Removed nginx setup

2026-01-28 12:10:45 -05:00
parent b2626f56ea
commit d960f6aa15
5 changed files with 250 additions and 112 deletions
--- a/PRODUCTION_README.md
+++ b/PRODUCTION_README.md
@@ -8,13 +8,11 @@ This application is ready for production deployment with proper security measure

 - Environment variable support (.env files)
 - Secrets excluded from git (.gitignore)
- HTTPS/SSL configuration (via Let's Encrypt)
 - JWT-based authentication
- Nginx reverse proxy configuration
 - Systemd service for process management
 - Firewall configuration
 - Automated backups
- Security headers
+- Ready for reverse proxy integration (nginx, caddy, traefik, etc.)

 ## Prerequisites

@@ -39,37 +37,44 @@ This application is ready for production deployment with proper security measure

 3. The script will:
   - Install all dependencies
-   - Configure Nginx
-   - Get SSL certificate
   - Setup systemd service
   - Configure firewall
   - Setup automated backups
+   - Start the application on HTTP

 4. Follow prompts to:
-   - Enter your domain name
-   - Enter your email (for SSL)
+   - Choose application port (default: 8000)
   - Configure your .env file with secrets

+5. Configure your reverse proxy separately for HTTPS
+
 ## Manual Setup

 See [DEPLOYMENT.md](DEPLOYMENT.md) for detailed step-by-step instructions.

-## Free Domain Options
+## Reverse Proxy Options (for HTTPS)

-### Option 1: DuckDNS (Recommended)
- Visit https://www.duckdns.org
- Sign in and create a subdomain (e.g., `myfaction.duckdns.org`)
- Note your token for DNS updates
- Free HTTPS support with Let's Encrypt
+The application runs on HTTP. You'll need to configure a reverse proxy for HTTPS:

-### Option 2: FreeDNS
- Visit https://freedns.afraid.org
- Create free subdomain
- Choose from many domain options
+### Option 1: Nginx
+- Simple configuration
+- Widely used and documented
+- Free SSL with Let's Encrypt/Certbot

-### Option 3: No-IP
- Visit https://www.noip.com
- Free tier includes dynamic DNS
+### Option 2: Caddy
+- Automatic HTTPS with built-in Let's Encrypt
+- Simple configuration file
+- Recommended for ease of use
+
+### Option 3: Traefik
+- Great for containerized deployments
+- Automatic SSL certificate management
+- Dynamic configuration
+
+### Free Domain Options:
+- **DuckDNS** (https://www.duckdns.org) - Free subdomain
+- **FreeDNS** (https://freedns.afraid.org) - Multiple domain options
+- **No-IP** (https://www.noip.com) - Dynamic DNS support

 ## Critical Security Steps

@@ -112,7 +117,8 @@ See [DEPLOYMENT.md](DEPLOYMENT.md) for detailed step-by-step instructions.

 ### Access Your Application
 ```
-https://yourdomain.com
+Local: http://localhost:8000 (or your configured port)
+Remote: http://YOUR_SERVER_IP:8000
 ```

 ### Check Service Status
@@ -130,10 +136,17 @@ sudo journalctl -u faction-war -f
 sudo systemctl restart faction-war
 ```

+### Configure Reverse Proxy
+Set up your reverse proxy (nginx, caddy, etc.) to:
+- Listen on ports 80/443
+- Forward requests to `http://127.0.0.1:8000` (or your configured port)
+- Handle SSL/TLS termination
+- Add security headers
+
 ## Configuration

 ### Option 1: Web Interface (Recommended)
-1. Visit `https://yourdomain.com/config`
+1. Visit your application URL (e.g., `http://yourserver:8000/config`)
 2. Configure all settings through the UI
 3. Settings are saved to `data/config.json`

@@ -147,20 +160,22 @@ sudo systemctl restart faction-war

 **Priority**: Environment variables > config.json > defaults

+**Note**: Once you configure your reverse proxy with HTTPS, access via secure URL
+
 ## Security Checklist

 Before going live, verify:

 - [ ] Strong AUTH_PASSWORD generated and set
 - [ ] Strong JWT_SECRET generated and set
- [ ] HTTPS/SSL certificate installed
- [ ] Firewall configured (only ports 22, 80, 443)
- [ ] Port 8000 blocked from external access
+- [ ] Reverse proxy configured with HTTPS/SSL
+- [ ] Firewall configured (SSH + application port only)
+- [ ] Application port accessible only via reverse proxy (if using one)
 - [ ] .env file has permissions 600
 - [ ] data/ directory has permissions 700
- [ ] Automatic SSL renewal working
 - [ ] Backups configured (2 AM daily)
 - [ ] Logs accessible and monitoring setup
+- [ ] Security headers configured on reverse proxy

 ## File Structure

@@ -195,12 +210,8 @@ sudo -u factionwar venv/bin/pip install --upgrade -r requirements.txt
 sudo systemctl restart faction-war
 ```

