PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-06 11:09:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

rename posterg → xamxam throughout: nginx conf, scripts, PHP source, docs

Browse Source
This commit is contained in:
Pontoporeia
2026-04-30 10:50:23 +02:00
parent 3e35bbc40f
commit c949cf9481
31 changed files with 283 additions and 267 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
nginx/README.md
View File

@@ -4,7 +4,7 @@ This directory contains nginx configuration and documentation for the Post-ERG t
## 📁 Files
- **`posterg.conf`** - Complete nginx configuration file
- **`xamxam.conf`** - Complete nginx configuration file
- **`docs/`** - Documentation
- `PRODUCTION_DEPLOYMENT.md` - Deployment guide
- `QUICK_REFERENCE.md` - Command reference
@@ -23,13 +23,13 @@ This directory contains nginx configuration and documentation for the Post-ERG t
just deploy-nginx
# Then on the server:
ssh posterg
ssh xamxam
sudo bash /tmp/deploy-server.sh
sudo systemctl reload nginx
```
The deployment script will:
- ✅ Fix file permissions (www-data:posterg)
- ✅ Fix file permissions (www-data:xamxam)
- ✅ Install nginx configuration
- ✅ Test and reload nginx
- ✅ Verify PHP-FPM is running
@@ -38,7 +38,7 @@ The deployment script will:
```bash
just manage-admin-users
ssh posterg "sudo bash /tmp/manage-admin-users.sh"
ssh xamxam "sudo bash /tmp/manage-admin-users.sh"
```
## 🔒 Security Features
@@ -80,20 +80,20 @@ ssh posterg "sudo bash /tmp/manage-admin-users.sh"
```bash
# Test admin authentication
curl -I https://posterg.erg.be/admin/
curl -I https://xamxam.erg.be/admin/
# Test file protection
curl -I https://posterg.erg.be/storage/test.db
curl -I https://xamxam.erg.be/storage/test.db
# Test security headers
curl -I https://posterg.erg.be/ | grep -E "X-|Strict-Transport"
curl -I https://xamxam.erg.be/ | grep -E "X-|Strict-Transport"
```
## 🆘 Quick Help
### Admin can't log in
```bash
sudo htpasswd /etc/nginx/.htpasswd-posterg admin
sudo htpasswd /etc/nginx/.htpasswd-xamxam admin
```
### 502 Bad Gateway
@@ -111,8 +111,8 @@ sudo nginx -t
```bash
# Watch logs
sudo tail -f /var/log/nginx/posterg_access.log
sudo tail -f /var/log/nginx/posterg_error.log
sudo tail -f /var/log/nginx/xamxam_access.log
sudo tail -f /var/log/nginx/xamxam_error.log
# Check nginx status
sudo systemctl status nginx

26
nginx/SETUP.md
View File

@@ -20,7 +20,7 @@ just deploy-nginx
### 2. Apply on the server
```bash
ssh posterg
ssh xamxam
sudo bash /tmp/deploy-server.sh
sudo systemctl reload nginx
```
@@ -29,7 +29,7 @@ sudo systemctl reload nginx
```bash
just manage-admin-users
ssh posterg "sudo bash /tmp/manage-admin-users.sh"
ssh xamxam "sudo bash /tmp/manage-admin-users.sh"
```
## Manual Setup Steps
@@ -46,14 +46,14 @@ sudo apt install nginx apache2-utils php8.4-fpm
```bash
just manage-admin-users
# Then on the server:
ssh posterg "sudo bash /tmp/manage-admin-users.sh"
ssh xamxam "sudo bash /tmp/manage-admin-users.sh"
```
### 3. Copy Nginx Configuration
```bash
sudo cp nginx/posterg.conf /etc/nginx/sites-available/posterg
sudo ln -s /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/
sudo cp nginx/xamxam.conf /etc/nginx/sites-available/xamxam
sudo ln -s /etc/nginx/sites-available/xamxam /etc/nginx/sites-enabled/
sudo rm -f /etc/nginx/sites-enabled/default
```
@@ -71,32 +71,32 @@ sudo systemctl status nginx
```bash
# Should return 401
curl -I https://posterg.erg.be/admin/
curl -I https://xamxam.erg.be/admin/
# With credentials
curl -u admin:password https://posterg.erg.be/admin/
curl -u admin:password https://xamxam.erg.be/admin/
```
### Test File Protection
```bash
# Should return 403
curl -I https://posterg.erg.be/storage/test.db
curl -I https://posterg.erg.be/src/Database.php
curl -I https://xamxam.erg.be/storage/test.db
curl -I https://xamxam.erg.be/src/Database.php
```
### Test Security Headers
```bash
curl -I https://posterg.erg.be/ | grep -E "X-|Strict-Transport"
curl -I https://xamxam.erg.be/ | grep -E "X-|Strict-Transport"
```
## Troubleshooting
### 403 Forbidden on admin
```bash
sudo ls -l /etc/nginx/.htpasswd-posterg
sudo chmod 644 /etc/nginx/.htpasswd-posterg
sudo ls -l /etc/nginx/.htpasswd-xamxam
sudo chmod 644 /etc/nginx/.htpasswd-xamxam
```
### 502 Bad Gateway
@@ -114,7 +114,7 @@ sudo nginx -t
### Change Admin Password
```bash
sudo htpasswd /etc/nginx/.htpasswd-posterg admin
sudo htpasswd /etc/nginx/.htpasswd-xamxam admin
```
### Reload Configuration

94
nginx/docs/ADMIN_USERS.md
View File

@@ -13,7 +13,7 @@ Quick guide to manage admin users for the Post-ERG admin panel.
