xamxam/nginx/DEPLOY_NOW.md

# 🚀 Deploy Production Nginx Configuration

Quick guide to fix the current 403 Forbidden errors and deploy production-ready nginx setup.

## Current Issue

The site returns **403 Forbidden** because:
- Files are owned by `theophile:theophile` 
- Nginx runs as `www-data` (member of `posterg` group)
- Files have `640` permissions but wrong group
- Nginx can't read the files

## Solution

Deploy the production configuration which will:
1. ✅ Fix file permissions (change group to `posterg`)
2. ✅ Add security hardening (rate limiting, file blocking)
3. ✅ Set up admin password protection
4. ✅ Configure proper PHP handling

---

## 🎯 Quick Deploy (2 steps)

### Step 1: Upload to Server

From your local machine:

```bash
just deploy-nginx-production
```

### Step 2: Run on Server

```bash
ssh posterg
sudo bash /tmp/deploy-production.sh
```

That's it! The site should work after this.

---

## 📝 What the Script Does

The deployment script will:

1. **Fix Permissions**
   - Change ownership: `theophile:posterg` (so www-data can read)
   - Directories: `755` (readable by all)
   - Files: `640` (readable by owner and group)
   - Upload dirs: `775` (writable by group)

2. **Setup Admin Password**
   - Creates `/etc/nginx/.htpasswd-posterg` if missing
   - Prompts for username and password

3. **Install Nginx Config**
   - Backs up existing config
   - Installs production config
   - Creates symlink in sites-enabled
   - Removes default site

4. **Test & Reload**
   - Tests nginx configuration
   - Reloads nginx if valid
   - Verifies PHP-FPM is running

---

## 🔒 Security Features Added

The new configuration adds:

✅ **Rate Limiting**
- General: 30 requests/minute
- Search: 30 requests/minute  
- Admin: 10 requests/minute

✅ **File Protection**
- Database files (`.db`) → 403 Forbidden
- Sensitive files (`.md`, `.sql`, `.txt`) → 403 Forbidden
- `/storage/` directory → 403 Forbidden
- `/shared/` directory → 403 Forbidden
- `/data/` directory → 403 Forbidden
- Hidden files (`.git`, `.env`) → 403 Forbidden

✅ **Admin Panel Protection**
- `/formulaire/` requires HTTP Basic Authentication
- Rate limited to 10 requests/minute
- Hidden from search engines

✅ **Security Headers**
- X-Frame-Options (clickjacking protection)
- X-Content-Type-Options (MIME sniffing protection)
- X-XSS-Protection
- Referrer-Policy
- Permissions-Policy

✅ **File Upload**
- Max size: 100MB
- Timeouts: 120 seconds
- Upload directories writable by www-data

---

## 🧪 Testing After Deployment

On the server:

```bash
# Should return 200 OK now
curl -I http://localhost/

# Should return HTML content
curl http://localhost/index.php | head -n 20

# Admin should ask for password (401)
curl -I http://localhost/formulaire/

# Database should be blocked (403)
curl -I http://localhost/storage/posterg.db

# Sensitive files should be blocked (403)
curl -I http://localhost/README.md
curl -I http://localhost/shared/Database.php
```

From your browser:
- Visit https://posterg.erg.be/ → Should work!
- Visit https://posterg.erg.be/formulaire/ → Should ask for password

---

## 🔧 Manual Steps (If Script Fails)

If the automated script fails, here's the manual process:

### Fix Permissions

```bash
ssh posterg
sudo chown -R theophile:posterg /var/www/html/
sudo find /var/www/html -type d -exec chmod 755 {} \;
sudo find /var/www/html -type f -exec chmod 640 {} \;
sudo chmod 775 /var/www/html/formulaire/data/theses
sudo chmod 775 /var/www/html/formulaire/data/covers
```

### Install Config

```bash
# On server
sudo cp /tmp/posterg.conf /etc/nginx/sites-available/posterg
sudo ln -sf /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/posterg
sudo rm -f /etc/nginx/sites-enabled/default
sudo nginx -t
sudo systemctl reload nginx
```

### Setup Admin Password

```bash
sudo htpasswd -c /etc/nginx/.htpasswd-posterg admin
# Enter password when prompted
```

---

## 🆘 Troubleshooting

### Still Getting 403 Forbidden

**Check file ownership:**
```bash
ls -la /var/www/html/index.php
# Should show: -rw-r----- theophile posterg
```

**Check nginx user is in posterg group:**
```bash
groups www-data
# Should show: www-data : www-data posterg
```

### Can't Access Admin Panel

**Verify password file:**
```bash
ls -la /etc/nginx/.htpasswd-posterg
# Should exist and be readable
```

**Test with credentials:**
```bash
curl -u admin:your_password http://localhost/formulaire/
```

### PHP Not Working (500 Error)

**Check PHP-FPM:**
```bash
sudo systemctl status php8.4-fpm
sudo systemctl restart php8.4-fpm
```

**Check socket:**
```bash
ls -la /var/run/php/php8.4-fpm.sock
# Should exist
```

### View Error Logs

```bash
# Nginx errors
sudo tail -f /var/log/nginx/posterg_error.log

# PHP errors  
sudo tail -f /var/www/html/error.log
```

---

## 📊 Current vs Production Config

| Feature | Current (Default) | Production |
|---------|------------------|------------|
| PHP Version | ✅ 8.4 | ✅ 8.4 |
| File Protection | ❌ None | ✅ Comprehensive |
| Rate Limiting | ❌ None | ✅ Yes |
| Admin Password | ❌ None | ✅ Yes |
| Security Headers | ❌ None | ✅ Yes |
| Upload Size | ⚠️ Default (2MB) | ✅ 100MB |
| Logging | ⚠️ Generic | ✅ Separate logs |

---

## ✅ Success Checklist

After deployment, verify:

- [ ] Public site loads: https://posterg.erg.be/
- [ ] Admin requires password: https://posterg.erg.be/formulaire/
- [ ] Search works
- [ ] Individual thesis pages work
- [ ] Database is protected (403)
- [ ] Sensitive files blocked (403)
- [ ] No errors in logs
- [ ] File uploads work (in admin)

---

## 📞 Need Help?

1. **Check logs first:**
   ```bash
   sudo tail -50 /var/log/nginx/posterg_error.log
   ```

2. **Test nginx config:**
   ```bash
   sudo nginx -t
   ```

3. **Restart services:**
   ```bash
   sudo systemctl restart php8.4-fpm
   sudo systemctl reload nginx
   ```

4. **Check service status:**
   ```bash
   sudo systemctl status nginx
   sudo systemctl status php8.4-fpm
   ```