Initial commit - Church Music Database
This commit is contained in:
284
new-site/SSL_SETUP_GUIDE.md
Normal file
284
new-site/SSL_SETUP_GUIDE.md
Normal file
@@ -0,0 +1,284 @@
|
||||
# SSL and DNS Setup Guide
|
||||
|
||||
## Quick Deployment
|
||||
|
||||
To deploy the entire site with SSL and systemd services:
|
||||
|
||||
```bash
|
||||
cd /media/pts/Website/Church_HOP_MusicData/new-site
|
||||
sudo ./deploy.sh
|
||||
```
|
||||
|
||||
This will:
|
||||
|
||||
- ✅ Install systemd services for backend and frontend
|
||||
- ✅ Obtain SSL certificate from Let's Encrypt
|
||||
- ✅ Configure Nginx as reverse proxy
|
||||
- ✅ Set up automatic SSL renewal
|
||||
- ✅ Enable services to start on boot
|
||||
|
||||
## Manual Setup
|
||||
|
||||
### Step 1: Install SSL Certificate Only
|
||||
|
||||
```bash
|
||||
cd /media/pts/Website/Church_HOP_MusicData/new-site
|
||||
sudo ./setup-ssl.sh
|
||||
```
|
||||
|
||||
### Step 2: Restart Backend with Updated CORS
|
||||
|
||||
```bash
|
||||
sudo systemctl restart church-music-backend
|
||||
# OR manually:
|
||||
cd /media/pts/Website/Church_HOP_MusicData/new-site/backend
|
||||
pkill -f "node server.js"
|
||||
nohup node server.js > /tmp/backend.log 2>&1 &
|
||||
```
|
||||
|
||||
## Configuration Details
|
||||
|
||||
### Domain
|
||||
|
||||
- **DNS**: houseofprayer.ddns.net
|
||||
- **HTTP**: Port 80 (redirects to HTTPS)
|
||||
- **HTTPS**: Port 443 (SSL/TLS)
|
||||
|
||||
### Backend
|
||||
|
||||
- **Port**: 8080 (internal)
|
||||
- **URL**: <https://houseofprayer.ddns.net/api/>
|
||||
- **CORS**: Allows localhost and houseofprayer.ddns.net
|
||||
|
||||
### Frontend
|
||||
|
||||
- **Port**: 5100 (internal, Vite dev server)
|
||||
- **URL**: <https://houseofprayer.ddns.net/>
|
||||
- **Proxy**: Nginx forwards to localhost:5100
|
||||
|
||||
### SSL Certificate
|
||||
|
||||
- **Provider**: Let's Encrypt
|
||||
- **Location**: `/etc/letsencrypt/live/houseofprayer.ddns.net/`
|
||||
- **Renewal**: Automatic (daily at 3 AM)
|
||||
- **Manual Renewal**: `sudo certbot renew`
|
||||
|
||||
## Service Management
|
||||
|
||||
### Start/Stop Services
|
||||
|
||||
```bash
|
||||
# Backend
|
||||
sudo systemctl start church-music-backend
|
||||
sudo systemctl stop church-music-backend
|
||||
sudo systemctl restart church-music-backend
|
||||
sudo systemctl status church-music-backend
|
||||
|
||||
# Frontend
|
||||
sudo systemctl start church-music-frontend
|
||||
sudo systemctl stop church-music-frontend
|
||||
sudo systemctl restart church-music-frontend
|
||||
sudo systemctl status church-music-frontend
|
||||
|
||||
# Nginx
|
||||
sudo systemctl start nginx
|
||||
sudo systemctl stop nginx
|
||||
sudo systemctl restart nginx
|
||||
sudo systemctl status nginx
|
||||
```
|
||||
|
||||
### View Logs
|
||||
|
||||
```bash
|
||||
# Backend logs (real-time)
|
||||
sudo journalctl -u church-music-backend -f
|
||||
|
||||
# Frontend logs (real-time)
|
||||
sudo journalctl -u church-music-frontend -f
|
||||
|
||||
# Nginx access logs
|
||||
sudo tail -f /var/log/nginx/church-music-access.log
|
||||
|
||||
# Nginx error logs
|
||||
sudo tail -f /var/log/nginx/church-music-error.log
|
||||
```
|
||||
|
||||
## Firewall Configuration
|
||||
|
||||
Make sure these ports are open:
|
||||
|
||||
```bash
|
||||
# Check current firewall status
|
||||
sudo ufw status
|
||||
|
||||
# Allow HTTP (for Let's Encrypt)
|
||||
sudo ufw allow 80/tcp
|
||||
|
||||
# Allow HTTPS
|
||||
sudo ufw allow 443/tcp
|
||||
|
||||
# Allow SSH (if not already)
|
||||
sudo ufw allow 22/tcp
|
||||
|
||||
# Enable firewall
|
||||
sudo ufw enable
|
||||
```
|
||||
|
||||
## Router Port Forwarding
|
||||
|
||||
Ensure your router forwards these ports to this server:
|
||||
|
||||
- **Port 80** → Internal IP:80 (HTTP)
|
||||
- **Port 443** → Internal IP:443 (HTTPS)
|
||||
|
||||
## Testing
|
||||
|
||||
### 1. Test SSL Certificate
|
||||
|
||||
```bash
|
||||
# Check certificate validity
|
||||
sudo certbot certificates
|
||||
|
||||
# Test SSL configuration
|
||||
curl -I https://houseofprayer.ddns.net
|
||||
