# SSL and DNS Setup Guide

## Quick Deployment

To deploy the entire site with SSL and systemd services:

```bash
cd /media/pts/Website/Church_HOP_MusicData/new-site
sudo ./deploy.sh
```

This will:

- ✅ Install systemd services for backend and frontend
- ✅ Obtain SSL certificate from Let's Encrypt
- ✅ Configure Nginx as reverse proxy
- ✅ Set up automatic SSL renewal
- ✅ Enable services to start on boot

## Manual Setup

### Step 1: Install SSL Certificate Only

```bash
cd /media/pts/Website/Church_HOP_MusicData/new-site
sudo ./setup-ssl.sh
```

### Step 2: Restart Backend with Updated CORS

```bash
sudo systemctl restart church-music-backend

# OR manually:
cd /media/pts/Website/Church_HOP_MusicData/new-site/backend
pkill -f "node server.js"
nohup node server.js > /tmp/backend.log 2>&1 &
```

## Configuration Details

### Domain

- **DNS**: houseofprayer.ddns.net
- **HTTP**: Port 80 (redirects to HTTPS)
- **HTTPS**: Port 443 (SSL/TLS)

### Backend

- **Port**: 8080 (internal)
- **URL**:
- **CORS**: Allows localhost and houseofprayer.ddns.net

### Frontend

- **Port**: 5100 (internal, Vite dev server)
- **URL**:
- **Proxy**: Nginx forwards to localhost:5100

### SSL Certificate

- **Provider**: Let's Encrypt
- **Location**: `/etc/letsencrypt/live/houseofprayer.ddns.net/`
- **Renewal**: Automatic (daily at 3 AM)
- **Manual Renewal**: `sudo certbot renew`

## Service Management

### Start/Stop Services

```bash
# Backend
sudo systemctl start church-music-backend
sudo systemctl stop church-music-backend
sudo systemctl restart church-music-backend
sudo systemctl status church-music-backend

# Frontend
sudo systemctl start church-music-frontend
sudo systemctl stop church-music-frontend
sudo systemctl restart church-music-frontend
sudo systemctl status church-music-frontend

# Nginx
sudo systemctl start nginx
sudo systemctl stop nginx
sudo systemctl restart nginx
sudo systemctl status nginx
```

### View Logs

```bash
# Backend logs (real-time)
sudo journalctl -u church-music-backend -f

# Frontend logs (real-time)
sudo journalctl -u church-music-frontend -f

# Nginx access logs
sudo tail -f /var/log/nginx/church-music-access.log

# Nginx error logs
sudo tail -f /var/log/nginx/church-music-error.log
```

## Firewall Configuration

Make sure these ports are open:

```bash
# Check current firewall status
sudo ufw status

# Allow HTTP (for Let's Encrypt)
sudo ufw allow 80/tcp

# Allow HTTPS
sudo ufw allow 443/tcp

# Allow SSH (if not already)
sudo ufw allow 22/tcp

# Enable firewall
sudo ufw enable
```

## Router Port Forwarding

Ensure your router forwards these ports to this server:

- **Port 80** → Internal IP:80 (HTTP)
- **Port 443** → Internal IP:443 (HTTPS)

## Testing

### 1. Test SSL Certificate

```bash
# Check certificate validity
sudo certbot certificates

# Test SSL configuration
curl -I https://houseofprayer.ddns.net

# Check SSL rating
# Visit: https://www.ssllabs.com/ssltest/analyze.html?d=houseofprayer.ddns.net
```

### 2. Test API Endpoints

```bash
# Test backend API
curl https://houseofprayer.ddns.net/api/stats

# Test login
curl -X POST https://houseofprayer.ddns.net/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"hop","password":"hopmusic2025"}'
```

### 3. Test from Browser

Open:

Expected:

- ✅ Valid SSL certificate (green padlock)
- ✅ Login page appears
- ✅ Can log in with credentials
- ✅ All features work normally

## Troubleshooting

### SSL Certificate Issues

```bash
# Check if certificate exists
ls -la /etc/letsencrypt/live/houseofprayer.ddns.net/

# Verify DNS is pointing to this server
nslookup houseofprayer.ddns.net

# Test port 80 accessibility
curl -I http://houseofprayer.ddns.net

# Force certificate renewal
sudo certbot renew --force-renewal
```

### Service Won't Start

```bash
# Check service status
sudo systemctl status church-music-backend

# View recent logs
sudo journalctl -u church-music-backend -n 50

# Check if port is already in use
sudo lsof -i:8080
sudo lsof -i:5100

# Manually test backend
cd /media/pts/Website/Church_HOP_MusicData/new-site/backend
node server.js
```

### Nginx Issues

```bash
# Test Nginx configuration
sudo nginx -t

# View Nginx error log
sudo tail -f /var/log/nginx/error.log

# Reload Nginx configuration
sudo systemctl reload nginx
```

### Can't Access from Outside

1. **Check DNS**: `nslookup houseofprayer.ddns.net`
2. **Check router port forwarding**: Ports 80 and 443
3. **Check firewall**: `sudo ufw status`
4. **Check if ports are listening**: `sudo netstat -tlnp | grep -E ':(80|443)'`
5. **Test from external site**:

## Security Recommendations

### 1. Change Default Passwords

Update all user passwords from defaults in [CREDENTIALS.md](CREDENTIALS.md)

### 2. Enable Production CORS

Edit `backend/server.js` and restrict CORS to only your domain

### 3. Rate Limiting

Already enabled (1000 requests per 15 minutes)

### 4. Keep System Updated

```bash
# Update packages
sudo apt update && sudo apt upgrade -y

# Update Node.js packages
cd /media/pts/Website/Church_HOP_MusicData/new-site/backend
npm update
cd /media/pts/Website/Church_HOP_MusicData/new-site/frontend
npm update
```

### 5. Monitor Logs Regularly

```bash
# Set up log rotation (already configured by systemd)

# Check logs weekly for suspicious activity
sudo journalctl -u church-music-backend --since "1 week ago" | grep -i error
```

## Backup SSL Certificates

```bash
# Backup certificates
sudo tar -czf ~/letsencrypt-backup-$(date +%Y%m%d).tar.gz /etc/letsencrypt/

# Restore certificates (if needed)
sudo tar -xzf ~/letsencrypt-backup-YYYYMMDD.tar.gz -C /
```

## Additional Resources

- **Let's Encrypt**:
- **Nginx Documentation**:
- **Certbot**:
- **SSL Labs Test**:

---

Last Updated: January 25, 2026
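The "Enable Production CORS" recommendation above says to restrict CORS in `backend/server.js` to your own domain; the following is an added example of what that restriction looks like (example code, not the project's own server.js). It assumes an Express-style `(req, res, next)` middleware, uses plain Node so it needs no `cors` package, and keeps only the two origins the guide names, the public domain and the Vite dev server on localhost:5100; the names `ALLOWED_ORIGINS`, `corsHeadersPermissive`, `corsHeadersRestricted` and `corsMiddleware` are hypothetical.

```javascript
// Added example (not the project's backend/server.js): an exact-match origin
// allow-list for the Express backend this guide describes, written as a plain
// Node middleware so it runs without the `cors` package.
const ALLOWED_ORIGINS = new Set([
  'https://houseofprayer.ddns.net', // the public site behind Nginx
  'http://localhost:5100',          // the Vite dev server, for local work
]);

// Weak setting: reflect whatever Origin header arrived (falling back to "*").
// This is the effective behaviour of a wide-open CORS setup: when the Origin
// is reflected with credentials allowed, any site a logged-in user visits can
// read API responses made with that user's cookies.
function corsHeadersPermissive(origin) {
  return {
    'Access-Control-Allow-Origin': origin || '*',
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened setting: exact string match against the allow-list. Anything else,
// including look-alike hosts such as houseofprayer.ddns.net.example (which a
// suffix or substring check would accept), gets no CORS headers at all, so the
// browser refuses to expose the response to the calling page.
function corsHeadersRestricted(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin', // caches must key on Origin once the value varies
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
  };
}

// Express-compatible middleware. A preflight OPTIONS request is answered
// immediately with 204; any other request gets the headers and continues.
// Wire it in before the routes: app.use(corsMiddleware);
function corsMiddleware(req, res, next) {
  const headers = corsHeadersRestricted(req.headers.origin);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (req.method === 'OPTIONS') {
    res.statusCode = 204;
    return res.end();
  }
  next();
}
```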