From 425387ec3e87cf80779f7f3f3e6d1a1c451f865a Mon Sep 17 00:00:00 2001
From: Andre Cobham
Date: Mon, 8 Jun 2026 16:06:23 +0200
Subject: [PATCH] bake htpasswd from build arg, security hardening, fix home routing
---
 .gitignore | 1 +
 .htaccess | 24 +++++++++++++++---------
 Dockerfile | 6 +++++-
 infra/nginx.conf | 9 +++++++--
 4 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/.gitignore b/.gitignore
index dac9c40..2a33ad5 100755
--- a/.gitignore
+++ b/.gitignore
@@ -73,3 +73,4 @@ venv/
 *.m4v
 *.mpg
 *.mpeg
+.htpasswd
diff --git a/.htaccess b/.htaccess
index 30cf9de..d93dd03 100755
--- a/.htaccess
+++ b/.htaccess
@@ -1,22 +1,28 @@
 Options -Indexes
 RewriteEngine On
-# Deny sensitive files
 Order allow,deny
 Deny from all
-# Deny tools directory
 RewriteRule ^tools/ - [F,L]
-# Route homepage and all non-asset, non-api requests through PHP router
-RewriteCond %{REQUEST_FILENAME} !-f
-RewriteCond %{REQUEST_FILENAME} !-d
-RewriteCond %{REQUEST_URI} !^/assets/
-RewriteCond %{REQUEST_URI} !^/api/
-RewriteRule ^$ /api/router.php?type=coming_soon [QSA,L]
-RewriteRule ^(.*)$ /api/router.php?type=coming_soon [QSA,L]
+RewriteCond %{REQUEST_FILENAME} -f
+RewriteRule ^ - [L]
+
+RewriteRule ^$ /api/router.php?type=home [QSA,L]
+RewriteRule ^about/?$ /api/router.php?type=about [QSA,L]
+RewriteRule ^the-practice/?$ /api/router.php?type=practice [QSA,L]
+RewriteRule ^services/?$ /api/router.php?type=services_index [QSA,L]
+RewriteRule ^services/([a-z0-9-]+)/?$ /api/router.php?type=service&slug=$1 [QSA,L]
+RewriteRule ^testimonials/?$ /api/router.php?type=testimonials [QSA,L]
+RewriteRule ^gallery/?$ /api/router.php?type=gallery [QSA,L]
+RewriteRule ^events/?$ /api/router.php?type=events [QSA,L]
+RewriteRule ^events/([a-z0-9-]+)/?$ /api/router.php?type=event_detail&slug=$1 [QSA,L]
+RewriteRule ^contact/?$ /api/router.php?type=contact [QSA,L]
+RewriteRule ^privacy-policy/?$ /api/router.php?type=legal&slug=privacy-policy [QSA,L]
+RewriteRule ^terms-of-service/?$ /api/router.php?type=legal&slug=terms-of-service [QSA,L]
 ErrorDocument 404 /404.html
 ErrorDocument 500 /500.html
diff --git a/Dockerfile b/Dockerfile
index e317f93..a1ea44a 100755
--- a/Dockerfile
+++ b/Dockerfile
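Review bot: The new `RewriteCond %{REQUEST_FILENAME} -f` / `RewriteRule ^ - [L]` pass-through runs ahead of every route and short-circuits for any file that exists on disk, so a direct request for a file under `api/templates/`, `api/components/` or `api/data/` (the trees the Dockerfile copies into the web root) is served unless a file-level deny covers it — the only deny visible here is the `Order allow,deny` / `Deny from all` pair near the top, whose enclosing container is not visible in this rendering, and the extension block that nginx.conf applies (`.env`, `.yml`, `.md`, `.sql`, …) has no Apache counterpart in this file. I would add `RewriteRule ^api/(templates|components|data)/ - [F,L]` beside the existing `tools/` rule, or a `<FilesMatch>` mirroring the nginx extension list, so the two front ends deny the same things. Dropping the old catch-all is fine because unmatched paths now fall through to Apache's own 404 and the `ErrorDocument` below, but a one-line comment saying so, such as `# No catch-all on purpose: unknown paths 404 via ErrorDocument`, would stop the next reader from re-adding it.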
@@ -27,7 +27,11 @@ COPY src/api/templates /var/www/html/api/templates/
 COPY src/api/components /var/www/html/api/components/
 COPY src/api/data /var/www/html/api/data/
-RUN chown -R www-data:www-data /var/www/html
+ARG HTPASSWD_HASH
+RUN echo "bigbreath:${HTPASSWD_HASH}" > /etc/nginx/.htpasswd
+
+RUN chown -R www-data:www-data /var/www/html \
+ && echo 'expose_php = Off' > /usr/local/etc/php/conf.d/security.ini
 ENV SEND_FROM_EMAIL="" \
 SEND_TO_EMAIL="" \
diff --git a/infra/nginx.conf b/infra/nginx.conf
index 6410a9d..4d6d7fb 100755
--- a/infra/nginx.conf
+++ b/infra/nginx.conf
@@ -1,3 +1,5 @@
+server_tokens off;
+
 limit_req_zone $binary_remote_addr zone=contact_limit:10m rate=5r/m;
 gzip on;
@@ -22,6 +24,9 @@ server {
 add_header Cross-Origin-Resource-Policy "same-origin" always;
 add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self' 'unsafe-inline' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; frame-src https://www.google.com/recaptcha/; connect-src 'self' https://www.google.com/recaptcha/; upgrade-insecure-requests" always;
+ auth_basic "Review";
+ auth_basic_user_file /etc/nginx/.htpasswd;
+
 location ~ /\. { deny all; return 404; }
 location ~* \.(env|conf|yml|yaml|md|sh|py|pyc|sql|bak|old|swp|log|dockerfile)$ {
 deny all; return 404;
@@ -61,7 +66,7 @@ server {
 fastcgi_read_timeout 30s;
 }
-location = / { rewrite ^ /api/router.php?type=coming_soon last; }
+location = / { rewrite ^ /api/router.php?type=home last; }
 location = /about { rewrite ^ /api/router.php?type=about last; }
 location = /about/ { rewrite ^ /api/router.php?type=about last; }
 location = /the-practice { rewrite ^ /api/router.php?type=practice last; }
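Review bot: `ARG HTPASSWD_HASH` consumed by `RUN echo "bigbreath:${HTPASSWD_HASH}" > /etc/nginx/.htpasswd` lands in the image twice — build-arg values used by a RUN are recorded in that layer's metadata and show up in `docker history`, and the file itself is committed to a layer with the default 0644 mode — so anyone who can pull the image gets the hash, which undercuts the `.gitignore` entry in the first hunk. A BuildKit secret keeps it out of the layers: `RUN --mount=type=secret,id=htpasswd install -m 0640 /run/secrets/htpasswd /etc/nginx/.htpasswd` (with `# syntax=docker/dockerfile:1` at the top and the group set to whatever user the nginx workers run as, which this hunk does not show), or mount the file at run time instead of baking it. Separately, an unset arg does not fail the build but writes `bigbreath:` with an empty hash field; `RUN test -n "${HTPASSWD_HASH}" || { echo 'HTPASSWD_HASH build arg is required' >&2; exit 1; }` before the echo turns that into a build error. The user name is hard-coded next to the hash; if it is meant to vary per deployment it belongs in a second ARG.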
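Review bot: `auth_basic "Review";` at `server` scope gates every location in this block, including whatever health-check or ACME `.well-known` endpoint the host relies on (none is visible in the hunk, so this is inferred); each such location needs `auth_basic off;` or its probe fails with 401 once this ships. Basic auth also sends the credential base64-encoded on every request, so it is only as private as the transport — the `upgrade-insecure-requests` CSP directive suggests TLS is in place, but the `listen` directives are outside the hunk, and the assumption deserves a comment next to the new lines: `# Review gate: credentials travel in clear on every request, TLS-only; remove before public launch.`. With a single hard-coded account, repeated 401s are the main signal worth alerting on; the existing `limit_req_zone` is by its name scoped to the contact form, and a coarse per-IP `limit_req` on this server block would blunt password guessing against the gate.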
@@ -89,7 +94,7 @@ server {
 location = /terms-of-service { rewrite ^ /api/router.php?type=legal&slug=terms-of-service last; }
 location = /terms-of-service/ { rewrite ^ /api/router.php?type=legal&slug=terms-of-service last; }
-location / { rewrite ^ /api/router.php?type=coming_soon last; }
+location / { return 404; }
 error_page 404 /404.html;
 error_page 500 502 503 504 /500.html;
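Review bot: `location / { return 404; }` also answers the internal redirects that `error_page 404 /404.html;` and `error_page 500 502 503 504 /500.html;` issue two lines below, because neither `/404.html` nor `/500.html` matches an exact location in this hunk; with nginx's default `recursive_error_pages off`, the custom pages are then replaced by the built-in error body — unless a regex or exact location elsewhere in the server block already serves them, which is not visible here. Adding `location = /404.html { internal; }` and `location = /500.html { internal; }` restores them and keeps the pages reachable only through error handling. The same question applies to static assets: whatever prefix they live under needs a location more specific than the new catch-all or they 404 as well. A comment on the changed line, such as `# Unknown paths stop here; nothing falls through to the PHP router.`, records why the rewrite was dropped.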