"
echo ""
if [[ -n "$DRY_RUN" ]]; then
echo "[dry-run] Would run:"
echo " 1. NEXT_NONCE=$NEXT_NONCE forge script script/DeployTransactionMirror.s.sol:DeployTransactionMirror --rpc-url \"\$RPC\" --broadcast --private-key \"\$PRIVATE_KEY\" --with-gas-price $GAS_PRICE"
echo " 2. NEXT_NONCE=\$(next after 1) forge script script/dex/CreateCUSDTCUSDCPool.s.sol:CreateCUSDTCUSDCPool --rpc-url \"\$RPC\" --broadcast --private-key \"\$PRIVATE_KEY\" --with-gas-price $GAS_PRICE"
echo " 3. $PROJECT_ROOT/scripts/verify/check-contracts-on-chain-138.sh \"$RPC\""
exit 0
fi
cd "$SMOM"
export RPC_URL_138="$RPC"
export DODO_PMM_INTEGRATION="${DODO_PMM_INTEGRATION_ADDRESS:-${DODO_PMM_INTEGRATION:-0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D}}"
echo "Deploying TransactionMirror (NEXT_NONCE=$NEXT_NONCE, gas $GAS_PRICE)..."
forge script script/DeployTransactionMirror.s.sol:DeployTransactionMirror \
--rpc-url "$RPC" --broadcast --private-key "$PRIVATE_KEY" --with-gas-price "$GAS_PRICE"
# Re-query pending nonce for pool deploy; wait briefly so first tx can be mined (reduces "Replacement transaction underpriced")
sleep 3
NONCE_USED_FIRST=$NEXT_NONCE
NEXT_NONCE=$(cast nonce "$DEPLOYER" --rpc-url "$RPC" --block pending 2>/dev/null) || true
[[ -z "${NEXT_NONCE//[0-9a-fA-Fx]/}" && -n "$NEXT_NONCE" ]] || NEXT_NONCE=$((NONCE_USED_FIRST + 1))
NEXT_NONCE=$((NEXT_NONCE))
export NEXT_NONCE
# Retry pool deploy with gas bump on "Replacement transaction underpriced"
POOL_GAS="$GAS_PRICE"
POOL_MAX_RETRIES=4
POOL_RETRY=0
while true; do
echo ""
echo "Creating DODO cUSDT/cUSDC pool (NEXT_NONCE=$NEXT_NONCE, gas $POOL_GAS)..."
POOL_OUTPUT=$(forge script script/dex/CreateCUSDTCUSDCPool.s.sol:CreateCUSDTCUSDCPool \
--rpc-url "$RPC" --broadcast --private-key "$PRIVATE_KEY" --with-gas-price "$POOL_GAS" 2>&1) || true
echo "$POOL_OUTPUT"
if echo "$POOL_OUTPUT" | grep -q "Replacement transaction underpriced"; then
POOL_RETRY=$((POOL_RETRY + 1))
if [[ $POOL_RETRY -ge $POOL_MAX_RETRIES ]]; then
echo "Error: Pool deploy failed after $POOL_MAX_RETRIES attempts (Replacement transaction underpriced). Clear tx pool or increase GAS_PRICE_138." >&2
exit 1
fi
POOL_GAS=$((POOL_GAS * 12 / 10))
echo "Replacement transaction underpriced — retrying at same nonce $NEXT_NONCE with gas price $POOL_GAS wei (attempt $((POOL_RETRY + 1))/$POOL_MAX_RETRIES)."
sleep 5
continue
fi
if echo "$POOL_OUTPUT" | grep -q "Script ran successfully"; then
break
fi
echo "Pool deploy failed. Check output above." >&2
exit 1
done
echo ""
echo "Running on-chain verification..."
"$PROJECT_ROOT/scripts/verify/check-contracts-on-chain-138.sh" "$RPC"

