Consolidate nginx docs and scripts, update paths

2026-05-07 03:29:19 +02:00 · 2026-04-15 10:58:49 +02:00
parent 3cd96ed28a
commit 507f3eb704
23 changed files with 645 additions and 2256 deletions
--- a/nginx/docs/PRODUCTION_DEPLOYMENT.md
+++ b/nginx/docs/PRODUCTION_DEPLOYMENT.md
@@ -0,0 +1,210 @@
+# Production Deployment Guide - Post-ERG
+
+This guide covers deploying the production nginx configuration with proper security and permissions.
+
+## 🎯 Overview
+
+- **Server**: posterg.erg.be (internal IP: 192.168.6.125)
+- **PHP Version**: 8.4
+- **SSL/TLS**: Handled by upstream reverse proxy
+- **Document Root**: `/var/www/posterg/public/`
+
+## 🚀 Quick Deployment
+
+From your local machine:
+
+```bash
+# Deploy nginx config and upload deployment script
+just deploy-nginx
+
+# Then on the server:
+ssh posterg
+sudo bash /tmp/deploy-server.sh
+sudo systemctl reload nginx
+```
+
+This uploads:
+- `nginx/posterg.conf` → `/tmp/posterg.conf`
+- `scripts/deploy-server.sh` → `/tmp/deploy-server.sh`
+
+## 📋 Step-by-Step Deployment
+
+### 1. Set Up Admin Password (First Time Only)
+
+```bash
+ssh posterg
+sudo htpasswd -c /etc/nginx/.htpasswd-posterg admin
+# Enter a strong password when prompted
+```
+
+**💡 Tip**: Generate a strong password:
+```bash
+openssl rand -base64 32
+```
+
+### 2. Deploy Configuration
+
+```bash
+# From your local machine
+just deploy-nginx
+
+# On the server
+sudo bash /tmp/deploy-server.sh
+sudo systemctl reload nginx
+```
+
+The script will:
+- ✅ Fix file permissions (set to www-data:posterg)
+- ✅ Install nginx configuration
+- ✅ Test nginx configuration
+- ✅ Check PHP-FPM status
+
+## 🔧 Manual Deployment (Alternative)
+
+### Step 1: Fix Permissions
+
+```bash
+ssh posterg
+
+# Set correct ownership
+sudo chown -R www-data:posterg /var/www/posterg/
+
+# Set directory permissions
+sudo find /var/www/posterg -type d -exec chmod 755 {} \;
+
+# Set file permissions
+sudo find /var/www/posterg -type f -exec chmod 644 {} \;
+
+# Make storage writable
+sudo chmod 775 /var/www/posterg/storage
+
+# Protect database
+sudo chmod 660 /var/www/posterg/storage/test.db
+sudo chown www-data:posterg /var/www/posterg/storage/test.db
+```
+
+### Step 2: Deploy Nginx Config
+
+```bash
+# Copy config
+sudo cp /tmp/posterg.conf /etc/nginx/sites-available/posterg
+
+# Enable site and disable default
+sudo ln -sf /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/posterg
+sudo rm -f /etc/nginx/sites-enabled/default
+
+# Test and reload
+sudo nginx -t
+sudo systemctl reload nginx
+```
+
+## 🧪 Testing
+
+### Test Public Site
+
+```bash
+# Should return 200 OK
+curl -I https://posterg.erg.be/
+```
+
+### Test Admin Protection
+
+```bash
+# Should return 401 Unauthorized
+curl -I https://posterg.erg.be/admin/
+
+# With credentials
+curl -u admin:your_password https://posterg.erg.be/admin/
+```
+
+### Test File Protection
+
+```bash
+# Should return 403 Forbidden
+curl -I https://posterg.erg.be/storage/test.db
+curl -I https://posterg.erg.be/src/Database.php
+curl -I https://posterg.erg.be/config/bootstrap.php
+```
+
+### Test Security Headers
+
+```bash
+curl -I https://posterg.erg.be/ | grep -E "X-Frame|X-Content|Strict-Transport"
+```
+
+## 🔍 Troubleshooting
+
+### Still Getting 403 Forbidden
+
+**Check file permissions:**
+```bash
+ls -la /var/www/posterg/public/index.php
+groups www-data  # Should include posterg
+```
+
+### 502 Bad Gateway
+
+**Check PHP-FPM:**
+```bash
+sudo systemctl status php8.4-fpm
+sudo systemctl restart php8.4-fpm
+```
+
+### Admin Password Not Working
+
+```bash
+sudo htpasswd /etc/nginx/.htpasswd-posterg admin
+```
+
+## 📊 Monitoring
+
+```bash
+# Watch logs
+sudo tail -f /var/log/nginx/posterg_access.log
+sudo tail -f /var/log/nginx/posterg_error.log
+
+# Check status
+sudo systemctl status nginx
+```
+
+## 🔒 Security Checklist
+
+After deployment, verify:
+
+- [ ] Public site accessible at https://posterg.erg.be/
+- [ ] Admin panel requires password
+- [ ] Database files return 403 Forbidden
+- [ ] Source files return 403 Forbidden
+- [ ] Security headers present
+- [ ] PHP-FPM running
+
+## 🔄 Updating the Site
+
+```bash
+# Deploy code changes
+just deploy
+
+# Reload nginx if config changed
+ssh posterg "sudo systemctl reload nginx"
+```
+
+## 🆘 Emergency Recovery
+
+```bash
+# Restore default nginx config
+ssh posterg
+sudo rm /etc/nginx/sites-enabled/posterg
+sudo systemctl reload nginx
+
+# Reset permissions
+sudo chown -R www-data:posterg /var/www/posterg/
+sudo find /var/www/posterg -type d -exec chmod 755 {} \;
+sudo find /var/www/posterg -type f -exec chmod 644 {} \;
+```
+
+---
+
+**See also:**
+- [QUICK_REFERENCE.md](QUICK_REFERENCE.md) - Command reference
+- [ADMIN_USERS.md](ADMIN_USERS.md) - User management
+- [SECURITY_HEADERS.md](SECURITY_HEADERS.md) - Security headers