bert.hausmans
a748c9ee7a
deploy.sh referenced apps/portal which was deleted in WS-3 PR-B1; the script has been broken in main since that merge (npm run build -w apps/portal would fail). Collapse to a single-app build. Changes: - deploy.sh: replace dual-build block (build app + portal, verify both dist/) with single-app build (build app, verify dist/index.html) - deploy/nginx/csp-portal.conf: deleted (content was identical to csp-spa.conf — verified before removal) - deploy/README.md: replace "Portal (portal.crewli.app)" server-block section with "Legacy portal redirect" — a 301 server block template that redirects portal.crewli.app → crewli.app preserving the request URI. Notes that DNS retirement is a separate ops task Out of scope: actually retiring the portal.crewli.app DNS record (operational, tracked separately). bash -n deploy.sh: clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
66 lines
1.7 KiB
Markdown
66 lines
1.7 KiB
Markdown
# Crewli Deployment — Security Configuration
|
|
|
|
## Nginx Security Headers
|
|
|
|
Copy the configuration snippets to your Nginx server:
|
|
|
|
### API (api.crewli.app)
|
|
```nginx
|
|
server {
|
|
server_name api.crewli.app;
|
|
|
|
include /path/to/deploy/nginx/security-headers.conf;
|
|
include /path/to/deploy/nginx/csp-api.conf;
|
|
|
|
# ... rest of config
|
|
}
|
|
```
|
|
|
|
### Organizer App (crewli.app)
|
|
```nginx
|
|
server {
|
|
server_name crewli.app;
|
|
|
|
include /path/to/deploy/nginx/security-headers.conf;
|
|
include /path/to/deploy/nginx/csp-spa.conf;
|
|
|
|
# ... rest of config
|
|
}
|
|
```
|
|
|
|
### Legacy portal redirect (portal.crewli.app)
|
|
|
|
Pre-WS-3 (April 2026), Crewli ran a separate portal SPA at
|
|
`portal.crewli.app`. The dual-SPA was consolidated into a single
|
|
workspace; the legacy host should redirect 301 → `crewli.app`:
|
|
|
|
```nginx
|
|
server {
|
|
server_name portal.crewli.app;
|
|
listen 443 ssl;
|
|
# ... TLS config from DirectAdmin / Let's Encrypt ...
|
|
|
|
return 301 https://crewli.app$request_uri;
|
|
}
|
|
```
|
|
|
|
DNS retirement of `portal.crewli.app` is a separate operational task
|
|
tracked outside this repo. Until DNS is repointed, this redirect
|
|
handles any stale links.
|
|
|
|
## CSP Rollout Process
|
|
|
|
1. Start with `Content-Security-Policy-Report-Only` (uncomment in `csp-spa.conf`)
|
|
2. Monitor browser console for CSP violations for 1-2 weeks
|
|
3. Add any missing sources to the policy
|
|
4. Switch to enforcing `Content-Security-Policy`
|
|
5. Monitor for false positives after enforcement
|
|
|
|
## DirectAdmin Integration
|
|
|
|
If using DirectAdmin with Nginx:
|
|
1. Place the `.conf` files in `/usr/local/directadmin/data/users/USERNAME/nginx.conf`
|
|
or use DirectAdmin's custom Nginx configuration feature
|
|
2. Reload Nginx: `service nginx reload`
|
|
3. Verify headers: `curl -I https://crewli.app | grep -i security`
|