-### Update SSL Certificate
-```bash
-# Auto-renewal is configured by certbot
-# Test renewal:
-sudo certbot renew --dry-run
-```
+### Update Reverse Proxy Configuration
+Configure SSL certificate renewal in your reverse proxy (nginx, caddy, etc.)

 ## Backups

@@ -223,23 +234,23 @@ sudo journalctl -u faction-war -n 50
 sudo -u factionwar /opt/faction-war/app/venv/bin/python /opt/faction-war/app/main.py
 ```

-### 502 Bad Gateway
+### Cannot Connect to Application
 ```bash
 # Check if app is running
 sudo systemctl status faction-war

-# Check if listening on port 8000
-sudo netstat -tlnp | grep 8000
+# Check if listening on configured port
+sudo netstat -tlnp | grep 8000  # or your configured port
+
+# Check firewall rules
+sudo ufw status
+
+# Test direct connection
+curl http://localhost:8000
 ```

-### SSL Certificate Issues
-```bash
-# Renew manually
-sudo certbot renew
-
-# Check certificate status
-sudo certbot certificates
-```
+### Reverse Proxy Issues
+Refer to your reverse proxy documentation (nginx, caddy, etc.) for SSL/HTTPS troubleshooting

 ## Support

@@ -256,7 +267,6 @@ sudo systemctl status faction-war

 # View logs
 sudo journalctl -u faction-war -f
-sudo tail -f /var/log/nginx/faction-war-error.log

 # Update application
 cd /opt/faction-war/app && git pull && sudo systemctl restart faction-war
@@ -264,28 +274,31 @@ cd /opt/faction-war/app && git pull && sudo systemctl restart faction-war
 # Manual backup
 /opt/faction-war/backup.sh

-# Renew SSL
-sudo certbot renew
+# Check if application is listening
+sudo netstat -tlnp | grep 8000  # or your port
+
+# Test application directly
+curl http://localhost:8000
 ```

 ## Monitoring

 Monitor these logs regularly:
 - Application: `sudo journalctl -u faction-war -f`
- Nginx Access: `/var/log/nginx/faction-war-access.log`
- Nginx Errors: `/var/log/nginx/faction-war-error.log`
+- Reverse Proxy: Check your proxy logs (nginx, caddy, etc.)
 - System: `sudo tail -f /var/log/syslog`

 ## Production Best Practices

 1. **Use strong passwords** - Generate with OpenSSL
-2. **Keep dependencies updated** - Regular `pip install --upgrade`
-3. **Monitor logs** - Check for errors and suspicious activity
-4. **Backup regularly** - Automated daily backups configured
-5. **Use HTTPS only** - HTTP auto-redirects to HTTPS
+2. **Configure HTTPS** - Use a reverse proxy with SSL/TLS
+3. **Keep dependencies updated** - Regular `pip install --upgrade`
+4. **Monitor logs** - Check for errors and suspicious activity
+5. **Backup regularly** - Automated daily backups configured
 6. **Restrict firewall** - Only necessary ports open
 7. **Update system** - Regular `apt update && apt upgrade`
 8. **Test backups** - Periodically restore from backup to verify
+9. **Secure headers** - Configure security headers on your reverse proxy

 ## Features