feat: Add HTTPS support with mkcert and automatic SSL configuration

Add comprehensive HTTPS support with two deployment options:
- mkcert for local development with trusted certificates
- Automatic SSL with Let's Encrypt for production

HTTPS Implementation:
- Add docker-compose.https-mkcert.yml for local HTTPS development
- Add docker-compose.https-auto.yml for automatic SSL certificates
- Create Dockerfile.mkcert for certificate generation
- Add setup scripts (setup-https-mkcert.sh/bat)
- Add startup scripts (start-https.sh/bat)
- Add certificate generation script (generate-mkcert-certs.sh)

CSRF and IP Access Fixes:
- Fix CSRF token validation for IP-based access
- Add CSRF troubleshooting documentation
- Update configuration to handle various access patterns

Documentation:
- Add HTTPS_MKCERT_GUIDE.md with setup instructions
- Add README_HTTPS.md with general HTTPS documentation
- Add README_HTTPS_AUTO.md for automatic SSL setup
- Add AUTOMATIC_HTTPS_SUMMARY.md
- Add CSRF_IP_ACCESS_FIX.md and CSRF_IP_FIX_SUMMARY.md
- Add docs/CSRF_IP_ACCESS_GUIDE.md
- Update main README.md with HTTPS information

Configuration:
- Update .gitignore for SSL certificates and nginx configs
- Update env.example with new HTTPS-related variables
- Update docker-compose.yml with SSL configuration options

This enables secure HTTPS access in both development and production
environments while maintaining compatibility with existing deployments.

setup-https-mkcert.bat

@@ -0,0 +1,149 @@
+@echo off
+REM Setup HTTPS for TimeTracker using mkcert
+REM Works with localhost and IP addresses - NO certificate warnings!
+
+echo ==========================================
+echo TimeTracker HTTPS Setup with mkcert
+echo ==========================================
+echo.
+
+REM Check if mkcert is installed
+where mkcert >nul 2>&1
+if %errorlevel% neq 0 (
+    echo [ERROR] mkcert is not installed!
+    echo.
+    echo Install mkcert:
+    echo   Using Chocolatey: choco install mkcert
+    echo   Using Scoop:      scoop install mkcert
+    echo.
+    pause
+    exit /b 1
+)
+
+echo [OK] mkcert found
+echo.
+
+REM Install local CA
+echo Installing local Certificate Authority...
+mkcert -install
+echo [OK] Local CA installed
+echo.
+
+REM Get local IP
+for /f "tokens=2 delims=:" %%a in ('ipconfig ^| findstr /c:"IPv4 Address"') do (
+    set LOCAL_IP=%%a
+    goto :found_ip
+)
+:found_ip
+set LOCAL_IP=%LOCAL_IP: =%
+if "%LOCAL_IP%"=="" set LOCAL_IP=192.168.1.100
+
+echo Detected local IP: %LOCAL_IP%
+echo.
+
+REM Create directories
+if not exist nginx\ssl mkdir nginx\ssl
+if not exist nginx\conf.d mkdir nginx\conf.d
+
+REM Generate certificates
+echo Generating certificates...
+mkcert -key-file nginx\ssl\key.pem -cert-file nginx\ssl\cert.pem localhost 127.0.0.1 ::1 %LOCAL_IP% *.local
+
+echo [OK] Certificates generated
+echo.
+
+REM Create nginx config
+(
+echo server {
+echo     listen 80;
+echo     server_name _;
+echo     return 301 https://$host$request_uri;
+echo }
+echo.
+echo server {
+echo     listen 443 ssl http2;
+echo     server_name _;
+echo.
+echo     ssl_certificate /etc/nginx/ssl/cert.pem;
+echo     ssl_certificate_key /etc/nginx/ssl/key.pem;
+echo.
+echo     ssl_protocols TLSv1.2 TLSv1.3;
+echo     ssl_ciphers HIGH:!aNULL:!MD5;
+echo     ssl_prefer_server_ciphers on;
+echo.
+echo     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+echo     add_header X-Frame-Options "DENY" always;
+echo     add_header X-Content-Type-Options "nosniff" always;
+echo.
+echo     location / {
+echo         proxy_pass http://app:8080;
+echo         proxy_set_header Host $host;
+echo         proxy_set_header X-Real-IP $remote_addr;
+echo         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+echo         proxy_set_header X-Forwarded-Proto $scheme;
+echo         
+echo         proxy_http_version 1.1;
+echo         proxy_set_header Upgrade $http_upgrade;
+echo         proxy_set_header Connection "upgrade";
+echo     }
+echo }
+) > nginx\conf.d\https.conf
+
+echo [OK] nginx config created
+echo.
+
+REM Create docker-compose override
+(
+echo services:
+echo   nginx:
+echo     image: nginx:alpine
+echo     container_name: timetracker-nginx
+echo     ports:
+echo       - "80:80"
+echo       - "443:443"
+echo     volumes:
+echo       - ./nginx/conf.d:/etc/nginx/conf.d:ro
+echo       - ./nginx/ssl:/etc/nginx/ssl:ro
+echo     depends_on:
+echo       - app
+echo     restart: unless-stopped
+echo.
+echo   app:
+echo     ports: []
+echo     environment:
+echo       - WTF_CSRF_SSL_STRICT=true
+echo       - SESSION_COOKIE_SECURE=true
+echo       - CSRF_COOKIE_SECURE=true
+) > docker-compose.https.yml
+
+echo [OK] docker-compose.https.yml created
+echo.
+
+REM Update .env if exists
+if exist .env (
+    copy .env .env.backup >nul
+    powershell -Command "$content = Get-Content .env; if ($content -match '^WTF_CSRF_SSL_STRICT=') { $content = $content -replace '^WTF_CSRF_SSL_STRICT=.*', 'WTF_CSRF_SSL_STRICT=true' } else { $content += 'WTF_CSRF_SSL_STRICT=true' }; if ($content -match '^SESSION_COOKIE_SECURE=') { $content = $content -replace '^SESSION_COOKIE_SECURE=.*', 'SESSION_COOKIE_SECURE=true' } else { $content += 'SESSION_COOKIE_SECURE=true' }; if ($content -match '^CSRF_COOKIE_SECURE=') { $content = $content -replace '^CSRF_COOKIE_SECURE=.*', 'CSRF_COOKIE_SECURE=true' } else { $content += 'CSRF_COOKIE_SECURE=true' }; $content | Set-Content .env"
+    echo [OK] .env updated
+) else (
+    echo [WARNING] No .env file - create from env.example
+)
+
+echo.
+echo ==========================================
+echo [OK] HTTPS Setup Complete!
+echo ==========================================
+echo.
+echo Start with HTTPS:
+echo   docker-compose -f docker-compose.yml -f docker-compose.https.yml up -d
+echo.
+echo Access at:
+echo   https://localhost
+echo   https://%LOCAL_IP%
+echo.
+echo For other devices:
+echo   1. Find CA: mkcert -CAROOT
+echo   2. Copy rootCA.pem to device
+echo   3. Import as trusted certificate
+echo.
+pause
+