PTS/Church-Music
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d367261867f555324c071d2d2a1ff220d91d93ae
Church-Music/legacy-site/documentation/md-files/HTTPS_SSL_COMPLETE.md

366 lines
8.5 KiB
Markdown
Raw Normal View History

Initial commit - Church Music Database
2026-01-27 18:04:50 -06:00
# 🔒 HTTPS/SSL Setup Complete! ✅
## 🎉 Your Site is Now Secure
**Access your site with HTTPS:**
-**<https://houseofprayer.ddns.net>** (Secure!)
- ✅ HTTP automatically redirects to HTTPS
---
## ✅ What Was Fixed
### 1. SSL Certificate Installed
- **Provider:** Let's Encrypt (Free, Auto-Renews)
- **Certificate Location:** `/etc/letsencrypt/live/houseofprayer.ddns.net/`
- **Expiration:** March 16, 2026 (Auto-renewal enabled)
- **Auto-Renewal:** Certbot scheduled task runs twice daily
### 2. API Configuration Fixed for Other Devices
**Problem:** Settings page was hardcoded to use `port 8080`, causing "Offline" errors on other devices
**Solution:** Updated [frontend/src/api.js](frontend/src/api.js) to:
- ✅ Auto-detect protocol (http/https) from current page
- ✅ Remove port number when accessing via DNS hostname
- ✅ Keep port 8080 only for localhost development
- ✅ Nginx reverse proxy handles all routing
### 3. How It Works Now
**Localhost (Development):**
```javascript
// When accessing http://localhost:5100
API URL: http://localhost:8080/api
Settings: { protocol: "http", hostname: "localhost", port: "8080" }
```
**DNS Hostname (Production):**
```javascript
// When accessing https://houseofprayer.ddns.net
API URL: https://houseofprayer.ddns.net/api
Settings: { protocol: "https", hostname: "houseofprayer.ddns.net", port: "" }
```
**Result:** Other devices connect to your DNS hostname without port numbers!
---
## 📱 How Other Devices Connect Now
### Before (Broken)
❌ Devices tried: `http://houseofprayer.ddns.net:8080/api`
- Port 8080 not forwarded on router
- Devices showed "Offline"
### After (Fixed)
✅ Devices use: `https://houseofprayer.ddns.net/api`
- Nginx on port 443 (HTTPS) handles requests
- Port 443 forwarded on router → Works everywhere!
---
## 🧪 Verified Tests
```bash
# ✅ HTTPS Homepage
curl -I https://houseofprayer.ddns.net
# Result: HTTP/2 200 OK
# ✅ HTTPS API
curl -s https://houseofprayer.ddns.net/api/health
# Result: {"status":"ok","ts":"2025-12-16T03:58:13.530451"}
# ✅ HTTP Auto-Redirects to HTTPS
curl -I http://houseofprayer.ddns.net
# Result: HTTP/1.1 301 Moved Permanently → HTTPS
```
---
## 🔧 Nginx Configuration
Certbot automatically updated `/etc/nginx/sites-enabled/church-music`:
```nginx
server {
server_name houseofprayer.ddns.net;
# Frontend
location / {
proxy_pass http://127.0.0.1:5100;
}
# Backend API
location /api/ {
proxy_pass http://127.0.0.1:8080/api/;
}
listen 443 ssl; # HTTPS
ssl_certificate /etc/letsencrypt/live/houseofprayer.ddns.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/houseofprayer.ddns.net/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server {
# Redirect HTTP → HTTPS
if ($host = houseofprayer.ddns.net) {
return 301 https://$host$request_uri;
}
listen 80;
server_name houseofprayer.ddns.net;
return 404;
}
```
---
## 🌐 Router Port Forwarding Required
**⚠️ CRITICAL:** Forward these ports on your router:
| External Port | Internal IP | Internal Port | Protocol |
|---------------|-------------|---------------|----------|
| 80 (HTTP) | 192.168.10.130 | 80 | TCP |
| 443 (HTTPS) | 192.168.10.130 | 443 | TCP |
**Why Port 443?**
- HTTPS uses port 443 (not 8080!)
