Finish README. Separate docker configs from example configs.

2025-06-18 09:34:41 -04:00 · 2025-06-18 09:34:41 -04:00 · 4bd65daf5d
commit 4bd65daf5d
parent a3a6471ced
15 changed files with 263 additions and 158 deletions
--- a/README.md
+++ b/README.md
@ -2,7 +2,28 @@
 A lightweight, HTML-only status feed for self-hosted personal websites. Written in PHP. Heavily inspired by [status.cafe](https://status.cafe).
-![tkr homepage](https://subcultureofone.org/images/tkr/tkr-homepage.png)
+## Screenshots
 ### Mobile
 <img src="https://subcultureofone.org/images/tkr/tkr-logged-out-mobile.png"
     alt="tkr logged out view - mobile"
     width="40%" height="40%">
 <img src="https://subcultureofone.org/images/tkr/tkr-logged-in-mobile.png"
     alt="tkr logged in view - mobile"
     width="40%" height="40%">
 ### Desktop
 <img src="https://subcultureofone.org/images/tkr/tkr-logged-out-desktop.png"
     alt="tkr logged in view - desktop"
     width="60%" height="60%">
 <img src="https://subcultureofone.org/images/tkr/tkr-logged-in-desktop.png"
     alt="tkr logged in view - desktop"
     width="60%" height="60%">
 ## Features
@ -11,6 +32,8 @@ A lightweight, HTML-only status feed for self-hosted personal websites. Written
 * CSS uploads for custom theming
 * Custom emoji to personalize moods (unicode only)
 I'm trying to make sure that the HTML is both semantically valid and accessible, but I have a lot to learn about both. If you see something I should fix, please let me know!
 ## Prerequisites
 * A web server with PHP support, such as:
@ -27,14 +50,21 @@ A lightweight, HTML-only status feed for self-hosted personal websites. Written
 1. Copy the `tkr` directory to the location you want to serve it from
    * on debian-based systems, `/var/www/tkr` is recommended
 1. Make the `storage` directory writable by the web server account.
    * For example, on nginx on debian-based distributions:
    ```sh
    chown www-data:www-data /path/to/tkr/storage
    chmod 0770 /path/to/tkr/storage
    ```
-1. Add the necessary web server configuration
+1. Add the necessary web server configuration.
-    * Examples for common deployment scenarios, including documentation, are in the examples directory.
+    * Examples for common scenarios can be found in the [examples](./examples) directory.
        * Apache VPS, subdomain (e.g. `https://tkr.your-domain.com`): [examples/apache/vps/root](./examples/apache/vps/root)
        * Apache VPS, subfolder (e.g. `https://your-domain.com/tkr`): [examples/apache/vps/subfolder](./examples/apache/vps/subfolder)
        * Nginx VPS, subdomain (e.g. `https://tkr.your-domain.com`): [examples/nginx/root](./examples/nginx/root)
        * Nginx VPS, subfolder (e.g. `https://your-domain.com/tkr`): [examples/nginx/subfolder](./examples/nginx/subfolder)
    * Any values that need to be configured for your environment are labeled with `CONFIG`.
    * The SSL configurations are basic, but should work. For more robust SSL configurations, see https://ssl-config.mozilla.org
-## From git
+
 ### From git
 If you'd prefer to install from git:
@ -46,7 +76,7 @@ If you'd prefer to install from git:
        1. `storage`
        1. `templates`
    * Exclude the other directories
-2. Follow the main installation from step 2.
+2. Follow the main installation from step 4.
 ## Initial configuration
@ -71,7 +101,7 @@ The document root should be `/PATH/TO/tkr/public`. This will ensure that only th
 There is an `.htaccess` file in the `tkr/` root directory. It's designed for the following installation scenario:
 * shared hosting
-* `tkr/` is deployed installed to `tkr/` under your web root. (e.g. `public_html/tkr`).
+* `tkr/` is installed to `tkr/` under your web root. (e.g. `public_html/tkr`).
 * `tkr/public` is the document root
 * The other application directories are blocked both by `tkr/.htaccess` and by `.htaccess` files in the directories themselves. These are:
    * `tkr/config`
@ -80,16 +110,12 @@ There is an `.htaccess` file in the `tkr/` root directory. It's designed for the
    * `tkr/storage`
    * `tkr/templates`
 There are example configurations for other common scenarios in the [examples](./examples) directory.
