Consolidate nginx docs and scripts, update paths

nginx/docs/QUICK_REFERENCE.md

@@ -0,0 +1,242 @@
+# Nginx Quick Reference - Post-ERG
+
+## Setup Commands
+
+```bash
+# Copy nginx config
+sudo cp nginx/posterg.conf /etc/nginx/sites-available/posterg
+sudo ln -s /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/
+sudo rm -f /etc/nginx/sites-enabled/default
+
+# Test and reload
+sudo nginx -t
+sudo systemctl reload nginx
+```
+
+## Common Operations
+
+### Password Management
+
+```bash
+# Interactive menu (recommended)
+sudo bash /tmp/manage-admin-users.sh
+
+# Or manual commands:
+# Add new user
+sudo htpasswd /etc/nginx/.htpasswd-posterg username
+
+# Change password for existing user
+sudo htpasswd /etc/nginx/.htpasswd-posterg username
+
+# Remove user
+sudo htpasswd -D /etc/nginx/.htpasswd-posterg username
+
+# List all users
+sudo cut -d: -f1 /etc/nginx/.htpasswd-posterg
+```
+
+### Nginx Control
+
+```bash
+# Test configuration
+sudo nginx -t
+
+# Reload configuration (no downtime)
+sudo systemctl reload nginx
+
+# Restart nginx (brief downtime)
+sudo systemctl restart nginx
+
+# Stop nginx
+sudo systemctl stop nginx
+
+# Start nginx
+sudo systemctl start nginx
+
+# Check status
+sudo systemctl status nginx
+```
+
+### View Logs
+
+```bash
+# Public site access log
+sudo tail -f /var/log/nginx/posterg_access.log
+
+# Public site errors
+sudo tail -f /var/log/nginx/posterg_error.log
+
+# SSL access log
+sudo tail -f /var/log/nginx/posterg_ssl_access.log
+
+# Search for specific pattern
+sudo grep "404" /var/log/nginx/posterg_access.log
+
+# Count requests by IP
+sudo awk '{print $1}' /var/log/nginx/posterg_access.log | sort | uniq -c | sort -nr | head
+```
+
+### SSL/HTTPS
+
+```bash
+# Get SSL certificate (Let's Encrypt)
+sudo certbot --nginx -d posterg.erg.be -d www.posterg.erg.be
+
+# Renew certificates
+sudo certbot renew
+
+# Check certificate expiry
+sudo certbot certificates
+
+# Test auto-renewal
+sudo certbot renew --dry-run
+```
+
+## Testing
+
+### Test Admin Authentication
+
+```bash
+# Should require password (returns 401)
+curl -I https://posterg.erg.be/admin/
+
+# With authentication
+curl -u admin:password https://posterg.erg.be/admin/
+```
+
+### Test Rate Limiting
+
+```bash
+# Should show increasing 429 responses after limit
+for i in {1..50}; do
+    curl -s -o /dev/null -w "%{http_code}\n" https://posterg.erg.be/
+done
+```
+
+### Test File Protection
+
+```bash
+# Should return 403
+curl -I https://posterg.erg.be/storage/posterg.db
+curl -I https://posterg.erg.be/shared/Database.php
+curl -I https://posterg.erg.be/.env
+```
+
+### Test Security Headers
+
+```bash
+# Check all security headers
+curl -I https://posterg.erg.be/ 2>&1 | grep -E "X-|Strict-Transport|Referrer|Permissions"
+```
+
+## Troubleshooting
+
+### Common Issues
+
+**403 Forbidden on admin**
+```bash
+# Check htpasswd file exists
+sudo ls -l /etc/nginx/.htpasswd-posterg
+
+# Check permissions
+sudo chmod 644 /etc/nginx/.htpasswd-posterg
+```
+
+**502 Bad Gateway**
+```bash
+# Check PHP-FPM status
+sudo systemctl status php8.2-fpm
+
+# Restart PHP-FPM
+sudo systemctl restart php8.2-fpm
+
+# Check PHP-FPM logs
+sudo tail /var/log/php8.2-fpm.log
+```
+
+**Configuration errors**
+```bash
+# Test config and show errors
+sudo nginx -t
+
+# Check nginx error log
+sudo tail -50 /var/log/nginx/error.log
+```
+
+### Emergency Recovery
+
+```bash
+# Disable password protection temporarily
+sudo nano /etc/nginx/sites-available/posterg
+# Comment out these lines in /admin/ location:
+# auth_basic "Admin Access - Post-ERG";
+# auth_basic_user_file /etc/nginx/.htpasswd-posterg;
+
+# Reload nginx
+sudo nginx -t && sudo systemctl reload nginx
+```
+
+## Performance Monitoring
+
+```bash
+# Check active connections
+sudo ss -tulpn | grep nginx
+
+# Monitor nginx processes
+watch -n 1 'ps aux | grep nginx'
+
+# Check request rate
+sudo tail -f /var/log/nginx/posterg_access.log | pv -l -r > /dev/null
+
+# Disk usage of logs
+sudo du -sh /var/log/nginx/*
+```
+
+## Maintenance
+
+```bash
+# Rotate logs manually
+sudo nginx -s reopen
+
+# Clear old logs (keep last 7 days)
+sudo find /var/log/nginx -name "*.log" -mtime +7 -delete
+
+# Backup configuration
+sudo cp /etc/nginx/sites-available/posterg /etc/nginx/sites-available/posterg.backup.$(date +%Y%m%d)
+
+# Backup password file
+sudo cp /etc/nginx/.htpasswd-posterg /etc/nginx/.htpasswd-posterg.backup.$(date +%Y%m%d)
+```
+
+## Security Checklist
+
+- [ ] Admin password set: `sudo ls -l /etc/nginx/.htpasswd-posterg`
+- [ ] SSL enabled: `curl -I https://posterg.erg.be/`
+- [ ] Database blocked: `curl -I https://posterg.erg.be/storage/posterg.db`
+- [ ] Shared directory blocked: `curl -I https://posterg.erg.be/shared/Database.php`
+- [ ] Rate limiting working: Test with curl loop
+- [ ] Security headers present: `curl -I https://posterg.erg.be/ | grep X-`
+- [ ] Logs accessible: `sudo tail /var/log/nginx/posterg_access.log`
+
+## Configuration Paths
+
+- **Nginx config**: `/etc/nginx/sites-available/posterg`
+- **Password file**: `/etc/nginx/.htpasswd-posterg`
+- **SSL certificates**: `/etc/letsencrypt/live/posterg.erg.be/`
+- **Access logs**: `/var/log/nginx/posterg_access.log`
+- **Error logs**: `/var/log/nginx/posterg_error.log`
+- **PHP-FPM config**: `/etc/php/8.2/fpm/pool.d/www.conf`
+- **PHP-FPM socket**: `/var/run/php/php8.2-fpm.sock`
+
+## Rate Limits (Current Settings)
+
+- **General requests**: 30 requests/minute
+- **Search endpoint**: 30 requests/minute (burst: 10)
+- **Admin panel**: 10 requests/minute (burst: 5)
+
+To adjust, edit these lines in nginx config:
+```nginx
+limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
+limit_req_zone $binary_remote_addr zone=search:10m rate=30r/m;
+limit_req_zone $binary_remote_addr zone=admin:10m rate=10r/m;
+```