webmaster/crewsportswear
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add SSH keys setup guide and update configurations for secure key management
All checks were successful
Deploy Production (crewsportswear.com) / deploy (push) Successful in 4m31s
Details

Browse Source
This commit is contained in:
Frank John Begornia
2026-02-23 02:01:12 +08:00
parent 3dac8ee685
commit dfdb48920d
5 changed files with 139 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
.gitignore vendored
View File

@@ -1,3 +1,14 @@
/vendor /vendor
/node_modules /node_modules
.env .env
# SSH Keys - Never commit private keys
*.ppk
*.pem
*.key
id_rsa
id_dsa
id_ecdsa
id_ed25519
_key/
.ssh/

125
SSH_KEYS_SETUP.md Normal file
View File

@@ -0,0 +1,125 @@
# SSH Keys Setup Guide
## Security Notice
SSH private keys (.ppk, .pem, id_rsa, etc.) should **NEVER** be:
- Stored in the application directory
- Committed to git repositories
- Placed in web-accessible locations
## Recommended Setup
### 1. Create Secure Keys Directory on Server
```bash
# On your production server
sudo mkdir -p /var/crew-keys
sudo chmod 700 /var/crew-keys
```
### 2. Place Your SSH Key
```bash
# Copy your key to the secure location
sudo cp /path/to/your/root.ppk /var/crew-keys/
sudo chmod 600 /var/crew-keys/root.ppk
sudo chown root:root /var/crew-keys/root.ppk
```
### 3. Verify Permissions
```bash
ls -la /var/crew-keys/
# Should show: drwx------ (700) for directory
# Should show: -rw------- (600) for key file
```
## Docker Configuration
The `docker-compose.prod.yml` and `docker-compose.dev.yml` files are configured to mount `/var/crew-keys` as a **read-only** volume:
```yaml
volumes:
- /var/crew-keys:/var/keys:ro
```
The `:ro` flag ensures the container can only read the keys, not modify them.
## Application Configuration
The [config/filesystems.php](config/filesystems.php) references the key at:
```php
'privateKey' => '/var/keys/root.ppk',
```
This path is inside the container and maps to `/var/crew-keys/root.ppk` on the host.
## Testing
To verify the SFTP connection works:
```bash
docker exec crewsportswear_app_prod php -r "
use League\Flysystem\Sftp\SftpAdapter;
try {
\$adapter = new SftpAdapter([
'host' => '35.232.234.8',
'port' => 22,
'username' => 'root',
'privateKey' => '/var/keys/root.ppk',
'root' => '/var/www/html/images',
'timeout' => 10,
]);
echo 'SFTP connection: SUCCESS';
} catch (Exception \$e) {
echo 'SFTP connection failed: ' . \$e->getMessage();
}
"
```
## Troubleshooting
### Permission Denied
If you get permission errors:
```bash
# Fix directory permissions
sudo chmod 700 /var/crew-keys
# Fix key file permissions
sudo chmod 600 /var/crew-keys/root.ppk
```
### Key Format Issues
PuTTY keys (.ppk) may need conversion for Linux/PHP:
```bash
# Convert .ppk to OpenSSH format
puttygen root.ppk -O private-openssh -o /var/crew-keys/root.pem
chmod 600 /var/crew-keys/root.pem
```
Then update `filesystems.php`:
```php
'privateKey' => '/var/keys/root.pem',
```
## Security Best Practices
**DO:**
- Store keys outside application directory
- Use restrictive permissions (600 for files, 700 for directories)
- Mount as read-only in Docker
- Keep keys out of version control
- Use SSH key authentication instead of passwords
- Rotate keys regularly
**DON'T:**
- Commit keys to git
- Store in web-accessible directories
- Use world-readable permissions
- Share keys across multiple services
- Use password-protected keys without proper passphrase management

2
config/filesystems.php
View File

@@ -77,7 +77,7 @@ return [
'port' => 22, 'port' => 22,
'username' => 'root', 'username' => 'root',
'password' => '', 'password' => '',
'privateKey' => '/var/www/html/_key/instance2/root.ppk', 'privateKey' => '/var/keys/root.ppk',
'root' => '/var/www/html/images', 'root' => '/var/www/html/images',
'timeout' => 10 'timeout' => 10
], ],

1
docker-compose.dev.yml
View File

@@ -31,6 +31,7 @@ services:
volumes: volumes:
- ./storage:/var/www/html/storage - ./storage:/var/www/html/storage
- ./public/uploads:/var/www/html/public/uploads - ./public/uploads:/var/www/html/public/uploads
- /var/crew-keys:/var/keys:ro
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
# Development environment (dev.crewsportswear.app) # Development environment (dev.crewsportswear.app)

1
docker-compose.prod.yml
View File

@@ -31,6 +31,7 @@ services:
volumes: volumes:
- ./storage:/var/www/html/storage - ./storage:/var/www/html/storage
- ./public/uploads:/var/www/html/public/uploads - ./public/uploads:/var/www/html/public/uploads
- /var/crew-keys:/var/keys:ro
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
# Production environment (crewsportswear.com) - Uses paid SSL certificate # Production environment (crewsportswear.com) - Uses paid SSL certificate