Removed nginx setup

2026-01-28 12:10:45 -05:00
parent b2626f56ea
commit d960f6aa15
5 changed files with 250 additions and 112 deletions


@@ -8,13 +8,11 @@ This application is ready for production deployment with proper security measure
- Environment variable support (.env files) - Environment variable support (.env files)
- Secrets excluded from git (.gitignore) - Secrets excluded from git (.gitignore)
- HTTPS/SSL configuration (via Let's Encrypt)
- JWT-based authentication - JWT-based authentication
- Nginx reverse proxy configuration
- Systemd service for process management - Systemd service for process management
- Firewall configuration - Firewall configuration
- Automated backups - Automated backups
- Security headers - Ready for reverse proxy integration (nginx, caddy, traefik, etc.)
## Prerequisites ## Prerequisites
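Review bot: the feature list drops "Security headers" outright instead of reassigning it, even though the new "Configure Reverse Proxy" section and the security checklist later in this file make headers the proxy's job; keep a bullet such as `- Security headers (set by the reverse proxy)` so readers do not conclude the protection is gone, and the HTTPS bullet can be kept the same way ("via reverse proxy").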
@@ -39,37 +37,44 @@ This application is ready for production deployment with proper security measure
3. The script will: 3. The script will:
- Install all dependencies - Install all dependencies
- Configure Nginx
- Get SSL certificate
- Setup systemd service - Setup systemd service
- Configure firewall - Configure firewall
- Setup automated backups - Setup automated backups
- Start the application on HTTP
4. Follow prompts to: 4. Follow prompts to:
- Enter your domain name - Choose application port (default: 8000)
- Enter your email (for SSL)
- Configure your .env file with secrets - Configure your .env file with secrets
5. Configure your reverse proxy separately for HTTPS
## Manual Setup ## Manual Setup
See [DEPLOYMENT.md](DEPLOYMENT.md) for detailed step-by-step instructions. See [DEPLOYMENT.md](DEPLOYMENT.md) for detailed step-by-step instructions.
## Free Domain Options ## Reverse Proxy Options (for HTTPS)
### Option 1: DuckDNS (Recommended) The application runs on HTTP. You'll need to configure a reverse proxy for HTTPS:
- Visit https://www.duckdns.org
- Sign in and create a subdomain (e.g., `myfaction.duckdns.org`)
- Note your token for DNS updates
- Free HTTPS support with Let's Encrypt
### Option 2: FreeDNS ### Option 1: Nginx
- Visit https://freedns.afraid.org - Simple configuration
- Create free subdomain - Widely used and documented
- Choose from many domain options - Free SSL with Let's Encrypt/Certbot
### Option 3: No-IP ### Option 2: Caddy
- Visit https://www.noip.com - Automatic HTTPS with built-in Let's Encrypt
- Free tier includes dynamic DNS - Simple configuration file
- Recommended for ease of use
### Option 3: Traefik
- Great for containerized deployments
- Automatic SSL certificate management
- Dynamic configuration
### Free Domain Options:
- **DuckDNS** (https://www.duckdns.org) - Free subdomain
- **FreeDNS** (https://freedns.afraid.org) - Multiple domain options
- **No-IP** (https://www.noip.com) - Dynamic DNS support
## Critical Security Steps ## Critical Security Steps
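Review bot: step 3 "Start the application on HTTP" and step 5 "Configure your reverse proxy separately for HTTPS" should say what the application binds to in between: main.py in this commit defaults to 127.0.0.1, so the service is not reachable from outside until a proxy is in front, which is the safe default and worth stating so nobody "fixes" it by binding wider. Also, the new `### Free Domain Options:` heading ends with a colon unlike every other heading in the file, and the Nginx and Caddy options could point at the example proxy configs added in this commit instead of only saying "Simple configuration".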
@@ -112,7 +117,8 @@ See [DEPLOYMENT.md](DEPLOYMENT.md) for detailed step-by-step instructions.
### Access Your Application ### Access Your Application
``` ```
https://yourdomain.com Local: http://localhost:8000 (or your configured port)
Remote: http://YOUR_SERVER_IP:8000
``` ```
### Check Service Status ### Check Service Status
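Review bot: `Remote: http://YOUR_SERVER_IP:8000` does not work as written: main.py in this commit binds 127.0.0.1 unless `--host` is passed, and the setup script only passes `--port`. Either document that remote access needs `--host 0.0.0.0` and that this serves the login form and the JWT over cleartext HTTP, so it belongs only behind a proxy or on a trusted network, or drop the remote line and give the reverse-proxy URL instead.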
@@ -130,10 +136,17 @@ sudo journalctl -u faction-war -f
sudo systemctl restart faction-war sudo systemctl restart faction-war
``` ```
### Configure Reverse Proxy
Set up your reverse proxy (nginx, caddy, etc.) to:
- Listen on ports 80/443
- Forward requests to `http://127.0.0.1:8000` (or your configured port)
- Handle SSL/TLS termination
- Add security headers
## Configuration ## Configuration
### Option 1: Web Interface (Recommended) ### Option 1: Web Interface (Recommended)
1. Visit `https://yourdomain.com/config` 1. Visit your application URL (e.g., `http://yourserver:8000/config`)
2. Configure all settings through the UI 2. Configure all settings through the UI
3. Settings are saved to `data/config.json` 3. Settings are saved to `data/config.json`
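Review bot: the proxy requirements list omits two things both example configs in this commit actually do: redirect HTTP to HTTPS, and pass `X-Forwarded-Proto` / `X-Forwarded-For` so the application sees the original scheme and client address. Add them as bullets; "Handle SSL/TLS termination" alone does not tell a reader that port 80 should redirect rather than serve the app in the clear, and the `/config` URL in the very next section is then reached over plain HTTP.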
@@ -147,20 +160,22 @@ sudo systemctl restart faction-war
**Priority**: Environment variables > config.json > defaults **Priority**: Environment variables > config.json > defaults
**Note**: Once you configure your reverse proxy with HTTPS, access via secure URL
## Security Checklist ## Security Checklist
Before going live, verify: Before going live, verify:
- [ ] Strong AUTH_PASSWORD generated and set - [ ] Strong AUTH_PASSWORD generated and set
- [ ] Strong JWT_SECRET generated and set - [ ] Strong JWT_SECRET generated and set
- [ ] HTTPS/SSL certificate installed - [ ] Reverse proxy configured with HTTPS/SSL
- [ ] Firewall configured (only ports 22, 80, 443) - [ ] Firewall configured (SSH + application port only)
- [ ] Port 8000 blocked from external access - [ ] Application port accessible only via reverse proxy (if using one)
- [ ] .env file has permissions 600 - [ ] .env file has permissions 600
- [ ] data/ directory has permissions 700 - [ ] data/ directory has permissions 700
- [ ] Automatic SSL renewal working
- [ ] Backups configured (2 AM daily) - [ ] Backups configured (2 AM daily)
- [ ] Logs accessible and monitoring setup - [ ] Logs accessible and monitoring setup
- [ ] Security headers configured on reverse proxy
## File Structure ## File Structure
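Review bot: the two firewall items contradict each other when the proxy runs on the same host: "Firewall configured (SSH + application port only)" opens the application port, while "Application port accessible only via reverse proxy" requires it to stay closed with 80/443 open instead. Split the checklist by deployment, e.g. with proxy: `22, 80, 443` open and the app port closed; without proxy: SSH plus the app port, noting that the login then travels over plain HTTP. The removed "Automatic SSL renewal working" item is still needed for the nginx/certbot path, since Caddy renews on its own but certbot depends on its timer.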
@@ -195,12 +210,8 @@ sudo -u factionwar venv/bin/pip install --upgrade -r requirements.txt
sudo systemctl restart faction-war sudo systemctl restart faction-war
``` ```
### Update SSL Certificate ### Update Reverse Proxy Configuration
```bash Configure SSL certificate renewal in your reverse proxy (nginx, caddy, etc.)
# Auto-renewal is configured by certbot
# Test renewal:
sudo certbot renew --dry-run
```
## Backups ## Backups
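Review bot: the replacement is a single sentence with no period and no way to verify renewal, whereas the removed block had a concrete check (`sudo certbot renew --dry-run`). That command is still the right test for nginx + certbot users; keep it under an "if you use nginx with certbot" sub-heading, and for Caddy state that renewal is automatic and visible in `sudo journalctl -u caddy`.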
@@ -223,23 +234,23 @@ sudo journalctl -u faction-war -n 50
sudo -u factionwar /opt/faction-war/app/venv/bin/python /opt/faction-war/app/main.py sudo -u factionwar /opt/faction-war/app/venv/bin/python /opt/faction-war/app/main.py
``` ```
### 502 Bad Gateway ### Cannot Connect to Application
```bash ```bash
# Check if app is running # Check if app is running
sudo systemctl status faction-war sudo systemctl status faction-war
# Check if listening on port 8000 # Check if listening on configured port
sudo netstat -tlnp | grep 8000 sudo netstat -tlnp | grep 8000 # or your configured port
# Check firewall rules
sudo ufw status
# Test direct connection
curl http://localhost:8000
``` ```
### SSL Certificate Issues ### Reverse Proxy Issues
```bash Refer to your reverse proxy documentation (nginx, caddy, etc.) for SSL/HTTPS troubleshooting
# Renew manually
sudo certbot renew
# Check certificate status
sudo certbot certificates
```
## Support ## Support
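Review bot: `sudo netstat -tlnp | grep 8000` depends on net-tools, which is not installed by default on current Debian/Ubuntu and which the setup script in this commit does not install; use `sudo ss -tlnp | grep ':8000'`, which ships with iproute2. Anchoring on `:8000` also stops the grep from matching any socket whose address merely contains those digits.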
@@ -256,7 +267,6 @@ sudo systemctl status faction-war
# View logs # View logs
sudo journalctl -u faction-war -f sudo journalctl -u faction-war -f
sudo tail -f /var/log/nginx/faction-war-error.log
# Update application # Update application
cd /opt/faction-war/app && git pull && sudo systemctl restart faction-war cd /opt/faction-war/app && git pull && sudo systemctl restart faction-war
@@ -264,28 +274,31 @@ cd /opt/faction-war/app && git pull && sudo systemctl restart faction-war
# Manual backup # Manual backup
/opt/faction-war/backup.sh /opt/faction-war/backup.sh
# Renew SSL # Check if application is listening
sudo certbot renew sudo netstat -tlnp | grep 8000 # or your port
# Test application directly
curl http://localhost:8000
``` ```
## Monitoring ## Monitoring
Monitor these logs regularly: Monitor these logs regularly:
- Application: `sudo journalctl -u faction-war -f` - Application: `sudo journalctl -u faction-war -f`
- Nginx Access: `/var/log/nginx/faction-war-access.log` - Reverse Proxy: Check your proxy logs (nginx, caddy, etc.)
- Nginx Errors: `/var/log/nginx/faction-war-error.log`
- System: `sudo tail -f /var/log/syslog` - System: `sudo tail -f /var/log/syslog`
## Production Best Practices ## Production Best Practices
1. **Use strong passwords** - Generate with OpenSSL 1. **Use strong passwords** - Generate with OpenSSL
2. **Keep dependencies updated** - Regular `pip install --upgrade` 2. **Configure HTTPS** - Use a reverse proxy with SSL/TLS
3. **Monitor logs** - Check for errors and suspicious activity 3. **Keep dependencies updated** - Regular `pip install --upgrade`
4. **Backup regularly** - Automated daily backups configured 4. **Monitor logs** - Check for errors and suspicious activity
5. **Use HTTPS only** - HTTP auto-redirects to HTTPS 5. **Backup regularly** - Automated daily backups configured
6. **Restrict firewall** - Only necessary ports open 6. **Restrict firewall** - Only necessary ports open
7. **Update system** - Regular `apt update && apt upgrade` 7. **Update system** - Regular `apt update && apt upgrade`
8. **Test backups** - Periodically restore from backup to verify 8. **Test backups** - Periodically restore from backup to verify
9. **Secure headers** - Configure security headers on your reverse proxy
## Features ## Features
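Review bot: "Reverse Proxy: Check your proxy logs (nginx, caddy, etc.)" is vaguer than it needs to be, since both example configs in this commit write to fixed paths (`/var/log/nginx/faction-war-access.log`, `/var/log/nginx/faction-war-error.log`, `/var/log/caddy/faction-war.log`); list those. The quick-reference block repeats the `netstat` dependency flagged above; use `ss -tlnp`. Dropping "Use HTTPS only - HTTP auto-redirects to HTTPS" also loses the redirect requirement; fold it into the new item 2 ("Configure HTTPS - reverse proxy with TLS, redirecting HTTP to HTTPS").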


@@ -0,0 +1,72 @@
# Example Caddy Reverse Proxy Configuration
# This is an OPTIONAL configuration if you want to use Caddy as your reverse proxy
# The application runs on HTTP and does not require Caddy - you can use any reverse proxy
#
# Caddy is recommended for its simplicity and automatic HTTPS with Let's Encrypt
# Step 1: Install Caddy
# Ubuntu/Debian:
# sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
# curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
# curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
# sudo apt update
# sudo apt install caddy
# Step 2: Create/edit /etc/caddy/Caddyfile with the content below
# Replace 'yourdomain.com' with your actual domain
# Replace '8000' with your application port if different
# ========== Caddyfile Content ==========
yourdomain.com {
# Caddy automatically handles HTTPS with Let's Encrypt!
# Reverse proxy to your application
reverse_proxy localhost:8000
# Optional: Add security headers
header {
# Enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Prevent clickjacking
X-Frame-Options "SAMEORIGIN"
# Prevent MIME type sniffing
X-Content-Type-Options "nosniff"
# Enable XSS protection
X-XSS-Protection "1; mode=block"
}
# Optional: Custom logging
log {
output file /var/log/caddy/faction-war.log
}
}
# ========== End Caddyfile Content ==========
# Step 3: Validate configuration
# sudo caddy validate --config /etc/caddy/Caddyfile
# Step 4: Reload Caddy
# sudo systemctl reload caddy
# Step 5: Configure firewall
# sudo ufw allow 80/tcp
# sudo ufw allow 443/tcp
# That's it! Caddy will automatically:
# - Get SSL certificate from Let's Encrypt
# - Renew certificates automatically
# - Redirect HTTP to HTTPS
# - Handle all SSL/TLS configuration
# Your application will now be accessible at https://yourdomain.com
# Useful Caddy commands:
# sudo systemctl status caddy # Check status
# sudo systemctl restart caddy # Restart Caddy
# sudo journalctl -u caddy -f # View logs
# caddy version # Check Caddy version
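Review bot: `X-XSS-Protection "1; mode=block"` should not be added: the header is deprecated and ignored by current browsers, and the filter it enables in older ones has itself been a source of information-leak bugs, so the usual guidance is to omit it or set it to `0`; the `header` block is better spent on `Referrer-Policy` and a `Content-Security-Policy`. Step 5 opens 80/443 but leaves in place the `$APP_PORT/tcp` rule that the setup script adds, so the backend stays reachable in the clear if it is ever bound to a non-loopback address; add `sudo ufw delete allow 8000/tcp` (or the configured port). The `log { output file /var/log/caddy/... }` directive also assumes that directory exists and is writable by the caddy user; say so, or leave logging at Caddy's default.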

main.py

@@ -98,13 +98,21 @@ async def start_bot():
# Main Entry Point # Main Entry Point
async def main(): async def main():
# Parse command-line arguments
import argparse
parser = argparse.ArgumentParser(description="Faction War Dispatch Bot")
parser.add_argument("--port", type=int, default=8000, help="Port to run the application on (default: 8000)")
parser.add_argument("--host", type=str, default="127.0.0.1", help="Host to bind to (default: 127.0.0.1)")
args = parser.parse_args()
# Start Discord bot in background # Start Discord bot in background
bot_task = asyncio.create_task(start_bot()) bot_task = asyncio.create_task(start_bot())
# Configure and run FastAPI server # Configure and run FastAPI server
config = uvicorn.Config(app, host="127.0.0.1", port=8000, log_level="info") config = uvicorn.Config(app, host=args.host, port=args.port, log_level="info")
server = uvicorn.Server(config) server = uvicorn.Server(config)
print(f"Starting server on {args.host}:{args.port}")
await server.serve() await server.serve()
if __name__ == "__main__": if __name__ == "__main__":
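Review bot: `--host` defaulting to 127.0.0.1 is the right safe default, but nothing in the `help=` text or the README warns that `--host 0.0.0.0` exposes the login endpoint over plaintext HTTP on every interface; put that in the help string. Smaller points: `import argparse` belongs at module top with the other imports rather than inside `async def main()`, and the startup `print` should go through the same logger uvicorn uses (`log_level="info"`) so it lands in journald with the rest.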


@@ -0,0 +1,89 @@
# Example Nginx Reverse Proxy Configuration
# This is an OPTIONAL configuration if you want to use Nginx as your reverse proxy
# The application runs on HTTP and does not require nginx - you can use any reverse proxy
# Step 1: Install nginx and certbot
# sudo apt install nginx certbot python3-certbot-nginx
# Step 2: Create this file at /etc/nginx/sites-available/faction-war
# Replace 'yourdomain.com' with your actual domain
# Replace '8000' with your application port if different
# HTTP - Redirect to HTTPS
server {
listen 80;
listen [::]:80;
server_name yourdomain.com; # REPLACE WITH YOUR DOMAIN
# Redirect all HTTP to HTTPS
return 301 https://$server_name$request_uri;
}
# HTTPS - Main Application
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name yourdomain.com; # REPLACE WITH YOUR DOMAIN
# SSL Configuration (will be managed by Certbot)
# After running certbot, these lines will be automatically added:
# ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# Security Headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
# Logging
access_log /var/log/nginx/faction-war-access.log;
error_log /var/log/nginx/faction-war-error.log;
# Proxy settings
location / {
# Replace 8000 with your application port if different
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support (if needed in future)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
# Static files (optional optimization)
location /static/ {
alias /opt/faction-war/app/static/;
expires 1d;
add_header Cache-Control "public, immutable";
}
}
# Step 3: Enable the site
# sudo ln -s /etc/nginx/sites-available/faction-war /etc/nginx/sites-enabled/
# Step 4: Test configuration
# sudo nginx -t
# Step 5: Get SSL certificate with Certbot
# sudo certbot --nginx -d yourdomain.com
# Step 6: Reload nginx
# sudo systemctl reload nginx
# Step 7: Configure firewall
# sudo ufw allow 80/tcp
# sudo ufw allow 443/tcp
# Your application will now be accessible at https://yourdomain.com
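Review bot: the step order breaks `nginx -t`: the 443 server block has `listen 443 ssl` but every `ssl_certificate*` line is commented out, so Step 4 fails on stock Debian/Ubuntu nginx with `no "ssl_certificate" is defined` before Step 5 has run certbot. The setup.sh flow removed in this commit had it right: install an HTTP-only server block, run `certbot --nginx --redirect`, and let certbot write the 443 block; either do the same here or tell the reader to uncomment the four lines after Step 5 and rerun `nginx -t`. Other points: `X-XSS-Protection "1; mode=block"` is deprecated and better omitted (same as in the Caddy example); `proxy_set_header Connection "upgrade"` is set unconditionally, whereas nginx documents this with a `map $http_upgrade $connection_upgrade` so ordinary requests are not forwarded with a dangling upgrade header; `http2` on the `listen` line is deprecated since nginx 1.25.1 in favour of `http2 on;`; and the `/static/` alias serves files straight from disk, bypassing the application's JWT check, so that directory must hold only public assets.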


@@ -26,24 +26,14 @@ if [ "$EUID" -ne 0 ]; then
exit 1 exit 1
fi fi
# Get domain name # Get port to run on (default 8000)
read -p "Enter your domain name (e.g., faction.yourdomain.com): " DOMAIN read -p "Enter port to run application on (default: 8000): " APP_PORT
if [ -z "$DOMAIN" ]; then APP_PORT=${APP_PORT:-8000}
echo "Domain name is required!"
exit 1
fi
# Get email for Let's Encrypt
read -p "Enter your email for SSL certificate (Let's Encrypt): " EMAIL
if [ -z "$EMAIL" ]; then
echo "Email is required for SSL certificate!"
exit 1
fi
echo "" echo ""
echo "Installing required packages..." echo "Installing required packages..."
apt update apt update
apt install -y python3 python3-pip python3-venv nginx certbot python3-certbot-nginx git apt install -y python3 python3-pip python3-venv git
echo "" echo ""
echo "Creating application user..." echo "Creating application user..."
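Review bot: `APP_PORT` comes straight from `read` and is later interpolated unvalidated into a `sed` replacement, a `ufw` rule and the systemd unit; add a check before continuing, e.g. `case "$APP_PORT" in ''|*[!0-9]*) echo "Port must be numeric"; exit 1;; esac` followed by a range check (`[ "$APP_PORT" -ge 1 ] && [ "$APP_PORT" -le 65535 ]`). The removed domain/email checks were doing exactly this job for the old inputs.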
@@ -120,47 +110,10 @@ fi
chown factionwar:factionwar .env chown factionwar:factionwar .env
chmod 600 .env chmod 600 .env
echo ""
echo "Setting up Nginx configuration..."
# Create a basic HTTP-only config first (Certbot will add SSL)
cat > /etc/nginx/sites-available/faction-war << EOF
# Basic HTTP configuration - Certbot will add SSL
server {
listen 80;
listen [::]:80;
server_name $DOMAIN;
location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
}
}
EOF
ln -sf /etc/nginx/sites-available/faction-war /etc/nginx/sites-enabled/faction-war
# Remove default nginx site if it exists
rm -f /etc/nginx/sites-enabled/default
echo ""
echo "Testing Nginx configuration..."
nginx -t
echo ""
echo "Reloading Nginx..."
systemctl reload nginx
echo ""
echo "Getting SSL certificate from Let's Encrypt..."
echo "Certbot will automatically configure SSL in the Nginx config"
certbot --nginx -d $DOMAIN --non-interactive --agree-tos --email $EMAIL --redirect
echo "" echo ""
echo "Setting up systemd service..." echo "Setting up systemd service..."
cp faction-war.service /etc/systemd/system/faction-war.service # Update the service file with the configured port
sed "s|ExecStart=.*|ExecStart=/opt/faction-war/app/venv/bin/python main.py --port $APP_PORT|g" faction-war.service > /etc/systemd/system/faction-war.service
systemctl daemon-reload systemctl daemon-reload
systemctl enable faction-war systemctl enable faction-war
systemctl start faction-war systemctl start faction-war
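Review bot: the `sed "s|ExecStart=.*|ExecStart=/opt/faction-war/app/venv/bin/python main.py --port $APP_PORT|g"` line replaces the whole ExecStart with a string hard-coded in the script, so any flags or absolute path the unit file carries are silently discarded, the relative `main.py` only works if the unit sets `WorkingDirectory=`, and an unvalidated `$APP_PORT` is written into a root-owned unit. Prefer copying the unit unchanged, as the old `cp` did, and injecting the port via `Environment=APP_PORT=...` (or a drop-in under `/etc/systemd/system/faction-war.service.d/`) with `ExecStart=... --port ${APP_PORT}` in the unit itself.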
@@ -169,8 +122,7 @@ echo ""
echo "Configuring firewall..." echo "Configuring firewall..."
ufw --force enable ufw --force enable
ufw allow ssh ufw allow ssh
ufw allow 80/tcp ufw allow $APP_PORT/tcp
ufw allow 443/tcp
echo "" echo ""
echo "Setting up backup cron job..." echo "Setting up backup cron job..."
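Review bot: `ufw allow $APP_PORT/tcp` opens the application's plain-HTTP port to the world even though main.py binds 127.0.0.1 by default, so the rule either does nothing or, once someone starts the app with `--host 0.0.0.0`, exposes the login over cleartext. For the documented reverse-proxy deployment the rules should be `ufw allow 80/tcp` and `ufw allow 443/tcp` with the app port left closed; if a no-proxy mode is really supported, prompt before opening the port and state what it exposes.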
@@ -196,7 +148,7 @@ echo "========================================"
echo "Setup Complete!" echo "Setup Complete!"
echo "========================================" echo "========================================"
echo "" echo ""
echo "Your application should now be running at: https://$DOMAIN" echo "Your application should now be running on port $APP_PORT"
echo "" echo ""
echo "User Account Information:" echo "User Account Information:"
echo " - Service user: factionwar (no password by default)" echo " - Service user: factionwar (no password by default)"
@@ -208,9 +160,12 @@ echo "Important next steps:"
echo "1. Configure /opt/faction-war/app/.env with your secrets (if not done already)" echo "1. Configure /opt/faction-war/app/.env with your secrets (if not done already)"
echo " - Edit with: sudo -u factionwar nano /opt/faction-war/app/.env" echo " - Edit with: sudo -u factionwar nano /opt/faction-war/app/.env"
echo " - Then restart: sudo systemctl restart faction-war" echo " - Then restart: sudo systemctl restart faction-war"
echo "2. Visit https://$DOMAIN and log in with your AUTH_PASSWORD" echo "2. Access the application:"
echo "3. Configure your API keys in the Settings page (or use .env)" echo " - Local: http://localhost:$APP_PORT"
echo "4. Test the application functionality" echo " - Remote: http://YOUR_SERVER_IP:$APP_PORT"
echo "3. Configure your reverse proxy (nginx, caddy, etc.) to handle HTTPS"
echo "4. Configure your API keys in the Settings page (or use .env)"
echo "5. Test the application functionality"
echo "" echo ""
echo "Useful commands:" echo "Useful commands:"
echo " - Check status: sudo systemctl status faction-war" echo " - Check status: sudo systemctl status faction-war"
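Review bot: steps 2 and 3 are in the wrong order: the user is told to open `http://YOUR_SERVER_IP:$APP_PORT` and log in before step 3 has put HTTPS in front, so the first login goes over plaintext, and the remote URL does not work anyway with the script's `--port`-only invocation, since main.py defaults to 127.0.0.1. Swap the two steps, keep only the local URL as a smoke test, and show the `https://` proxy URL as the way to reach the application.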
@@ -220,6 +175,7 @@ echo " - Update code: cd /opt/faction-war/app && sudo -u factionwar git pull &&
echo " - Edit config: sudo -u factionwar nano /opt/faction-war/app/.env" echo " - Edit config: sudo -u factionwar nano /opt/faction-war/app/.env"
echo "" echo ""
echo "Security reminders:" echo "Security reminders:"
echo " - Configure HTTPS on your reverse proxy"
echo " - Keep your .env file secure (chmod 600)" echo " - Keep your .env file secure (chmod 600)"
echo " - Regularly update: apt update && apt upgrade" echo " - Regularly update: apt update && apt upgrade"
echo " - Monitor logs for suspicious activity" echo " - Monitor logs for suspicious activity"