# Nginx Configuration - Post-ERG

This directory contains nginx configuration and documentation for the Post-ERG thesis website.

## 📁 Files

- **`posterg.conf`** - Complete nginx configuration file
- **`scripts/`** - Server setup scripts
  - `setup-password.sh` - Create admin passwords
  - `install-php-sqlite.sh` - Install PHP SQLite extension
  - `fix-paths.sh` - Fix PHP include paths
- **`docs/`** - Documentation
  - `PRODUCTION_DEPLOYMENT.md` - Deployment guide
  - `QUICK_REFERENCE.md` - Command reference
  - `ADMIN_USERS.md` - User management
  - `SECURITY_HEADERS.md` - Security headers reference
  - `PHP_AUTH_LAYER.md` - Authentication layer documentation
  - `HTACCESS_TO_NGINX.md` - Apache to nginx migration notes
  - `TEST_DATABASE_SETUP.md` - Test database deployment

## 🚀 Quick Start

### Deploy nginx configuration

```bash
# From your local machine
just deploy-nginx

# Then on the server:
ssh posterg
sudo bash /tmp/deploy-server.sh
sudo systemctl reload nginx
```

The deployment script will:

- ✅ Fix file permissions (www-data:posterg)
- ✅ Install nginx configuration
- ✅ Test and reload nginx
- ✅ Verify PHP-FPM is running

### Manage admin users

```bash
just manage-admin-users
ssh posterg "sudo bash /tmp/manage-admin-users.sh"
```

## 🔒 Security Features

### Admin Panel Protection

- **Password required** for `/admin/`
- HTTP Basic Authentication
- Rate limited: 10 requests/minute

### File Access Protection

- Database files (`.db`) - **BLOCKED**
- Sensitive files (`.md`, `.sql`, `.env`) - **BLOCKED**
- `/src` directory - **BLOCKED**
- `/templates` directory - **BLOCKED**
- `/config` directory - **BLOCKED**
- `/storage` directory - **BLOCKED**
- Hidden files (`.git`, etc.) - **BLOCKED**

### Rate Limiting

- General requests: 30/minute
- Search endpoint: 30/minute
- Admin panel: 10/minute

### Security Headers

- ✅ X-Frame-Options (clickjacking protection)
- ✅ X-Content-Type-Options (MIME sniffing protection)
- ✅ Strict-Transport-Security (force HTTPS)
- ✅ Referrer-Policy (referrer control)
- ✅ Permissions-Policy (disable browser features)

## 📚 Documentation

- **[docs/PRODUCTION_DEPLOYMENT.md](docs/PRODUCTION_DEPLOYMENT.md)** - Complete deployment guide
- **[docs/QUICK_REFERENCE.md](docs/QUICK_REFERENCE.md)** - Command reference and troubleshooting
- **[docs/ADMIN_USERS.md](docs/ADMIN_USERS.md)** - Admin user management
- **[docs/SECURITY_HEADERS.md](docs/SECURITY_HEADERS.md)** - Security headers reference

## 🧪 Testing

```bash
# Test admin authentication
curl -I https://posterg.erg.be/admin/

# Test file protection
curl -I https://posterg.erg.be/storage/test.db

# Test security headers (-i: HTTP/2 responses use lowercase header names)
curl -sI https://posterg.erg.be/ | grep -iE "X-|Strict-Transport"
```

## 🆘 Quick Help

### Admin can't log in

```bash
sudo htpasswd /etc/nginx/.htpasswd-posterg admin
```

### 502 Bad Gateway

```bash
sudo systemctl status php8.4-fpm
sudo systemctl restart php8.4-fpm
```

### Configuration errors

```bash
sudo nginx -t
```

## 📊 Monitoring

```bash
# Watch logs
sudo tail -f /var/log/nginx/posterg_access.log
sudo tail -f /var/log/nginx/posterg_error.log

# Check nginx status
sudo systemctl status nginx
```
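
The `grep` in the Testing section matches only three of the five headers listed under Security Headers. The script below is an added example, not part of the Post-ERG repository: it reads `curl -sI` output and names whichever of the five headers are absent, comparing names case-insensitively because HTTP/2 responses carry lowercase header names. The function names and the sample header values are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the Post-ERG repository).
# Usage: curl -sI https://posterg.erg.be/ | missing_security_headers

# The five headers this README lists under "Security Headers".
REQUIRED_HEADERS="X-Frame-Options X-Content-Type-Options Strict-Transport-Security Referrer-Policy Permissions-Policy"

# Reads raw response headers on stdin. Prints each missing header name,
# one per line, and returns 1 if any is missing (0 if all are present).
missing_security_headers() {
    local names h want status=0
    # Strip CR, keep only the text before the first colon, lowercase it.
    names=$(tr -d '\r' \
        | sed -n 's/^\([^:[:space:]]*\):.*/\1/p' \
        | tr '[:upper:]' '[:lower:]')
    for h in $REQUIRED_HEADERS; do
        want=$(printf '%s' "$h" | tr '[:upper:]' '[:lower:]')
        # -x: whole-line match, so "x-frame-options-foo" does not count.
        if ! printf '%s\n' "$names" | grep -qxF "$want"; then
            printf '%s\n' "$h"
            status=1
        fi
    done
    return $status
}

# Constructed sample: HTTP/2-style lowercase names, all five present.
# Header values are placeholders, not the project's real settings.
sample_ok() {
    printf 'HTTP/2 200\r\nserver: nginx\r\nx-frame-options: SAMEORIGIN\r\n'
    printf 'x-content-type-options: nosniff\r\n'
    printf 'strict-transport-security: max-age=31536000\r\n'
    printf 'referrer-policy: no-referrer\r\npermissions-policy: geolocation=()\r\n\r\n'
}

# Constructed sample: the two headers the README grep never matches are absent.
sample_partial() {
    printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n'
    printf 'X-Content-Type-Options: nosniff\r\n'
    printf 'Strict-Transport-Security: max-age=31536000\r\n\r\n'
}
```

The check covers presence only, not header values. Run it against `/admin/` and an error page as well as `/`: nginx drops inherited `add_header` directives in any block that defines its own, and omits them on most error statuses unless `always` is set.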