# DNS and SSL Deployment Summary

## 🎯 What's Ready

All configuration files and scripts have been created for deploying your site with SSL encryption at: **https://houseofprayer.ddns.net**

## 📋 Prerequisites Checklist

Before running the deployment, verify:

- [ ] DNS record `houseofprayer.ddns.net` points to this server's public IP
- [ ] Router forwards ports 80 and 443 to this server
- [ ] Firewall allows incoming traffic on ports 80 and 443
- [ ] Backend and frontend are currently running (ports 8080 and 5100)

## 🚀 Quick Deployment

Run this single command to set everything up:

```bash
cd /media/pts/Website/Church_HOP_MusicData/new-site
sudo ./deploy.sh
```

This automated script will:

1. ✅ Install systemd services (auto-start on boot)
2. ✅ Obtain SSL certificate from Let's Encrypt
3. ✅ Configure Nginx as reverse proxy
4. ✅ Set up automatic SSL renewal
5. ✅ Start all services

## 📁 Files Created

### Configuration Files

- `nginx-ssl.conf` - Nginx configuration with SSL
- `church-music-backend.service` - Backend systemd service
- `church-music-frontend.service` - Frontend systemd service

### Scripts

- `deploy.sh` - Complete deployment automation
- `setup-ssl.sh` - SSL certificate and Nginx setup only

### Documentation

- `SSL_SETUP_GUIDE.md` - Complete guide with troubleshooting
- `CREDENTIALS.md` - Login credentials for all users (stored in plaintext: keep it out of version control and outside the web root)

## 🔧 What Was Updated

### Backend CORS Settings

Updated to accept requests from:

- ✅ `https://houseofprayer.ddns.net`
- ✅ `http://houseofprayer.ddns.net` (only needed until the HTTPS redirect is confirmed working; remove it afterwards so a plaintext origin is not a trusted origin)
- ✅ `http://localhost:5100` (development)
- ✅ `http://localhost:3000` (development; both localhost origins should be dropped from the production configuration)

### Nginx Configuration

- HTTP → HTTPS redirect
- WebSocket support for Vite HMR (this means the frontend service is the Vite dev server; the dev server is not designed for internet exposure, so for production build the static bundle and serve it from Nginx instead)
- Proxy to backend (port 8080)
- Proxy to frontend (port 5100)
- Modern SSL/TLS settings (TLS 1.2, 1.3)
- Security headers (HSTS, X-Frame-Options, etc.)
- OCSP stapling (Let's Encrypt stopped putting OCSP URLs in its certificates and shut down its OCSP responders in 2025, so with current certificates there is nothing to staple; Nginx logs a warning and the directive is inert but harmless)
- Gzip compression (limit it to static asset types; compressing API responses that reflect user input next to a secret such as a token enables BREACH-style attacks)

## 🔐 SSL Certificate Details

- **Provider**: Let's Encrypt (free)
- **Validity**: 90 days (certbot renews once fewer than 30 days remain)
- **Auto-renewal**: Daily check at 3 AM
- **Protocols**: TLS 1.2, TLS 1.3
- **Cipher Suites**: Modern, secure ciphers only

## 🌐 Access Points

After deployment:

| Service | Internal | External |
|---------|----------|----------|
| Frontend | port 5100 on the server | `https://houseofprayer.ddns.net` |
| Backend API | port 8080 on the server | `https://houseofprayer.ddns.net/api/...` |
| Direct Access | ✅ Works | ⚠️ Use domain instead |

Direct access to ports 8080 and 5100 bypasses Nginx, and with it TLS, the security headers and the redirect. Bind both services to `127.0.0.1` (or block those ports on the firewall) so the proxy is the only way in.

## 📊 Service Management

### View Service Status

```bash
sudo systemctl status church-music-backend
sudo systemctl status church-music-frontend
sudo systemctl status nginx
```

### Restart Services

```bash
sudo systemctl restart church-music-backend
sudo systemctl restart church-music-frontend
sudo systemctl restart nginx
```

### View Logs

```bash
# Backend
sudo journalctl -u church-music-backend -f

# Frontend
sudo journalctl -u church-music-frontend -f

# Nginx
sudo tail -f /var/log/nginx/church-music-*.log
```

## ✅ Testing Checklist

After deployment, test:

1. **DNS Resolution**

   ```bash
   nslookup houseofprayer.ddns.net
   # The answer must match this server's public IP
   ```

2. **SSL Certificate**

   ```bash
   # -v prints the negotiated certificate (subject, issuer, expiry), -I keeps the body out
   curl -vI https://houseofprayer.ddns.net 2>&1 | grep -iE 'subject:|issuer:|expire date'
   ```

3. **HTTP → HTTPS Redirect**

   ```bash
   curl -I http://houseofprayer.ddns.net
   # Should return 301 with Location: https://houseofprayer.ddns.net/
   ```

4. **API Endpoint**

   ```bash
   curl https://houseofprayer.ddns.net/api/stats
   ```

5. **Login Functionality**
   - Open: https://houseofprayer.ddns.net
   - Login with: hop / hopmusic2025
   - Verify all features work
   - This is a shared account whose password is written here and in `CREDENTIALS.md`; rotate it before the site is reachable from the internet and do not commit either file

6. **SSL Rating** (optional)
   - Run an external TLS scanner against `houseofprayer.ddns.net`
   - Expected: A or A+ rating

## 🛡️ Security Features Enabled

- ✅ HTTPS enforcement (HTTP redirects to HTTPS)
- ✅ HSTS (HTTP Strict Transport Security): browsers refuse plain HTTP for the whole `max-age`, so only add `preload` once you are sure the site will stay HTTPS-only
- ✅ Secure cipher suites only
- ✅ X-Frame-Options: DENY (prevents clickjacking)
- ✅ X-Content-Type-Options: nosniff
- ✅ X-XSS-Protection enabled (legacy header: current browsers ignore it and the filter it controlled was itself abused for cross-site leaks, so the recommended value is `0`; use a Content-Security-Policy for XSS mitigation instead)
- ✅ OCSP stapling (inert with current Let's Encrypt certificates, see above)
- ✅ Rate limiting (1000 req/15min)
- ✅ Bcrypt password hashing
- ✅ JWT token authentication (7-day expiry; a stolen token stays valid for a week unless the backend also revokes tokens server-side)

## ⚠️ Important Notes

1. **First-time SSL Setup**: Certificate generation takes 1-2 minutes
2. **DNS Propagation**: If DNS was just updated, wait up to 24 hours (dynamic DNS records usually have short TTLs, so it is normally much faster; 24 hours is the worst case)
3. **Port Forwarding**: Must be configured on your router
4. **Firewall**: Must allow ports 80 and 443
5. **Email for SSL**: Update in `setup-ssl.sh` before running (Let's Encrypt uses it for expiry warnings)

## 🔄 Next Steps

1. **Before Deployment**:
   - Verify DNS points to this server
   - Check router port forwarding
   - Update email in `setup-ssl.sh` (line 12)

2. **Run Deployment**:

   ```bash
   sudo ./deploy.sh
   ```

3. **Test Everything**:
   - Access https://houseofprayer.ddns.net
   - Test all login credentials
   - Test biometric authentication (browser biometric/WebAuthn prompts only work in a secure context, so test through the HTTPS domain, not through a direct `http://` port)
   - Verify mobile responsiveness

4. **Monitor**:
   - Check logs daily for first week
   - Verify SSL auto-renewal works (after 60 days), or run `sudo certbot renew --dry-run` right after deployment to exercise the renewal path without waiting

## 📞 Support Commands

```bash
# Quick status check
sudo systemctl status church-music-* nginx

# View all logs
sudo journalctl -xe

# Restart everything (re-runs the whole deployment; for a plain restart use the systemctl restart commands above)
cd /media/pts/Website/Church_HOP_MusicData/new-site
sudo ./deploy.sh

# SSL certificate info
sudo certbot certificates

# Test the renewal path without issuing anything
sudo certbot renew --dry-run

# Renew SSL manually (reissues even when not due and counts against Let's Encrypt's
# duplicate-certificate rate limit; use only when the current certificate must be replaced)
sudo certbot renew --force-renewal
```

## 📚 Additional Documentation

- [SSL_SETUP_GUIDE.md](SSL_SETUP_GUIDE.md) - Detailed SSL setup and troubleshooting
- [CREDENTIALS.md](CREDENTIALS.md) - All user login credentials

---

**Ready to Deploy?**

```bash
cd /media/pts/Website/Church_HOP_MusicData/new-site
sudo ./deploy.sh
```

---

Last Updated: January 25, 2026
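## 🧩 Worked Example: Rendering and Validating the Nginx Site Config

The Nginx Configuration list above names the features but not how they fit together in a server block. The script below is an added example, not the project's `nginx-ssl.conf` or `setup-ssl.sh`: it renders a config with the redirect, TLS 1.2/1.3, the security headers, the two proxies and the WebSocket upgrade, then validates with `nginx -t` before reloading. It assumes certbot's default `/etc/letsencrypt/live/<domain>/` paths, a `/var/www/certbot` webroot for HTTP-01 challenges (if `setup-ssl.sh` uses the certbot nginx plugin, that plugin handles the challenge itself), and both services bound to `127.0.0.1`.

```shell
#!/bin/sh
# Added example (not the project's nginx-ssl.conf): renders a site config with the
# features the summary lists and validates it before reloading Nginx.
# Assumptions: certbot's default live/ paths, /var/www/certbot as HTTP-01 webroot,
# backend on 127.0.0.1:8080, frontend on 127.0.0.1:5100.

render_nginx_conf() { # $1 = domain; prints the config to stdout
    sed "s|__DOMAIN__|$1|g" <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name __DOMAIN__;

    # Keep the ACME challenge path on plain HTTP so renewals keep working
    location /.well-known/acme-challenge/ { root /var/www/certbot; }

    # Everything else: permanent redirect to HTTPS
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name __DOMAIN__;

    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only (TLS 1.3 suites are fixed by nginx/OpenSSL)
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Inert with current Let's Encrypt certificates (no OCSP URL); harmless to keep
    ssl_stapling on;

    # "always" so the headers are sent on error responses too
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Compress static assets only; never application/json (BREACH)
    gzip on;
    gzip_types text/css application/javascript image/svg+xml;

    # URI is passed through unchanged, so /api/stats reaches the backend as /api/stats
    location /api/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    location / {
        proxy_pass http://127.0.0.1:5100;
        proxy_http_version 1.1;
        # WebSocket upgrade for Vite HMR
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}
EOF
}

install_nginx_conf() { # $1 = domain; writes, validates, reloads (needs root)
    render_nginx_conf "$1" > "/etc/nginx/sites-available/$1"
    ln -sf "/etc/nginx/sites-available/$1" "/etc/nginx/sites-enabled/$1"
    nginx -t && systemctl reload nginx
}

case "${1:-}" in
    render)  render_nginx_conf "${2:-houseofprayer.ddns.net}" ;;
    install) install_nginx_conf "${2:-houseofprayer.ddns.net}" ;;
esac
```

`./render-nginx.sh render` prints the config for review; `sudo ./render-nginx.sh install` writes it and only reloads Nginx if `nginx -t` passes, so a typo never takes the site down. The `X-XSS-Protection` value differs from the "enabled" wording above on purpose, for the reason given in the Security Features list.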
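## 🧩 Worked Example: Checking That the App Ports Are Not Exposed

The Access Points table notes that ports 8080 and 5100 work directly. The script below is an added example (not part of the project) that turns the "use the domain instead" advice into a check: it parses `ss -ltn` output and reports any backend/frontend port that is bound to a non-loopback address, which is exactly the case where a LAN client (or, with a misconfigured router, anyone) can bypass Nginx and TLS. The sample `ss` lines are constructed, not captured from the real host.

```shell
#!/bin/sh
# Added example: flags backend/frontend ports listening on a non-loopback address,
# which lets clients bypass Nginx (and with it TLS and the security headers).
# Parses `ss -ltn` output so it can run on captured text without root or a network.

# Reads `ss -ltn` lines on stdin; $1 = space-separated ports to check.
# Prints "<port> bound to <address>" for each wanted port not bound to loopback.
find_exposed_app_ports() {
    awk -v ports="${1:-8080 5100}" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            addr = $4                             # e.g. 0.0.0.0:8080, 127.0.0.1:5100, [::]:22
            if (!match(addr, /:[0-9]+$/)) next    # header line or no port: skip
            port = substr(addr, RSTART + 1)
            host = substr(addr, 1, RSTART - 1)
            if (!(port in want)) next
            if (host == "127.0.0.1" || host == "[::1]") next
            print port " bound to " host
        }'
}

# Live check (needs iproute2); non-zero exit if anything is exposed.
check_app_ports() {
    exposed="$(ss -ltnH | find_exposed_app_ports "${1:-8080 5100}")"
    if [ -n "$exposed" ]; then
        printf 'EXPOSED (bypasses Nginx/TLS):\n%s\n' "$exposed"
        return 1
    fi
    echo "OK: app ports listen on loopback only"
}

# Constructed sample of `ss -ltn` output (with header), not captured from the real host.
# The backend here is wrongly bound to 0.0.0.0; the frontend is correctly on loopback.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:80        0.0.0.0:*
LISTEN 0      4096   0.0.0.0:443       0.0.0.0:*
LISTEN 0      511    0.0.0.0:8080      0.0.0.0:*
LISTEN 0      511    127.0.0.1:5100    0.0.0.0:*
LISTEN 0      4096   [::]:22           [::]:*'

if [ "${1:-}" = "live" ]; then check_app_ports "${2:-8080 5100}"; fi
```

Run `./check-ports.sh live` on the server after deployment. If a port is reported, change the service's bind address to `127.0.0.1` (the Nginx proxy targets in this summary only ever need loopback) or add a firewall rule for that port; either way, re-run until the output is `OK`.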
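## 🧩 Worked Example: Scripted Post-Deployment Smoke Test

The Testing Checklist asks you to eyeball `curl -I` output for the redirect and the headers. The script below is an added example (not the project's code) that checks the same things automatically: a 301 from plain HTTP to the HTTPS origin, and HSTS, `X-Frame-Options: DENY` and `X-Content-Type-Options: nosniff` on the HTTPS response. The parsing functions take the response text as an argument, so they are exercised here on constructed sample responses (not captured from the site) and only the `live` mode touches the network.

```shell
#!/bin/sh
# Added example: post-deployment smoke test for the redirect and security headers
# the summary promises. The checks parse `curl -sI` output passed in as a string,
# so they can be exercised on captured responses with no network access.

# Status code from the first line (handles "HTTP/1.1 301 ..." and "HTTP/2 200").
http_status() {
    printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# Value of a named header, case-insensitive, CR and leading blanks stripped.
header_value() { # $1 = response, $2 = header name
    printf '%s\n' "$1" | tr -d '\r' |
        awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
            { i = index($0, ":"); if (i == 0) next
              if (tolower(substr($0, 1, i - 1)) == want) {
                  v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit } }'
}

# Plain HTTP must answer 301 with a Location on the HTTPS origin for the domain.
check_redirect() { # $1 = response to http://, $2 = domain
    [ "$(http_status "$1")" = "301" ] || { echo "FAIL: expected 301"; return 1; }
    case "$(header_value "$1" Location)" in
        "https://$2/"*) echo "OK: redirects to https://$2/" ;;
        *) echo "FAIL: Location does not point at https://$2/"; return 1 ;;
    esac
}

# HTTPS must be 200 and carry HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff.
# Reports every missing header rather than stopping at the first.
check_security_headers() { # $1 = response to https://
    rc=0
    [ "$(http_status "$1")" = "200" ] || { echo "FAIL: expected 200"; rc=1; }
    case "$(header_value "$1" Strict-Transport-Security)" in
        *max-age=*) ;;
        *) echo "FAIL: Strict-Transport-Security missing"; rc=1 ;;
    esac
    [ "$(header_value "$1" X-Frame-Options)" = "DENY" ] ||
        { echo "FAIL: X-Frame-Options is not DENY"; rc=1; }
    [ "$(header_value "$1" X-Content-Type-Options)" = "nosniff" ] ||
        { echo "FAIL: X-Content-Type-Options is not nosniff"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: security headers present"
    return "$rc"
}

# Live run against the real host (needs network): ./smoke.sh live [domain]
smoke_test() {
    check_redirect "$(curl -sI "http://$1/")" "$1" &&
        check_security_headers "$(curl -sI "https://$1/")"
}

# Constructed sample responses in the shape curl -sI returns; not captured from the site.
SAMPLE_HTTP_RESPONSE='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://houseofprayer.ddns.net/
Content-Length: 169'
SAMPLE_HTTPS_RESPONSE='HTTP/2 200
server: nginx
strict-transport-security: max-age=63072000
x-frame-options: DENY
x-content-type-options: nosniff
content-type: text/html; charset=utf-8'

if [ "${1:-}" = "live" ]; then smoke_test "${2:-houseofprayer.ddns.net}"; fi
```

`./smoke.sh live` exits non-zero on the first failing check, which makes it usable from the renewal cron or a monitoring job as well as right after `deploy.sh`. Headers are matched case-insensitively because HTTP/2 responses arrive lowercased.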