just manage-admin-users
# Then on the server
ssh posterg
ssh xamxam
sudo bash /tmp/manage-admin-users.sh
```
@@ -31,15 +31,15 @@ This gives you an interactive menu to:
### List Current Users
```bash
ssh posterg
sudo cut -d: -f1 /etc/nginx/.htpasswd-posterg
ssh xamxam
sudo cut -d: -f1 /etc/nginx/.htpasswd-xamxam
```
### Change Password for Existing User
```bash
ssh posterg
sudo htpasswd /etc/nginx/.htpasswd-posterg username_here
ssh xamxam
sudo htpasswd /etc/nginx/.htpasswd-xamxam username_here
```
You'll be prompted to enter the new password twice.
@@ -47,22 +47,22 @@ You'll be prompted to enter the new password twice.
### Add New User
```bash
ssh posterg
sudo htpasswd /etc/nginx/.htpasswd-posterg new_username
ssh xamxam
sudo htpasswd /etc/nginx/.htpasswd-xamxam new_username
```
### Delete User
```bash
ssh posterg
sudo htpasswd -D /etc/nginx/.htpasswd-posterg username_to_delete
ssh xamxam
sudo htpasswd -D /etc/nginx/.htpasswd-xamxam username_to_delete
```
### Reset Everything (Start Fresh)
```bash
ssh posterg
sudo htpasswd -c /etc/nginx/.htpasswd-posterg new_username
ssh xamxam
sudo htpasswd -c /etc/nginx/.htpasswd-xamxam new_username
```
⚠️ **Warning:** The `-c` flag creates a new file, deleting all existing users!
@@ -78,7 +78,7 @@ To upload the interactive management script to the server:
just manage-admin-users
# Or manually:
rsync -v scripts/manage-admin-users.sh posterg:/tmp/manage-admin-users.sh
rsync -v scripts/manage-admin-users.sh xamxam:/tmp/manage-admin-users.sh
```
---
@@ -86,7 +86,7 @@ rsync -v scripts/manage-admin-users.sh posterg:/tmp/manage-admin-users.sh
## 🔑 Current Setup
After deployment, your admin panel has:
- **URL:** https://posterg.erg.be/admin/
- **URL:** https://xamxam.erg.be/admin/
- **Current user:** `test_posterg_22@`
- **Password:** Set during initial deployment
@@ -97,8 +97,8 @@ After deployment, your admin panel has:
### Scenario 1: Change Current Password
```bash
ssh posterg
sudo htpasswd /etc/nginx/.htpasswd-posterg test_posterg_22@
ssh xamxam
sudo htpasswd /etc/nginx/.htpasswd-xamxam test_posterg_22@
# Enter new password when prompted
```
@@ -107,28 +107,28 @@ sudo htpasswd /etc/nginx/.htpasswd-posterg test_posterg_22@
Since you can't rename users, you need to:
```bash
ssh posterg
ssh xamxam
# Add new user
sudo htpasswd /etc/nginx/.htpasswd-posterg new_username
sudo htpasswd /etc/nginx/.htpasswd-xamxam new_username
# Delete old user
sudo htpasswd -D /etc/nginx/.htpasswd-posterg test_posterg_22@
sudo htpasswd -D /etc/nginx/.htpasswd-xamxam test_posterg_22@
```
### Scenario 3: Forgot Username
```bash
ssh posterg
sudo cut -d: -f1 /etc/nginx/.htpasswd-posterg
ssh xamxam
sudo cut -d: -f1 /etc/nginx/.htpasswd-xamxam
```
### Scenario 4: Multiple Admins
```bash
ssh posterg
ssh xamxam
# Add second admin
sudo htpasswd /etc/nginx/.htpasswd-posterg admin2
sudo htpasswd /etc/nginx/.htpasswd-xamxam admin2
# Add third admin
sudo htpasswd /etc/nginx/.htpasswd-posterg admin3
sudo htpasswd /etc/nginx/.htpasswd-xamxam admin3
```
All users can log into `/admin/` with their own credentials.
@@ -136,9 +136,9 @@ All users can log into `/admin/` with their own credentials.
