Fix jwt-token

scripts/fix-management-nginx.sh

@@ -0,0 +1,95 @@
+#!/bin/bash
+
+# Update nginx configuration to properly route management portal API calls
+
+DOMAIN="${DOMAIN:-dev.uggla.uamils.com}"
+NGINX_CONFIG="/etc/nginx/sites-enabled/dev.uggla.uamils.com"
+
+log() {
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"
+}
+
+# Check if management server block exists
+if ! grep -q "server_name management.$DOMAIN" "$NGINX_CONFIG" 2>/dev/null; then
+    log "Adding management subdomain configuration to nginx..."
+    
+    # Backup current config
+    cp "$NGINX_CONFIG" "${NGINX_CONFIG}.backup"
+    
+    # Add management server block before the wildcard block
+    # Find the line with wildcard subdomain and insert before it
+    sed -i '/# Wildcard subdomains/i\
+# Management Portal (specific subdomain - MUST come before wildcard)\
+server {\
+    listen 443 ssl http2;\
+    server_name management.'$DOMAIN';\
+\
+    ssl_certificate /etc/letsencrypt/live/'$DOMAIN'/fullchain.pem;\
+    ssl_certificate_key /etc/letsencrypt/live/'$DOMAIN'/privkey.pem;\
+\
+    ssl_protocols TLSv1.2 TLSv1.3;\
+    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;\
+    ssl_prefer_server_ciphers off;\
+    ssl_session_cache shared:SSL:10m;\
+    ssl_session_timeout 10m;\
+    ssl_stapling on;\
+    ssl_stapling_verify on;\
+\
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;\
+    add_header X-Frame-Options DENY always;\
+    add_header X-Content-Type-Options nosniff always;\
+    add_header X-XSS-Protection "1; mode=block" always;\
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;\
+\
+    # Management frontend - port 3003\
+    location / {\
+        proxy_pass http://127.0.0.1:3003;\
+        proxy_http_version 1.1;\
+        proxy_set_header Upgrade $http_upgrade;\
+        proxy_set_header Connection '\''upgrade'\'';\
+        proxy_set_header Host $host;\
+        proxy_set_header X-Real-IP $remote_addr;\
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\
+        proxy_set_header X-Forwarded-Proto $scheme;\
+        proxy_cache_bypass $http_upgrade;\
+        proxy_connect_timeout 30s;\
+        proxy_send_timeout 30s;\
+        proxy_read_timeout 30s;\
+    }\
+\
+    # Management API - port 3002 with management header\
+    location /api/ {\
+        proxy_pass http://127.0.0.1:3002;\
+        proxy_http_version 1.1;\
+        proxy_set_header Upgrade $http_upgrade;\
+        proxy_set_header Connection '\''upgrade'\'';\
+        proxy_set_header Host $host;\
+        proxy_set_header X-Real-IP $remote_addr;\
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\
+        proxy_set_header X-Forwarded-Proto $scheme;\
+        proxy_set_header X-Management-Portal "true";\
+        proxy_cache_bypass $http_upgrade;\
+        proxy_connect_timeout 30s;\
+        proxy_send_timeout 30s;\
+        proxy_read_timeout 30s;\
+    }\
+}\
+\
+' "$NGINX_CONFIG"
+
+    log "Management subdomain configuration added"
+else
+    log "Management subdomain configuration already exists"
+fi
+
+# Test and reload nginx
+if nginx -t; then
+    log "✅ Nginx configuration is valid"
+    systemctl reload nginx
+    log "✅ Nginx reloaded"
+    log "🌐 Management portal API should now work at: https://management.$DOMAIN/api/"
+else
+    log "❌ Nginx configuration error - restoring backup"
+    cp "${NGINX_CONFIG}.backup" "$NGINX_CONFIG"
+    exit 1
+fi