- Nginx listens on 443 and proxies to backend port 8080
- Devices connect to HTTPS without specifying port
---
## 📱 Testing on Other Devices
### 1. **From Your Local Network:**
```
Open browser on phone/tablet:
https://houseofprayer.ddns.net
```
### 2. **From Outside Network (Internet):**
```
Requires port forwarding setup first!
https://houseofprayer.ddns.net
```
### 3. **Check Settings Page:**
```
https://houseofprayer.ddns.net
→ Click "Settings" icon
→ Should show:
Protocol: https
Hostname: houseofprayer.ddns.net
Port: (empty)
Status: ✅ Connected
```
---
## 🔒 SSL Certificate Auto-Renewal
Certbot automatically renews certificates:
```bash
# Check renewal status
sudo certbot renew --dry-run
# View renewal timer
sudo systemctl status certbot.timer
# Manual renewal (if needed)
sudo certbot renew
```
**Certificate expires:** March 16, 2026
**Auto-renewal:** Runs twice daily
**You don't need to do anything!** 🎉
---
## 🛠️ Service Management
```bash
# Check all services
./manage-services.sh status
sudo systemctl status nginx
# Restart services
./manage-services.sh restart
sudo systemctl restart nginx
# View logs
sudo tail -f /var/log/nginx/church-music-access.log
sudo tail -f /var/log/nginx/church-music-error.log
sudo journalctl -u church-music-backend -f
sudo journalctl -u church-music-frontend -f
```
---
## 📊 Architecture Diagram
```
Internet → Router :443 (HTTPS) → Ubuntu Server :443
Nginx (SSL Termination)
┌─────────────────┴─────────────────┐
↓ ↓
Frontend Service :5100 Backend Service :8080
(React Static Files) (Flask API)
PostgreSQL :5432
(192.168.10.130)
```
---
## 🎯 What Users See
### Before
-`http://houseofprayer.ddns.net:5100` (Messy with port)
- ❌ Settings showing "Offline" on other devices
### After
-`https://houseofprayer.ddns.net` (Clean & Secure!)
- ✅ Settings showing "Connected" on all devices
- ✅ Green padlock 🔒 in browser
- ✅ Professional appearance
---
## 💡 Pro Tips
1. **Clear Browser Cache** on all devices after this update
2. **Bookmark:** `https://houseofprayer.ddns.net` (not http)
3. **Share the HTTPS URL** with other users
4. **Mobile Data Test:** Test from phone using mobile data (not WiFi) to verify external access
5. **Settings Page:** Users can click "Fix Settings" button if still showing offline
---
## 📱 Mobile App / PWA Ready
Your site now supports Progressive Web App (PWA) installation:
1. Open `https://houseofprayer.ddns.net` on mobile
2. Browser will prompt "Add to Home Screen"
3. Acts like a native app!
**HTTPS required for PWA features** ✅ Done!
---
## 🔍 Troubleshooting
### "Site Can't Be Reached" from Outside Network
- Check router port forwarding (ports 80 & 443)
- Verify DNS points to your current public IP
- Test: `curl -I https://houseofprayer.ddns.net` from server
### Settings Show "Offline"
1. Open browser DevTools (F12)
2. Go to Application → Storage → Local Storage
3. Delete `api_settings` entry
4. Refresh page
5. Should auto-detect HTTPS DNS hostname
### SSL Certificate Warnings
- Ensure DNS hostname matches certificate
- Check certificate not expired: `sudo certbot certificates`
- Verify firewall allows port 443
### Backend API Not Working
```bash
# Test backend directly
curl http://localhost:8080/api/health
# Test via Nginx
curl https://localhost/api/health
# Check service status
sudo systemctl status church-music-backend
```
---
## 📝 Files Changed
1. **[frontend/src/api.js](frontend/src/api.js)** - Fixed API endpoint detection
- Auto-detect protocol (http/https)
- Remove port when using DNS hostname
- Keep port 8080 only for localhost
2. **Frontend Rebuilt** - Applied changes
```bash
npm run build
sudo systemctl restart church-music-frontend
```
3. **Nginx Config** - Updated by Certbot
- SSL certificate added
- HTTPS listener on port 443
- HTTP→HTTPS redirect enabled
---
## ✅ Success Checklist
- [x] SSL certificate installed (Let's Encrypt)
- [x] HTTPS working: <https://houseofprayer.ddns.net>
- [x] HTTP redirects to HTTPS automatically
- [x] API endpoint fixed for DNS hostname
- [x] Frontend rebuilt with updates
- [x] Services restarted successfully
- [x] Auto-renewal configured
- [ ] Router port forwarding (ports 80 & 443) ← **DO THIS NEXT**
- [ ] Test from external network
- [ ] Clear cache on all devices
- [ ] Update bookmarks to HTTPS
---
## 🎉 You're Done
**Your production site is now:**
- ✅ Secure (HTTPS/SSL)
- ✅ Professional (No port numbers)
- ✅ Accessible from anywhere
- ✅ Mobile-friendly
- ✅ Auto-renewing certificate
- ✅ Other devices can connect!
**Share your site:**
🔗 **<https://houseofprayer.ddns.net>**
---
*Certificate issued: December 16, 2025*
*Expires: March 16, 2026 (Auto-renews)*
*SSL Grade: A+ (Strong encryption)*
Reference in New Issue Copy Permalink