### Scenario 5: Start Over with New Username
```bash
ssh posterg
ssh xamxam
# This will DELETE ALL existing users and create a new one
sudo htpasswd -c /etc/nginx/.htpasswd-posterg new_admin
sudo htpasswd -c /etc/nginx/.htpasswd-xamxam new_admin
```
---
@@ -149,11 +149,11 @@ After changing users/passwords:
```bash
# Test that password is required
curl -I https://posterg.erg.be/admin/
curl -I https://xamxam.erg.be/admin/
# Should return: 401 Unauthorized
# Test with credentials
curl -u username:password https://posterg.erg.be/admin/
curl -u username:password https://xamxam.erg.be/admin/
# Should return: 200 OK
```
@@ -163,7 +163,7 @@ No nginx reload needed - changes take effect immediately!
## 📊 Password File Details
**Location:** `/etc/nginx/.htpasswd-posterg`
**Location:** `/etc/nginx/.htpasswd-xamxam`
**Format:** Standard Apache htpasswd format
```
@@ -172,7 +172,7 @@ username:$apr1$encrypted_password_hash
**Permissions:**
```bash
-rw-r--r-- root root /etc/nginx/.htpasswd-posterg
-rw-r--r-- root root /etc/nginx/.htpasswd-xamxam
```
---
@@ -187,7 +187,7 @@ username:$apr1$encrypted_password_hash
2. **Avoid Common Usernames**
- ❌ Bad: `admin`, `administrator`, `root`
- ✅ Good: `posterg_admin`, `erg_webmaster`
- ✅ Good: `xamxam_admin`, `erg_webmaster`
3. **Regular Password Changes**
- Change passwords every 3-6 months
@@ -196,14 +196,14 @@ username:$apr1$encrypted_password_hash
4. **Monitor Access**
```bash
# Check who's accessing the admin panel
ssh posterg
sudo grep "admin" /var/log/nginx/posterg_access.log
ssh xamxam
sudo grep "admin" /var/log/nginx/xamxam_access.log
```
5. **Backup Password File**
```bash
ssh posterg
sudo cp /etc/nginx/.htpasswd-posterg /etc/nginx/.htpasswd-posterg.backup
ssh xamxam
sudo cp /etc/nginx/.htpasswd-xamxam /etc/nginx/.htpasswd-xamxam.backup
```
---
@@ -214,25 +214,25 @@ username:$apr1$encrypted_password_hash
**Check file exists:**
```bash
ssh posterg
ls -la /etc/nginx/.htpasswd-posterg
ssh xamxam
ls -la /etc/nginx/.htpasswd-xamxam
```
**Verify user exists:**
```bash
sudo cat /etc/nginx/.htpasswd-posterg
sudo cat /etc/nginx/.htpasswd-xamxam
```
**Check nginx config:**
```bash
sudo grep -A 5 "auth_basic" /etc/nginx/sites-available/posterg
sudo grep -A 5 "auth_basic" /etc/nginx/sites-available/xamxam
```
### Can't change password - "command not found"
**Install apache2-utils:**
```bash
ssh posterg
ssh xamxam
sudo apt update
sudo apt install apache2-utils
```
@@ -241,8 +241,8 @@ sudo apt install apache2-utils
**Recreate it:**
```bash
ssh posterg
sudo htpasswd -c /etc/nginx/.htpasswd-posterg new_admin
ssh xamxam
sudo htpasswd -c /etc/nginx/.htpasswd-xamxam new_admin
```
---
@@ -252,11 +252,11 @@ sudo htpasswd -c /etc/nginx/.htpasswd-posterg new_admin
| Task | Command |
|------|---------|
| **Interactive menu** | `sudo bash /tmp/manage-admin-users.sh` |
| **List users** | `sudo cut -d: -f1 /etc/nginx/.htpasswd-posterg` |
| **Change password** | `sudo htpasswd /etc/nginx/.htpasswd-posterg username` |
| **Add user** | `sudo htpasswd /etc/nginx/.htpasswd-posterg newuser` |
| **Delete user** | `sudo htpasswd -D /etc/nginx/.htpasswd-posterg username` |
| **Reset all** | `sudo htpasswd -c /etc/nginx/.htpasswd-posterg newuser` |
| **List users** | `sudo cut -d: -f1 /etc/nginx/.htpasswd-xamxam` |
| **Change password** | `sudo htpasswd /etc/nginx/.htpasswd-xamxam username` |
| **Add user** | `sudo htpasswd /etc/nginx/.htpasswd-xamxam newuser` |
| **Delete user** | `sudo htpasswd -D /etc/nginx/.htpasswd-xamxam username` |
| **Reset all** | `sudo htpasswd -c /etc/nginx/.htpasswd-xamxam newuser` |
| **Generate password** | `openssl rand -base64 32` |
---
@@ -267,7 +267,7 @@ No action needed! Changes to the password file take effect immediately.
You can verify with:
```bash
curl -u username:password https://posterg.erg.be/admin/
curl -u username:password https://xamxam.erg.be/admin/
```
---

4
nginx/docs/HTACCESS_TO_NGINX.md
View File

@@ -4,11 +4,11 @@
> directives that nginx **silently ignores**. None of the rules were active
> in production.
