xamxam/nginx/DEPLOY_NOW.md
Théophile Gervreau-Mercier 7fca85d1c1 refactor: rename database → storage
More semantically accurate: contains SQLite files, schema, fixtures, test data.
Updated all references in code, scripts, docs.
2026-02-12 12:12:58 +01:00


🚀 Deploy Production Nginx Configuration

Quick guide to fix the current 403 Forbidden errors and deploy production-ready nginx setup.

Current Issue

The site returns 403 Forbidden because:

  • Files are owned by theophile:theophile
  • Nginx runs as www-data, which is a member of the posterg group but not of theophile
  • Files are mode 640 (no world-read bit), so only the owner and the owning group can read them
  • With the group set to theophile instead of posterg, the www-data worker cannot read the files

Solution

Deploy the production configuration which will:

  1. Fix file permissions (change group to posterg)
  2. Add security hardening (rate limiting, file blocking)
  3. Set up admin password protection
  4. Configure proper PHP handling

🎯 Quick Deploy (2 steps)

Step 1: Upload to Server

From your local machine:

just deploy-nginx-production

Step 2: Run on Server

ssh posterg
sudo bash /tmp/deploy-production.sh

That's it! The site should work after this.


📝 What the Script Does

The deployment script will:

  1. Fix Permissions

    • Change ownership: theophile:posterg (so the www-data worker, a posterg member, can read)
    • Directories: 755 (traversable and listable by everyone)
    • Files: 640 (readable by owner and group only; no world access)
    • Upload dirs: 775 (group-writable, so www-data can write uploads through the posterg group)
  2. Setup Admin Password

    • Creates /etc/nginx/.htpasswd-posterg if missing
    • Prompts for username and password
  3. Install Nginx Config

    • Backs up existing config
    • Installs production config
    • Creates symlink in sites-enabled
    • Removes default site
  4. Test & Reload

    • Tests nginx configuration
    • Reloads nginx if valid
    • Verifies PHP-FPM is running

🔒 Security Features Added

The new configuration adds:

Rate Limiting

  • General: 30 requests/minute
  • Search: 30 requests/minute
  • Admin: 10 requests/minute

File Protection

  • Database files (.db) → 403 Forbidden
  • Sensitive files (.md, .sql, .txt) → 403 Forbidden
  • /storage/ directory → 403 Forbidden
  • /shared/ directory → 403 Forbidden
  • /data/ directory → 403 Forbidden
  • Hidden files (.git, .env) → 403 Forbidden

Admin Panel Protection

  • /formulaire/ requires HTTP Basic Authentication
  • Rate limited to 10 requests/minute
  • Hidden from search engines

Security Headers

  • X-Frame-Options (clickjacking protection)
  • X-Content-Type-Options (MIME sniffing protection)
  • X-XSS-Protection (legacy header; modern browsers ignore it, and the old filter is best disabled with the value 0)
  • Referrer-Policy
  • Permissions-Policy

File Upload

  • Max size: 100MB (nginx client_max_body_size; PHP's upload_max_filesize and post_max_size must allow the same size, or uploads that pass nginx are still rejected by PHP)
  • Timeouts: 120 seconds
  • Upload directories writable by www-data (through the posterg group)
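The page describes the production config but does not show it. The server block below is an added example, not the project's own posterg.conf, written to implement the features listed in this section. It assumes the paths used elsewhere on this page (document root /var/www/html, PHP-FPM socket /var/run/php/php8.4-fpm.sock, password file /etc/nginx/.htpasswd-posterg, logs /var/log/nginx/posterg_*.log); the search endpoint name /search.php is an assumption, and blocking .log is an addition because the PHP error log lives inside the document root.

```nginx
# Added example (not the project's posterg.conf). Assumed: docroot /var/www/html,
# PHP-FPM socket /var/run/php/php8.4-fpm.sock, /etc/nginx/.htpasswd-posterg,
# log names posterg_*.log, search endpoint /search.php.

# limit_req_zone belongs to the http context; the top level of a file under
# sites-available is in that context because nginx.conf includes it from http{}.
limit_req_zone $binary_remote_addr zone=posterg_general:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=posterg_search:10m  rate=30r/m;
limit_req_zone $binary_remote_addr zone=posterg_admin:10m   rate=10r/m;

server {
    listen 80;
    server_name _;
    root  /var/www/html;
    index index.php index.html;

    # Separate logs (the troubleshooting steps below tail posterg_error.log)
    access_log /var/log/nginx/posterg_access.log;
    error_log  /var/log/nginx/posterg_error.log;

    # Uploads: PHP's upload_max_filesize/post_max_size must be raised to match
    client_max_body_size 100m;
    client_body_timeout  120s;
    fastcgi_read_timeout 120s;
    limit_req_status     429;

    add_header X-Frame-Options        "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection       "0" always;   # legacy filter; 0 disables it
    add_header Referrer-Policy        "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy     "camera=(), microphone=(), geolocation=()" always;

    # Hidden files (.git, .env, .htpasswd ...); carve out /.well-known/ if you use ACME
    location ~ /\. { deny all; }

    # Directories that must never be served; ^~ makes these win over the regex locations
    location ^~ /storage/ { deny all; }
    location ^~ /shared/  { deny all; }
    location ^~ /data/    { deny all; }

    # Database files, dumps and notes anywhere in the tree (.log added: error.log is in the docroot)
    location ~* \.(db|sqlite|sql|md|txt|log)$ { deny all; }

    # Search endpoint (name assumed) with its own bucket
    location = /search.php {
        limit_req zone=posterg_search burst=10 nodelay;
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/var/run/php/php8.4-fpm.sock;
    }

    # Admin panel. ^~ is essential: without it the regex "\.php$" location at the
    # bottom would serve /formulaire/index.php and skip auth_basic entirely, so the
    # PHP handler is nested here instead.
    location ^~ /formulaire/ {
        auth_basic           "Administration";
        auth_basic_user_file /etc/nginx/.htpasswd-posterg;
        limit_req zone=posterg_admin burst=5 nodelay;
        # add_header in a location replaces the inherited set, so repeat the security headers
        add_header X-Robots-Tag           "noindex, nofollow" always;
        add_header X-Frame-Options        "DENY" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy        "no-referrer" always;
        add_header Permissions-Policy     "camera=(), microphone=(), geolocation=()" always;

        location ~ /\. { deny all; }             # dotfiles under /formulaire/ too

        location ~ \.php$ {
            try_files $uri =404;                 # no PATH_INFO tricks on missing files
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass  unix:/var/run/php/php8.4-fpm.sock;
        }
    }

    location / {
        limit_req zone=posterg_general burst=20 nodelay;
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        limit_req zone=posterg_general burst=20 nodelay;
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/var/run/php/php8.4-fpm.sock;
    }
}
```

Two things to check against the real config: `$binary_remote_addr` is the client only when nginx faces the internet directly (behind a reverse proxy every request shares the proxy's address and the buckets fill instantly), and if uploads under /formulaire/data/ must be served to anonymous visitors, give that path its own location that denies `.php` execution rather than widening the admin location.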

🧪 Testing After Deployment

On the server:

# Should return 200 OK now
curl -I http://localhost/

# Should return HTML content
curl http://localhost/index.php | head -n 20

# Admin should ask for password (401)
curl -I http://localhost/formulaire/

# Database should be blocked (403)
curl -I http://localhost/storage/posterg.db

# Sensitive files should be blocked (403)
curl -I http://localhost/README.md
curl -I http://localhost/shared/Database.php
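The same checks as a pass/fail script, as an added example rather than part of the project's deploy script. It assumes curl is installed and that the site answers on the BASE argument (default http://localhost); the /error.log, /.env and /.git/config checks are additions here, since the hidden-file and data-file rules above should cover them too.

```bash
#!/usr/bin/env bash
# Added example (not part of the project). Assumes curl and a site at BASE.
# Run with: bash smoke.sh run http://localhost   (exit status = number of failures)

# HTTP status code only, no body; curl prints 000 when the server is unreachable
http_code() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# expect_code BASE PATH CODE: print PASS/FAIL, return 1 on mismatch
expect_code() {
    local got
    got=$(http_code "$1$2")
    if [ "$got" = "$3" ]; then
        printf 'PASS %s %s\n' "$3" "$2"
    else
        printf 'FAIL %s %s (got %s)\n' "$3" "$2" "$got"
        return 1
    fi
}

# run_smoke_tests [BASE]: run every check, return the number of failures
run_smoke_tests() {
    local base=${1:-http://localhost} failed=0 code path
    while read -r code path; do
        [ -n "$path" ] || continue          # skip blank lines
        expect_code "$base" "$path" "$code" || failed=$((failed + 1))
    done <<'EOF'
200 /
200 /index.php
401 /formulaire/
403 /storage/posterg.db
403 /README.md
403 /shared/Database.php
403 /error.log
403 /.env
403 /.git/config
EOF
    return "$failed"
}

# Only run when invoked as `smoke.sh run [BASE]`, so the file can also be sourced
case "${1:-}" in
    run) shift; run_smoke_tests "$@" ;;
esac
```

Add one line per rule you add to the nginx config, so the script stays the regression test for the file-blocking and auth rules rather than a one-off check.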

From your browser:

  • Open the site's front page and confirm it renders instead of 403 Forbidden
  • Open /formulaire/ and confirm the browser asks for a username and password
  • Open /storage/posterg.db and /README.md and confirm both return 403 Forbidden

🔧 Manual Steps (If Script Fails)

If the automated script fails, here's the manual process:

Fix Permissions

ssh posterg
sudo chown -R theophile:posterg /var/www/html/
sudo find /var/www/html -type d -exec chmod 755 {} \;
sudo find /var/www/html -type f -exec chmod 640 {} \;
sudo chmod 775 /var/www/html/formulaire/data/theses
sudo chmod 775 /var/www/html/formulaire/data/covers

Install Config

# On server
sudo cp /tmp/posterg.conf /etc/nginx/sites-available/posterg
sudo ln -sf /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/posterg
sudo rm -f /etc/nginx/sites-enabled/default
sudo nginx -t
sudo systemctl reload nginx

Setup Admin Password

# -c creates the file and overwrites it if it already exists; omit -c when adding further users
# htpasswd is in the apache2-utils package on Debian/Ubuntu
sudo htpasswd -c /etc/nginx/.htpasswd-posterg admin
# Enter password when prompted

Keep the file readable by the nginx worker but not by everyone: owner root, group www-data, mode 640.

🆘 Troubleshooting

Still Getting 403 Forbidden

Check file ownership:

ls -la /var/www/html/index.php
# Should show: -rw-r----- theophile posterg

Check nginx user is in posterg group:

groups www-data
# Should show: www-data : www-data posterg
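The manual "Fix Permissions" commands above and these two troubleshooting checks, packaged as reusable functions. This is an added example, not the project's deploy-production.sh: it assumes POSIX find (-perm, -group, -maxdepth) and `id -nG`, attempts chown only when run as root, and takes the upload directories as arguments instead of hard-coding them.

```bash
#!/usr/bin/env bash
# Added example (not the project's deploy-production.sh).
# Usage: bash perms.sh fix   ROOT OWNER GROUP [UPLOAD_DIR...]
#        bash perms.sh audit ROOT GROUP [UPLOAD_DIR...]
#        bash perms.sh check [WORKER_USER] [GROUP]      (defaults: www-data posterg)

# fix_webroot_perms ROOT OWNER GROUP [UPLOAD_DIR...]
# dirs 755, files 640, upload dirs 775 (group-writable), everything OWNER:GROUP
fix_webroot_perms() {
    local root=$1 owner=$2 group=$3 d
    shift 3
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$group" "$root"
    else
        echo "not root: skipping chown -R $owner:$group $root" >&2
    fi
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 640 {} +
    for d in "$@"; do
        chmod 775 "$d"
    done
}

# audit_webroot_perms ROOT GROUP [UPLOAD_DIR...]
# prints every path that breaks the scheme; returns 1 if any, 0 when clean
audit_webroot_perms() {
    local root=$1 group=$2 d offenders
    shift 2
    offenders=$(
        # a worker that reads through group membership cannot see anything in another group
        find "$root" ! -group "$group" -exec printf 'wrong-group: %s\n' {} +
        find "$root" -type f ! -perm 640 -exec printf 'file-not-640: %s\n' {} +
        # 775 is tolerated for any directory so the upload dirs pass; they get a strict check below
        find "$root" -type d ! -perm 755 ! -perm 775 -exec printf 'dir-not-755: %s\n' {} +
        for d in "$@"; do
            find "$d" -maxdepth 0 ! -perm 775 -exec printf 'upload-dir-not-775: %s\n' {} +
        done
    )
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    echo "permissions OK under $root"
}

# worker_in_group USER GROUP: succeeds when USER (the nginx worker) belongs to GROUP,
# the same fact `groups www-data` shows above
worker_in_group() {
    id -nG "$1" | tr ' ' '\n' | grep -qx "$2"
}

case "${1:-}" in
    fix)   shift; fix_webroot_perms "$@" ;;
    audit) shift; audit_webroot_perms "$@" ;;
    check) worker_in_group "${2:-www-data}" "${3:-posterg}" ;;
esac
```

On the real server that is `sudo bash perms.sh fix /var/www/html theophile posterg /var/www/html/formulaire/data/theses /var/www/html/formulaire/data/covers`, followed by `audit` with the same directories. If files that www-data writes into the upload directories come out with group www-data instead of posterg, set the setgid bit on those directories (2775) so new files inherit the directory's group.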

Can't Access Admin Panel

Verify password file:

ls -la /etc/nginx/.htpasswd-posterg
# Should exist and be readable by the nginx worker user (www-data); root:www-data with mode 640 is enough

Test with credentials:

curl -u admin:your_password http://localhost/formulaire/
# or `curl -u admin http://localhost/formulaire/` to be prompted, which keeps the password out of shell history

PHP Not Working (500 Error)

Check PHP-FPM:

sudo systemctl status php8.4-fpm
sudo systemctl restart php8.4-fpm

Check socket:

ls -la /var/run/php/php8.4-fpm.sock
# Should exist

View Error Logs

# Nginx errors
sudo tail -f /var/log/nginx/posterg_error.log

# PHP errors (this log sits inside the document root; confirm that nginx answers 403 for
# /error.log, since .log is not among the blocked extensions listed above)
sudo tail -f /var/www/html/error.log

📊 Current vs Production Config

| Feature          | Current (Default) | Production     |
|------------------|-------------------|----------------|
| PHP Version      | 8.4               | 8.4            |
| File Protection  | None              | Comprehensive  |
| Rate Limiting    | None              | Yes            |
| Admin Password   | None              | Yes            |
| Security Headers | None              | Yes            |
| Upload Size      | ⚠️ Default (2MB)  | 100MB          |
| Logging          | ⚠️ Generic        | Separate logs  |

Success Checklist

After deployment, verify:

  • http://localhost/ returns 200 and the site renders
  • /formulaire/ returns 401 until valid credentials are supplied
  • /storage/posterg.db, /README.md and /shared/Database.php return 403
  • sudo nginx -t reports the configuration as valid
  • php8.4-fpm is active and /var/run/php/php8.4-fpm.sock exists
  • /var/log/nginx/posterg_error.log shows no new permission errors


📞 Need Help?

  1. Check logs first:

    sudo tail -50 /var/log/nginx/posterg_error.log
    
  2. Test nginx config:

    sudo nginx -t
    
  3. Restart services:

    sudo systemctl restart php8.4-fpm
    sudo systemctl reload nginx
    
  4. Check service status:

    sudo systemctl status nginx
    sudo systemctl status php8.4-fpm