diff --git a/scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh b/scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh
index 372a9071..299d66f1 100755
--- a/scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh
+++ b/scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh
@@ -157,6 +157,7 @@ validate_canonical_https_redirect() {
 
 # Function to add proxy host (POST) when domain does not exist
 # Optional 6th arg: canonical HTTPS apex for www-style hosts (sets advanced_config 301 → apex$request_uri)
+# Optional 7th arg: forward_scheme for upstream (default http; use https for TLS backends e.g. DealFlow nginx :443)
 add_proxy_host() {
   local domain=$1
   local forward_host=$2
@@ -164,6 +165,7 @@ add_proxy_host() {
   local websocket=$4
   local block_exploits=${5:-false}
   local canonical_https="${6:-}"
+  local forward_scheme="${7:-http}"
   local adv_line=""
   if [ -n "$canonical_https" ] && ! validate_canonical_https_redirect "$canonical_https" "add_proxy_host($domain)"; then
     return 1
@@ -177,11 +179,12 @@ add_proxy_host() {
     --arg host "$forward_host" \
     --argjson port "$forward_port" \
     --argjson ws "$websocket" \
+    --arg fwd "$forward_scheme" \
     --argjson block_exploits "$([ "$block_exploits" = "true" ] && echo true || echo false)" \
     --arg adv "$adv_line" \
     '{
       domain_names: [$domain],
-      forward_scheme: "http",
+      forward_scheme: $fwd,
       forward_host: $host,
       forward_port: $port,
       allow_websocket_upgrade: $ws,
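Review bot: The new `local forward_scheme="${7:-http}"` line accepts any string and hands it straight to jq as the `forward_scheme` field of the POST body, so a typo or an unexpected value is only caught, if at all, by the NPM API, which accepts just http or https for that field. Reject anything else locally, next to the existing canonical_https check, so the failure is attributed to the right host: `if [ "$forward_scheme" != "http" ] && [ "$forward_scheme" != "https" ]; then echo "add_proxy_host($domain): forward_scheme must be http or https (got '$forward_scheme')" >&2; return 1; fi`. The 7th-arg comment added in the first hunk could then state that the value is validated. add_proxy_host's body continues past this hunk, and the later call site in this commit passes the literal "https", so the check costs nothing for existing callers.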
@@ -202,9 +205,9 @@ add_proxy_host() {
   id=$(echo "$resp" | jq -r '.id // empty' 2>/dev/null)
   if [ -n "$id" ] && [ "$id" != "null" ]; then
     if [ -n "$canonical_https" ]; then
-      echo " ✅ Added: $domain -> http://${forward_host}:${forward_port} (WebSocket: $websocket) + 301 → ${canonical_https}\$request_uri"
+      echo " ✅ Added: $domain -> ${forward_scheme}://${forward_host}:${forward_port} (WebSocket: $websocket) + 301 → ${canonical_https}\$request_uri"
     else
-      echo " ✅ Added: $domain -> http://${forward_host}:${forward_port} (WebSocket: $websocket)"
+      echo " ✅ Added: $domain -> ${forward_scheme}://${forward_host}:${forward_port} (WebSocket: $websocket)"
     fi
     return 0
   else
@@ -421,6 +424,9 @@ update_proxy_host "www.the-order.sankofa.nexus" "http://${THE_ORDER_UPSTREAM_IP}
 # Sankofa Studio (FusionAI) — VMID 7805; UI at /studio/ on same origin (port 8000). Prefer IP_SANKOFA_STUDIO from ip-addresses.conf / .env
 IP_SANKOFA_STUDIO="${IP_SANKOFA_STUDIO:-192.168.11.72}"
 SANKOFA_STUDIO_PORT="${SANKOFA_STUDIO_PORT:-8000}"
+# Order of Malta DealFlow — CT 10381; nginx TLS on host :443 (Docker Compose). NPM must use forward_scheme https.
+IP_OM_TREASURY_DEALFLOW="${IP_OM_TREASURY_DEALFLOW:-192.168.11.94}"
+update_proxy_host "dealflow.d-bis.org" "https://${IP_OM_TREASURY_DEALFLOW}:443" false false && updated_count=$((updated_count + 1)) || { add_proxy_host "dealflow.d-bis.org" "${IP_OM_TREASURY_DEALFLOW}" 443 false false "" "https" && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 # block_exploits false — studio UI/API may POST; align with portal policy (avoid spurious 405 from NPM WAF)
 update_proxy_host "studio.sankofa.nexus" "http://${IP_SANKOFA_STUDIO}:${SANKOFA_STUDIO_PORT}" false false && updated_count=$((updated_count + 1)) || { add_proxy_host "studio.sankofa.nexus" "${IP_SANKOFA_STUDIO}" "${SANKOFA_STUDIO_PORT}" false false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
diff --git a/scripts/update-all-dns-to-public-ip.sh b/scripts/update-all-dns-to-public-ip.sh
index a784bc4b..fd9e5258 100755
--- a/scripts/update-all-dns-to-public-ip.sh
+++ b/scripts/update-all-dns-to-public-ip.sh
@@ -359,6 +359,7 @@ main() {
     "dbis-api-2" # dbis-api-2.d-bis.org
     "secure" # secure.d-bis.org
     "mail" # mail.d-bis.org (A → PUBLIC_IP; use with mail MX/SPF script)
+    "dealflow" # dealflow.d-bis.org (Order of Malta DealFlow CT 10381 via NPM)
   )
   if ! process_zone "$ZONE_D_BIS_ORG" "d-bis.org" "${DBIS_RECORDS[@]}"; then
     ((total_failures++))