mirror of
https://codeberg.org/PostERG/xamxam.git
synced 2026-05-06 19:19:19 +02:00
a2b1ff5f41
Items resolved: - #3 (HIGH): Move file uploads outside webroot to STORAGE_ROOT (/var/www/posterg/storage). Uploads were previously stored in public/admin/actions/data/ which is web-accessible. - #4 (HIGH): Align file paths and add media.php controller. DB paths are now storage-relative (theses/YEAR/ID/file, covers/file). New public/media.php serves files with path-traversal jail, MIME allow-list, and proper caching headers. memoire.php and search.php updated to use /media.php?path=. Also fixed: cover images were never recorded in thesis_files (broken INSERT). - #5 (HIGH): RateLimit::getClientIdentifier() now uses REMOTE_ADDR only. HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP are attacker-controlled headers that allowed unlimited rate-limit bypass by rotating spoofed IPs. - #6 (HIGH): Port public/admin/.htaccess security rules to nginx/posterg.conf. Apache .htaccess directives are silently ignored by nginx; none were active. CSP added to /admin/ location block, .log file denial added globally, autoindex off made explicit. Documented in nginx/HTACCESS_TO_NGINX.md. Supporting changes: - config/bootstrap.php: add STORAGE_ROOT constant - nginx/SECURITY_HEADERS.md: updated to reflect admin CSP and pending public CSP - docs/TODO.SECURITY.md: items #3-6 moved to resolved; priority order updated
Nginx Configuration - Post-ERG
This directory contains nginx configuration and setup scripts for the Post-ERG thesis website.
📁 Files
posterg.conf- Complete nginx configuration filesetup-password.sh- Script to create admin passwordsSETUP.md- Detailed setup instructionsQUICK_REFERENCE.md- Command reference and troubleshooting
🚀 Quick Start
1. Deploy nginx configuration (automated)
# From your local machine
just deploy-nginx
# Then on the server:
ssh posterg
sudo bash /tmp/deploy-production.sh
The deployment script will:
- ✅ Fix file permissions (posterg group)
- ✅ Set up admin password (if needed)
- ✅ Install nginx configuration
- ✅ Test and reload nginx
- ✅ Verify PHP-FPM is running
2. SSL/TLS
SSL/TLS is handled by the upstream reverse proxy and is already working. No additional SSL setup is needed on this server.
🔒 Security Features
Admin Panel Protection
- Password required for
/formulaire/(admin panel) - HTTP Basic Authentication
- Rate limited: 10 requests/minute
File Access Protection
- Database files (
.db) - BLOCKED - Sensitive files (
.md,.sql,.env) - BLOCKED - Shared directory - BLOCKED
- Tests directory - BLOCKED
- Cache directory - BLOCKED
- Hidden files (
.git, etc.) - BLOCKED
Rate Limiting
- General requests: 30/minute
- Search endpoint: 30/minute
- Admin panel: 10/minute
Security Headers
- ✅ X-Frame-Options (clickjacking protection)
- ✅ X-Content-Type-Options (MIME sniffing protection)
- ✅ X-XSS-Protection (XSS filter)
- ✅ Strict-Transport-Security (force HTTPS)
- ✅ Referrer-Policy (referrer control)
- ✅ Permissions-Policy (disable browser features)
SSL/TLS
- TLS 1.2 and 1.3 only
- Strong cipher suites
- OCSP stapling
- HSTS enabled
📚 Documentation
-
SETUP.md - Complete setup guide
- Installation steps
- Configuration details
- Testing procedures
- Troubleshooting
- Performance tuning
- Security checklist
-
QUICK_REFERENCE.md - Command reference
- Common operations
- Password management
- Nginx control
- Log viewing
- Testing commands
- Troubleshooting
🧪 Testing
Test your configuration:
# Test admin authentication
curl -I https://posterg.erg.be/formulaire/
# Test file protection
curl -I https://posterg.erg.be/database/posterg.db
# Test security headers
curl -I https://posterg.erg.be/ | grep -E "X-|Strict-Transport"
🆘 Quick Help
Admin can't log in
# Reset password
sudo htpasswd /etc/nginx/.htpasswd-posterg admin
502 Bad Gateway
# Check PHP-FPM
sudo systemctl status php8.2-fpm
sudo systemctl restart php8.2-fpm
Configuration errors
# Test and show errors
sudo nginx -t
📊 Monitoring
# Watch access logs
sudo tail -f /var/log/nginx/posterg_access.log
# Watch error logs
sudo tail -f /var/log/nginx/posterg_error.log
# Check nginx status
sudo systemctl status nginx
🔄 Maintenance
Change admin password
sudo htpasswd /etc/nginx/.htpasswd-posterg admin
Reload after config changes
sudo nginx -t && sudo systemctl reload nginx
Renew SSL certificate
sudo certbot renew
📞 Support
For detailed instructions, see:
- SETUP.md - Complete setup guide
- QUICK_REFERENCE.md - Command reference
For issues:
- Check nginx error logs:
sudo tail /var/log/nginx/posterg_error.log - Test configuration:
sudo nginx -t - Check PHP-FPM:
sudo systemctl status php8.2-fpm