# ROA2WEB Production Deployment Issue - Diagnostic Report **Date**: 2025-12-30 **Environment**: Windows Production (roa2web.romfast.ro) **Issue**: 404 errors on API calls after deployment --- ## Summary Frontend loads successfully but all API calls return **404 Not Found** errors: - `POST /roa2web/api/auth/login` → 404 - `GET /roa2web/api/companies` → 404 Browser console shows: ``` POST https://roa2web.romfast.ro/roa2web/api/auth/login 404 (Not Found) ``` --- ## Architecture Overview **2-Tier IIS Deployment**: ``` Internet → Public IIS (10.0.20.122 - roa2web.romfast.ro) ↓ HTTPS reverse proxy Internal IIS (10.0.20.36 - application server) ↓ API proxy to localhost Backend Service (localhost:8000 on 10.0.20.36) ↓ Oracle Database ``` ### Verified Components ✅ **Public IIS** (10.0.20.122 - roa2web.romfast.ro): - ✅ web.config correctly proxies all requests to `https://10.0.20.36/{R:1}` - ✅ Forwards headers: `X-Forwarded-Proto`, `X-Forwarded-Host`, `X-Real-IP` - ✅ Configuration verified - THIS SERVER IS CORRECT ✅ **Frontend** (10.0.20.36): - Built with `base: '/roa2web/'` (correct for IIS sub-application) - API calls use `baseURL: '/roa2web/api'` (correct) - Static files load successfully ❌ **Internal IIS** (10.0.20.36) - **PROBLEMA ESTE AICI**: - **CRITICAL**: web.config lipsește SAU nu este configurat corect - **MUST**: Trebuie să facă proxy de la `/roa2web/api/*` către `http://localhost:8000/api/*` - **Location**: `C:\inetpub\wwwroot\roa2web\web.config` (pe serverul 10.0.20.36) ❓ **Backend Service** (pe 10.0.20.36): - **UNKNOWN**: Need to verify service is running - Should be accessible at `http://localhost:8000/health` (de pe 10.0.20.36) --- ## Root Cause Analysis Based on Playwright testing, the issue is most likely: ### Primary Suspect: Internal Server web.config The internal server's web.config **MUST** handle the `/roa2web/` prefix correctly. **WRONG Configuration** (causes 404): ```xml ❌ Missing roa2web prefix! ``` **CORRECT Configuration**: ```xml ✅ Includes roa2web prefix ``` **Why**: Requests arrive at internal server as `/roa2web/api/auth/login` (NOT `/api/auth/login`), because the public server preserves the full path when proxying. ### Secondary Suspects 1. **Backend service not running** - Check: `Get-Service ROA2WEB-Backend` 2. **IIS ARR not enabled** - Check: `Get-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Filter "system.webServer/proxy" -Name "enabled"` 3. **IIS sub-application misconfigured** - Frontend should be deployed at IIS path `/roa2web`, not root --- ## Diagnostic Steps ### Step 1: Check Backend Service (on 10.0.20.36) ```powershell # Check service status Get-Service ROA2WEB-Backend # If stopped, start it Start-Service ROA2WEB-Backend # Test backend directly Invoke-WebRequest http://localhost:8000/health ``` **Expected Output**: ```json {"status": "healthy", "version": "..."} ``` ### Step 2: Check Internal IIS web.config (on 10.0.20.36) ```powershell # View current web.config Get-Content C:\inetpub\wwwroot\roa2web\web.config # OR if frontend is in subdirectory: Get-Content C:\inetpub\wwwroot\roa2web\frontend\web.config ``` **Verify these rules**: - `` (NOT `^api/(.*)`) - `` (NOT `^uploads/(.*)`) - `` for SPA fallback ### Step 3: Check IIS ARR (on 10.0.20.36) ```powershell # Check if ARR is installed Get-WindowsFeature -Name Web-ARR # Check if proxy is enabled Get-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" ` -Filter "system.webServer/proxy" ` -Name "enabled" ``` **Expected**: `enabled` should be `True` ### Step 4: Test Internal IIS Proxy (on 10.0.20.36) ```powershell # Test API endpoint through IIS Invoke-WebRequest https://localhost/roa2web/api/health # Should proxy to backend and return response ``` ### Step 5: Check IIS Application Structure (on 10.0.20.36) ```powershell # List IIS applications Get-WebApplication -Site "Default Web Site" | Format-Table Path, PhysicalPath # Should show: # /roa2web -> C:\inetpub\wwwroot\roa2web\ ``` --- ## Fix Recommendations ### Fix #1: Update Internal Server web.config **Server**: 10.0.20.36 (internal application server) **Location**: `C:\inetpub\wwwroot\roa2web\web.config` **IMPORTANT**: Acest web.config este pe serverul 10.0.20.36, NU pe 10.0.20.122! **Required Configuration**: ```xml ``` **Deployment**: ```powershell # ⚠️ IMPORTANT: Rulează aceste comenzi pe serverul 10.0.20.36, NU pe 10.0.20.122! # Conectează-te la 10.0.20.36 (internal application server) # Backup current config Copy-Item C:\inetpub\wwwroot\roa2web\web.config ` C:\inetpub\wwwroot\roa2web\web.config.backup.