# Nginx Quick Reference - Post-ERG

## Setup Commands

```bash
# Copy nginx config
sudo cp nginx/xamxam.conf /etc/nginx/sites-available/xamxam
sudo ln -s /etc/nginx/sites-available/xamxam /etc/nginx/sites-enabled/
sudo rm -f /etc/nginx/sites-enabled/default

# Test and reload
sudo nginx -t
sudo systemctl reload nginx
```

## Common Operations

### Password Management

```bash
# Interactive menu (recommended)
# /tmp is world-writable: check the script's owner and contents before running it as root
sudo bash /tmp/manage-admin-users.sh

# Or manual commands:

# Add new user
# (add -c only when creating the file for the first time; -c overwrites an existing file)
sudo htpasswd /etc/nginx/.htpasswd-xamxam username

# Change password for existing user
sudo htpasswd /etc/nginx/.htpasswd-xamxam username

# Remove user
sudo htpasswd -D /etc/nginx/.htpasswd-xamxam username

# List all users
sudo cut -d: -f1 /etc/nginx/.htpasswd-xamxam
```

### Nginx Control

```bash
# Test configuration
sudo nginx -t

# Reload configuration (no downtime)
sudo systemctl reload nginx

# Restart nginx (brief downtime)
sudo systemctl restart nginx

# Stop nginx
sudo systemctl stop nginx

# Start nginx
sudo systemctl start nginx

# Check status
sudo systemctl status nginx
```

### View Logs

```bash
# Public site access log
sudo tail -f /var/log/nginx/xamxam_access.log

# Public site errors
sudo tail -f /var/log/nginx/xamxam_error.log

# SSL access log
sudo tail -f /var/log/nginx/xamxam_ssl_access.log

# Search for specific pattern
sudo grep "404" /var/log/nginx/xamxam_access.log

# Count requests by IP
sudo awk '{print $1}' /var/log/nginx/xamxam_access.log | sort | uniq -c | sort -nr | head
```

### SSL/HTTPS

```bash
# Get SSL certificate (Let's Encrypt)
sudo certbot --nginx -d xamxam.erg.be -d www.xamxam.erg.be

# Renew certificates
sudo certbot renew

# Check certificate expiry
sudo certbot certificates

# Test auto-renewal
sudo certbot renew --dry-run
```

## Testing

### Test Admin Authentication

```bash
# Should require password (returns 401)
curl -I https://xamxam.erg.be/admin/

# With authentication (curl prompts for the password, which keeps it out of
# shell history and the process list)
curl -u admin https://xamxam.erg.be/admin/
```

### Test Rate Limiting

```bash
# Should show increasing 429 responses after limit
for i in {1..50}; do
    curl -s -o /dev/null -w "%{http_code}\n" https://xamxam.erg.be/
done
```

### Test File Protection

```bash
# Should return 403
curl -I https://xamxam.erg.be/storage/xamxam.db
curl -I https://xamxam.erg.be/shared/Database.php
curl -I https://xamxam.erg.be/.env
```

### Test Security Headers

```bash
# Check all security headers
# (-i because curl prints header names in lowercase over HTTP/2)
curl -sI https://xamxam.erg.be/ | grep -iE "X-|Strict-Transport|Referrer|Permissions"
```

## Troubleshooting

### Common Issues

**403 Forbidden on admin**

```bash
# Check htpasswd file exists
sudo ls -l /etc/nginx/.htpasswd-xamxam

# Check permissions (the nginx worker user must be able to read the file;
# 644 also lets every local user read the password hashes)
sudo chmod 644 /etc/nginx/.htpasswd-xamxam
```

**502 Bad Gateway**

```bash
# Check PHP-FPM status
sudo systemctl status php8.2-fpm

# Restart PHP-FPM
sudo systemctl restart php8.2-fpm

# Check PHP-FPM logs
sudo tail /var/log/php8.2-fpm.log
```

**Configuration errors**

```bash
# Test config and show errors
sudo nginx -t

# Check nginx error log
sudo tail -50 /var/log/nginx/error.log
```

### Emergency Recovery

```bash
# Disable password protection temporarily
sudo nano /etc/nginx/sites-available/xamxam

# Comment out these lines in /admin/ location:
#   auth_basic "Admin Access - Post-ERG";
#   auth_basic_user_file /etc/nginx/.htpasswd-xamxam;

# Reload nginx
sudo nginx -t && sudo systemctl reload nginx
```

## Performance Monitoring

```bash
# Check nginx listening sockets
sudo ss -tulpn | grep nginx

# Monitor nginx processes
watch -n 1 'ps aux | grep nginx'

# Check request rate
sudo tail -f /var/log/nginx/xamxam_access.log | pv -l -r > /dev/null

# Disk usage of logs
sudo du -sh /var/log/nginx/*
```

## Maintenance

```bash
# Rotate logs manually (reopen makes nginx reopen its log files; move the old files aside first)
sudo nginx -s reopen

# Clear old logs (keep last 7 days)
sudo find /var/log/nginx -name "*.log" -mtime +7 -delete

# Backup configuration
sudo cp /etc/nginx/sites-available/xamxam /etc/nginx/sites-available/xamxam.backup.$(date +%Y%m%d)

# Backup password file
sudo cp /etc/nginx/.htpasswd-xamxam /etc/nginx/.htpasswd-xamxam.backup.$(date +%Y%m%d)
```

## Security Checklist

- [ ] Admin password set: `sudo ls -l /etc/nginx/.htpasswd-xamxam`
- [ ] SSL enabled: `curl -I https://xamxam.erg.be/`
- [ ] Database blocked: `curl -I https://xamxam.erg.be/storage/xamxam.db`
- [ ] Shared directory blocked: `curl -I https://xamxam.erg.be/shared/Database.php`
- [ ] Rate limiting working: Test with curl loop
- [ ] Security headers present: `curl -sI https://xamxam.erg.be/ | grep -i x-`
- [ ] Logs accessible: `sudo tail /var/log/nginx/xamxam_access.log`

## Configuration Paths

- **Nginx config**: `/etc/nginx/sites-available/xamxam`
- **Password file**: `/etc/nginx/.htpasswd-xamxam`
- **SSL certificates**: `/etc/letsencrypt/live/xamxam.erg.be/`
- **Access logs**: `/var/log/nginx/xamxam_access.log`
- **Error logs**: `/var/log/nginx/xamxam_error.log`
- **PHP-FPM config**: `/etc/php/8.2/fpm/pool.d/www.conf`
- **PHP-FPM socket**: `/var/run/php/php8.2-fpm.sock`

## Rate Limits (Current Settings)

- **General requests**: 30 requests/minute
- **Search endpoint**: 30 requests/minute (burst: 10)
- **Admin panel**: 10 requests/minute (burst: 5)

To adjust, edit these lines in nginx config:

```nginx
limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=search:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=admin:10m rate=10r/m;
```
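
To see which clients are actually running into the limits above, or repeatedly failing the `/admin/` password prompt, the access log can be summarised per address. This is an added example, not part of the original reference: `flag_clients` and `sample_log` are hypothetical names, and it assumes nginx's default `combined` log format with throttled requests logged as status 429.

```shell
# Added example: summarise throttled and rejected requests per client IP.
# Assumes the default "combined" log format, where awk field 1 is the client
# address, field 7 the request path and field 9 the status code.

# flag_clients LOGFILE [THRESHOLD]
# Prints "ip 429=<n> admin401=<n>" for every client whose 429 count or
# /admin/ 401 count reaches THRESHOLD (default 3), sorted by address.
flag_clients() {
    awk -v t="${2:-3}" '
        $9 == 429                      { limited[$1]++; seen[$1] = 1 }
        $9 == 401 && $7 ~ /^\/admin\// { denied[$1]++;  seen[$1] = 1 }
        END {
            for (ip in seen)
                if (limited[ip] + 0 >= t || denied[ip] + 0 >= t)
                    printf "%s 429=%d admin401=%d\n", ip, limited[ip], denied[ip]
        }
    ' "$1" | sort
}

# Constructed sample log (documentation-range addresses, not real traffic).
sample_log() {
    for i in 1 2 3 4; do
        printf '203.0.113.7 - - [01/Jan/2025:10:00:0%d +0000] "GET /search?q=a HTTP/1.1" 429 162 "-" "curl/8.0"\n' "$i"
    done
    for i in 1 2 3; do
        printf '198.51.100.9 - - [01/Jan/2025:10:01:0%d +0000] "GET /admin/ HTTP/1.1" 401 179 "-" "curl/8.0"\n' "$i"
    done
    printf '192.0.2.5 - - [01/Jan/2025:10:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n'
    printf '192.0.2.5 - - [01/Jan/2025:10:02:01 +0000] "GET /admin/ HTTP/1.1" 401 179 "-" "Mozilla/5.0"\n'
}

# Demo run against the constructed sample.
tmp=$(mktemp)
sample_log > "$tmp"
flag_clients "$tmp" 3
rm -f "$tmp"
```

On the server, point it at the real log with `flag_clients /var/log/nginx/xamxam_access.log 10`, run as a user that can read the file. A single 401 on `/admin/` is normal, since browsers send the first request without credentials, which is why the function applies a threshold.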