 * Apache VPS, subdomain (e.g. `https://tkr.your-domain.com`): [examples/apache/vps/root](./examples/apache/vps/subdomain)
 * Apache VPS, subfolder (e.g. `https://your-domain.com/tkr`): [examples/apache/vps/subfolder](./examples/apache/vps/subfolder)
 * Nginx VPS, subdomain (e.g. `https://tkr.your-domain.com`): [examples/nginx/root](./examples/nginx/subfolder)
 * Nginx VPS, subfolder (e.g. `https://your-domain.com/tkr`): [examples/nginx/subfolder](./examples/nginx/subfolder)
 ### Docker compose
-The example directories contain docker-compose.yml files for the different configurations. To run tkr locally on your machine, copy the docker-compose file you're interested in to `tkr/` and run `docker compose up`.
+The [docker](./docker) directory contains docker-compose.yml files and web server configs for some different server configurations. For simplicity, these do not use SSL.
 To run tkr locally on your machine, copy the docker-compose file you're interested in to `tkr/` and run `docker compose up`.
 ## Storage
@ -109,7 +135,7 @@ For illustration, here's a sample from the file `/tkr/storage/ticks/2025/05/25`
 ### SQLite Database
-tkr stores profile information, custom emojis, and uploaded css metadata in a SQLite database located at `tkr/storage/db`.
+tkr stores profile information, custom emojis, and uploaded css metadata in a SQLite database located at `tkr/storage/db/tkr.sqlite`.
 You don't have to do any database setup. The database is automatically created and initialized on first run.
--- a/docker/apache/shared-hosting/.htaccess
+++ b/docker/apache/shared-hosting/.htaccess
@ -0,0 +1,49 @@
 # Example Apache VirtualHost
 # for serving tkr as a subdirectory path
 # on shared hosting via .htaccess
 #
 # e.g. http://www.my-domain.com/tkr
 #
 # This should work without modification if you extract the app
 # to /tkr from your web document root
 # Enable mod_rewrite
 RewriteEngine On
 # Security headers
 Header always set X-Frame-Options "SAMEORIGIN"
 Header always set X-XSS-Protection "1; mode=block"
 Header always set X-Content-Type-Options "nosniff"
 # Directory index
 DirectoryIndex public/index.php
 # Security: Block direct access to .php files (except through rewrites)
 RewriteCond %{THE_REQUEST} \s/[^?\s]*\.php[\s?] [NC]
 RewriteRule ^.*$ - [R=404,L]
 # Security: Block access to sensitive directories
 RewriteRule ^(storage|src|templates|examples|config)(/.*)?$ - [F,L]
 # Security: Block access to hidden files
 RewriteRule ^\..*$ - [F,L]
 # Cache CSS files for 1 hour
 <FilesMatch "\.css$">
    Header set Cache-Control "public, max-age=3600"
 </FilesMatch>
 # Serve the one static file that exists: css/tkr.css
 # (Pass requests to css/custom/ through to the PHP app)
 RewriteCond %{REQUEST_URI} !^/css/custom/
 RewriteRule ^css/tkr\.css$ public/css/tkr.css [L]
 # 404 all other static files (images, js, fonts, etc.)
 # so those requests don't hit the PHP app
 # (this is to reduce load on the PHP app from bots and scanners)
 RewriteRule \.(js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|pdf|zip|mp3|mp4|avi|mov)$ - [R=404,L]
 # Everything else goes to the front controller
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule ^(.*)$ public/index.php [L]
--- a/examples/apache/shared-hosting/docker-compose.yml
+++ b/examples/apache/shared-hosting/docker-compose.yml
@ -10,7 +10,7 @@ services:
      - ./src:/var/www/html/tkr/src
      - ./storage:/var/www/html/tkr/storage
      - ./templates:/var/www/html/tkr/templates
-      - ./examples/apache/shared-hosting/.htaccess:/var/www/html/tkr/.htaccess
+      - ./docker/apache/shared-hosting/.htaccess:/var/www/html/tkr/.htaccess
    command: >
      bash -c "a2enmod rewrite headers expires &&
               apache2-foreground &&
--- a/examples/apache/vps/root/docker-compose.yml
+++ b/examples/apache/vps/root/docker-compose.yml
@ -10,7 +10,7 @@ services:
      - ./src:/var/www/tkr/src
      - ./storage:/var/www/tkr/storage
      - ./templates:/var/www/tkr/templates
-      - ./examples/apache/vps/root/tkr.my-domain.com.conf:/etc/apache2/sites-enabled/tkr.my-domain.com.conf
+      - ./docker/apache/vps/root/tkr.my-domain.com.conf:/etc/apache2/sites-enabled/tkr.my-domain.com.conf
    command: >
      bash -c "a2enmod rewrite headers expires &&
               apache2-foreground &&
--- a/examples/apache/vps/root/tkr.my-domain.com.ssl.conf
+++ b/examples/apache/vps/root/tkr.my-domain.com.ssl.conf
@ -1,29 +1,13 @@
 # Example Apache VirtualHost
-# for serving tkr as a subdomain root with SSL
+# for serving tkr as a subdomain root without SSL
-# e.g. https://tkr.my-domain.com/
+# e.g. http://tkr.my-domain.com/
 #
-# Use SSL in production.