21
scripts/mim4u-backup-7810.sh Executable file
View File

@@ -0,0 +1,21 @@
#!/usr/bin/env bash
# Backup nginx config and app files from MIM4U web container (VMID 7810).
# Run from a host that can SSH to the Proxmox node. Creates timestamped tarball in backups/mim4u/.
#
# Usage: ./scripts/mim4u-backup-7810.sh
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
[[ -f "$PROJECT_ROOT/config/ip-addresses.conf" ]] && source "$PROJECT_ROOT/config/ip-addresses.conf" 2>/dev/null || true
VMID_MIM_WEB="${VMID_MIM_WEB:-7810}"
PROXMOX_HOST="${PROXMOX_HOST_R630_02:-192.168.11.12}"
BACKUP_DIR="${PROJECT_ROOT}/backups/mim4u"
STAMP=$(date +%Y%m%d_%H%M%S)
ARCHIVE="${BACKUP_DIR}/mim4u-7810-${STAMP}.tar.gz"
mkdir -p "$BACKUP_DIR"
echo "Backing up VMID $VMID_MIM_WEB (nginx + /var/www/html) to $ARCHIVE ..."
ssh "root@$PROXMOX_HOST" "pct exec $VMID_MIM_WEB -- tar czf - -C / etc/nginx/sites-available/default var/www/html 2>/dev/null || true" > "$ARCHIVE"
echo "Done: $ARCHIVE"

23
scripts/mim4u-deploy-to-7810.sh Executable file
View File

@@ -0,0 +1,23 @@
#!/usr/bin/env bash
# Build MIM4U frontend and deploy to VMID 7810 /var/www/html.
# Run from project root. Requires: npm in miracles_in_motion, ssh to Proxmox node, rsync or scp.
#
# Usage: ./scripts/mim4u-deploy-to-7810.sh
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
MIM_ROOT="${PROJECT_ROOT}/miracles_in_motion"
[[ -f "$PROJECT_ROOT/config/ip-addresses.conf" ]] && source "$PROJECT_ROOT/config/ip-addresses.conf" 2>/dev/null || true
VMID_MIM_WEB="${VMID_MIM_WEB:-7810}"
PROXMOX_HOST="${PROXMOX_HOST_R630_02:-192.168.11.12}"
MIM_WEB_IP="${IP_MIM_WEB:-192.168.11.37}"
DEST="/var/www/html"
echo "Building MIM4U frontend..."
(cd "$MIM_ROOT" && npm run build)
echo "Deploying dist to root@$PROXMOX_HOST (pct exec $VMID_MIM_WEB) at $DEST ..."
# Copy into container: tar from host, extract in container
tar czf - -C "$MIM_ROOT/dist" . | ssh "root@$PROXMOX_HOST" "pct exec $VMID_MIM_WEB -- tar xzf - -C $DEST"
echo "Done. Verify: curl -I http://${MIM_WEB_IP}:80/"

