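#!/bin/bash
# Security Setup Script for Production Deployment
# Run this on your web hosting server after uploading files
#
# Run from the Laravel application root (the directory holding `artisan`
# and `.env`). Needs php, curl and grep on PATH; the chown steps assume the
# script runs with enough privilege to change ownership.
#
# APP_URL is taken from the environment if set, otherwise from the
# `APP_URL=` line of .env. Without it the web-exposure checks in Step 4 are
# reported as SKIPPED rather than as passed: an empty APP_URL would make
# every curl call fail and silently look like "not accessible".

set -euo pipefail

#######################################
# Print a message to stderr and abort with status 1.
# Arguments: message words
#######################################
die() {
    printf '%s\n' "$*" >&2
    exit 1
}

#######################################
# Read the value of a KEY=value line from .env, stripping one layer of
# surrounding single or double quotes. Prints nothing if the key is absent
# or empty.
# Arguments: $1 - key name (e.g. APP_URL)
# Outputs:   the value on stdout
#######################################
env_value() {
    local line value
    line=$(grep -E "^$1=" .env | head -n 1) || true
    value=${line#*=}
    value=${value#\"}; value=${value%\"}
    value=${value#\'}; value=${value%\'}
    printf '%s' "$value"
}

#######################################
# Fetch a URL and print only its HTTP status code. Prints "000" when no
# server answered at all, so callers can tell "server said 404" from
# "nothing reachable" — the latter must not count as a passed check.
# Arguments: $1 - URL
# Outputs:   three-digit status code on stdout
#######################################
http_code() {
    local code
    code=$(curl -s -o /dev/null --max-time 15 -w '%{http_code}' "$1" 2>/dev/null) || true
    printf '%s' "${code:-000}"
}

echo "=== Zanaka App Production Security Setup ==="
echo ""

# === Step 1: Environment Setup ===
echo "Step 1: Environment Configuration"
[[ -f artisan ]] || die "❌ artisan not found! Run this script from the Laravel application root."
if [[ ! -f .env ]]; then
    echo "❌ .env file not found! Copy .env.production.example to .env and configure it."
    exit 1
fi

# Check critical env vars
# A missing APP_KEY line is as bad as an empty one; both leave the app without a key.
if [[ -z "$(env_value APP_KEY)" ]]; then
    echo "⚠️  Generating APP_KEY..."
    php artisan key:generate --force
fi

# Anchored so a commented-out "#APP_ENV=local" line does not trip the check.
if grep -qE '^APP_ENV=local' .env || grep -qE '^APP_DEBUG=true' .env; then
    echo "❌ WARNING: APP_ENV must be 'production' and APP_DEBUG must be 'false'"
    echo "   Please update .env before continuing."
    exit 1
fi

echo "✅ Environment configured"

# === Step 2: File Permissions ===
echo ""
echo "Step 2: Setting File Permissions"

# Secure .env
# NOTE(review): 600 keeps .env readable only by its owner. If PHP runs as a
# different user than the owner of .env (e.g. www-data vs. root), the app
# will not be able to read it — confirm ownership matches the PHP user.
chmod 600 -- .env
echo "✅ .env secured (600)"

# Storage and cache writable
chmod -R 775 -- storage bootstrap/cache
chown -R www-data:www-data -- storage bootstrap/cache
echo "✅ Storage directories writable"

# Public uploads
mkdir -p -- public/uploads/videos
chmod 755 -- public/uploads/videos
chown -R www-data:www-data -- public/uploads
echo "✅ Public uploads directory created"

# Ensure storage/app/videos exists
mkdir -p -- storage/app/videos
chmod 775 -- storage/app/videos
echo "✅ Secure video storage created"

# Protect sensitive files (only those present; package.json may not be deployed)
for f in composer.json composer.lock package.json; do
    [[ -e "$f" ]] && chmod 644 -- "$f"
done
chmod 755 -- artisan
echo "✅ File permissions set"

# === Step 3: Laravel Setup ===
echo ""
echo "Step 3: Laravel Artisan Commands"

php artisan config:cache
php artisan route:cache
php artisan view:cache
echo "✅ Caches built"

php artisan storage:link
echo "✅ Storage symlink created"

php artisan migrate --force
echo "✅ Database migrated"

# === Step 4: Security Verification ===
echo ""
echo "Step 4: Security Verification"

app_url=${APP_URL:-$(env_value APP_URL)}
app_url=${app_url%/}   # avoid "https://host//.env"

if [[ -z "$app_url" ]]; then
    echo "⚠️  WARNING: APP_URL is not set (environment or .env); web exposure checks SKIPPED."
    echo "   Re-run with APP_URL set to verify .env and storage are not web-accessible."
else
    # Check if .env is accessible via web (should fail).
    # 2xx = served; 3xx = redirected (check the redirect target manually);
    # 000 = host unreachable, which is NOT a pass.
    code=$(http_code "${app_url}/.env")
    case "$code" in
        000)
            echo "⚠️  WARNING: could not reach ${app_url}; .env exposure check SKIPPED."
            ;;
        2*)
            echo "❌ CRITICAL: .env is publicly accessible! Fix webroot configuration."
            exit 1
            ;;
        3*)
            echo "⚠️  WARNING: ${app_url}/.env redirected (HTTP ${code}); verify the target does not serve it."
            ;;
        *)
            echo "✅ .env not publicly accessible"
            ;;
    esac

    # Check if storage is accessible via web (should fail)
    code=$(http_code "${app_url}/storage/app/videos")
    if [[ "$code" == 2* || "$code" == 3* ]]; then
        echo "⚠️  WARNING: storage/app might be publicly accessible"
    fi

    # Verify HTTPS. One header fetch serves both checks. Matching is
    # case-insensitive because HTTP/2 responses carry lowercase header names
    # ("strict-transport-security"), which a case-sensitive grep would miss.
    headers=$(curl -sI --max-time 15 "$app_url" 2>/dev/null) || true
    if ! grep -qiE '^HTTP/[0-9.]+ 200' <<<"$headers"; then
        echo "⚠️  WARNING: Application not responding on ${app_url}"
    fi

    if ! grep -qi 'strict-transport-security' <<<"$headers"; then
        echo "⚠️  WARNING: HSTS header not present. Enable SSL/TLS."
    fi
    echo "✅ Security headers check complete"
fi

# === Step 5: Final Checklist ===
# This summary restates what the steps above enforce; the Step 4 warnings
# (if any) are the authoritative result of the live checks.
echo ""
echo "=== Security Checklist ==="
echo "✅ APP_ENV=production"
echo "✅ APP_DEBUG=false"
echo "✅ Strong APP_KEY generated"
echo "✅ File permissions hardened"
echo "✅ Laravel caches optimized"
echo "✅ Database migrated"
echo ""
echo "📋 MANUAL TASKS:"
echo "   1. Enable SSL/TLS (Let's Encrypt or cPanel AutoSSL)"
echo "   2. Configure HTTP → HTTPS redirect"
echo "   3. Set up firewall (allow only 80/443/22)"
echo "   4. Enable SSH key-only auth, disable root login"
echo "   5. Configure backup schedule (daily DB, weekly files)"
echo "   6. Set up monitoring (uptime, logs, errors)"
echo "   7. Enable MFA on hosting panel and admin accounts"
echo "   8. Configure Cloudflare WAF/Bot Fight if using CDN"
echo "   9. Set up log rotation (logrotate or hosting panel)"
echo "   10. Test all critical flows (login, upload, payment)"
echo ""
echo "✅ Security setup complete!"
echo "🔒 Remember to:"
echo "   - Rotate secrets quarterly"
echo "   - Review access logs weekly"
echo "   - Keep Laravel and dependencies updated"
echo "   - Test backup restoration monthly"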