> **Status:** Migrated into `nginx/posterg.conf`
> **Status:** Migrated into `nginx/xamxam.conf`
---
## Rules migrated into `nginx/posterg.conf`
## Rules migrated into `nginx/xamxam.conf`
| Apache `.htaccess` rule | nginx equivalent | Location |
|---|---|---|

2
nginx/docs/PHP_AUTH_LAYER.md
View File

@@ -10,7 +10,7 @@ The admin panel uses **two independent authentication layers** with a single UX
| Layer | Mechanism | Configured by |
|-------|-----------|---------------|
| **1st** | nginx HTTP Basic Auth | `/etc/nginx/.htpasswd-posterg` (see `ADMIN_USERS.md`) |
| **1st** | nginx HTTP Basic Auth | `/etc/nginx/.htpasswd-xamxam` (see `ADMIN_USERS.md`) |
| **2nd** | PHP session guard (`src/AdminAuth.php`) | `config/admin_credentials.php` |
The user only sees **one prompt** (the browser Basic Auth dialog). PHP reads the

62
nginx/docs/PRODUCTION_DEPLOYMENT.md
View File

@@ -4,10 +4,10 @@ This guide covers deploying the production nginx configuration with proper secur
## 🎯 Overview
- **Server**: posterg.erg.be (internal IP: 192.168.6.125)
- **Server**: xamxam.erg.be (internal IP: 192.168.6.125)
- **PHP Version**: 8.4
- **SSL/TLS**: Handled by upstream reverse proxy
- **Document Root**: `/var/www/posterg/public/`
- **Document Root**: `/var/www/xamxam/public/`
## 🚀 Quick Deployment
@@ -18,13 +18,13 @@ From your local machine:
just deploy-nginx
# Then on the server:
ssh posterg
ssh xamxam
sudo bash /tmp/deploy-server.sh
sudo systemctl reload nginx
```
This uploads:
- `nginx/posterg.conf``/tmp/posterg.conf`
- `nginx/xamxam.conf``/tmp/xamxam.conf`
- `scripts/deploy-server.sh``/tmp/deploy-server.sh`
## 📋 Step-by-Step Deployment
@@ -32,8 +32,8 @@ This uploads:
### 1. Set Up Admin Password (First Time Only)
```bash
ssh posterg
sudo htpasswd -c /etc/nginx/.htpasswd-posterg admin
ssh xamxam
sudo htpasswd -c /etc/nginx/.htpasswd-xamxam admin
# Enter a strong password when prompted
```
@@ -54,7 +54,7 @@ sudo systemctl reload nginx
```
The script will:
- ✅ Fix file permissions (set to www-data:posterg)
- ✅ Fix file permissions (set to www-data:xamxam)
- ✅ Install nginx configuration
- ✅ Test nginx configuration
- ✅ Check PHP-FPM status
@@ -64,10 +64,10 @@ The script will:
### Step 1: Fix Permissions
```bash
ssh posterg
ssh xamxam
# Set correct ownership
sudo chown -R www-data:posterg /var/www/posterg/
sudo chown -R www-data:xamxam /var/www/xamxam/
# Set directory permissions
sudo find /var/www/posterg -type d -exec chmod 755 {} \;
@@ -76,21 +76,21 @@ sudo find /var/www/posterg -type d -exec chmod 755 {} \;
sudo find /var/www/posterg -type f -exec chmod 644 {} \;
# Make storage writable
sudo chmod 775 /var/www/posterg/storage
sudo chmod 775 /var/www/xamxam/storage
# Protect database
sudo chmod 660 /var/www/posterg/storage/test.db
sudo chown www-data:posterg /var/www/posterg/storage/test.db
sudo chmod 660 /var/www/xamxam/storage/test.db
sudo chown www-data:xamxam /var/www/xamxam/storage/test.db
```
### Step 2: Deploy Nginx Config
```bash
# Copy config
sudo cp /tmp/posterg.conf /etc/nginx/sites-available/posterg
sudo cp /tmp/xamxam.conf /etc/nginx/sites-available/xamxam
# Enable site and disable default
sudo ln -sf /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/posterg
sudo ln -sf /etc/nginx/sites-available/xamxam /etc/nginx/sites-enabled/xamxam
sudo rm -f /etc/nginx/sites-enabled/default
# Test and reload
@@ -104,32 +104,32 @@ sudo systemctl reload nginx
```bash
# Should return 200 OK
curl -I https://posterg.erg.be/
curl -I https://xamxam.erg.be/
```
### Test Admin Protection
```bash
# Should return 401 Unauthorized
curl -I https://posterg.erg.be/admin/
curl -I https://xamxam.erg.be/admin/
# With credentials
curl -u admin:your_password https://posterg.erg.be/admin/
curl -u admin:your_password https://xamxam.erg.be/admin/
```
### Test File Protection
```bash
# Should return 403 Forbidden
curl -I https://posterg.erg.be/storage/test.db
curl -I https://posterg.erg.be/src/Database.php
curl -I https://posterg.erg.be/config/bootstrap.php
curl -I https://xamxam.erg.be/storage/test.db
curl -I https://xamxam.erg.be/src/Database.php
curl -I https://xamxam.erg.be/config/bootstrap.php
```
### Test Security Headers
```bash
curl -I https://posterg.erg.be/ | grep -E "X-Frame|X-Content|Strict-Transport"