+# NOTE: Do not use in production.
-# This is a minimal SSL confiuration
+#       This is provided for docker compose
-# For more robust SSL configuration, refer to https://ssl-config.mozilla.org/
+#       (The included docker-compose file will mount it in the container image)
 <VirtualHost *:80>
    # Replace localhost with your subdomain, e.g. tkr.my-domain.com
    ServerName localhost
    DocumentRoot /var/www/tkr/public
    # Redirect HTTP to HTTPS
    Redirect permanent / https://tkr.my-domain.com/
 </VirtualHost>
 <VirtualHost *:443>
    ServerName localhost
    DocumentRoot /var/www/tkr/public
    # SSL Configuration
    SSLEngine on
    # Assumes you're using letsencrypt for cert generation
    # Replace with the actual paths to your cert and key
    SSLCertificateFile /etc/letsencrypt/live/tkr.my-domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/tkr.my-domain.com/privkey.pem
    # Security headers
    Header always set X-Frame-Options "SAMEORIGIN"
--- a/examples/apache/vps/subfolder/docker-compose.yml
+++ b/examples/apache/vps/subfolder/docker-compose.yml
@ -10,7 +10,7 @@ services:
      - ./src:/var/www/tkr/src
      - ./storage:/var/www/tkr/storage
      - ./templates:/var/www/tkr/templates
-      - ./examples/apache/vps/subfolder/my-domain.com.conf:/etc/apache2/sites-enabled/my-domain.com.conf
+      - ./docker/apache/vps/subfolder/my-domain.com.conf:/etc/apache2/sites-enabled/my-domain.com.conf
    command: >
      bash -c "a2enmod rewrite headers expires &&
               a2dissite 000-default &&
--- a/examples/apache/vps/subfolder/my-domain.com.ssl.conf
+++ b/examples/apache/vps/subfolder/my-domain.com.ssl.conf
@ -1,30 +1,13 @@
 # Example Apache VirtualHost
-# for serving tkr as a subdirectory path with SSL
+# for serving tkr as a subdirectory path without SSL
-# e.g. https://www.my-domain.com/tkr
+# e.g. http://www.my-domain.com/tkr
 #
-# Use SSL in production.
+# NOTE: Do not use in production.
-# This is a minimal SSL confiuration
+#       This is provided for docker compose
-# For more robust SSL configuration, refer to https://ssl-config.mozilla.org/
+#       (The included docker-compose file will mount it in the container image)
 <VirtualHost *:80>
    # Replace localhost with your subdomain, e.g. tkr.my-domain.com
    ServerName localhost
    DocumentRoot /var/www/html
    # Redirect HTTP to HTTPS
    Redirect permanent / https://my-domain.com/
 </VirtualHost>
 <VirtualHost *:443>
    # Replace localhost with your subdomain, e.g. tkr.my-domain.com
    ServerName localhost
    DocumentRoot /var/www/html
    # SSL Configuration
    SSLEngine on
    # Assumes you're using letsencrypt for cert generation
    # Replace with the actual paths to your cert and key
    SSLCertificateFile /etc/letsencrypt/live/my-domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my-domain.com/privkey.pem
    # Security headers
    Header always set X-Frame-Options "SAMEORIGIN"
--- a/examples/nginx/root/docker-compose.yml
+++ b/examples/nginx/root/docker-compose.yml
@ -6,7 +6,7 @@ services:
      - "80:80"
    volumes:
      - ./public:/var/www/tkr/public
-      - ./examples/nginx/root/nginx.conf:/etc/nginx/conf.d/default.conf
+      - ./docker/nginx/root/nginx.conf:/etc/nginx/conf.d/default.conf
    depends_on:
      - php
    restart: unless-stopped
--- a/examples/nginx/root/nginx.ssl.conf
+++ b/examples/nginx/root/nginx.ssl.conf
@ -1,23 +1,14 @@
 # Example nginx config
-# for serving tkr as a subdomain with SSL
+# for serving tkr as a subdomain without SSL
-# e.g. https://tkr.my-domain.com/
+# e.g. http://tkr.my-domain.com/
 #
-# Use SSL in production.
