Nginx config, working deploy, basic theme, repo cleanup

nginx/DEPLOY_NOW.md

@@ -0,0 +1,276 @@
+# 🚀 Deploy Production Nginx Configuration
+
+Quick guide to fix the current 403 Forbidden errors and deploy production-ready nginx setup.
+
+## Current Issue
+
+The site returns **403 Forbidden** because:
+- Files are owned by `theophile:theophile` 
+- Nginx runs as `www-data` (member of `posterg` group)
+- Files have `640` permissions but wrong group
+- Nginx can't read the files
+
+## Solution
+
+Deploy the production configuration which will:
+1. ✅ Fix file permissions (change group to `posterg`)
+2. ✅ Add security hardening (rate limiting, file blocking)
+3. ✅ Set up admin password protection
+4. ✅ Configure proper PHP handling
+
+---
+
+## 🎯 Quick Deploy (2 steps)
+
+### Step 1: Upload to Server
+
+From your local machine:
+
+```bash
+just deploy-nginx-production
+```
+
+### Step 2: Run on Server
+
+```bash
+ssh posterg
+sudo bash /tmp/deploy-production.sh
+```
+
+That's it! The site should work after this.
+
+---
+
+## 📝 What the Script Does
+
+The deployment script will:
+
+1. **Fix Permissions**
+   - Change ownership: `theophile:posterg` (so www-data can read)
+   - Directories: `755` (readable by all)
+   - Files: `640` (readable by owner and group)
+   - Upload dirs: `775` (writable by group)
+
+2. **Setup Admin Password**
+   - Creates `/etc/nginx/.htpasswd-posterg` if missing
+   - Prompts for username and password
+
+3. **Install Nginx Config**
+   - Backs up existing config
+   - Installs production config
+   - Creates symlink in sites-enabled
+   - Removes default site
+
+4. **Test & Reload**
+   - Tests nginx configuration
+   - Reloads nginx if valid
+   - Verifies PHP-FPM is running
+
+---
+
+## 🔒 Security Features Added
+
+The new configuration adds:
+
+✅ **Rate Limiting**
+- General: 30 requests/minute
+- Search: 30 requests/minute  
+- Admin: 10 requests/minute
+
+✅ **File Protection**
+- Database files (`.db`) → 403 Forbidden
+- Sensitive files (`.md`, `.sql`, `.txt`) → 403 Forbidden
+- `/database/` directory → 403 Forbidden
+- `/shared/` directory → 403 Forbidden
+- `/data/` directory → 403 Forbidden
+- Hidden files (`.git`, `.env`) → 403 Forbidden
+
+✅ **Admin Panel Protection**
+- `/formulaire/` requires HTTP Basic Authentication
+- Rate limited to 10 requests/minute
+- Hidden from search engines
+
+✅ **Security Headers**
+- X-Frame-Options (clickjacking protection)
+- X-Content-Type-Options (MIME sniffing protection)
+- X-XSS-Protection
+- Referrer-Policy
+- Permissions-Policy
+
+✅ **File Upload**
+- Max size: 100MB
+- Timeouts: 120 seconds
+- Upload directories writable by www-data
+
+---
+
+## 🧪 Testing After Deployment
+
+On the server:
+
+```bash
+# Should return 200 OK now
+curl -I http://localhost/
+
+# Should return HTML content
+curl http://localhost/index.php | head -n 20
+
+# Admin should ask for password (401)
+curl -I http://localhost/formulaire/
+
+# Database should be blocked (403)
+curl -I http://localhost/database/posterg.db
+
+# Sensitive files should be blocked (403)
+curl -I http://localhost/README.md
+curl -I http://localhost/shared/Database.php
+```
+
+From your browser:
+- Visit https://posterg.erg.be/ → Should work!
+- Visit https://posterg.erg.be/formulaire/ → Should ask for password
+
+---
+
+## 🔧 Manual Steps (If Script Fails)
+
+If the automated script fails, here's the manual process:
+
+### Fix Permissions
+
+```bash
+ssh posterg
+sudo chown -R theophile:posterg /var/www/html/
+sudo find /var/www/html -type d -exec chmod 755 {} \;
+sudo find /var/www/html -type f -exec chmod 640 {} \;
+sudo chmod 775 /var/www/html/formulaire/data/theses
+sudo chmod 775 /var/www/html/formulaire/data/covers
+```
+
+### Install Config
+
+```bash
+# On server
+sudo cp /tmp/posterg.conf /etc/nginx/sites-available/posterg
+sudo ln -sf /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/posterg
+sudo rm -f /etc/nginx/sites-enabled/default
+sudo nginx -t
+sudo systemctl reload nginx
+```
+
+### Setup Admin Password
+
+```bash
+sudo htpasswd -c /etc/nginx/.htpasswd-posterg admin
+# Enter password when prompted
+```
+
+---
+
+## 🆘 Troubleshooting
+
+### Still Getting 403 Forbidden
+
+**Check file ownership:**
+```bash
+ls -la /var/www/html/index.php
+# Should show: -rw-r----- theophile posterg
+```
+
+**Check nginx user is in posterg group:**
+```bash
+groups www-data
+# Should show: www-data : www-data posterg
+```
+
+### Can't Access Admin Panel
+
+**Verify password file:**
+```bash
+ls -la /etc/nginx/.htpasswd-posterg
+# Should exist and be readable
+```
+
+**Test with credentials:**
+```bash
+curl -u admin:your_password http://localhost/formulaire/
+```
+
+### PHP Not Working (500 Error)
+
+**Check PHP-FPM:**
+```bash
+sudo systemctl status php8.4-fpm
+sudo systemctl restart php8.4-fpm
+```
+
+**Check socket:**
+```bash
+ls -la /var/run/php/php8.4-fpm.sock
+# Should exist
+```
+
+### View Error Logs
+
+```bash
+# Nginx errors
+sudo tail -f /var/log/nginx/posterg_error.log
+
+# PHP errors  
+sudo tail -f /var/www/html/error.log
+```
+
+---
+
+## 📊 Current vs Production Config
+
+| Feature | Current (Default) | Production |
+|---------|------------------|------------|
+| PHP Version | ✅ 8.4 | ✅ 8.4 |
+| File Protection | ❌ None | ✅ Comprehensive |
+| Rate Limiting | ❌ None | ✅ Yes |
+| Admin Password | ❌ None | ✅ Yes |
+| Security Headers | ❌ None | ✅ Yes |
+| Upload Size | ⚠️ Default (2MB) | ✅ 100MB |
+| Logging | ⚠️ Generic | ✅ Separate logs |
+
+---
+
+## ✅ Success Checklist
+
+After deployment, verify:
+
+- [ ] Public site loads: https://posterg.erg.be/
+- [ ] Admin requires password: https://posterg.erg.be/formulaire/
+- [ ] Search works
+- [ ] Individual thesis pages work
+- [ ] Database is protected (403)
+- [ ] Sensitive files blocked (403)
+- [ ] No errors in logs
+- [ ] File uploads work (in admin)
+
+---
+
+## 📞 Need Help?
+
+1. **Check logs first:**
+   ```bash
+   sudo tail -50 /var/log/nginx/posterg_error.log
+   ```
+
+2. **Test nginx config:**
+   ```bash
+   sudo nginx -t
+   ```
+
+3. **Restart services:**
+   ```bash
+   sudo systemctl restart php8.4-fpm
+   sudo systemctl reload nginx
+   ```
+
+4. **Check service status:**
+   ```bash
+   sudo systemctl status nginx
+   sudo systemctl status php8.4-fpm
+   ```