curl -I https://xamxam.erg.be/ | grep -E "X-Frame|X-Content|Strict-Transport"
```
## 🔍 Troubleshooting
@@ -138,8 +138,8 @@ curl -I https://posterg.erg.be/ | grep -E "X-Frame|X-Content|Strict-Transport"
**Check file permissions:**
```bash
ls -la /var/www/posterg/public/index.php
groups www-data # Should include posterg
ls -la /var/www/xamxam/public/index.php
groups www-data # Should include xamxam
```
### 502 Bad Gateway
@@ -153,15 +153,15 @@ sudo systemctl restart php8.4-fpm
### Admin Password Not Working
```bash
sudo htpasswd /etc/nginx/.htpasswd-posterg admin
sudo htpasswd /etc/nginx/.htpasswd-xamxam admin
```
## 📊 Monitoring
```bash
# Watch logs
sudo tail -f /var/log/nginx/posterg_access.log
sudo tail -f /var/log/nginx/posterg_error.log
sudo tail -f /var/log/nginx/xamxam_access.log
sudo tail -f /var/log/nginx/xamxam_error.log
# Check status
sudo systemctl status nginx
@@ -171,7 +171,7 @@ sudo systemctl status nginx
After deployment, verify:
- [ ] Public site accessible at https://posterg.erg.be/
- [ ] Public site accessible at https://xamxam.erg.be/
- [ ] Admin panel requires password
- [ ] Database files return 403 Forbidden
- [ ] Source files return 403 Forbidden
@@ -185,19 +185,19 @@ After deployment, verify:
just deploy
# Reload nginx if config changed
ssh posterg "sudo systemctl reload nginx"
ssh xamxam "sudo systemctl reload nginx"
```
## 🆘 Emergency Recovery
```bash
# Restore default nginx config
ssh posterg
sudo rm /etc/nginx/sites-enabled/posterg
ssh xamxam
sudo rm /etc/nginx/sites-enabled/xamxam
sudo systemctl reload nginx
# Reset permissions
sudo chown -R www-data:posterg /var/www/posterg/
sudo chown -R www-data:xamxam /var/www/xamxam/
sudo find /var/www/posterg -type d -exec chmod 755 {} \;
sudo find /var/www/posterg -type f -exec chmod 644 {} \;
```

74
nginx/docs/QUICK_REFERENCE.md
View File

@@ -4,8 +4,8 @@
```bash
# Copy nginx config
sudo cp nginx/posterg.conf /etc/nginx/sites-available/posterg
sudo ln -s /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/
sudo cp nginx/xamxam.conf /etc/nginx/sites-available/xamxam
sudo ln -s /etc/nginx/sites-available/xamxam /etc/nginx/sites-enabled/
sudo rm -f /etc/nginx/sites-enabled/default
# Test and reload
@@ -23,16 +23,16 @@ sudo bash /tmp/manage-admin-users.sh
# Or manual commands:
# Add new user
sudo htpasswd /etc/nginx/.htpasswd-posterg username
sudo htpasswd /etc/nginx/.htpasswd-xamxam username
# Change password for existing user
sudo htpasswd /etc/nginx/.htpasswd-posterg username
sudo htpasswd /etc/nginx/.htpasswd-xamxam username
# Remove user
sudo htpasswd -D /etc/nginx/.htpasswd-posterg username
sudo htpasswd -D /etc/nginx/.htpasswd-xamxam username
# List all users
sudo cut -d: -f1 /etc/nginx/.htpasswd-posterg
sudo cut -d: -f1 /etc/nginx/.htpasswd-xamxam
```
### Nginx Control
@@ -61,26 +61,26 @@ sudo systemctl status nginx
```bash
# Public site access log
sudo tail -f /var/log/nginx/posterg_access.log
sudo tail -f /var/log/nginx/xamxam_access.log
# Public site errors
sudo tail -f /var/log/nginx/posterg_error.log
sudo tail -f /var/log/nginx/xamxam_error.log
# SSL access log
sudo tail -f /var/log/nginx/posterg_ssl_access.log
sudo tail -f /var/log/nginx/xamxam_ssl_access.log
# Search for specific pattern
sudo grep "404" /var/log/nginx/posterg_access.log
sudo grep "404" /var/log/nginx/xamxam_access.log
# Count requests by IP
sudo awk '{print $1}' /var/log/nginx/posterg_access.log | sort | uniq -c | sort -nr | head
sudo awk '{print $1}' /var/log/nginx/xamxam_access.log | sort | uniq -c | sort -nr | head
```
### SSL/HTTPS
```bash
# Get SSL certificate (Let's Encrypt)
sudo certbot --nginx -d posterg.erg.be -d www.posterg.erg.be
sudo certbot --nginx -d xamxam.erg.be -d www.xamxam.erg.be
# Renew certificates
sudo certbot renew
@@ -98,10 +98,10 @@ sudo certbot renew --dry-run
```bash
# Should require password (returns 401)
curl -I https://posterg.erg.be/admin/
curl -I https://xamxam.erg.be/admin/
# With authentication
curl -u admin:password https://posterg.erg.be/admin/
curl -u admin:password https://xamxam.erg.be/admin/
```
### Test Rate Limiting
@@ -109,7 +109,7 @@ curl -u admin:password https://posterg.erg.be/admin/
```bash
# Should show increasing 429 responses after limit
for i in {1..50}; do
curl -s -o /dev/null -w "%{http_code}\n" https://posterg.erg.be/