+# NOTE: Do not use in production.
-# This is a minimal SSL confiuration
+#       This is provided for docker compose
-# For more robust SSL configuration, refer to https://ssl-config.mozilla.org/
+#       (The included docker-compose file will mount it in the container image)
 server {
-    listen 443 ssl;
+    listen 80;
    listen [::]:443 ssl;
    # replace localhost with your subdomain
    # e.g. tkr.my-domain.com
    server_name localhost;
    # Assumes you're using letsencrypt for cert generation
    # Replace with the actual paths to your cert and key
    ssl_certificate /etc/letsencrypt/live/tkr.my-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tkr.my-domain.com/privkey.pem;
    root /var/www/tkr/public;
    index index.php;
@ -44,7 +35,16 @@ server {
        # I've excluded /css/custom so that requests for uploaded css can be handled by the PHP app.
        # That lets me store uploaded content outside of the document root,
        # so it isn't served directly.
-        location ~* ^/(?!css/custom/).+\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+
        # CSS files - 1 hour cache
        location ~* ^/(?!css/custom/).+\.css$ {
            expires 1h;
            add_header Cache-Control "public";
            try_files $uri =404;
        }
        # Other static assets - 1 year cache
        location ~* ^/.+\.(js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
            expires 1y;
            add_header Cache-Control "public, immutable";
            try_files $uri =404;
@ -98,10 +98,3 @@ server {
        return 404;
    }
 }
 server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;
 }
--- a/examples/nginx/subfolder/docker-compose.yml
+++ b/examples/nginx/subfolder/docker-compose.yml
@ -6,7 +6,7 @@ services:
      - "80:80"
    volumes:
      - ./public:/var/www/tkr/public
-      - ./examples/nginx/subfolder/nginx.conf:/etc/nginx/conf.d/default.conf
+      - ./docker/nginx/subfolder/nginx.conf:/etc/nginx/conf.d/default.conf
    depends_on:
      - php
    restart: unless-stopped
--- a/examples/nginx/subfolder/nginx.ssl.conf
+++ b/examples/nginx/subfolder/nginx.ssl.conf
@ -1,16 +1,16 @@
 # Example nginx config
-# for serving tkr as a subdfolder with SSL
+# for serving tkr as a subdfolder without SSL
-# e.g. https://my-domain.com/tkr
+# e.g. http://my-domain.com/tkr
 #
-# Use SSL in production.
+# NOTE: Do not use in production.
-# This is a minimal SSL confiuration
+#       This is provided for docker compose
-# For more robust SSL configuration, refer to https://ssl-config.mozilla.org/
+#       (The included docker-compose file will mount it in the container image)
 server {
-    listen 443 ssl;
+    listen 80 default_server;
-    listen [::]:443 ssl;
+    listen [::]:80 default_server;
-    # Replace localhost with your domain
+    # replace localhost with your subdomain
-    # e.g. my-domain.com
+    # e.g. tkr.my-domain.com
    server_name localhost;
    root /var/www/html;
