# 🚀 Deploy Production Nginx Configuration

Quick guide to fix the current 403 Forbidden errors and deploy a production-ready nginx setup.

## Current Issue

The site returns **403 Forbidden** because:

- Files are owned by `theophile:theophile`
- Nginx runs as `www-data` (a member of the `posterg` group)
- Files have `640` permissions but the wrong group
- So nginx (and the PHP-FPM pool, which on Debian also runs as `www-data`) cannot read the files

## Solution

Deploy the production configuration, which will:

1. ✅ Fix file permissions (change group to `posterg`)
2. ✅ Add security hardening (rate limiting, file blocking)
3. ✅ Set up admin password protection
4. ✅ Configure proper PHP handling

---

## 🎯 Quick Deploy (2 steps)

### Step 1: Upload to Server

From your local machine:

```bash
just deploy-nginx-production
```

### Step 2: Run on Server

```bash
ssh posterg
sudo bash /tmp/deploy-production.sh
```

That's it! The site should work after this.

---

## 📝 What the Script Does

The deployment script will:

1. **Fix Permissions**
   - Change ownership: `theophile:posterg` (so `www-data` can read)
   - Directories: `755` (readable by all)
   - Files: `640` (readable by owner and group)
   - Upload dirs: `775` (writable by group)

2. **Setup Admin Password**
   - Creates `/etc/nginx/.htpasswd-posterg` if missing
   - Prompts for username and password

3. **Install Nginx Config**
   - Backs up existing config
   - Installs production config
   - Creates symlink in sites-enabled
   - Removes default site

4. **Test & Reload**
   - Tests nginx configuration
   - Reloads nginx if valid
   - Verifies PHP-FPM is running

---

## 🔒 Security Features Added

The new configuration adds:

✅ **Rate Limiting**
- General: 30 requests/minute
- Search: 30 requests/minute
- Admin: 10 requests/minute

✅ **File Protection**
- Database files (`.db`) → 403 Forbidden
- Sensitive files (`.md`, `.sql`, `.txt`) → 403 Forbidden (note that a blanket `.txt` rule also catches `/robots.txt`, which needs an explicit exception if you rely on it)
- `/database/` directory → 403 Forbidden
- `/shared/` directory → 403 Forbidden
- `/data/` directory → 403 Forbidden
- Hidden files (`.git`, `.env`) → 403 Forbidden

✅ **Admin Panel Protection**
- `/formulaire/` requires HTTP Basic Authentication (credentials are only base64-encoded on every request, so the panel must only be reachable over HTTPS)
- Rate limited to 10 requests/minute
- Hidden from search engines

✅ **Security Headers**
- X-Frame-Options (clickjacking protection)
- X-Content-Type-Options (MIME sniffing protection)
- X-XSS-Protection (legacy; current browsers ignore it)
- Referrer-Policy
- Permissions-Policy

✅ **File Upload**
- Max size: 100MB (nginx `client_max_body_size`; PHP's `upload_max_filesize` and `post_max_size` must be raised to match, otherwise uploads still stop at PHP's 2M default)
- Timeouts: 120 seconds
- Upload directories writable by `www-data`

---

## 🧪 Testing After Deployment

On the server:

```bash
# Should return 200 OK now
curl -I http://localhost/

# Should return HTML content
curl http://localhost/index.php | head -n 20

# Admin should ask for password (401)
curl -I http://localhost/formulaire/

# Database should be blocked (403)
curl -I http://localhost/database/posterg.db

# Sensitive files should be blocked (403)
curl -I http://localhost/README.md
curl -I http://localhost/shared/Database.php
```

From your browser:

- Visit https://posterg.erg.be/ → Should work!
- Visit https://posterg.erg.be/formulaire/ → Should ask for password

---

## 🔧 Manual Steps (If Script Fails)

If the automated script fails, here's the manual process:

### Fix Permissions

```bash
ssh posterg
sudo chown -R theophile:posterg /var/www/html/
sudo find /var/www/html -type d -exec chmod 755 {} \;
sudo find /var/www/html -type f -exec chmod 640 {} \;
sudo chmod 775 /var/www/html/formulaire/data/theses
sudo chmod 775 /var/www/html/formulaire/data/covers
```

### Install Config

```bash
# On server
sudo cp /tmp/posterg.conf /etc/nginx/sites-available/posterg
sudo ln -sf /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/posterg
sudo rm -f /etc/nginx/sites-enabled/default
sudo nginx -t
sudo systemctl reload nginx
```

### Setup Admin Password

```bash
sudo htpasswd -c /etc/nginx/.htpasswd-posterg admin
# Enter password when prompted
```

---

## 🆘 Troubleshooting

### Still Getting 403 Forbidden

**Check file ownership:**

```bash
ls -la /var/www/html/index.php
# Should show: -rw-r----- theophile posterg
```

**Check nginx user is in posterg group:**

```bash
groups www-data
# Should show: www-data : www-data posterg
```

### Can't Access Admin Panel

**Verify password file:**

```bash
ls -la /etc/nginx/.htpasswd-posterg
# Should exist and be readable
```

**Test with credentials:**

```bash
curl -u admin:your_password http://localhost/formulaire/
```

### PHP Not Working (500/502 Error)

A 502 Bad Gateway means nginx could not reach the PHP-FPM socket; a 500 is usually a PHP error, so check the PHP error log below.

**Check PHP-FPM:**

```bash
sudo systemctl status php8.4-fpm
sudo systemctl restart php8.4-fpm
```

**Check socket:**

```bash
ls -la /var/run/php/php8.4-fpm.sock
# Should exist
```

### View Error Logs

```bash
# Nginx errors
sudo tail -f /var/log/nginx/posterg_error.log

# PHP errors
sudo tail -f /var/www/html/error.log
```

Note that `error.log` lives inside the web root. It is not covered by the `.md`/`.sql`/`.txt` rules listed above, so make sure the config blocks `.log` files as well, or it is downloadable by anyone.

---

## 📊 Current vs Production Config

| Feature | Current (Default) | Production |
|---------|------------------|------------|
| PHP Version | ✅ 8.4 | ✅ 8.4 |
| File Protection | ❌ None | ✅ Comprehensive |
| Rate Limiting | ❌ None | ✅ Yes |
| Admin Password | ❌ None | ✅ Yes |
| Security Headers | ❌ None | ✅ Yes |
| Upload Size | ⚠️ Default (nginx 1MB, PHP 2MB) | ✅ 100MB |
| Logging | ⚠️ Generic | ✅ Separate logs |

---

## ✅ Success Checklist

After deployment, verify:

- [ ] Public site loads: https://posterg.erg.be/
- [ ] Admin requires password: https://posterg.erg.be/formulaire/
- [ ] Search works
- [ ] Individual thesis pages work
- [ ] Database is protected (403)
- [ ] Sensitive files blocked (403)
- [ ] No errors in logs
- [ ] File uploads work (in admin)

---

## 📞 Need Help?

1. **Check logs first:**

```bash
sudo tail -50 /var/log/nginx/posterg_error.log
```

2. **Test nginx config:**

```bash
sudo nginx -t
```

3. **Restart services:**

```bash
sudo systemctl restart php8.4-fpm
sudo systemctl reload nginx
```

4. **Check service status:**

```bash
sudo systemctl status nginx
sudo systemctl status php8.4-fpm
```