$(Get-Date -Format 'yyyyMMdd-HHmmss') # Update web.config with corrected version # (copy from repository: public/web.config after updating it) # Restart IIS iisreset # Test Invoke-WebRequest https://localhost/roa2web/api/health ``` ### Fix #2: Ensure Backend Service is Running ```powershell # On internal server (10.0.20.36) # Check service Get-Service ROA2WEB-Backend # If stopped Start-Service ROA2WEB-Backend # View startup logs Get-Content C:\inetpub\wwwroot\roa2web\logs\backend-stdout.log -Tail 50 # Check for errors Get-Content C:\inetpub\wwwroot\roa2web\logs\backend-stderr.log -Tail 50 ``` ### Fix #3: Enable IIS ARR (if not enabled) ```powershell # On internal server (10.0.20.36) # Enable proxy Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" ` -Filter "system.webServer/proxy" ` -Name "enabled" ` -Value "True" # Restart IIS iisreset ``` --- ## Verification Steps (After Fix) ### 1. Backend Health Check (Direct) ```powershell # On 10.0.20.36 Invoke-WebRequest http://localhost:8000/health ``` **Expected**: `200 OK` with JSON response ### 2. Internal IIS Proxy Test ```powershell # On 10.0.20.36 Invoke-WebRequest https://localhost/roa2web/api/health ``` **Expected**: `200 OK` (proxied from backend) ### 3. Public Access Test ```powershell # From any client Invoke-WebRequest https://roa2web.romfast.ro/roa2web/ ``` **Expected**: Frontend loads (HTML page) ### 4. Login Flow Test (Playwright) Use Playwright to test complete login flow: ```bash # On development machine cd /mnt/e/proiecte/roa2web npx playwright test --headed --project=chromium tests/login.spec.js ``` **Expected**: Login succeeds without 404 errors --- ## Prevention To prevent this issue in future deployments: 1. **Use Correct web.config Template** - Repository should have separate web.config templates: - `public/web.config` - for internal server (with `/roa2web/` prefix) - `deployment/windows/config/web.config` - same as above 2. **Automated Deployment Script** - PowerShell script should validate web.config before deployment - Check for required URL patterns: `^roa2web/api/`, `^roa2web/uploads/` 3. **Deployment Checklist** - Add to `deployment/windows/docs/DEPLOYMENT-CHECKLIST.md`: - [ ] Verify web.config includes `/roa2web/` prefix in match rules - [ ] Test backend: `Invoke-WebRequest http://localhost:8000/health` - [ ] Test IIS proxy: `Invoke-WebRequest https://localhost/roa2web/api/health` - [ ] Test public access: `Invoke-WebRequest https://roa2web.romfast.ro/roa2web/` 4. **Monitoring** - Add health check endpoint monitoring - Alert if backend service stops - Monitor IIS logs for 404/502 errors --- ## Next Steps 1. ✅ **Immediate**: Check internal server web.config (on 10.0.20.36) 2. ✅ **Immediate**: Verify backend service is running 3. ✅ **Immediate**: Apply Fix #1 if web.config is incorrect 4. ⏭️ **After Fix**: Run verification steps 5. ⏭️ **After Fix**: Update repository web.config template 6. ⏭️ **Future**: Add automated deployment validation --- ## Documentation Created - ✅ `deployment/windows/docs/TWO-TIER-IIS-DEPLOYMENT.md` - Complete 2-tier architecture guide - ✅ Updated `CLAUDE.md` with deployment documentation reference - ✅ This diagnostic report: `DIAGNOSIS-2025-12-30.md` --- ## Contact Information **Issue Reported By**: User via Playwright testing **Diagnosed By**: Claude Code **Date**: 2025-12-30 **Severity**: HIGH (blocking production login) **Priority**: IMMEDIATE --- *For detailed architecture documentation, see: `deployment/windows/docs/TWO-TIER-IIS-DEPLOYMENT.md`*