@ -42,7 +42,16 @@ server {
        # I've excluded /css/custom so that requests for uploaded css can be handled by the PHP app.
        # That lets me store uploaded content outside of the document root,
        # so it isn't served directly.
-        location ~* ^/tkr/(?!css/custom/).+\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+
        # CSS files - 1 hour cache
        location ~* ^/tkr/(?!css/custom/).+\.css$ {
            expires 1h;
            add_header Cache-Control "public";
            try_files $uri =404;
        }
        # Other static assets - 1 year cache
        location ~* ^/tkr/.+\.(js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
            expires 1y;
            add_header Cache-Control "public, immutable";
            try_files $uri =404;
@ -90,10 +99,3 @@ server {
        return 404;
    }
 }
 server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;
 }
--- a/examples/apache/vps/root/tkr.my-domain.com.conf
+++ b/examples/apache/vps/root/tkr.my-domain.com.conf
@ -1,14 +1,32 @@
 # Example Apache VirtualHost
-# for serving tkr as a subdomain root without SSL
+# for serving tkr as a subdomain root with SSL
-# e.g. http://tkr.my-domain.com/
+# e.g. https://tkr.my-domain.com/
 #
-# NOTE: Do not use in production.
+# Use SSL in production.
-#       This is provided for docker compose
+# This is a minimal SSL confiuration
-#       (The included docker-compose file will mount it in the container image)
+# For more robust SSL configuration, refer to https://ssl-config.mozilla.org/
 <VirtualHost *:80>
-    # Replace localhost with your subdomain, e.g. tkr.my-domain.com
+    # CONFIG: Replace localhost with your subdomain, e.g. tkr.my-domain.com
    ServerName localhost
    # CONFIG: Replace localhost with your subdomain, e.g. tkr.my-domain.com
    DocumentRoot /var/www/tkr/public
    # Redirect HTTP to HTTPS
    Redirect permanent / https://tkr.my-domain.com/
 </VirtualHost>
 <VirtualHost *:443>
    # CONFIG: Replace localhost with your subdomain, e.g. tkr.my-domain.com
    ServerName localhost
    # CONFIG: Replace localhost with your subdomain, e.g. tkr.my-domain.com
    DocumentRoot /var/www/tkr/public
    # SSL Configuration
    SSLEngine on
    # Assumes you're using letsencrypt for cert generation
    # Replace with the actual paths to your cert and key
    SSLCertificateFile /etc/letsencrypt/live/tkr.my-domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/tkr.my-domain.com/privkey.pem
    # Security headers
    Header always set X-Frame-Options "SAMEORIGIN"
--- a/examples/apache/vps/subfolder/my-domain.com.conf
+++ b/examples/apache/vps/subfolder/my-domain.com.conf
@ -1,14 +1,32 @@
 # Example Apache VirtualHost
-# for serving tkr as a subdirectory path without SSL
+# for serving tkr as a subdirectory path with SSL
-# e.g. http://www.my-domain.com/tkr
+# e.g. https://www.my-domain.com/tkr
 #
-# NOTE: Do not use in production.
+# Use SSL in production.
-#       This is provided for docker compose
+# This is a minimal SSL confiuration
-#       (The included docker-compose file will mount it in the container image)
+# For more robust SSL configuration, refer to https://ssl-config.mozilla.org/
 <VirtualHost *:80>
-    # Replace localhost with your subdomain, e.g. tkr.my-domain.com
+    # CONFIG: Replace localhost with your subdomain, e.g. tkr.my-domain.com
    ServerName localhost
-    DocumentRoot /var/www/html
+    # CONFIG: Replace  with your subdomain, e.g. tkr.my-domain.com
    DocumentRoot /var/www/tkr
    # Redirect HTTP to HTTPS
    Redirect permanent / https://my-domain.com/
 </VirtualHost>
 <VirtualHost *:443>
    # CONFIG: Replace localhost with your subdomain, e.g. tkr.my-domain.com
    ServerName localhost
    # CONFIG: Replace  with your subdomain, e.g. tkr.my-domain.com
    DocumentRoot /var/www/tkr/
    # SSL Configuration
    SSLEngine on
    # Assumes you're using letsencrypt for cert generation
    # Replace with the actual paths to your cert and key
    SSLCertificateFile /etc/letsencrypt/live/my-domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my-domain.com/privkey.pem
    # Security headers
    Header always set X-Frame-Options "SAMEORIGIN"
--- a/examples/nginx/root/nginx.conf
+++ b/examples/nginx/root/nginx.conf
@ -1,19 +1,28 @@
 # Example nginx config
-# for serving tkr as a subdomain without SSL
+# for serving tkr as a subdomain with SSL
-# e.g. http://tkr.my-domain.com/
+# e.g. https://tkr.my-domain.com/
 #
-# NOTE: Do not use in production.
+# Use SSL in production.
