xamxam/nginx/docs/PRODUCTION_DEPLOYMENT.md

Production Deployment Guide - Post-ERG

This guide covers deploying the production nginx configuration with proper security and permissions.

🎯 Overview

  • Server: xamxam.erg.be (internal IP: 192.168.6.125)
  • PHP Version: 8.4
  • SSL/TLS: Handled by upstream reverse proxy
  • Document Root: /var/www/xamxam/public/

🚀 Quick Deployment

From your local machine:

# Deploy nginx config and upload deployment script
just deploy-nginx

# Then on the server:
ssh xamxam
sudo bash /tmp/deploy-server.sh
sudo systemctl reload nginx

This uploads:

  • nginx/xamxam.conf → /tmp/xamxam.conf
  • scripts/deploy-server.sh → /tmp/deploy-server.sh

📋 Step-by-Step Deployment

1. Set Up Admin Password (First Time Only)

ssh xamxam
sudo htpasswd -c /etc/nginx/.htpasswd-xamxam admin
# Enter a strong password when prompted.
# -c creates the file and overwrites any existing one, so use it only on first setup.

💡 Tip: Generate a strong password:

openssl rand -base64 32

2. Deploy Configuration

# From your local machine
just deploy-nginx

# On the server
sudo bash /tmp/deploy-server.sh
sudo systemctl reload nginx

The script will:

  • Fix file permissions (set to www-data:xamxam)
  • Install nginx configuration
  • Test nginx configuration
  • Check PHP-FPM status

🔧 Manual Deployment (Alternative)

Step 1: Fix Permissions

ssh xamxam

# Set correct ownership
sudo chown -R www-data:xamxam /var/www/xamxam/

# Set directory permissions
sudo find /var/www/xamxam -type d -exec chmod 755 {} \;

# Set file permissions
sudo find /var/www/xamxam -type f -exec chmod 644 {} \;

# Make storage writable
sudo chmod 775 /var/www/xamxam/storage

# Protect database
sudo chmod 660 /var/www/xamxam/storage/test.db
sudo chown www-data:xamxam /var/www/xamxam/storage/test.db

Step 2: Deploy Nginx Config

# Copy config
sudo cp /tmp/xamxam.conf /etc/nginx/sites-available/xamxam

# Enable site and disable default
sudo ln -sf /etc/nginx/sites-available/xamxam /etc/nginx/sites-enabled/xamxam
sudo rm -f /etc/nginx/sites-enabled/default

# Test and reload
sudo nginx -t
sudo systemctl reload nginx

🧪 Testing

Test Public Site

# Should return 200 OK
curl -I https://xamxam.erg.be/

Test Admin Protection

# Should return 401 Unauthorized
curl -I https://xamxam.erg.be/admin/

# With credentials (curl prompts for the password, which keeps it out of shell history and the process list)
curl -u admin https://xamxam.erg.be/admin/

Test File Protection

# Should return 403 Forbidden
curl -I https://xamxam.erg.be/storage/test.db
curl -I https://xamxam.erg.be/src/Database.php
curl -I https://xamxam.erg.be/config/bootstrap.php

Test Security Headers

# -s hides the progress meter; -i matches the lowercase header names sent over HTTP/2
curl -sI https://xamxam.erg.be/ | grep -iE "X-Frame|X-Content|Strict-Transport"

🔍 Troubleshooting

Still Getting 403 Forbidden

Check file permissions:

ls -la /var/www/xamxam/public/index.php
groups www-data  # Should include xamxam

502 Bad Gateway

Check PHP-FPM:

sudo systemctl status php8.4-fpm
sudo systemctl restart php8.4-fpm

Admin Password Not Working

sudo htpasswd /etc/nginx/.htpasswd-xamxam admin

📊 Monitoring

# Watch logs
sudo tail -f /var/log/nginx/xamxam_access.log
sudo tail -f /var/log/nginx/xamxam_error.log

# Check status
sudo systemctl status nginx

🔒 Security Checklist

After deployment, verify:

  • Public site accessible at https://xamxam.erg.be/
  • Admin panel requires password
  • Database files return 403 Forbidden
  • Source files return 403 Forbidden
  • Security headers present
  • PHP-FPM running
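
The HTTP items on this checklist can be checked in one pass. The script below is an added example, not part of this repository; the name verify-deploy.sh and the full header names (X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security) are assumptions derived from the grep pattern in the Testing section.

```shell
#!/usr/bin/env bash
# verify-deploy.sh (hypothetical name): automated form of the checklist above.
BASE="${BASE:-https://xamxam.erg.be}"   # host taken from this guide
# Assumed full names of the headers the guide greps for.
REQUIRED_HEADERS="x-frame-options x-content-type-options strict-transport-security"

# Print the status code of a response head read on stdin.
# The last status line wins, so a redirect followed by a final reply is handled.
status_of() {
  tr -d '\r' | awk '/^HTTP\// { code = $2 } END { print code }'
}

# Print the required headers that are absent from a response head on stdin.
# Names are lowercased first because HTTP/2 sends header names in lowercase.
missing_headers() {
  local head h missing=""
  head="$(tr -d '\r' | tr '[:upper:]' '[:lower:]')"
  for h in $REQUIRED_HEADERS; do
    printf '%s\n' "$head" | grep -q "^$h:" || missing="$missing $h"
  done
  printf '%s\n' "${missing# }"
}

# Fetch one path and compare its status; returns non-zero on mismatch.
expect_status() {
  local path="$1" want="$2" got
  got="$(curl -sI --max-time 10 "$BASE$path" | status_of)"
  if [ "$got" = "$want" ]; then echo "PASS $path -> $got"
  else echo "FAIL $path -> ${got:-no response} (expected $want)"; return 1; fi
}

run_checks() {
  local rc=0 missing
  expect_status /                     200 || rc=1
  expect_status /admin/               401 || rc=1
  expect_status /storage/test.db      403 || rc=1
  expect_status /src/Database.php     403 || rc=1
  expect_status /config/bootstrap.php 403 || rc=1
  missing="$(curl -sI --max-time 10 "$BASE/" | missing_headers)"
  if [ -n "$missing" ]; then echo "FAIL missing headers: $missing"; rc=1
  else echo "PASS security headers present"; fi
  return "$rc"
}

# Only touch the network when asked to: ./verify-deploy.sh --live
if [ "${1:-}" = "--live" ]; then run_checks; fi
```

The exit status is non-zero if any check fails, so the script can gate a deploy step; PHP-FPM status still has to be checked on the server itself.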

🔄 Updating the Site

# Deploy code changes
just deploy

# Reload nginx if config changed
ssh xamxam "sudo systemctl reload nginx"

🆘 Emergency Recovery

# Disable the xamxam site (the default site removed during deployment is not re-enabled by this)
ssh xamxam
sudo rm /etc/nginx/sites-enabled/xamxam
sudo systemctl reload nginx

# Reset permissions
sudo chown -R www-data:xamxam /var/www/xamxam/
sudo find /var/www/xamxam -type d -exec chmod 755 {} \;
sudo find /var/www/xamxam -type f -exec chmod 644 {} \;

See also: