diff --git a/docs/guides/discord-bot-admin-panel.md b/docs/guides/discord-bot-admin-panel.md index 66fd78c..ca643a2 100644 --- a/docs/guides/discord-bot-admin-panel.md +++ b/docs/guides/discord-bot-admin-panel.md @@ -210,24 +210,36 @@ Edit the service file: sudo nano /etc/systemd/system/firefrost-discord-bot.service ``` -Update these lines: +**Replace contents with this complete configuration:** ```ini +[Unit] +Description=Firefrost Discord Bot & Admin Panel +After=network.target + [Service] +Type=simple User=firefrost-bot Group=firefrost-bot WorkingDirectory=/opt/firefrost-discord-bot -ExecStart=/usr/bin/node /opt/firefrost-discord-bot/bot.js -Restart=always +ExecStart=/usr/bin/node bot.js +Restart=on-failure RestartSec=10 - -# Environment Environment=NODE_ENV=production [Install] WantedBy=multi-user.target ``` +**What this configuration does:** +- **After=network.target:** Waits for network before starting +- **User/Group=firefrost-bot:** Runs as dedicated user (NOT root) +- **Restart=on-failure:** Auto-restarts if bot crashes +- **RestartSec=10:** Waits 10 seconds before restart +- **NODE_ENV=production:** Sets production environment + +Save and exit: `Ctrl+X`, `Y`, `Enter` + Reload and restart: ```bash 
@@ -1064,41 +1076,33 @@ Next: Configure Nginx & SSL (Part 6) ## 🌐 PART 6: CONFIGURE NGINX & SSL +### Overview + +Configure Nginx reverse proxy to forward HTTPS traffic to the Node.js app, then secure with Let's Encrypt SSL certificate. + +**What this does:** +- Nginx listens on port 80 (HTTP) and 443 (HTTPS) +- Forwards traffic to Node.js app on localhost:3100 +- Let's Encrypt provides free SSL certificate +- Auto-renews certificate every 90 days + +--- + ### Step 1: Create Nginx Configuration Create new site config: ```bash -sudo nano /etc/nginx/sites-available/discord-bot-admin +sudo nano /etc/nginx/sites-available/discord-bot.firefrostgaming.com ``` -Add this configuration: +**Paste this complete configuration:** ```nginx server { listen 80; server_name discord-bot.firefrostgaming.com; - - # Redirect HTTP to HTTPS - return 301 https://$server_name$request_uri; -} -server { - listen 443 ssl http2; - server_name discord-bot.firefrostgaming.com; - - # SSL Configuration (Let's Encrypt) - ssl_certificate /etc/letsencrypt/live/discord-bot.firefrostgaming.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/discord-bot.firefrostgaming.com/privkey.pem; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - - # Security Headers - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Proxy to Node.js app location / { proxy_pass http://localhost:3100; proxy_http_version 1.1; 
@@ -1109,60 +1113,246 @@ server { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_cache_bypass $http_upgrade; - - # Timeouts - proxy_connect_timeout 60s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; } } ``` -Save and exit. +**What these headers do:** +- **X-Real-IP:** Passes client's real IP to Node.js (not Nginx's IP) +- **X-Forwarded-For:** Shows full proxy chain +- **X-Forwarded-Proto:** Tells app if request was HTTP or HTTPS +- **Upgrade/Connection:** Required for WebSocket support (future-proofing) + +Save and exit: `Ctrl+X`, `Y`, `Enter` + +--- ### Step 2: Enable Site +Create symlink to enable the site: + ```bash -# Create symlink to enable site -sudo ln -s /etc/nginx/sites-available/discord-bot-admin /etc/nginx/sites-enabled/ +sudo ln -s /etc/nginx/sites-available/discord-bot.firefrostgaming.com /etc/nginx/sites-enabled/ +``` -# Test Nginx configuration +Test Nginx configuration for syntax errors: + +```bash sudo nginx -t -# Should show: syntax is okay, test is successful +``` -# Reload Nginx +**Expected output:** +``` +nginx: the configuration file /etc/nginx/nginx.conf syntax is ok +nginx: configuration file /etc/nginx/nginx.conf test is successful +``` + +If test passes, reload Nginx: + +```bash sudo systemctl reload nginx ``` -### Step 3: Obtain SSL Certificate +--- + +### Step 3: Verify HTTP Access (Before SSL) + +**Test that Nginx is forwarding correctly:** + +1. Open browser +2. Go to: `http://discord-bot.firefrostgaming.com` +3. 
Should see admin panel login screen + +**If you get an error:** +- Check bot is running: `sudo systemctl status firefrost-discord-bot` +- Check Nginx logs: `sudo tail -f /var/log/nginx/error.log` +- Verify DNS: `dig discord-bot.firefrostgaming.com` (should show 63.143.34.217) + +--- + +### Step 4: Install Certbot (If Not Already Installed) + +Check if Certbot is installed: ```bash -# Install certbot if not already installed -sudo apt install certbot python3-certbot-nginx -y - -# Obtain certificate -sudo certbot --nginx -d discord-bot.firefrostgaming.com - -# Follow prompts: -# - Enter email address -# - Agree to Terms of Service -# - Choose: Redirect HTTP to HTTPS (option 2) +certbot --version ``` +**If not installed:** + +```bash +# Install Certbot and Nginx plugin +sudo apt update +sudo apt install certbot python3-certbot-nginx -y +``` + +--- + +### Step 5: Obtain SSL Certificate + +Run Certbot with Nginx plugin: + +```bash +sudo certbot --nginx -d discord-bot.firefrostgaming.com +``` + +**Certbot will ask:** + +1. **Email address:** (for renewal notices) + - Enter Michael's email or devops@firefrostgaming.com + +2. **Terms of Service:** (A)gree + - Type `A` and press Enter + +3. **Share email with EFF?** (Y)es or (N)o + - Your choice (either is fine) + **Certbot will automatically:** -- Obtain SSL certificate -- Configure Nginx SSL settings -- Set up auto-renewal - -### Step 4: Verify SSL - -Test in browser: +- ✅ Validate domain ownership (checks DNS points to this server) +- ✅ Obtain SSL certificate from Let's Encrypt +- ✅ Modify Nginx config to enable HTTPS (port 443) +- ✅ Add HTTP → HTTPS redirect +- ✅ Set up auto-renewal (certificate renews every 90 days) +**Expected output:** ``` -https://discord-bot.firefrostgaming.com +Successfully received certificate. +Certificate is saved at: /etc/letsencrypt/live/discord-bot.firefrostgaming.com/fullchain.pem +Key is saved at: /etc/letsencrypt/live/discord-bot.firefrostgaming.com/privkey.pem +... +Congratulations! 
You have successfully enabled HTTPS on https://discord-bot.firefrostgaming.com ``` -Should show valid SSL certificate (green lock icon). +--- + +### Step 6: Verify HTTPS Access + +Test SSL is working: + +1. Open browser +2. Go to: `https://discord-bot.firefrostgaming.com` +3. Should see: + - ✅ Green padlock icon (valid SSL) + - ✅ Admin panel login screen + - ✅ "Login with Discord" button + +**Test HTTP redirect:** + +1. Go to: `http://discord-bot.firefrostgaming.com` (HTTP, not HTTPS) +2. Should automatically redirect to HTTPS version +3. URL bar should show `https://discord-bot.firefrostgaming.com` + +--- + +### Step 7: Verify Auto-Renewal + +Certbot sets up automatic renewal via systemd timer. + +**Check renewal timer status:** + +```bash +sudo systemctl status certbot.timer +``` + +Should show: `Active: active (waiting)` + +**Test renewal (dry run, doesn't actually renew):** + +```bash +sudo certbot renew --dry-run +``` + +Should show: `Congratulations, all simulated renewals succeeded` + +**Certificate auto-renews:** Every 90 days, systemd timer runs `certbot renew` automatically. + +--- + +### Step 8: View Final Nginx Configuration + +Certbot modified your Nginx config to add SSL. View the changes: + +```bash +cat /etc/nginx/sites-available/discord-bot.firefrostgaming.com +``` + +**You'll now see TWO server blocks:** + +1. **HTTP (port 80):** Redirects to HTTPS +2. **HTTPS (port 443):** Proxies to Node.js with SSL + +**Example of Certbot's additions:** + +```nginx +server { + listen 443 ssl; + server_name discord-bot.firefrostgaming.com; + + ssl_certificate /etc/letsencrypt/live/discord-bot.firefrostgaming.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/discord-bot.firefrostgaming.com/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + + # ... your original location / block ... 
+} + +server { + listen 80; + server_name discord-bot.firefrostgaming.com; + return 301 https://$server_name$request_uri; +} +``` + +--- + +### Step 9: Security Headers (Optional but Recommended) + +Add security headers to HTTPS server block: + +```bash +sudo nano /etc/nginx/sites-available/discord-bot.firefrostgaming.com +``` + +**Add these lines inside the `server { listen 443 ssl; ... }` block:** + +```nginx + # Security Headers + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; +``` + +**What these do:** +- **X-Frame-Options:** Prevents clickjacking (site can't be embedded in iframe) +- **X-Content-Type-Options:** Prevents MIME-type sniffing attacks +- **X-XSS-Protection:** Enables browser XSS filter +- **Referrer-Policy:** Controls what info is sent in Referer header + +Save, test, reload: + +```bash +sudo nginx -t +sudo systemctl reload nginx +``` + +--- + +## ✅ NGINX & SSL COMPLETE + +**You now have:** +- ✅ Nginx reverse proxy forwarding to Node.js +- ✅ Valid SSL certificate from Let's Encrypt +- ✅ HTTPS enforced (HTTP redirects to HTTPS) +- ✅ Auto-renewal configured (every 90 days) +- ✅ Security headers enabled +- ✅ Admin panel accessible at `https://discord-bot.firefrostgaming.com` + +**Next:** Holly's Usage Guide (Part 7) + +--- + +**Configuration provided by:** Gemini (Google AI) - March 23, 2026 ---
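Review bot: In the first hunk (the rewritten systemd unit), `After=network.target` only orders the service after network management has been started, not after an interface and route are actually up, so at boot the bot can start before it can reach Discord; a service whose first action is an outbound connection normally uses `Wants=network-online.target` together with `After=network-online.target`. The `Restart=on-failure` / `RestartSec=10` pair masks this, but at the cost of a crash in the journal and a ten-second delay. Since the unit is being replaced wholesale anyway, this is also the place to add the sandboxing that a dedicated user does not provide on its own, for example `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` (or `strict` with `ReadWritePaths=` for whatever the bot writes under `/opt/firefrost-discord-bot`), and to mention them in the "What this configuration does" list next to the "NOT root" bullet.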
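Review bot: In the second hunk (the initial Nginx site), the new overview bullet "Auto-renews certificate every 90 days" does not describe what happens: 90 days is the certificate's validity, while certbot's timer runs `certbot renew` regularly and renews as soon as the certificate is inside its renewal window, so "renewed automatically well before its 90-day expiry" is the accurate wording (the same phrase reappears in Step 7 of the next hunk). The hunk also drops the `add_header` security headers and the 443 block from the base config, leaving the headers to the optional Step 9. Because Certbot's `--nginx` plugin converts the existing server block into the 443 block and adds a separate port-80 redirect block, as the Step 8 example in this same patch shows, the three `add_header` lines could simply stay in the initial `server { listen 80; ... }` block above `location /`; they would then land in the HTTPS block automatically and the panel would never be served without them.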
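Review bot: In the third hunk, Step 3 ("Verify HTTP Access (Before SSL)") sends the reader to the admin panel login screen over plain HTTP before any certificate exists, while the completion checklist later claims "HTTPS enforced"; any session cookie or OAuth callback exchanged at that point crosses the wire unencrypted, so Step 3 should be limited to a reachability check (for example `curl -I http://discord-bot.firefrostgaming.com` returning a response from the Node.js app) rather than logging in, with the login test left to Step 6. In Step 9, two details are worth a sentence each: `X-XSS-Protection` is a legacy header that current Chromium and Firefox ignore, so it should not be described as "Enables browser XSS filter" (keep it or drop it, but a `Content-Security-Policy` is what actually buys XSS mitigation today), and nginx's `add_header` directives are inherited by a `location` block only if that block declares no `add_header` of its own, so if anyone later adds a header inside `location /` the Step 9 headers silently disappear from every proxied response. A `curl -I https://discord-bot.firefrostgaming.com | grep -i x-frame` check after the reload would catch both.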