mirror/TimeTracker
1
0
Fork 0
mirror of https://github.com/DRYTRIX/TimeTracker.git synced 2025-12-20 10:19:56 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
TimeTracker/docs/admin/security/README_HTTPS_AUTO.md
Dries Peeters 29f7186ee8 docs: Reorganize documentation structure for better navigation 
Complete reorganization of project documentation to improve discoverability,
navigation, and maintainability. All documentation has been restructured into
a clear, role-based hierarchy.

## Major Changes

### New Directory Structure
- Created `docs/api/` for API documentation
- Created `docs/admin/` with subdirectories:
  - `admin/configuration/` - Configuration guides
  - `admin/deployment/` - Deployment guides
  - `admin/security/` - Security documentation
  - `admin/monitoring/` - Monitoring and analytics
- Created `docs/development/` for developer documentation
- Created `docs/guides/` for user-facing guides
- Created `docs/reports/` for analysis reports and summaries
- Created `docs/changelog/` for detailed changelog entries (ready for future use)

### File Organization

#### Moved from Root Directory (40+ files)
- Implementation notes → `docs/implementation-notes/`
- Test reports → `docs/testing/`
- Analysis reports → `docs/reports/`
- User guides → `docs/guides/`

#### Reorganized within docs/
- API documentation → `docs/api/`
- Administrator documentation → `docs/admin/` (with subdirectories)
- Developer documentation → `docs/development/`
- Security documentation → `docs/admin/security/`
- Telemetry documentation → `docs/admin/monitoring/`

### Documentation Updates

#### docs/README.md
- Complete rewrite with improved navigation
- Added visual documentation map
- Organized by role (Users, Administrators, Developers)
- Better categorization and quick links
- Updated all internal links to new structure

#### README.md (root)
- Updated all documentation links to reflect new structure
- Fixed 8 broken links

#### app/templates/main/help.html
- Enhanced "Where can I get additional help?" section
- Added links to new documentation structure
- Added documentation index link
- Added admin documentation link for administrators
- Improved footer with organized documentation links
- Added "Complete Documentation" section with role-based links

### New Index Files
- Created README.md files for all new directories:
  - `docs/api/README.md`
  - `docs/guides/README.md`
  - `docs/reports/README.md`
  - `docs/development/README.md`
  - `docs/admin/README.md`

### Cleanup
- Removed empty `docs/security/` directory (moved to `admin/security/`)
- Removed empty `docs/telemetry/` directory (moved to `admin/monitoring/`)
- Root directory now only contains: README.md, CHANGELOG.md, LICENSE

## Results

**Before:**
- 45+ markdown files cluttering root directory
- Documentation scattered across root and docs/
- Difficult to find relevant documentation
- No clear organization structure

**After:**
- 3 files in root directory (README, CHANGELOG, LICENSE)
- Clear directory structure organized by purpose and audience
- Easy navigation with role-based organization
- All documentation properly categorized
- Improved discoverability

## Benefits

1. Better Organization - Documentation grouped by purpose and audience
2. Easier Navigation - Role-based sections (Users, Admins, Developers)
3. Improved Discoverability - Clear structure with README files in each directory
4. Cleaner Root - Only essential files at project root
5. Maintainability - Easier to add and organize new documentation

## Files Changed

- 40+ files moved from root to appropriate docs/ subdirectories
- 15+ files reorganized within docs/
- 3 major documentation files updated (docs/README.md, README.md, help.html)
- 5 new README index files created
- 2 empty directories removed

All internal links have been updated to reflect the new structure.
2025-12-14 07:56:07 +01:00

7.8 KiB
Raw Permalink Blame History

🚀 Automatic HTTPS Setup

One-Command HTTPS Startup

HTTPS is now completely automatic! Just run one command and everything is configured:

Windows

start-https.bat

Linux/Mac

bash start-https.sh

That's it! 🎉

What Happens Automatically

When you run the startup script:

  1. Detects your local IP (e.g., 192.168.1.100)
  2. Creates nginx HTTPS configuration automatically
  3. Generates SSL certificates (init container runs once)
  4. Updates security settings to strict mode
  5. Starts all services with HTTPS enabled

No manual steps required!

Two Certificate Options

Option 1: Self-Signed Certificates (Default)

  • Works immediately, zero setup
  • Fully functional HTTPS
  • ⚠️ Browser shows security warning (safe to click through)

When to use: Quick testing, development

Option 2: mkcert (Trusted Certificates)

  • No browser warnings!
  • Trusted by all browsers
  • 📋 Requires one-time mkcert installation

When to use: Cleaner experience, demos, regular development

Quick Start

First Time Setup

1. Create .env file:

cp env.example .env
# Edit .env with your settings

2. Start with HTTPS:

Windows:

start-https.bat

Linux/Mac:

bash start-https.sh

3. Choose certificate method when prompted:

  • Press 1 for self-signed (default)
  • Press 2 for mkcert (if installed)

4. Access your app:

https://localhost
https://192.168.1.100  (your actual IP)

Self-Signed Certificates (Option 1)

What You'll See

Browser will show: "Your connection is not private"

How to Proceed

  1. Click "Advanced"
  2. Click "Proceed to localhost (unsafe)"
  3. That's it! You're in.

Why It's Safe

  • Certificates are generated by YOU
  • Traffic is encrypted
  • Warning is just because it's self-signed
  • Perfect for development

mkcert Certificates (Option 2)

