mirror of
https://codeberg.org/PostERG/xamxam.git
synced 2026-05-06 11:09:18 +02:00
Item 13 — Remove deprecated X-XSS-Protection header
- nginx/posterg.conf: header removed (was '1; mode=block')
- nginx/SECURITY_HEADERS.md: new file documenting header decisions and explaining why X-XSS-Protection is counterproductive
Item 14 — Add rel="noreferrer" to external target="_blank" link
- public/admin/thanks.php: rel="noopener" → rel="noopener noreferrer"
Item 15 — Explicit (int) casts on all integer HTML outputs
- public/index.php: (int) on item id, page numbers
- public/search.php: (int) on totalItems, year options, item id, pagination
Item 16 — Remove unused DATABASE_PATH constant
- config/bootstrap.php: define('DATABASE_PATH', ...) removed
docs/TODO.SECURITY.md updated: items 13-16 marked resolved and
moved to the ✅ Resolved section.
Nginx Configuration - Post-ERG
This directory contains nginx configuration and setup scripts for the Post-ERG thesis website.
📁 Files
- posterg.conf - Complete nginx configuration file
- setup-password.sh - Script to create admin passwords
- SETUP.md - Detailed setup instructions
- QUICK_REFERENCE.md - Command reference and troubleshooting
🚀 Quick Start
1. Deploy nginx configuration (automated)
# From your local machine
just deploy-nginx
# Then on the server:
ssh posterg
sudo bash /tmp/deploy-production.sh
The deployment script will:
- ✅ Fix file permissions (posterg group)
- ✅ Set up admin password (if needed)
- ✅ Install nginx configuration
- ✅ Test and reload nginx
- ✅ Verify PHP-FPM is running
2. SSL/TLS
SSL/TLS is handled by the upstream reverse proxy and is already working. No additional SSL setup is needed on this server.
🔒 Security Features
Admin Panel Protection
- Password required for /formulaire/ (admin panel) - HTTP Basic Authentication
- Rate limited: 10 requests/minute
File Access Protection
- Database files (.db) - BLOCKED
- Sensitive files (.md, .sql, .env) - BLOCKED
- Shared directory - BLOCKED
- Tests directory - BLOCKED
- Cache directory - BLOCKED
- Hidden files (.git, etc.) - BLOCKED
Rate Limiting
- General requests: 30/minute
- Search endpoint: 30/minute
- Admin panel: 10/minute
Security Headers
- ✅ X-Frame-Options (clickjacking protection)
- ✅ X-Content-Type-Options (MIME sniffing protection)
- ✅ X-XSS-Protection (XSS filter)
- ✅ Strict-Transport-Security (force HTTPS)
- ✅ Referrer-Policy (referrer control)
- ✅ Permissions-Policy (disable browser features)
SSL/TLS
- TLS 1.2 and 1.3 only
- Strong cipher suites
- OCSP stapling
- HSTS enabled
📚 Documentation
- SETUP.md - Complete setup guide
  - Installation steps
  - Configuration details
  - Testing procedures
  - Troubleshooting
  - Performance tuning
  - Security checklist
- QUICK_REFERENCE.md - Command reference
  - Common operations
  - Password management
  - Nginx control
  - Log viewing
  - Testing commands
  - Troubleshooting
🧪 Testing
Test your configuration:
# Test admin authentication
curl -I https://posterg.erg.be/formulaire/
# Test file protection
curl -I https://posterg.erg.be/database/posterg.db
# Test security headers
curl -I https://posterg.erg.be/ | grep -E "X-|Strict-Transport"
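As an added example (not a script from the nginx/ directory), the following shell function turns the `grep` check above into a pass/fail test: it reads a captured response header block, confirms that each header listed under Security Headers is present, checks that Strict-Transport-Security carries a `max-age`, and flags X-XSS-Protection, which Item 13 removed as deprecated. The two header blocks are constructed samples, not captures from posterg.erg.be; in practice you would feed it `curl -sI https://posterg.erg.be/ > headers.txt`.

```shell
#!/bin/sh
# Added example: assert the security-header policy on a saved response.
# Header names are compared case-insensitively; HTTP/2 lower-cases them.

# Headers the README lists as enabled (X-XSS-Protection deliberately excluded).
REQUIRED_HEADERS="x-frame-options x-content-type-options strict-transport-security referrer-policy permissions-policy"
# Headers that must not be sent any more (removed in Item 13).
FORBIDDEN_HEADERS="x-xss-protection"

# check_security_headers FILE
# Prints one line per finding; returns 0 only when every required header is
# present, HSTS has a max-age, and no forbidden header is present.
check_security_headers() {
    file="$1"
    status=0
    # Keep only "name: value" lines (the status line has no colon), lower-case the names.
    names=$(tr -d '\r' < "$file" | awk -F: 'NF>1 && $1 !~ / / {print tolower($1)}')
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$names" | grep -qx "$h"; then
            echo "MISSING   $h"
            status=1
        fi
    done
    for h in $FORBIDDEN_HEADERS; do
        if printf '%s\n' "$names" | grep -qx "$h"; then
            echo "FORBIDDEN $h (deprecated, should be removed)"
            status=1
        fi
    done
    # HSTS without max-age does nothing; flag it when the header is present.
    hsts=$(tr -d '\r' < "$file" | awk -F: 'tolower($1)=="strict-transport-security" {print $2}')
    case "$hsts" in
        ""|*max-age=*) ;;
        *) echo "WEAK      strict-transport-security lacks max-age"; status=1 ;;
    esac
    return $status
}

# Constructed sample: a response matching the documented policy.
GOOD_HDRS=$(mktemp)
cat > "$GOOD_HDRS" <<'EOF'
HTTP/2 200
server: nginx
content-type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains
referrer-policy: strict-origin-when-cross-origin
permissions-policy: geolocation=(), microphone=(), camera=()
EOF

# Constructed sample: the pre-Item-13 configuration, still sending
# X-XSS-Protection and lacking Permissions-Policy.
OLD_HDRS=$(mktemp)
cat > "$OLD_HDRS" <<'EOF'
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Referrer-Policy: no-referrer-when-downgrade
EOF

for f in "$GOOD_HDRS" "$OLD_HDRS"; do
    if check_security_headers "$f"; then
        echo "OK: header policy satisfied ($f)"
    else
        echo "FAIL: see findings above ($f)"
    fi
done
```

The findings list is what you would paste into the security checklist after a deployment; a non-zero exit status lets the same function gate a CI job or the `just deploy-nginx` step.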
🆘 Quick Help
Admin can't log in
# Reset password
sudo htpasswd /etc/nginx/.htpasswd-posterg admin
502 Bad Gateway
# Check PHP-FPM
sudo systemctl status php8.2-fpm
sudo systemctl restart php8.2-fpm
Configuration errors
# Test and show errors
sudo nginx -t
📊 Monitoring
# Watch access logs
sudo tail -f /var/log/nginx/posterg_access.log
# Watch error logs
sudo tail -f /var/log/nginx/posterg_error.log
# Check nginx status
sudo systemctl status nginx
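An added example, not one of the project's scripts: a shell/awk function that summarises the access log per client IP and per minute, separating requests rejected by nginx's `limit_req` from served ones, so that the 30/minute and 10/minute limits above can be seen working (or a single client hammering the search endpoint can be spotted). It assumes the default "combined" log format and nginx's default `limit_req_status` of 503 for rejected requests; the log lines are constructed samples, not real traffic.

```shell
#!/bin/sh
# Added example: per-client, per-minute summary of limit_req rejections.
# Assumes the default "combined" access log format and the default
# limit_req_status of 503 (change REJECT_STATUS if the config overrides it).

REJECT_STATUS=503

# rate_limit_report LOGFILE
# Prints one line per client IP and minute: total requests and how many were
# rejected by limit_req. Sorted so bursts from one client stand out.
rate_limit_report() {
    awk -v reject="$REJECT_STATUS" '
    {
        ip = $1
        # $4 is "[06/May/2026:11:09:18"; drop the bracket and the seconds
        minute = substr($4, 2, 17)
        status = $9          # status code follows the quoted request line
        key = ip " " minute
        total[key]++
        if (status == reject) rejected[key]++
    }
    END {
        for (k in total)
            printf "%s total=%d rejected=%d\n", k, total[k], rejected[k] + 0
    }' "$1" | sort
}

# Constructed sample log: one client browsing normally, another exceeding the
# search rate limit and receiving 503s from limit_req.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [06/May/2026:11:09:01 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [06/May/2026:11:09:02 +0200] "GET /search.php?q=a HTTP/1.1" 200 2048 "-" "curl/8.5.0"
203.0.113.7 - - [06/May/2026:11:09:02 +0200] "GET /search.php?q=b HTTP/1.1" 200 2048 "-" "curl/8.5.0"
203.0.113.7 - - [06/May/2026:11:09:03 +0200] "GET /search.php?q=c HTTP/1.1" 200 2048 "-" "curl/8.5.0"
203.0.113.7 - - [06/May/2026:11:09:03 +0200] "GET /search.php?q=d HTTP/1.1" 503 197 "-" "curl/8.5.0"
203.0.113.7 - - [06/May/2026:11:09:03 +0200] "GET /search.php?q=e HTTP/1.1" 503 197 "-" "curl/8.5.0"
203.0.113.7 - - [06/May/2026:11:09:04 +0200] "GET /search.php?q=f HTTP/1.1" 503 197 "-" "curl/8.5.0"
192.0.2.10 - - [06/May/2026:11:09:30 +0200] "GET /index.php?page=2 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
EOF

rate_limit_report "$SAMPLE_LOG"
```

On the server the same function runs over the real log with `rate_limit_report /var/log/nginx/posterg_access.log`; a client whose `rejected` count stays high minute after minute is the signal to look at, while occasional rejections from the admin panel at 10/minute are expected.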
🔄 Maintenance
Change admin password
sudo htpasswd /etc/nginx/.htpasswd-posterg admin
Reload after config changes
sudo nginx -t && sudo systemctl reload nginx
Renew SSL certificate
sudo certbot renew
📞 Support
For detailed instructions, see:
- SETUP.md - Complete setup guide
- QUICK_REFERENCE.md - Command reference
For issues:
- Check nginx error logs: sudo tail /var/log/nginx/posterg_error.log
- Test configuration: sudo nginx -t
- Check PHP-FPM: sudo systemctl status php8.2-fpm