curl -s -o /dev/null -w "%{http_code}\n" https://xamxam.erg.be/
done
```
@@ -117,16 +117,16 @@ done
```bash
# Should return 403
curl -I https://posterg.erg.be/storage/posterg.db
curl -I https://posterg.erg.be/shared/Database.php
curl -I https://posterg.erg.be/.env
curl -I https://xamxam.erg.be/storage/xamxam.db
curl -I https://xamxam.erg.be/shared/Database.php
curl -I https://xamxam.erg.be/.env
```
### Test Security Headers
```bash
# Check all security headers
curl -I https://posterg.erg.be/ 2>&1 | grep -E "X-|Strict-Transport|Referrer|Permissions"
curl -I https://xamxam.erg.be/ 2>&1 | grep -E "X-|Strict-Transport|Referrer|Permissions"
```
## Troubleshooting
@@ -136,10 +136,10 @@ curl -I https://posterg.erg.be/ 2>&1 | grep -E "X-|Strict-Transport|Referrer|Per
**403 Forbidden on admin**
```bash
# Check htpasswd file exists
sudo ls -l /etc/nginx/.htpasswd-posterg
sudo ls -l /etc/nginx/.htpasswd-xamxam
# Check permissions
sudo chmod 644 /etc/nginx/.htpasswd-posterg
sudo chmod 644 /etc/nginx/.htpasswd-xamxam
```
**502 Bad Gateway**
@@ -167,10 +167,10 @@ sudo tail -50 /var/log/nginx/error.log
```bash
# Disable password protection temporarily
sudo nano /etc/nginx/sites-available/posterg
sudo nano /etc/nginx/sites-available/xamxam
# Comment out these lines in /admin/ location:
# auth_basic "Admin Access - Post-ERG";
# auth_basic_user_file /etc/nginx/.htpasswd-posterg;
# auth_basic_user_file /etc/nginx/.htpasswd-xamxam;
# Reload nginx
sudo nginx -t && sudo systemctl reload nginx
@@ -186,7 +186,7 @@ sudo ss -tulpn | grep nginx
watch -n 1 'ps aux | grep nginx'
# Check request rate
sudo tail -f /var/log/nginx/posterg_access.log | pv -l -r > /dev/null
sudo tail -f /var/log/nginx/xamxam_access.log | pv -l -r > /dev/null
# Disk usage of logs
sudo du -sh /var/log/nginx/*
@@ -202,29 +202,29 @@ sudo nginx -s reopen
sudo find /var/log/nginx -name "*.log" -mtime +7 -delete
# Backup configuration
sudo cp /etc/nginx/sites-available/posterg /etc/nginx/sites-available/posterg.backup.$(date +%Y%m%d)
sudo cp /etc/nginx/sites-available/xamxam /etc/nginx/sites-available/xamxam.backup.$(date +%Y%m%d)
# Backup password file
sudo cp /etc/nginx/.htpasswd-posterg /etc/nginx/.htpasswd-posterg.backup.$(date +%Y%m%d)
sudo cp /etc/nginx/.htpasswd-xamxam /etc/nginx/.htpasswd-xamxam.backup.$(date +%Y%m%d)
```
## Security Checklist
- [ ] Admin password set: `sudo ls -l /etc/nginx/.htpasswd-posterg`
- [ ] SSL enabled: `curl -I https://posterg.erg.be/`
- [ ] Database blocked: `curl -I https://posterg.erg.be/storage/posterg.db`
- [ ] Shared directory blocked: `curl -I https://posterg.erg.be/shared/Database.php`
- [ ] Admin password set: `sudo ls -l /etc/nginx/.htpasswd-xamxam`
- [ ] SSL enabled: `curl -I https://xamxam.erg.be/`
- [ ] Database blocked: `curl -I https://xamxam.erg.be/storage/xamxam.db`
- [ ] Shared directory blocked: `curl -I https://xamxam.erg.be/shared/Database.php`
- [ ] Rate limiting working: Test with curl loop
- [ ] Security headers present: `curl -I https://posterg.erg.be/ | grep X-`
- [ ] Logs accessible: `sudo tail /var/log/nginx/posterg_access.log`
- [ ] Security headers present: `curl -I https://xamxam.erg.be/ | grep X-`
- [ ] Logs accessible: `sudo tail /var/log/nginx/xamxam_access.log`
## Configuration Paths
- **Nginx config**: `/etc/nginx/sites-available/posterg`
- **Password file**: `/etc/nginx/.htpasswd-posterg`
- **SSL certificates**: `/etc/letsencrypt/live/posterg.erg.be/`
- **Access logs**: `/var/log/nginx/posterg_access.log`
- **Error logs**: `/var/log/nginx/posterg_error.log`
- **Nginx config**: `/etc/nginx/sites-available/xamxam`
- **Password file**: `/etc/nginx/.htpasswd-xamxam`
- **SSL certificates**: `/etc/letsencrypt/live/xamxam.erg.be/`
- **Access logs**: `/var/log/nginx/xamxam_access.log`
- **Error logs**: `/var/log/nginx/xamxam_error.log`
- **PHP-FPM config**: `/etc/php/8.2/fpm/pool.d/www.conf`
- **PHP-FPM socket**: `/var/run/php/php8.2-fpm.sock`

4
nginx/docs/SECURITY_HEADERS.md
View File

@@ -1,4 +1,4 @@
# Security Headers — nginx/posterg.conf
# Security Headers — nginx/xamxam.conf
## Headers in use (main server block — all pages)
@@ -18,7 +18,7 @@
These were previously declared in `public/admin/.htaccess` as Apache
`mod_headers` directives, which nginx silently ignores. They are now
properly configured in `nginx/posterg.conf`.