Prerequisites

Install mkcert first:

Windows:

choco install mkcert

macOS:

brew install mkcert

Linux:

# See HTTPS_MKCERT_GUIDE.md

One-Time CA Installation

After first startup with mkcert:

  1. Find the CA certificate:

    nginx/ssl/rootCA.pem

  2. Install it:

    Windows:

    • Double-click rootCA.pem
    • Install to "Trusted Root Certification Authorities"
    • Restart browser

    macOS:

    • Double-click rootCA.pem
    • Add to Keychain
    • Mark as "Always Trust"

    Linux:

    sudo cp nginx/ssl/rootCA.pem /usr/local/share/ca-certificates/mkcert.crt
sudo update-ca-certificates

  3. Restart browser

  4. Access app - No warnings!

How It Works

Architecture

┌─────────────────┐
│  start-https    │  ← You run this
│     script      │
└────────┬────────┘
         │
         ↓
┌─────────────────┐
│   Init Container│  ← Generates certificates (runs once)
│   (certgen)     │     • Checks if certs exist
└────────┬────────┘     • Creates them if missing
         │              • Self-signed or mkcert
         ↓
┌─────────────────┐
│  nginx (HTTPS)  │  ← Reverse proxy with SSL
│  Port 443       │     • Terminates SSL
└────────┬────────┘     • Proxies to app
         │
         ↓
┌─────────────────┐
│  TimeTracker    │  ← Your application
│  App (HTTP)     │     • Runs on port 8080
│  Port 8080      │     • Behind nginx
└─────────────────┘

Certificate Generation

The certgen init container:

  • Runs before nginx starts
  • Checks for existing certificates in nginx/ssl/
  • If missing, generates new ones
  • Exits (runs only once)
  • nginx starts after successful completion

Persistence

Certificates are stored in nginx/ssl/ on your host machine:

  • Persists across container restarts
  • Regenerated only if deleted
  • Valid for 10 years

File Structure

After automatic startup:

TimeTracker/
├── nginx/
│   ├── conf.d/
│   │   └── https.conf           # Auto-generated nginx config
│   └── ssl/
│       ├── cert.pem             # SSL certificate
│       ├── key.pem              # Private key
│       └── rootCA.pem           # CA cert (mkcert only)
├── docker-compose.yml           # Base config
├── docker-compose.https-auto.yml    # HTTPS with self-signed
├── docker-compose.https-mkcert.yml  # HTTPS with mkcert
├── start-https.sh               # Auto-start script (Linux/Mac)
├── start-https.bat              # Auto-start script (Windows)
└── .env                         # Config (auto-updated)

Commands

Start with HTTPS (Automatic)

bash start-https.sh     # Linux/Mac
start-https.bat         # Windows

Start with HTTPS (Manual)

# Self-signed certificates
docker-compose -f docker-compose.yml -f docker-compose.https-auto.yml up -d

# mkcert certificates (if mkcert installed)
docker-compose -f docker-compose.yml -f docker-compose.https-mkcert.yml up -d

View Logs

docker-compose logs -f
docker-compose logs nginx
docker-compose logs certgen

Stop Services

docker-compose down

Regenerate Certificates

# Delete existing certs
rm -rf nginx/ssl/*

# Restart - new certs will be generated
bash start-https.sh

Environment Variables

After automatic setup, your .env will include:

# HTTPS Security Settings (auto-configured)
WTF_CSRF_SSL_STRICT=true
SESSION_COOKIE_SECURE=true
CSRF_COOKIE_SECURE=true

These settings:

  • Enable strict CSRF protection
  • Require HTTPS for cookies
  • Fix all CSRF cookie issues
  • Provide production-grade security

Troubleshooting

nginx Won't Start

Check if certificates exist:

ls -la nginx/ssl/

Should see:

  • cert.pem
  • key.pem

If missing, check certgen logs:

docker-compose logs certgen

Browser Still Shows Warning (mkcert)

CA not installed or browser not restarted:

  1. Install nginx/ssl/rootCA.pem (see instructions above)
  2. Completely close and restart browser
  3. Clear browser cache

Different IP Address

Update and restart:

export HOST_IP=192.168.1.XXX  # Your actual IP
bash start-https.sh

Port 443 Already in Use

Find what's using it:

# Windows
netstat -ano | findstr :443

# Linux/Mac
lsof -i :443

Stop the conflicting service or change port in nginx config

Access from Other Devices

Using Self-Signed Certificates

  1. Access https://192.168.1.100 from device
  2. Click through security warning
  3. Done!

Using mkcert Certificates

  1. Copy nginx/ssl/rootCA.pem to device
  2. Install as trusted CA (see device-specific instructions)
  3. Access https://192.168.1.100
  4. No warnings!

Production Deployment

For production with a real domain, use Let's Encrypt:

  • See docs/HTTPS_SETUP_GUIDE.md for Caddy (automatic)
  • Or use Traefik, nginx + certbot

Summary

🎉 What You Get

One-command setup - bash start-https.sh
Automatic certificate generation
Auto-configuration of nginx and security settings
Choice of certificate types
Persistent certificates across restarts
No manual steps for basic setup

🚀 Quick Reference

# Start everything with HTTPS
bash start-https.sh

# Access
https://localhost
https://192.168.1.100

# View logs
docker-compose logs -f

# Stop
docker-compose down

That's it! Enjoy automatic HTTPS! 🔒

Reference in New Issue View Git Blame Copy Permalink