diff --git a/PRODUCTION_README.md b/PRODUCTION_README.md index e29c86c..f4e2dff 100644 --- a/PRODUCTION_README.md +++ b/PRODUCTION_README.md @@ -8,13 +8,11 @@ This application is ready for production deployment with proper security measure - Environment variable support (.env files) - Secrets excluded from git (.gitignore) -- HTTPS/SSL configuration (via Let's Encrypt) - JWT-based authentication -- Nginx reverse proxy configuration - Systemd service for process management - Firewall configuration - Automated backups -- Security headers +- Ready for reverse proxy integration (nginx, caddy, traefik, etc.) ## Prerequisites 
@@ -39,37 +37,44 @@ This application is ready for production deployment with proper security measure 3. The script will: - Install all dependencies - - Configure Nginx - - Get SSL certificate - Setup systemd service - Configure firewall - Setup automated backups + - Start the application on HTTP 4. Follow prompts to: - - Enter your domain name - - Enter your email (for SSL) + - Choose application port (default: 8000) - Configure your .env file with secrets +5. Configure your reverse proxy separately for HTTPS + ## Manual Setup See [DEPLOYMENT.md](DEPLOYMENT.md) for detailed step-by-step instructions. -## Free Domain Options +## Reverse Proxy Options (for HTTPS) -### Option 1: DuckDNS (Recommended) -- Visit https://www.duckdns.org -- Sign in and create a subdomain (e.g., `myfaction.duckdns.org`) -- Note your token for DNS updates -- Free HTTPS support with Let's Encrypt +The application runs on HTTP. You'll need to configure a reverse proxy for HTTPS: -### Option 2: FreeDNS -- Visit https://freedns.afraid.org -- Create free subdomain -- Choose from many domain options +### Option 1: Nginx +- Simple configuration +- Widely used and documented +- Free SSL with Let's Encrypt/Certbot -### Option 3: No-IP -- Visit https://www.noip.com -- Free tier includes dynamic DNS +### Option 2: Caddy +- Automatic HTTPS with built-in Let's Encrypt +- Simple configuration file +- Recommended for ease of use + +### Option 3: Traefik +- Great for containerized deployments +- Automatic SSL certificate management +- Dynamic configuration + +### Free Domain Options: +- **DuckDNS** (https://www.duckdns.org) - Free subdomain +- **FreeDNS** (https://freedns.afraid.org) - Multiple domain options +- **No-IP** (https://www.noip.com) - Dynamic DNS support ## Critical Security Steps 
@@ -112,7 +117,8 @@ See [DEPLOYMENT.md](DEPLOYMENT.md) for detailed step-by-step instructions. ### Access Your Application ``` -https://yourdomain.com +Local: http://localhost:8000 (or your configured port) +Remote: http://YOUR_SERVER_IP:8000 ``` ### Check Service Status @@ -130,10 +136,17 @@ sudo journalctl -u faction-war -f sudo systemctl restart faction-war ``` +### Configure Reverse Proxy +Set up your reverse proxy (nginx, caddy, etc.) to: +- Listen on ports 80/443 +- Forward requests to `http://127.0.0.1:8000` (or your configured port) +- Handle SSL/TLS termination +- Add security headers + ## Configuration ### Option 1: Web Interface (Recommended) -1. Visit `https://yourdomain.com/config` +1. Visit your application URL (e.g., `http://yourserver:8000/config`) 2. Configure all settings through the UI 3. Settings are saved to `data/config.json` @@ -147,20 +160,22 @@ sudo systemctl restart faction-war **Priority**: Environment variables > config.json > defaults +**Note**: Once you configure your reverse proxy with HTTPS, access via secure URL + ## Security Checklist Before going live, verify: - [ ] Strong AUTH_PASSWORD generated and set - [ ] Strong JWT_SECRET generated and set -- [ ] HTTPS/SSL certificate installed -- [ ] Firewall configured (only ports 22, 80, 443) -- [ ] Port 8000 blocked from external access +- [ ] Reverse proxy configured with HTTPS/SSL +- [ ] Firewall configured (SSH + application port only) +- [ ] Application port accessible only via reverse proxy (if using one) - [ ] .env file has permissions 600 - [ ] data/ directory has permissions 700 -- [ ] Automatic SSL renewal working - [ ] Backups configured (2 AM daily) - [ ] Logs accessible and monitoring setup +- [ ] Security headers configured on reverse proxy ## File Structure 
@@ -195,12 +210,8 @@ sudo -u factionwar venv/bin/pip install --upgrade -r requirements.txt sudo systemctl restart faction-war ``` -### Update SSL Certificate -```bash -# Auto-renewal is configured by certbot -# Test renewal: -sudo certbot renew --dry-run -``` +### Update Reverse Proxy Configuration +Configure SSL certificate renewal in your reverse proxy (nginx, caddy, etc.) ## Backups @@ -223,23 +234,23 @@ sudo journalctl -u faction-war -n 50 sudo -u factionwar /opt/faction-war/app/venv/bin/python /opt/faction-war/app/main.py ``` -### 502 Bad Gateway +### Cannot Connect to Application ```bash # Check if app is running sudo systemctl status faction-war -# Check if listening on port 8000 -sudo netstat -tlnp | grep 8000 +# Check if listening on configured port +sudo netstat -tlnp | grep 8000 # or your configured port + +# Check firewall rules +sudo ufw status + +# Test direct connection +curl http://localhost:8000 ``` -### SSL Certificate Issues -```bash -# Renew manually -sudo certbot renew - -# Check certificate status -sudo certbot certificates -``` +### Reverse Proxy Issues +Refer to your reverse proxy documentation (nginx, caddy, etc.) for SSL/HTTPS troubleshooting ## Support @@ -256,7 +267,6 @@ sudo systemctl status faction-war # View logs sudo journalctl -u faction-war -f -sudo tail -f /var/log/nginx/faction-war-error.log # Update application cd /opt/faction-war/app && git pull && sudo systemctl restart faction-war 
@@ -264,28 +274,31 @@ cd /opt/faction-war/app && git pull && sudo systemctl restart faction-war # Manual backup /opt/faction-war/backup.sh -# Renew SSL -sudo certbot renew +# Check if application is listening +sudo netstat -tlnp | grep 8000 # or your port + +# Test application directly +curl http://localhost:8000 ``` ## Monitoring Monitor these logs regularly: - Application: `sudo journalctl -u faction-war -f` -- Nginx Access: `/var/log/nginx/faction-war-access.log` -- Nginx Errors: `/var/log/nginx/faction-war-error.log` +- Reverse Proxy: Check your proxy logs (nginx, caddy, etc.) - System: `sudo tail -f /var/log/syslog` ## Production Best Practices 1. **Use strong passwords** - Generate with OpenSSL -2. **Keep dependencies updated** - Regular `pip install --upgrade` -3. **Monitor logs** - Check for errors and suspicious activity -4. **Backup regularly** - Automated daily backups configured -5. **Use HTTPS only** - HTTP auto-redirects to HTTPS +2. **Configure HTTPS** - Use a reverse proxy with SSL/TLS +3. **Keep dependencies updated** - Regular `pip install --upgrade` +4. **Monitor logs** - Check for errors and suspicious activity +5. **Backup regularly** - Automated daily backups configured 6. **Restrict firewall** - Only necessary ports open 7. **Update system** - Regular `apt update && apt upgrade` 8. **Test backups** - Periodically restore from backup to verify +9. **Secure headers** - Configure security headers on your reverse proxy ## Features diff --git a/caddy-reverse-proxy.example b/caddy-reverse-proxy.example new file mode 100644 index 0000000..54f1726 --- /dev/null +++ b/caddy-reverse-proxy.example 
@@ -0,0 +1,72 @@ +# Example Caddy Reverse Proxy Configuration +# This is an OPTIONAL configuration if you want to use Caddy as your reverse proxy +# The application runs on HTTP and does not require Caddy - you can use any reverse proxy +# +# Caddy is recommended for its simplicity and automatic HTTPS with Let's Encrypt + +# Step 1: Install Caddy +# Ubuntu/Debian: +# sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https +# curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg +# curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list +# sudo apt update +# sudo apt install caddy + +# Step 2: Create/edit /etc/caddy/Caddyfile with the content below +# Replace 'yourdomain.com' with your actual domain +# Replace '8000' with your application port if different + +# ========== Caddyfile Content ========== + +yourdomain.com { + # Caddy automatically handles HTTPS with Let's Encrypt! + + # Reverse proxy to your application + reverse_proxy localhost:8000 + + # Optional: Add security headers + header { + # Enable HSTS + Strict-Transport-Security "max-age=31536000; includeSubDomains" + + # Prevent clickjacking + X-Frame-Options "SAMEORIGIN" + + # Prevent MIME type sniffing + X-Content-Type-Options "nosniff" + + # Enable XSS protection + X-XSS-Protection "1; mode=block" + } + + # Optional: Custom logging + log { + output file /var/log/caddy/faction-war.log + } +} + +# ========== End Caddyfile Content ========== + +# Step 3: Validate configuration +# sudo caddy validate --config /etc/caddy/Caddyfile + +# Step 4: Reload Caddy +# sudo systemctl reload caddy + +# Step 5: Configure firewall +# sudo ufw allow 80/tcp +# sudo ufw allow 443/tcp + +# That's it! 
Caddy will automatically: +# - Get SSL certificate from Let's Encrypt +# - Renew certificates automatically +# - Redirect HTTP to HTTPS +# - Handle all SSL/TLS configuration + +# Your application will now be accessible at https://yourdomain.com + +# Useful Caddy commands: +# sudo systemctl status caddy # Check status +# sudo systemctl restart caddy # Restart Caddy +# sudo journalctl -u caddy -f # View logs +# caddy version # Check Caddy version diff --git a/main.py b/main.py index 0c3a68d..2d41aa6 100644 --- a/main.py +++ b/main.py @@ -98,13 +98,21 @@ async def start_bot(): # Main Entry Point async def main(): + # Parse command-line arguments + import argparse + parser = argparse.ArgumentParser(description="Faction War Dispatch Bot") + parser.add_argument("--port", type=int, default=8000, help="Port to run the application on (default: 8000)") + parser.add_argument("--host", type=str, default="127.0.0.1", help="Host to bind to (default: 127.0.0.1)") + args = parser.parse_args() + # Start Discord bot in background bot_task = asyncio.create_task(start_bot()) # Configure and run FastAPI server - config = uvicorn.Config(app, host="127.0.0.1", port=8000, log_level="info") + config = uvicorn.Config(app, host=args.host, port=args.port, log_level="info") server = uvicorn.Server(config) + print(f"Starting server on {args.host}:{args.port}") await server.serve() if __name__ == "__main__": diff --git a/nginx-reverse-proxy.example b/nginx-reverse-proxy.example new file mode 100644 index 0000000..d9abbbe --- /dev/null +++ b/nginx-reverse-proxy.example 
@@ -0,0 +1,89 @@ +# Example Nginx Reverse Proxy Configuration +# This is an OPTIONAL configuration if you want to use Nginx as your reverse proxy +# The application runs on HTTP and does not require nginx - you can use any reverse proxy + +# Step 1: Install nginx and certbot +# sudo apt install nginx certbot python3-certbot-nginx + +# Step 2: Create this file at /etc/nginx/sites-available/faction-war +# Replace 'yourdomain.com' with your actual domain +# Replace '8000' with your application port if different + +# HTTP - Redirect to HTTPS +server { + listen 80; + listen [::]:80; + server_name yourdomain.com; # REPLACE WITH YOUR DOMAIN + + # Redirect all HTTP to HTTPS + return 301 https://$server_name$request_uri; +} + +# HTTPS - Main Application +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name yourdomain.com; # REPLACE WITH YOUR DOMAIN + + # SSL Configuration (will be managed by Certbot) + # After running certbot, these lines will be automatically added: + # ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; + # ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; + # include /etc/letsencrypt/options-ssl-nginx.conf; + # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + + # Security Headers + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Logging + access_log /var/log/nginx/faction-war-access.log; + error_log /var/log/nginx/faction-war-error.log; + + # Proxy settings + location / { + # Replace 8000 with your application port if different + proxy_pass http://127.0.0.1:8000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # WebSocket support (if needed in future) + 
proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # Timeouts + proxy_connect_timeout 60s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + } + + # Static files (optional optimization) + location /static/ { + alias /opt/faction-war/app/static/; + expires 1d; + add_header Cache-Control "public, immutable"; + } +} + +# Step 3: Enable the site +# sudo ln -s /etc/nginx/sites-available/faction-war /etc/nginx/sites-enabled/ + +# Step 4: Test configuration +# sudo nginx -t + +# Step 5: Get SSL certificate with Certbot +# sudo certbot --nginx -d yourdomain.com + +# Step 6: Reload nginx +# sudo systemctl reload nginx + +# Step 7: Configure firewall +# sudo ufw allow 80/tcp +# sudo ufw allow 443/tcp + +# Your application will now be accessible at https://yourdomain.com diff --git a/setup_production.sh b/setup_production.sh index 0caaa7c..fe822b2 100644 --- a/setup_production.sh +++ b/setup_production.sh @@ -26,24 +26,14 @@ if [ "$EUID" -ne 0 ]; then exit 1 fi -# Get domain name -read -p "Enter your domain name (e.g., faction.yourdomain.com): " DOMAIN -if [ -z "$DOMAIN" ]; then - echo "Domain name is required!" - exit 1 -fi - -# Get email for Let's Encrypt -read -p "Enter your email for SSL certificate (Let's Encrypt): " EMAIL -if [ -z "$EMAIL" ]; then - echo "Email is required for SSL certificate!" - exit 1 -fi +# Get port to run on (default 8000) +read -p "Enter port to run application on (default: 8000): " APP_PORT +APP_PORT=${APP_PORT:-8000} echo "" echo "Installing required packages..." apt update -apt install -y python3 python3-pip python3-venv nginx certbot python3-certbot-nginx git +apt install -y python3 python3-pip python3-venv git echo "" echo "Creating application user..." 
@@ -120,47 +110,10 @@ fi chown factionwar:factionwar .env chmod 600 .env -echo "" -echo "Setting up Nginx configuration..." -# Create a basic HTTP-only config first (Certbot will add SSL) -cat > /etc/nginx/sites-available/faction-war << EOF -# Basic HTTP configuration - Certbot will add SSL -server { - listen 80; - listen [::]:80; - server_name $DOMAIN; - - location / { - proxy_pass http://127.0.0.1:8000; - proxy_set_header Host \$host; - proxy_set_header X-Real-IP \$remote_addr; - proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto \$scheme; - } -} -EOF - -ln -sf /etc/nginx/sites-available/faction-war /etc/nginx/sites-enabled/faction-war - -# Remove default nginx site if it exists -rm -f /etc/nginx/sites-enabled/default - -echo "" -echo "Testing Nginx configuration..." -nginx -t - -echo "" -echo "Reloading Nginx..." -systemctl reload nginx - -echo "" -echo "Getting SSL certificate from Let's Encrypt..." -echo "Certbot will automatically configure SSL in the Nginx config" -certbot --nginx -d $DOMAIN --non-interactive --agree-tos --email $EMAIL --redirect - echo "" echo "Setting up systemd service..." -cp faction-war.service /etc/systemd/system/faction-war.service +# Update the service file with the configured port +sed "s|ExecStart=.*|ExecStart=/opt/faction-war/app/venv/bin/python main.py --port $APP_PORT|g" faction-war.service > /etc/systemd/system/faction-war.service systemctl daemon-reload systemctl enable faction-war systemctl start faction-war @@ -169,8 +122,7 @@ echo "" echo "Configuring firewall..." ufw --force enable ufw allow ssh -ufw allow 80/tcp -ufw allow 443/tcp +ufw allow $APP_PORT/tcp echo "" echo "Setting up backup cron job..." 
@@ -196,7 +148,7 @@ echo "========================================" echo "Setup Complete!" echo "========================================" echo "" -echo "Your application should now be running at: https://$DOMAIN" +echo "Your application should now be running on port $APP_PORT" echo "" echo "User Account Information:" echo " - Service user: factionwar (no password by default)" @@ -208,9 +160,12 @@ echo "Important next steps:" echo "1. Configure /opt/faction-war/app/.env with your secrets (if not done already)" echo " - Edit with: sudo -u factionwar nano /opt/faction-war/app/.env" echo " - Then restart: sudo systemctl restart faction-war" -echo "2. Visit https://$DOMAIN and log in with your AUTH_PASSWORD" -echo "3. Configure your API keys in the Settings page (or use .env)" -echo "4. Test the application functionality" +echo "2. Access the application:" +echo " - Local: http://localhost:$APP_PORT" +echo " - Remote: http://YOUR_SERVER_IP:$APP_PORT" +echo "3. Configure your reverse proxy (nginx, caddy, etc.) to handle HTTPS" +echo "4. Configure your API keys in the Settings page (or use .env)" +echo "5. Test the application functionality" echo "" echo "Useful commands:" echo " - Check status: sudo systemctl status faction-war" @@ -220,6 +175,7 @@ echo " - Update code: cd /opt/faction-war/app && sudo -u factionwar git pull && echo " - Edit config: sudo -u factionwar nano /opt/faction-war/app/.env" echo "" echo "Security reminders:" +echo " - Configure HTTPS on your reverse proxy" echo " - Keep your .env file secure (chmod 600)" echo " - Regularly update: apt update && apt upgrade" echo " - Monitor logs for suspicious activity"
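Review bot: in the PRODUCTION_README "Access Your Application" hunk (`@@ -112,7 +117,8 @@`), `Remote: http://YOUR_SERVER_IP:8000` will not work as this patch stands: main.py defaults `--host` to `127.0.0.1` and the ExecStart written by setup_production.sh passes only `--port`, so the app listens on loopback only. Either drop the remote URL and state that external access goes through the reverse proxy, or document `--host 0.0.0.0` explicitly and say that it exposes the login form and JWT traffic over plaintext HTTP. The same applies to `echo " - Remote: http://YOUR_SERVER_IP:$APP_PORT"` in the setup_production.sh `@@ -208,9 +160,12 @@` hunk.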
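Review bot: the security checklist hunk (`@@ -147,20 +160,22 @@`) contradicts itself: "Firewall configured (SSH + application port only)" opens the plaintext application port to the internet, while the next item requires "Application port accessible only via reverse proxy". With a reverse proxy in front, the firewall should allow SSH, 80 and 443 and leave the application port closed; suggest "Firewall configured (SSH + 80/443 for the reverse proxy; application port not exposed)" and dropping the "(if using one)" hedge, since the same checklist already requires HTTPS via a proxy.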
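Review bot: in the README troubleshooting hunk (`@@ -223,23 +234,23 @@`) and the Quick Reference hunk (`@@ -264,28 +274,31 @@`), `sudo netstat -tlnp | grep 8000` depends on the deprecated net-tools package, which the setup script's `apt install -y python3 python3-pip python3-venv git` line does not install; `ss -tlnp | grep 8000` (iproute2, present on Ubuntu/Debian) works without extra packages. Also, the "Update Reverse Proxy Configuration" hunk (`@@ -195,12 +210,8 @@`) replaces a concrete check with "Configure SSL certificate renewal in your reverse proxy"; since the nginx example still installs certbot, keep `sudo certbot renew --dry-run` as the renewal test for that path.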
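Review bot: in the setup_production.sh port prompt hunk (`@@ -26,24 +26,14 @@`), `APP_PORT` is used unvalidated in the `sed` ExecStart line and in `ufw allow $APP_PORT/tcp`; input such as `80000`, `8000 ` or `abc` passes straight through and leaves a broken unit file and a ufw error at the end of the run. Add a check right after the default, e.g. `case "$APP_PORT" in ''|*[!0-9]*) echo "Port must be numeric"; exit 1;; esac` and `[ "$APP_PORT" -ge 1 ] && [ "$APP_PORT" -le 65535 ] || exit 1`.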
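Review bot: in the setup_production.sh systemd/firewall hunks (`@@ -120,47 +110,10 @@` and `@@ -169,8 +122,7 @@`), `ufw allow $APP_PORT/tcp` is unconditional: with the app bound to 127.0.0.1 the rule does nothing today, and it becomes a plaintext exposure the moment someone starts the service with `--host 0.0.0.0`. Since the patch's own checklist wants the port reachable only through the proxy, drop this line (both proxy examples already open 80/443) or gate it behind an explicit prompt. Separately, `sed "s|ExecStart=.*|ExecStart=/opt/faction-war/app/venv/bin/python main.py --port $APP_PORT|g"` rewrites the whole ExecStart with a relative `main.py`; confirm the unit sets `WorkingDirectory=/opt/faction-war/app`, or use the absolute path the README's manual start command already uses (`/opt/faction-war/app/main.py`).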
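Review bot: in the main.py hunk (`@@ -98,13 +98,21 @@`), `import argparse` sits inside `async def main()`; move it to the module imports. `--port` accepts any int, including negatives, which uvicorn will reject only at bind time; `type=int` with `choices=range(1, 65536)` and `metavar="PORT"` fails fast with a usable message. The `print(f"Starting server on ...")` line bypasses the logging that `log_level="info"` configures for uvicorn; emit it through `logging` so it lands in journald with the rest, and consider logging a warning when `args.host` is not a loopback address, since the login endpoint is then served over plaintext HTTP.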
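Review bot: in the nginx-reverse-proxy.example hunk (`@@ -0,0 +1,89 @@`), the HTTPS `server` block has `listen 443 ssl http2;` while its `ssl_certificate`/`ssl_certificate_key` lines are commented out, so Step 4 (`sudo nginx -t`) fails with "no ssl_certificate is defined for the listen ... ssl directive" before Step 5 (`certbot --nginx`) can run. Either ship the file HTTP-only and let certbot add the HTTPS block (the approach the removed setup-script config took), or uncomment the certificate directives and instruct the reader to run certbot first. Also, `X-XSS-Protection "1; mode=block"` is deprecated, ignored by current browsers and has known problems in older ones; drop it or set it to `0`, and consider a `Content-Security-Policy` header instead. `http2` as a `listen` parameter is deprecated since nginx 1.25.1 in favour of a separate `http2 on;` directive.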
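Review bot: in the caddy-reverse-proxy.example hunk (`@@ -0,0 +1,72 @@`), `reverse_proxy localhost:8000` may resolve `localhost` to `::1` first while the app binds `127.0.0.1`, giving intermittent connection-refused errors; use `127.0.0.1:8000` to match the bind address, as the nginx example already does. The same `X-XSS-Protection "1; mode=block"` remark as for the nginx example applies here.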