mirror of
https://codeberg.org/PostERG/xamxam.git
synced 2026-05-06 19:19:19 +02:00
211 lines
4.2 KiB
Markdown
211 lines
4.2 KiB
Markdown
# Production Deployment Guide - Post-ERG
|
|
|
|
This guide covers deploying the production nginx configuration with proper security and permissions.
|
|
|
|
## 🎯 Overview
|
|
|
|
- **Server**: xamxam.erg.be (internal IP: 192.168.6.125)
|
|
- **PHP Version**: 8.4
|
|
- **SSL/TLS**: Handled by upstream reverse proxy
|
|
- **Document Root**: `/var/www/xamxam/public/`
|
|
|
|
## 🚀 Quick Deployment
|
|
|
|
From your local machine:
|
|
|
|
```bash
|
|
# Deploy nginx config and upload deployment script
|
|
just deploy-nginx
|
|
|
|
# Then on the server:
|
|
ssh xamxam
|
|
sudo bash /tmp/deploy-server.sh
|
|
sudo systemctl reload nginx
|
|
```
|
|
|
|
This uploads:
|
|
- `nginx/xamxam.conf` → `/tmp/xamxam.conf`
|
|
- `scripts/deploy-server.sh` → `/tmp/deploy-server.sh`
|
|
|
|
## 📋 Step-by-Step Deployment
|
|
|
|
### 1. Set Up Admin Password (First Time Only)
|
|
|
|
```bash
|
|
ssh xamxam
|
|
sudo htpasswd -c /etc/nginx/.htpasswd-xamxam admin
|
|
# Enter a strong password when prompted
|
|
```
|
|
|
|
**💡 Tip**: Generate a strong password:
|
|
```bash
|
|
openssl rand -base64 32
|
|
```
|
|
|
|
### 2. Deploy Configuration
|
|
|
|
```bash
|
|
# From your local machine
|
|
just deploy-nginx
|
|
|
|
# On the server
|
|
sudo bash /tmp/deploy-server.sh
|
|
sudo systemctl reload nginx
|
|
```
|
|
|
|
The script will:
|
|
- ✅ Fix file permissions (set to www-data:xamxam)
|
|
- ✅ Install nginx configuration
|
|
- ✅ Test nginx configuration
|
|
- ✅ Check PHP-FPM status
|
|
|
|
## 🔧 Manual Deployment (Alternative)
|
|
|
|
### Step 1: Fix Permissions
|
|
|
|
```bash
|
|
ssh xamxam
|
|
|
|
# Set correct ownership
|
|
sudo chown -R www-data:xamxam /var/www/xamxam/
|
|
|
|
# Set directory permissions
|
|
sudo find /var/www/posterg -type d -exec chmod 755 {} \;
|
|
|
|
# Set file permissions
|
|
sudo find /var/www/posterg -type f -exec chmod 644 {} \;
|
|
|
|
# Make storage writable
|
|
sudo chmod 775 /var/www/xamxam/storage
|
|
|
|
# Protect database
|
|
sudo chmod 660 /var/www/xamxam/storage/test.db
|
|
sudo chown www-data:xamxam /var/www/xamxam/storage/test.db
|
|
```
|
|
|
|
### Step 2: Deploy Nginx Config
|
|
|
|
```bash
|
|
# Copy config
|
|
sudo cp /tmp/xamxam.conf /etc/nginx/sites-available/xamxam
|
|
|
|
# Enable site and disable default
|
|
sudo ln -sf /etc/nginx/sites-available/xamxam /etc/nginx/sites-enabled/xamxam
|
|
sudo rm -f /etc/nginx/sites-enabled/default
|
|
|
|
# Test and reload
|
|
sudo nginx -t
|
|
sudo systemctl reload nginx
|
|
```
|
|
|
|
## 🧪 Testing
|
|
|
|
### Test Public Site
|
|
|
|
```bash
|
|
# Should return 200 OK
|
|
curl -I https://xamxam.erg.be/
|
|
```
|
|
|
|
### Test Admin Protection
|
|
|
|
```bash
|
|
# Should return 401 Unauthorized
|
|
curl -I https://xamxam.erg.be/admin/
|
|
|
|
# With credentials
|
|
curl -u admin:your_password https://xamxam.erg.be/admin/
|
|
```
|
|
|
|
### Test File Protection
|
|
|
|
```bash
|
|
# Should return 403 Forbidden
|
|
curl -I https://xamxam.erg.be/storage/test.db
|
|
curl -I https://xamxam.erg.be/src/Database.php
|
|
curl -I https://xamxam.erg.be/config/bootstrap.php
|
|
```
|
|
|
|
### Test Security Headers
|
|
|
|
```bash
|
|
curl -I https://xamxam.erg.be/ | grep -E "X-Frame|X-Content|Strict-Transport"
|
|
```
|
|
|
|
## 🔍 Troubleshooting
|
|
|
|
### Still Getting 403 Forbidden
|
|
|
|
**Check file permissions:**
|
|
```bash
|
|
ls -la /var/www/xamxam/public/index.php
|
|
groups www-data # Should include xamxam
|
|
```
|
|
|
|
### 502 Bad Gateway
|
|
|
|
**Check PHP-FPM:**
|
|
```bash
|
|
sudo systemctl status php8.4-fpm
|
|
sudo systemctl restart php8.4-fpm
|
|
```
|
|
|
|
### Admin Password Not Working
|
|
|
|
```bash
|
|
sudo htpasswd /etc/nginx/.htpasswd-xamxam admin
|
|
```
|
|
|
|
## 📊 Monitoring
|
|
|
|
```bash
|
|
# Watch logs
|
|
sudo tail -f /var/log/nginx/xamxam_access.log
|
|
sudo tail -f /var/log/nginx/xamxam_error.log
|
|
|
|
# Check status
|
|
sudo systemctl status nginx
|
|
```
|
|
|
|
## 🔒 Security Checklist
|
|
|
|
After deployment, verify:
|
|
|
|
- [ ] Public site accessible at https://xamxam.erg.be/
|
|
- [ ] Admin panel requires password
|
|
- [ ] Database files return 403 Forbidden
|
|
- [ ] Source files return 403 Forbidden
|
|
- [ ] Security headers present
|
|
- [ ] PHP-FPM running
|
|
|
|
## 🔄 Updating the Site
|
|
|
|
```bash
|
|
# Deploy code changes
|
|
just deploy
|
|
|
|
# Reload nginx if config changed
|
|
ssh xamxam "sudo systemctl reload nginx"
|
|
```
|
|
|
|
## 🆘 Emergency Recovery
|
|
|
|
```bash
|
|
# Restore default nginx config
|
|
ssh xamxam
|
|
sudo rm /etc/nginx/sites-enabled/xamxam
|
|
sudo systemctl reload nginx
|
|
|
|
# Reset permissions
|
|
sudo chown -R www-data:xamxam /var/www/xamxam/
|
|
sudo find /var/www/posterg -type d -exec chmod 755 {} \;
|
|
sudo find /var/www/posterg -type f -exec chmod 644 {} \;
|
|
```
|
|
|
|
---
|
|
|
|
**See also:**
|
|
- [QUICK_REFERENCE.md](QUICK_REFERENCE.md) - Command reference
|
|
- [ADMIN_USERS.md](ADMIN_USERS.md) - User management
|
|
- [SECURITY_HEADERS.md](SECURITY_HEADERS.md) - Security headers
|