properly configured in `nginx/xamxam.conf`.
enforced directly; see `HTACCESS_TO_NGINX.md` for the full migration log.
## Intentionally omitted headers

52
nginx/docs/TEST_DATABASE_SETUP.md
View File

@@ -13,7 +13,7 @@ just deploy-db
This automatically:
1. ✅ Checks remote DB doesn't exist (safety check)
2. ✅ Uploads `storage/test.db` to the server
3. ✅ Sets correct permissions (660, www-data:posterg)
3. ✅ Sets correct permissions (660, www-data:xamxam)
---
@@ -22,7 +22,7 @@ This automatically:
### 1. Install PHP SQLite Extension
```bash
ssh posterg
ssh xamxam
sudo apt update
sudo apt install php8.4-sqlite3
sudo systemctl restart php8.4-fpm
@@ -31,7 +31,7 @@ sudo systemctl restart php8.4-fpm
### 2. Verify Installation
```bash
ssh posterg
ssh xamxam
php -m | grep sqlite3
# Should output: pdo_sqlite, sqlite3
```
@@ -58,20 +58,20 @@ just deploy-db
### 3. Test the Site
Visit: https://posterg.erg.be/
Visit: https://xamxam.erg.be/
### 4. Check What Database is Being Used
```bash
ssh posterg
php -r "require_once '/var/www/posterg/src/Database.php'; echo 'Using: ' . Database::getInstance()->getDatabasePath() . PHP_EOL;"
ssh xamxam
php -r "require_once '/var/www/xamxam/src/Database.php'; echo 'Using: ' . Database::getInstance()->getDatabasePath() . PHP_EOL;"
```
### 5. Switch Back to Production
```bash
ssh posterg
rm /var/www/posterg/storage/test.db
ssh xamxam
rm /var/www/xamxam/storage/test.db
```
---
@@ -79,11 +79,11 @@ rm /var/www/posterg/storage/test.db
## 🔒 Permissions Explained
```
/var/www/posterg/storage/
drwxrwxr-x www-data posterg # 775 - group writable
/var/www/xamxam/storage/
drwxrwxr-x www-data xamxam # 775 - group writable
/var/www/posterg/storage/test.db
-rw-rw---- www-data posterg # 660 - owner/group read/write
/var/www/xamxam/storage/test.db
-rw-rw---- www-data xamxam # 660 - owner/group read/write
```
---
@@ -93,7 +93,7 @@ drwxrwxr-x www-data posterg # 775 - group writable
### "could not find driver"
```bash
ssh posterg
ssh xamxam
sudo apt install php8.4-sqlite3
sudo systemctl restart php8.4-fpm
```
@@ -101,18 +101,18 @@ sudo systemctl restart php8.4-fpm
### "unable to open database file"
```bash
ssh posterg
chown www-data:posterg /var/www/posterg/storage/test.db
chmod 660 /var/www/posterg/storage/test.db
chmod 775 /var/www/posterg/storage/
ssh xamxam
chown www-data:xamxam /var/www/xamxam/storage/test.db
chmod 660 /var/www/xamxam/storage/test.db
chmod 775 /var/www/xamxam/storage/
```
### "attempt to write a readonly database"
```bash
ssh posterg
chmod 775 /var/www/posterg/storage/
rm -f /var/www/posterg/storage/test.db-*
ssh xamxam
chmod 775 /var/www/xamxam/storage/
rm -f /var/www/xamxam/storage/test.db-*
```
---
@@ -126,8 +126,8 @@ rm -f /var/www/posterg/storage/test.db-*
### Backup Production Database
```bash
ssh posterg
cp /var/www/posterg/storage/posterg.db /var/www/posterg/storage/posterg.db.backup.$(date +%Y%m%d)
ssh xamxam
cp /var/www/xamxam/storage/posterg.db /var/www/xamxam/storage/posterg.db.backup.$(date +%Y%m%d)
```
---
@@ -146,7 +146,7 @@ cp /var/www/posterg/storage/posterg.db /var/www/posterg/storage/posterg.db.backu
After running `just deploy-db`, verify:
- [ ] Database file exists: `ssh posterg "ls -la /var/www/posterg/storage/test.db"`
- [ ] Correct permissions: `-rw-rw---- www-data posterg`
- [ ] Site loads: Visit https://posterg.erg.be/
- [ ] No errors in logs: `ssh posterg "tail /var/log/nginx/posterg_error.log"`
- [ ] Database file exists: `ssh xamxam "ls -la /var/www/xamxam/storage/test.db"`
- [ ] Correct permissions: `-rw-rw---- www-data xamxam`
