# Nginx Setup for Post-ERG

Complete setup guide for nginx with security features and password protection.

## Prerequisites

- Ubuntu/Debian server with root access
- Nginx installed
- PHP-FPM installed (PHP 8.4)
- Domain name pointed to your server

## Quick Setup (Recommended)

### 1. Deploy from your local machine

```bash
just deploy-nginx
```

### 2. Apply on the server

```bash
ssh xamxam
sudo bash /tmp/deploy-server.sh
```

### 3. Set admin password (first time only)

```bash
just manage-admin-users
ssh xamxam "sudo bash /tmp/manage-admin-users.sh"
```

## Manual Setup Steps

### 1. Install Required Packages

```bash
sudo apt update
sudo apt install nginx apache2-utils php8.4-fpm
```

### 2. Create Admin Password

```bash
just manage-admin-users
# Then on the server:
ssh xamxam "sudo bash /tmp/manage-admin-users.sh"
```

### 3. Copy Nginx Configuration

```bash
sudo cp nginx/xamxam.conf /etc/nginx/sites-available/xamxam
sudo ln -s /etc/nginx/sites-available/xamxam /etc/nginx/sites-enabled/
sudo rm -f /etc/nginx/sites-enabled/default
```

### 4. Test and Reload

```bash
sudo nginx -t
sudo systemctl reload nginx
sudo systemctl status nginx
```

## Testing

### Test Admin Authentication

```bash
# Should return 401
curl -I https://xamxam.erg.be/admin/

# With credentials
curl -u admin:password https://xamxam.erg.be/admin/
```

### Test File Protection

```bash
# Should return 403
curl -I https://xamxam.erg.be/storage/test.db
curl -I https://xamxam.erg.be/src/Database.php
```

### Test Security Headers

```bash
curl -I https://xamxam.erg.be/ | grep -E "X-|Strict-Transport"
```

## Troubleshooting

### 403 Forbidden on admin
```bash
sudo ls -l /etc/nginx/.htpasswd-xamxam
sudo chmod 644 /etc/nginx/.htpasswd-xamxam
```

### 502 Bad Gateway
```bash
sudo systemctl status php8.4-fpm
sudo systemctl restart php8.4-fpm
```

### Configuration errors
```bash
sudo nginx -t
```

## Maintenance

### Change Admin Password
```bash
sudo htpasswd /etc/nginx/.htpasswd-xamxam admin
```

### Reload Configuration
```bash
sudo nginx -t && sudo systemctl reload nginx
```

## See Also

- **[docs/PRODUCTION_DEPLOYMENT.md](docs/PRODUCTION_DEPLOYMENT.md)** - Detailed deployment
- **[docs/QUICK_REFERENCE.md](docs/QUICK_REFERENCE.md)** - Command reference
- **[docs/ADMIN_USERS.md](docs/ADMIN_USERS.md)** - User management