|
||||
# Check SSL rating
|
||||
# Visit: https://www.ssllabs.com/ssltest/analyze.html?d=houseofprayer.ddns.net
|
||||
```
|
||||
|
||||
### 2. Test API Endpoints
|
||||
|
||||
```bash
|
||||
# Test backend API
|
||||
curl https://houseofprayer.ddns.net/api/stats
|
||||
|
||||
# Test login
|
||||
curl -X POST https://houseofprayer.ddns.net/api/auth/login \
|
||||
-H "Content-Type: application/json" \
|
||||
-d '{"username":"hop","password":"hopmusic2025"}'
|
||||
```
|
||||
|
||||
### 3. Test from Browser
|
||||
|
||||
Open: <https://houseofprayer.ddns.net>
|
||||
|
||||
Expected:
|
||||
|
||||
- ✅ Valid SSL certificate (green padlock)
|
||||
- ✅ Login page appears
|
||||
- ✅ Can log in with credentials
|
||||
- ✅ All features work normally
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
### SSL Certificate Issues
|
||||
|
||||
```bash
|
||||
# Check if certificate exists
|
||||
ls -la /etc/letsencrypt/live/houseofprayer.ddns.net/
|
||||
|
||||
# Verify DNS is pointing to this server
|
||||
nslookup houseofprayer.ddns.net
|
||||
|
||||
# Test port 80 accessibility
|
||||
curl -I http://houseofprayer.ddns.net
|
||||
|
||||
# Force certificate renewal
|
||||
sudo certbot renew --force-renewal
|
||||
```
|
||||
|
||||
### Service Won't Start
|
||||
|
||||
```bash
|
||||
# Check service status
|
||||
sudo systemctl status church-music-backend
|
||||
|
||||
# View recent logs
|
||||
sudo journalctl -u church-music-backend -n 50
|
||||
|
||||
# Check if port is already in use
|
||||
sudo lsof -i:8080
|
||||
sudo lsof -i:5100
|
||||
|
||||
# Manually test backend
|
||||
cd /media/pts/Website/Church_HOP_MusicData/new-site/backend
|
||||
node server.js
|
||||
```
|
||||
|
||||
### Nginx Issues
|
||||
|
||||
```bash
|
||||
# Test Nginx configuration
|
||||
sudo nginx -t
|
||||
|
||||
# View Nginx error log
|
||||
sudo tail -f /var/log/nginx/error.log
|
||||
|
||||
# Reload Nginx configuration
|
||||
sudo systemctl reload nginx
|
||||
```
|
||||
|
||||
### Can't Access from Outside
|
||||
|
||||
1. **Check DNS**: `nslookup houseofprayer.ddns.net`
|
||||
2. **Check router port forwarding**: Ports 80 and 443
|
||||
3. **Check firewall**: `sudo ufw status`
|
||||
4. **Check if ports are listening**: `sudo netstat -tlnp | grep -E ':(80|443)'`
|
||||
5. **Test from external site**: <https://www.isitdownrightnow.com/houseofprayer.ddns.net.html>
|
||||
|
||||
## Security Recommendations
|
||||
|
||||
### 1. Change Default Passwords
|
||||
|
||||
Update all user passwords from defaults in [CREDENTIALS.md](CREDENTIALS.md)
|
||||
|
||||
### 2. Enable Production CORS
|
||||
|
||||
Edit `backend/server.js` and restrict CORS to only your domain
|
||||
|
||||
### 3. Rate Limiting
|
||||
|
||||
Already enabled (1000 requests per 15 minutes)
|
||||
|
||||
### 4. Keep System Updated
|
||||
|
||||
```bash
|
||||
# Update packages
|
||||
sudo apt update && sudo apt upgrade -y
|
||||
|
||||
# Update Node.js packages
|
||||
cd /media/pts/Website/Church_HOP_MusicData/new-site/backend
|
||||
npm update
|
||||
|
||||
cd /media/pts/Website/Church_HOP_MusicData/new-site/frontend
|
||||
npm update
|
||||
```
|
||||
|
||||
### 5. Monitor Logs Regularly
|
||||
|
||||
```bash
|
||||
# Set up log rotation (already configured by systemd)
|
||||
# Check logs weekly for suspicious activity
|
||||
sudo journalctl -u church-music-backend --since "1 week ago" | grep -i error
|
||||
```
|
||||
|
||||
## Backup SSL Certificates
|
||||
|
||||
```bash
|
||||
# Backup certificates
|
||||
sudo tar -czf ~/letsencrypt-backup-$(date +%Y%m%d).tar.gz /etc/letsencrypt/
|
||||
|
||||
# Restore certificates (if needed)
|
||||
sudo tar -xzf ~/letsencrypt-backup-YYYYMMDD.tar.gz -C /
|
||||
```
|
||||
|
||||
## Additional Resources
|
||||
|
||||
- **Let's Encrypt**: <https://letsencrypt.org/>
|
||||
- **Nginx Documentation**: <https://nginx.org/en/docs/>
|
||||
- **Certbot**: <https://certbot.eff.org/>
|
||||
- **SSL Labs Test**: <https://www.ssllabs.com/ssltest/>
|
||||
|
||||
---
|
||||
|
||||
Last Updated: January 25, 2026
|
||||
Reference in New Issue
Block a user