# QuickBooks POS Help Server - Security & Deployment Guide

## Current Setup Status

- ✅ Secure production server created
- ✅ Auto-restart service configured
- ✅ HTTPS preparation complete
- ⏳ DNS setup (pending)
- ⏳ HTTPS enabled (pending)

## Security Features Implemented

### 1. IP Whitelist

- Located in `secure_production_server.py`
- Edit the `ALLOWED_IPS` list to restrict access
- Example: `ALLOWED_IPS = ['192.168.10.0/24', '10.0.0.1']`
- Default: empty list = allow all (update before production)

### 2. Rate Limiting

- 1000 requests per minute per IP
- Mitigates request flooding (DoS) from a single source
- Configurable via `RATE_LIMIT_REQUESTS`

### 3. Security Headers

- `X-Content-Type-Options: nosniff`
- `X-Frame-Options: SAMEORIGIN`
- `X-XSS-Protection`: enabled

### 4. Logging

- All requests logged to `/tmp/qbpos_help_server.log`
- Errors and security events tracked
- Use `sudo journalctl -u qbpos-help -f` for live logs

## Installation Steps

### Step 1: Stop Current Server

```bash
# Note: this terminates every python3 process on the host, not only the help server
pkill -9 python3
```

### Step 2: Install as System Service (Auto-Restart on Reboot)

```bash
cd /home/pts/Documents/QBPOS_Help_Web
chmod +x install_service.sh
sudo bash install_service.sh
```

### Step 3: Verify Service is Running

```bash
sudo systemctl status qbpos-help
```

### Step 4: Test Access

```bash
curl http://localhost:8888/POS_Help.html
```

## Service Management Commands

```bash
# Start service
sudo systemctl start qbpos-help

# Stop service
sudo systemctl stop qbpos-help

# Restart service
sudo systemctl restart qbpos-help

# Check status
sudo systemctl status qbpos-help

# View logs
sudo journalctl -u qbpos-help -f

# Enable auto-start on boot (already done)
sudo systemctl enable qbpos-help

# Disable auto-start
sudo systemctl disable qbpos-help
```

## HTTPS Setup (When Ready with DNS)

### Prerequisites

1. Domain name (e.g., qbpos.prompttech.com)
2. Domain DNS pointing to server IP: 192.168.10.130
3. Ports 80 and 443 open in firewall

### Setup HTTPS

```bash
cd /home/pts/Documents/QBPOS_Help_Web
chmod +x setup_https.sh
sudo bash setup_https.sh
```

Follow the prompts to enter the domain name. The script will:

- Install Certbot
- Obtain a Let's Encrypt SSL certificate
- Configure the server for HTTPS
- Enable auto-renewal
- Change the port from 8888 to 443

## Security Hardening Checklist

### Before Production

- [ ] Update `ALLOWED_IPS` in `secure_production_server.py`
- [ ] Review and adjust `RATE_LIMIT_REQUESTS`
- [ ] Set up firewall rules (UFW)
- [ ] Configure DNS
- [ ] Enable HTTPS
- [ ] Set up monitoring alerts
- [ ] Create backup strategy

### Firewall Configuration (UFW)

```bash
# Install UFW
sudo apt install ufw

# Allow SSH
sudo ufw allow 22/tcp

# Allow HTTP (for Let's Encrypt verification)
sudo ufw allow 80/tcp

# Allow HTTPS (when ready)
sudo ufw allow 443/tcp

# Or allow custom port (current setup)
sudo ufw allow 8888/tcp

# Enable firewall
sudo ufw enable

# Check status
sudo ufw status
```

## Monitoring

### Check Server Health

```bash
# CPU and memory usage (batch mode, single snapshot, so the output can be piped)
top -b -n 1 | grep python3

# Connection count
ss -ant | grep :8888 | wc -l

# Recent errors
sudo journalctl -u qbpos-help --since "1 hour ago" | grep ERROR
```

### Log Analysis

```bash
# View access log
tail -f /tmp/qbpos_help_server.log

# Count requests by IP
grep "GET" /tmp/qbpos_help_server.log | awk '{print $1}' | sort | uniq -c | sort -rn

# Find blocked IPs
grep "Blocked" /tmp/qbpos_help_server.log
```

## Troubleshooting

### Service won't start

```bash
sudo journalctl -u qbpos-help -n 50
```

### Port already in use

```bash
# Find the process holding the port
sudo lsof -i :8888

# Terminate it using the PID shown in the lsof output
sudo kill -9 <PID>

sudo systemctl restart qbpos-help
```

### Permission issues

```bash
sudo chown -R pts:pts /home/pts/Documents/QBPOS_Help_Web
chmod +x /home/pts/Documents/QBPOS_Help_Web/secure_production_server.py
```

## DNS Setup (When Ready)

1. **Get domain name** (e.g., qbpos.prompttech.com)
2. **Add A record** in DNS provider:
   - Type: A
   - Name: qbpos (or @)
   - Value: 192.168.10.130
   - TTL: 3600
3. **Wait for propagation** (5-30 minutes)
4. **Verify**: `nslookup qbpos.prompttech.com`
5. **Run HTTPS setup**: `sudo bash setup_https.sh`

## Current Access URLs

- **HTTP (current)**:
- **Localhost**:
- **After DNS**:
- **After HTTPS**:

## Backup Strategy

### Configuration Files

```bash
# Backup important files
mkdir -p ~/backups/qbpos_help
cp /home/pts/Documents/QBPOS_Help_Web/secure_production_server.py ~/backups/qbpos_help/
cp /etc/systemd/system/qbpos-help.service ~/backups/qbpos_help/
```

### Full Backup

```bash
tar -czf ~/qbpos_help_backup_$(date +%Y%m%d).tar.gz \
    /home/pts/Documents/QBPOS_Help_Web/
```

## Support & Maintenance

- Server auto-restarts on failure (10 second delay)
- Server auto-starts on system reboot
- SSL certificates auto-renew (when HTTPS enabled)
- Logs rotate automatically via systemd

## Next Steps

1. ✅ Service installed and running
2. ⏳ Configure IP whitelist (edit `ALLOWED_IPS`)
3. ⏳ Set up firewall (UFW)
4. ⏳ Obtain domain name
5. ⏳ Configure DNS
6. ⏳ Enable HTTPS

For questions: contact the system administrator.
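The IP whitelist and per-IP rate limit described under "Security Features Implemented" can be checked before any file is served. The following is an added illustration written for this guide, not the project's own `secure_production_server.py`: it assumes the `ALLOWED_IPS` and `RATE_LIMIT_REQUESTS` settings named above, treats an empty whitelist as allow-all, fails closed on a malformed client address, and emits "Blocked" reasons that match the `grep "Blocked"` log check in the Log Analysis section.

```python
"""Hypothetical whitelist + rate-limit checks modelled on the guide's description."""
import ipaddress
import time
from collections import defaultdict, deque

# Constructed configuration mirroring the guide's example values.
ALLOWED_IPS = ['192.168.10.0/24', '10.0.0.1']   # empty list = allow all
RATE_LIMIT_REQUESTS = 1000                      # requests per IP per window
RATE_LIMIT_WINDOW = 60.0                        # seconds ("per minute")

# Parse once at startup; a bare address such as 10.0.0.1 becomes a /32 network.
_ALLOWED_NETS = [ipaddress.ip_network(a, strict=False) for a in ALLOWED_IPS]


def ip_allowed(client_ip, allowed_nets=None):
    """True if client_ip falls inside any whitelisted network (or the list is empty)."""
    nets = _ALLOWED_NETS if allowed_nets is None else allowed_nets
    if not nets:
        return True                     # default: allow all (update before production)
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False                    # malformed address: fail closed
    return any(addr in net for net in nets)


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per IP."""

    def __init__(self, limit=RATE_LIMIT_REQUESTS, window=RATE_LIMIT_WINDOW):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)  # client_ip -> timestamps of recent requests

    def allow(self, client_ip, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[client_ip]
        while q and now - q[0] >= self.window:   # drop hits older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def check_request(client_ip, limiter, allowed_nets=None, now=None):
    """Return (status_code, reason) a handler would use before serving a file."""
    if not ip_allowed(client_ip, allowed_nets):
        return 403, "Blocked: not in ALLOWED_IPS"
    if not limiter.allow(client_ip, now):
        return 429, "Blocked: rate limit exceeded"
    return 200, "OK"
```

The `now` parameter exists so the window logic can be exercised deterministically; a real handler would simply omit it.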