Church-Music/new-site/SSL_SETUP_GUIDE.md

# SSL and DNS Setup Guide

## Quick Deployment

To deploy the entire site with SSL and systemd services:

```bash
cd /media/pts/Website/Church_HOP_MusicData/new-site
sudo ./deploy.sh
```

This will:

- ✅ Install systemd services for backend and frontend
- ✅ Obtain SSL certificate from Let's Encrypt
- ✅ Configure Nginx as reverse proxy
- ✅ Set up automatic SSL renewal
- ✅ Enable services to start on boot

## Manual Setup

### Step 1: Install SSL Certificate Only

```bash
cd /media/pts/Website/Church_HOP_MusicData/new-site
sudo ./setup-ssl.sh
```

### Step 2: Restart Backend with Updated CORS

```bash
sudo systemctl restart church-music-backend
# OR manually:
cd /media/pts/Website/Church_HOP_MusicData/new-site/backend
pkill -f "node server.js"
nohup node server.js > /tmp/backend.log 2>&1 &
```

## Configuration Details

### Domain

- **DNS**: houseofprayer.ddns.net
- **HTTP**: Port 80 (redirects to HTTPS)
- **HTTPS**: Port 443 (SSL/TLS)

### Backend

- **Port**: 8080 (internal)
- **URL**: <https://houseofprayer.ddns.net/api/>
- **CORS**: Allows localhost and houseofprayer.ddns.net

### Frontend

- **Port**: 5100 (internal, Vite dev server)
- **URL**: <https://houseofprayer.ddns.net/>
- **Proxy**: Nginx forwards to localhost:5100

### SSL Certificate

- **Provider**: Let's Encrypt
- **Location**: `/etc/letsencrypt/live/houseofprayer.ddns.net/`
- **Renewal**: Automatic (daily at 3 AM)
- **Manual Renewal**: `sudo certbot renew`

## Service Management

### Start/Stop Services

```bash
# Backend
sudo systemctl start church-music-backend
sudo systemctl stop church-music-backend
sudo systemctl restart church-music-backend
sudo systemctl status church-music-backend

# Frontend
sudo systemctl start church-music-frontend
sudo systemctl stop church-music-frontend
sudo systemctl restart church-music-frontend
sudo systemctl status church-music-frontend

# Nginx
sudo systemctl start nginx
sudo systemctl stop nginx
sudo systemctl restart nginx
sudo systemctl status nginx
```

### View Logs

```bash
# Backend logs (real-time)
sudo journalctl -u church-music-backend -f

# Frontend logs (real-time)
sudo journalctl -u church-music-frontend -f

# Nginx access logs
sudo tail -f /var/log/nginx/church-music-access.log

# Nginx error logs
sudo tail -f /var/log/nginx/church-music-error.log
```

## Firewall Configuration

Make sure these ports are open:

```bash
# Check current firewall status
sudo ufw status

# Allow HTTP (for Let's Encrypt)
sudo ufw allow 80/tcp

# Allow HTTPS
sudo ufw allow 443/tcp

# Allow SSH (if not already)
sudo ufw allow 22/tcp

# Enable firewall
sudo ufw enable
```

## Router Port Forwarding

Ensure your router forwards these ports to this server:

- **Port 80** → Internal IP:80 (HTTP)
- **Port 443** → Internal IP:443 (HTTPS)

## Testing

### 1. Test SSL Certificate

```bash
# Check certificate validity
sudo certbot certificates

# Test SSL configuration
curl -I https://houseofprayer.ddns.net

# Check SSL rating
# Visit: https://www.ssllabs.com/ssltest/analyze.html?d=houseofprayer.ddns.net
```

### 2. Test API Endpoints

```bash
# Test backend API
curl https://houseofprayer.ddns.net/api/stats

# Test login
curl -X POST https://houseofprayer.ddns.net/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"hop","password":"hopmusic2025"}'
```

### 3. Test from Browser

Open: <https://houseofprayer.ddns.net>

Expected:

- ✅ Valid SSL certificate (green padlock)
- ✅ Login page appears
- ✅ Can log in with credentials
- ✅ All features work normally

## Troubleshooting

### SSL Certificate Issues

```bash
# Check if certificate exists
ls -la /etc/letsencrypt/live/houseofprayer.ddns.net/

# Verify DNS is pointing to this server
nslookup houseofprayer.ddns.net

# Test port 80 accessibility
curl -I http://houseofprayer.ddns.net

# Force certificate renewal
sudo certbot renew --force-renewal
```

### Service Won't Start

```bash
# Check service status
sudo systemctl status church-music-backend

# View recent logs
sudo journalctl -u church-music-backend -n 50

# Check if port is already in use
sudo lsof -i:8080
sudo lsof -i:5100

# Manually test backend
cd /media/pts/Website/Church_HOP_MusicData/new-site/backend
node server.js
```

### Nginx Issues

```bash
# Test Nginx configuration
sudo nginx -t

# View Nginx error log
sudo tail -f /var/log/nginx/error.log

# Reload Nginx configuration
sudo systemctl reload nginx
```

### Can't Access from Outside

1. **Check DNS**: `nslookup houseofprayer.ddns.net`
2. **Check router port forwarding**: Ports 80 and 443
3. **Check firewall**: `sudo ufw status`
4. **Check if ports are listening**: `sudo netstat -tlnp | grep -E ':(80|443)'`
5. **Test from external site**: <https://www.isitdownrightnow.com/houseofprayer.ddns.net.html>

## Security Recommendations

### 1. Change Default Passwords

Update all user passwords from defaults in [CREDENTIALS.md](CREDENTIALS.md)

### 2. Enable Production CORS

Edit `backend/server.js` and restrict CORS to only your domain

### 3. Rate Limiting

Already enabled (1000 requests per 15 minutes)

### 4. Keep System Updated

```bash
# Update packages
sudo apt update && sudo apt upgrade -y

# Update Node.js packages
cd /media/pts/Website/Church_HOP_MusicData/new-site/backend
npm update

cd /media/pts/Website/Church_HOP_MusicData/new-site/frontend
npm update
```

### 5. Monitor Logs Regularly

```bash
# Set up log rotation (already configured by systemd)
# Check logs weekly for suspicious activity
sudo journalctl -u church-music-backend --since "1 week ago" | grep -i error
```

## Backup SSL Certificates

```bash
# Backup certificates
sudo tar -czf ~/letsencrypt-backup-$(date +%Y%m%d).tar.gz /etc/letsencrypt/

# Restore certificates (if needed)
sudo tar -xzf ~/letsencrypt-backup-YYYYMMDD.tar.gz -C /
```

## Additional Resources

- **Let's Encrypt**: <https://letsencrypt.org/>
- **Nginx Documentation**: <https://nginx.org/en/docs/>
- **Certbot**: <https://certbot.eff.org/>
- **SSL Labs Test**: <https://www.ssllabs.com/ssltest/>

---

Last Updated: January 25, 2026