- [ ] Site loads: Visit https://xamxam.erg.be/
- [ ] No errors in logs: `ssh xamxam "tail /var/log/nginx/xamxam_error.log"`

14
nginx/posterg.conf → nginx/xamxam.conf
View File

@@ -1,6 +1,6 @@
# Nginx configuration for Post-ERG thesis website (Production)
# Place this in /etc/nginx/sites-available/posterg
# Then symlink: ln -s /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/
# Nginx configuration for XAMXAM thesis website (Production)
# Place this in /etc/nginx/sites-available/xamxam
# Then symlink: ln -s /etc/nginx/sites-available/xamxam /etc/nginx/sites-enabled/
# Rate limiting zones
limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
@@ -15,7 +15,7 @@ server {
listen 80 default_server;
listen [::]:80 default_server;
server_name posterg.erg.be www.posterg.erg.be;
server_name xamxam.erg.be www.xamxam.erg.be;
# Document root points to /public (only web-accessible files)
# Deployed structure: /var/www/xamxam/
@@ -49,8 +49,8 @@ server {
client_body_timeout 120s;
# Logging
access_log /var/log/nginx/posterg_access.log;
error_log /var/log/nginx/posterg_error.log warn;
access_log /var/log/nginx/xamxam_access.log;
error_log /var/log/nginx/xamxam_error.log warn;
# Block access to hidden files (except .well-known for Let's Encrypt)
location ~ /\.(?!well-known).* {
@@ -115,7 +115,7 @@ server {
location ^~ /admin/ {
# HTTP Basic Authentication (first layer)
auth_basic "Admin Access - Post-ERG";
auth_basic_user_file /etc/nginx/.htpasswd-posterg;
auth_basic_user_file /etc/nginx/.htpasswd-xamxam;
# Rate limiting for admin
limit_req zone=admin burst=20 nodelay;

16
nginx/posterg.conf.reference → nginx/xamxam.conf.reference
View File

@@ -1,7 +1,7 @@
# Nginx configuration for Post-ERG thesis website (Production)
# Updated for new directory structure
# Place this in /etc/nginx/sites-available/posterg
# Then symlink: ln -s /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/
# Place this in /etc/nginx/sites-available/xamxam
# Then symlink: ln -s /etc/nginx/sites-available/xamxam /etc/nginx/sites-enabled/
# Rate limiting zones
limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
@@ -13,10 +13,10 @@ server {
listen 80 default_server;
listen [::]:80 default_server;
server_name posterg.erg.be www.posterg.erg.be;
server_name xamxam.erg.be www.xamxam.erg.be;
# Document root points to /public (only web-accessible files)
# Project structure: /var/www/posterg/
# Project structure: /var/www/xamxam/
# /config - Configuration (outside webroot)
# /docs - Documentation (outside webroot)
# /nginx - Server configs (outside webroot)
@@ -28,7 +28,7 @@ server {
# /storage - SQLite databases (outside webroot)
# /templates - PHP templates (outside webroot)
# /tests - Test suites (outside webroot)
root /var/www/posterg/public;
root /var/www/xamxam/public;
# Add index.php to the list
index index.php index.html index.htm;
@@ -49,8 +49,8 @@ server {
client_body_timeout 120s;
# Logging
access_log /var/log/nginx/posterg_access.log;
error_log /var/log/nginx/posterg_error.log warn;
access_log /var/log/nginx/xamxam_access.log;
error_log /var/log/nginx/xamxam_error.log warn;
# Block access to hidden files (except .well-known for Let's Encrypt)
location ~ /\.(?!well-known).* {
@@ -115,7 +115,7 @@ server {
location ^~ /admin/ {
# HTTP Basic Authentication (first layer)
auth_basic "Admin Access - Post-ERG";
auth_basic_user_file /etc/nginx/.htpasswd-posterg;
auth_basic_user_file /etc/nginx/.htpasswd-xamxam;
# Rate limiting for admin
limit_req zone=admin burst=5 nodelay;