From d65f5ea279c3aaa6ce06cbb0014c39cdbe5b6434 Mon Sep 17 00:00:00 2001
From: justin
Date: Tue, 16 Jun 2026 00:05:54 -0500
Subject: [PATCH] nginx: stop blocking /admin (bot-scan rule matched our own dashboard)

The shared security snippet blocked any path matching /(admin|administrator| login.action|struts) with 'return 444', which drops the connection. That bare 'admin' token also matched our own operations dashboard at /admin and the new /admin/compliance-orders, so the browser showed 'This site can't be reached'. Dropped the bare 'admin' token; administrator/login.action/struts stay blocked. Applied live on prod (sudo edit + nginx reload); this updates the source of truth so the ansible nginx role won't reintroduce it.
---
 infra/ansible/roles/nginx/templates/pw-security.conf.j2 | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/infra/ansible/roles/nginx/templates/pw-security.conf.j2 b/infra/ansible/roles/nginx/templates/pw-security.conf.j2
index aad67e7..0842754 100644
--- a/infra/ansible/roles/nginx/templates/pw-security.conf.j2
+++ b/infra/ansible/roles/nginx/templates/pw-security.conf.j2
@@ -36,7 +36,11 @@ location ~* /(phpmyadmin|pma|myadmin|mysql|adminer) { return 444; }
-location ~* /(admin|administrator|login\.action|struts) {
+# Block common attack-scanner paths. NOTE: do NOT include a bare "admin" here —
+# our own operations dashboard lives at /admin and /admin/compliance-orders.
+# "administrator" (Joomla), "login.action"/"struts" remain blocked and do not
+# match our /admin path.
+location ~* /(administrator|login\.action|struts) { return 444; }
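Review bot: The new rule still matches its tokens anywhere in the URI because the regex is unanchored and case-insensitive (`location ~* /(administrator|login\.action|struts)`), so the same collision can recur on any future dashboard route containing one of those tokens (e.g. `/admin/administrators`), and because `return 444` closes the connection without a response it will fail in the same silent way the commit message describes. If the scanner paths of interest live at the site root, anchoring the pattern, `location ~* ^/(administrator|login\.action|struts) {`, narrows the match, and giving this location its own `access_log` directive would make drops of legitimate paths visible in logs instead of only as "site can't be reached" reports. The message says the fix was first applied by hand on prod, so it is worth confirming the rendered template now matches the live file (an ansible `--check --diff` run) before the next role run. Whether /admin itself sits behind authentication or an allowlist is not visible in this hunk; the bare-token rule was shielding it from scanners only by accident, so that should be confirmed separately.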