Consolidate nginx docs and scripts, update paths

2026-05-06 11:09:18 +02:00 · 2026-04-15 10:58:49 +02:00
parent 3cd96ed28a
commit 507f3eb704
23 changed files with 645 additions and 2256 deletions
--- a/nginx/README.md
+++ b/nginx/README.md
@@ -1,17 +1,26 @@
 # Nginx Configuration - Post-ERG

-This directory contains nginx configuration and setup scripts for the Post-ERG thesis website.
+This directory contains nginx configuration and documentation for the Post-ERG thesis website.

 ## 📁 Files

 - **`posterg.conf`** - Complete nginx configuration file
- **`setup-password.sh`** - Script to create admin passwords
- **`SETUP.md`** - Detailed setup instructions
- **`QUICK_REFERENCE.md`** - Command reference and troubleshooting
+- **`scripts/`** - Server setup scripts
+  - `setup-password.sh` - Create admin passwords
+  - `install-php-sqlite.sh` - Install PHP SQLite extension
+  - `fix-paths.sh` - Fix PHP include paths
+- **`docs/`** - Documentation
+  - `PRODUCTION_DEPLOYMENT.md` - Deployment guide
+  - `QUICK_REFERENCE.md` - Command reference
+  - `ADMIN_USERS.md` - User management
+  - `SECURITY_HEADERS.md` - Security headers reference
+  - `PHP_AUTH_LAYER.md` - Authentication layer documentation
+  - `HTACCESS_TO_ NGINX.md` - Apache to nginx migration notes
+  - `TEST_DATABASE_SETUP.md` - Test database deployment

 ## 🚀 Quick Start

-### 1. Deploy nginx configuration (automated)
+### Deploy nginx configuration

 ```bash
 # From your local machine
@@ -19,38 +28,37 @@ just deploy-nginx

 # Then on the server:
 ssh posterg
-sudo bash /tmp/deploy-production.sh
+sudo bash /tmp/deploy-server.sh
+sudo systemctl reload nginx
 ```

 The deployment script will:
- ✅ Fix file permissions (posterg group)
- ✅ Set up admin password (if needed)
+- ✅ Fix file permissions (www-data:posterg)
 - ✅ Install nginx configuration
 - ✅ Test and reload nginx
 - ✅ Verify PHP-FPM is running

-### 2. SSL/TLS
+### Manage admin users

-SSL/TLS is handled by the upstream reverse proxy and is already working.
-No additional SSL setup is needed on this server.
+```bash
+just manage-admin-users
+ssh posterg "sudo bash /tmp/manage-admin-users.sh"
+```

 ## 🔒 Security Features

 ### Admin Panel Protection
- **Password required** for `/formulaire/` (admin panel)
+- **Password required** for `/admin/`
 - HTTP Basic Authentication
 - Rate limited: 10 requests/minute

 ### File Access Protection
 - Database files (`.db`) - **BLOCKED**
 - Sensitive files (`.md`, `.sql`, `.env`) - **BLOCKED**
- `/src` directory (PHP source) - **BLOCKED**
- `/templates` directory (PHP templates) - **BLOCKED**
- `/config` directory (configuration) - **BLOCKED**
- `/storage` directory (databases) - **BLOCKED**
- `/tests` directory - **BLOCKED**
- `/scripts` directory - **BLOCKED**
- `/docs` directory - **BLOCKED**
+- `/src` directory - **BLOCKED**
+- `/templates` directory - **BLOCKED**
+- `/config` directory - **BLOCKED**
+- `/storage` directory - **BLOCKED**
 - Hidden files (`.git`, etc.) - **BLOCKED**

 ### Rate Limiting
@@ -61,45 +69,25 @@ No additional SSL setup is needed on this server.
 ### Security Headers
 - ✅ X-Frame-Options (clickjacking protection)
 - ✅ X-Content-Type-Options (MIME sniffing protection)
- ✅ X-XSS-Protection (XSS filter)
 - ✅ Strict-Transport-Security (force HTTPS)
 - ✅ Referrer-Policy (referrer control)
 - ✅ Permissions-Policy (disable browser features)

-### SSL/TLS
- TLS 1.2 and 1.3 only
- Strong cipher suites
- OCSP stapling
- HSTS enabled
-
 ## 📚 Documentation

- **[SETUP.md](SETUP.md)** - Complete setup guide
-  - Installation steps
-  - Configuration details
-  - Testing procedures
-  - Troubleshooting
-  - Performance tuning
-  - Security checklist
-
- **[QUICK_REFERENCE.md](QUICK_REFERENCE.md)** - Command reference
-  - Common operations
-  - Password management
-  - Nginx control
-  - Log viewing
-  - Testing commands
-  - Troubleshooting
+- **[docs/PRODUCTION_DEPLOYMENT.md](docs/PRODUCTION_DEPLOYMENT.md)** - Complete deployment guide
+- **[docs/QUICK_REFERENCE.md](docs/QUICK_REFERENCE.md)** - Command reference and troubleshooting
+- **[docs/ADMIN_USERS.md](docs/ADMIN_USERS.md)** - Admin user management
+- **[docs/SECURITY_HEADERS.md](docs/SECURITY_HEADERS.md)** - Security headers reference

 ## 🧪 Testing

-Test your configuration:
-
 ```bash
 # Test admin authentication
-curl -I https://posterg.erg.be/formulaire/
+curl -I https://posterg.erg.be/admin/

 # Test file protection
-curl -I https://posterg.erg.be/storage/posterg.db
+curl -I https://posterg.erg.be/storage/test.db

 # Test security headers
 curl -I https://posterg.erg.be/ | grep -E "X-|Strict-Transport"
@@ -109,60 +97,27 @@ curl -I https://posterg.erg.be/ | grep -E "X-|Strict-Transport"

 ### Admin can't log in
 ```bash
-# Reset password
 sudo htpasswd /etc/nginx/.htpasswd-posterg admin
 ```

 ### 502 Bad Gateway
 ```bash
-# Check PHP-FPM
-sudo systemctl status php8.2-fpm
-sudo systemctl restart php8.2-fpm
+sudo systemctl status php8.4-fpm
+sudo systemctl restart php8.4-fpm
 ```

 ### Configuration errors
 ```bash
-# Test and show errors
 sudo nginx -t
 ```

 ## 📊 Monitoring

 ```bash
-# Watch access logs
+# Watch logs
 sudo tail -f /var/log/nginx/posterg_access.log
-
-# Watch error logs
 sudo tail -f /var/log/nginx/posterg_error.log

 # Check nginx status
 sudo systemctl status nginx
 ```
-
-## 🔄 Maintenance
-
-### Change admin password
-```bash
-sudo htpasswd /etc/nginx/.htpasswd-posterg admin
-```
-
-### Reload after config changes
-```bash
-sudo nginx -t && sudo systemctl reload nginx
-```
-
-### Renew SSL certificate
-```bash
-sudo certbot renew
-```
-
-## 📞 Support
-
-For detailed instructions, see:
- **SETUP.md** - Complete setup guide
- **QUICK_REFERENCE.md** - Command reference
-
-For issues:
-1. Check nginx error logs: `sudo tail /var/log/nginx/posterg_error.log`
-2. Test configuration: `sudo nginx -t`
-3. Check PHP-FPM: `sudo systemctl status php8.2-fpm`