101
scripts/mim4u-install-nginx-and-fix-502.sh Executable file
View File

@@ -0,0 +1,101 @@
#!/usr/bin/env bash
# Install nginx on MIM4U web container (VMID 7810) and apply security-enabled config to fix 502.
# Run from a host that can SSH to the Proxmox node (e.g. r630-02). Requires root on Proxmox.
#
# Usage: ./scripts/mim4u-install-nginx-and-fix-502.sh [--dry-run]
# Optional: set PROXMOX_HOST_R630_02 and MIM_API_IP in env or config/ip-addresses.conf
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
[[ -f "$PROJECT_ROOT/config/ip-addresses.conf" ]] && source "$PROJECT_ROOT/config/ip-addresses.conf" 2>/dev/null || true
VMID_MIM_WEB="${VMID_MIM_WEB:-7810}"
PROXMOX_HOST="${PROXMOX_HOST_R630_02:-192.168.11.12}"
# API backend (VMID 7811) for /api/ proxy
MIM_API_IP="${MIM_API_IP:-192.168.11.36}"
MIM_API_PORT="${MIM_API_PORT:-3001}"
DRY_RUN="${1:-}"
run_remote() {
if [[ "$DRY_RUN" == "--dry-run" ]]; then
echo "[dry-run] ssh root@$PROXMOX_HOST pct exec $VMID_MIM_WEB -- $*"
return 0
fi
ssh -o ConnectTimeout=10 -o StrictHostKeyChecking=accept-new "root@$PROXMOX_HOST" "pct exec $VMID_MIM_WEB -- $*"
}
echo "=== MIM4U 502 fix: install nginx on VMID $VMID_MIM_WEB (Proxmox $PROXMOX_HOST) ==="
echo "API backend: $MIM_API_IP:$MIM_API_PORT"
echo ""
# 1) Install nginx if missing
echo "[1/4] Installing nginx..."
run_remote bash -c 'export DEBIAN_FRONTEND=noninteractive && apt-get update -qq && apt-get install -y -qq nginx' 2>/dev/null || true
# 2a) Rate limit zones (http context via conf.d)
echo "[2/4] Writing nginx config (site + rate limit)..."
RATE_LIMIT_CONF='# MIM4U rate limits (included from main nginx.conf)
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=general:10m rate=30r/s;
'
if [[ "$DRY_RUN" != "--dry-run" ]]; then
echo "$RATE_LIMIT_CONF" | ssh "root@$PROXMOX_HOST" "pct exec $VMID_MIM_WEB -- bash -c 'cat > /etc/nginx/conf.d/mim4u-rate-limit.conf'"
fi
# 2b) Write nginx site config (security headers + SPA + /api proxy)
# CSP: font-src 'self' only (Inter is self-hosted via @fontsource)
NGINX_CONF="server {
listen 80;
server_name mim4u.org www.mim4u.org secure.mim4u.org training.mim4u.org _;
root /var/www/html;
index index.html;
add_header X-Content-Type-Options \"nosniff\" always;
add_header X-Frame-Options \"SAMEORIGIN\" always;
add_header X-XSS-Protection \"1; mode=block\" always;
add_header Referrer-Policy \"strict-origin-when-cross-origin\" always;
add_header Content-Security-Policy \"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data: https:; connect-src 'self' https://mim4u.org; frame-ancestors 'self';\" always;
location /health {
default_type text/plain;
return 200 'ok';
add_header Content-Type text/plain;
}
location / {
limit_req zone=general burst=20 nodelay;
try_files \$uri \$uri/ /index.html =404;
}
location /api/ {
limit_req zone=api burst=5 nodelay;
proxy_pass http://${MIM_API_IP}:${MIM_API_PORT};
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
}
}"
if [[ "$DRY_RUN" != "--dry-run" ]]; then
echo "$NGINX_CONF" | ssh "root@$PROXMOX_HOST" "pct exec $VMID_MIM_WEB -- bash -c 'cat > /etc/nginx/sites-available/default'"
fi
# 3) Ensure /var/www/html exists and has index (placeholder if no app deployed yet)
echo "[3/4] Ensuring web root..."
run_remote mkdir -p /var/www/html
run_remote bash -c 'test -f /var/www/html/index.html || cat >/var/www/html/index.html <<END
<!DOCTYPE html><html><head><title>MIM4U</title></head><body><p>Miracles in Motion - site coming soon.</p></body></html>
END'
# 4) Test and reload nginx
echo "[4/4] Testing and reloading nginx..."
run_remote nginx -t 2>/dev/null && run_remote systemctl enable nginx 2>/dev/null || true
run_remote systemctl reload nginx 2>/dev/null || run_remote systemctl start nginx 2>/dev/null || true
MIM_WEB_IP="${IP_MIM_WEB:-192.168.11.37}"
echo ""
echo "Done. Verify from LAN: curl -I http://${MIM_WEB_IP}:80/"
echo "Then ensure NPMplus proxy hosts point to ${MIM_WEB_IP} (see docs/04-configuration/MIM4U_502_ERROR_RESOLUTION.md)."

3
scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh
View File

@@ -1,4 +1,4 @@
#!/bin/bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
# Load IP configuration # Load IP configuration
@@ -238,6 +238,7 @@ update_proxy_host "dbis-api-2.d-bis.org" "http://${IP_DBIS_API_2:-192.168.11.156
update_proxy_host "secure.d-bis.org" "http://${IP_DBIS_FRONTEND:-192.168.11.130}:80" false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1)) update_proxy_host "secure.d-bis.org" "http://${IP_DBIS_FRONTEND:-192.168.11.130}:80" false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
# MIM4U - VMID 7810 (mim-web-1) @ ${IP_MIM_WEB:-192.168.11.37} - Web Frontend serves main site and proxies /api/* to 7811 # MIM4U - VMID 7810 (mim-web-1) @ ${IP_MIM_WEB:-192.168.11.37} - Web Frontend serves main site and proxies /api/* to 7811
update_proxy_host "mim4u.org" "http://${IP_MIM_WEB:-192.168.11.37}:80" false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1)) update_proxy_host "mim4u.org" "http://${IP_MIM_WEB:-192.168.11.37}:80" false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
update_proxy_host "www.mim4u.org" "http://${IP_MIM_WEB:-192.168.11.37}:80" false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
update_proxy_host "secure.mim4u.org" "http://${IP_MIM_WEB:-192.168.11.37}:80" false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1)) update_proxy_host "secure.mim4u.org" "http://${IP_MIM_WEB:-192.168.11.37}:80" false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
update_proxy_host "training.mim4u.org" "http://${IP_MIM_WEB:-192.168.11.37}:80" false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1)) update_proxy_host "training.mim4u.org" "http://${IP_MIM_WEB:-192.168.11.37}:80" false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))