-#       This is provided for docker compose
+# This is a minimal SSL confiuration
-#       (The included docker-compose file will mount it in the container image)
+# For more robust SSL configuration, refer to https://ssl-config.mozilla.org/
 server {
-    listen 80;
+    listen 443 ssl;
-    # replace localhost with your subdomain
+    listen [::]:443 ssl;
-    # e.g. tkr.my-domain.com
+
    # CONFIG: replace "localhost" with your subdomain (e.g. tkr.my-domain.com)
    server_name localhost;
    # CONFIG:
    # replace "/var/www/tkr" with the directory you extracted the .zip file to (if different)
    root /var/www/tkr/public;
    index index.php;
    # CONFIG:
    # Assumes you're using letsencrypt for cert generation
    # Replace with the actual paths to your cert and key
    ssl_certificate /etc/letsencrypt/live/tkr.my-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tkr.my-domain.com/privkey.pem;
    # Security headers
    # The first rule is to prevent including in a frame on a different domain.
    # Remove it if you want to do that.
@ -37,16 +46,7 @@ server {
        # I've excluded /css/custom so that requests for uploaded css can be handled by the PHP app.
        # That lets me store uploaded content outside of the document root,
        # so it isn't served directly.
-
+        location ~* ^/(?!css/custom/).+\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        # CSS files - 1 hour cache
        location ~* ^/(?!css/custom/).+\.css$ {
            expires 1h;
            add_header Cache-Control "public";
            try_files $uri =404;
        }
        # Other static assets - 1 year cache
        location ~* ^/.+\.(js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
            expires 1y;
            add_header Cache-Control "public, immutable";
            try_files $uri =404;
@ -57,10 +57,14 @@ server {
        # But if someone tries to directly access index.php, that file will throw a 404
        # so bots and scanners can't tell this is a php app
        location = /index.php {
            # CONFIG:
            # If you're running php-fpm on the same server as nginx,
            # then change this to the local php-fpm socket
            # e.g. fastcgi_pass unix:/run/php/php8.2-fpm.sock;
            fastcgi_pass php:9000;
            # CONFIG:
            # replace "/var/www/tkr" with the directory you extracted the .zip file to (if different)
            fastcgi_param SCRIPT_FILENAME /var/www/tkr/public/index.php;
            include fastcgi_params;
@ -82,10 +86,14 @@ server {
    # Fallback for /tkr routing - all non-file requests (e.g. /login) go to index.php
    location @tkr_fallback {
        # CONFIG:
        # If you're running php-fpm on the same server as nginx,
        # then change this to the local php-fpm socket
        # e.g. fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        fastcgi_pass php:9000;
        # CONFIG:
        # replace "/var/www/tkr" with the directory you extracted the .zip file to (if different)
        fastcgi_param SCRIPT_FILENAME /var/www/tkr/public/index.php;
        include fastcgi_params;
@ -100,3 +108,10 @@ server {
        return 404;
    }
 }
 server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;
 }
--- a/examples/nginx/subfolder/nginx.conf
+++ b/examples/nginx/subfolder/nginx.conf
@ -1,20 +1,22 @@
 # Example nginx config
-# for serving tkr as a subdfolder without SSL
+# for serving tkr as a subdfolder with SSL
-# e.g. http://my-domain.com/tkr
+# e.g. https://my-domain.com/tkr
 #
-# NOTE: Do not use in production.
+# Use SSL in production.
-#       This is provided for docker compose
+# This is a minimal SSL confiuration
-#       (The included docker-compose file will mount it in the container image)
+# For more robust SSL configuration, refer to https://ssl-config.mozilla.org/
 server {
-    listen 80 default_server;
+    listen 443 ssl;
-    listen [::]:80 default_server;
+    listen [::]:443 ssl;
-    # replace localhost with your subdomain
+    # CONFIG: Replace localhost with your domain e.g. my-domain.com
    # e.g. tkr.my-domain.com
    server_name localhost;
-    root /var/www/html;
+    # CONFIG:
-    index index.html;
+    # Assumes you're using letsencrypt for cert generation
    # Replace with the actual paths to your cert and key
    ssl_certificate /etc/letsencrypt/live/my-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my-domain.com/privkey.pem;
    # Security headers
    # The first rule is to prevent including in a frame on a different domain.
@ -32,6 +34,8 @@ server {
    # PHP routing - everything under /tkr goes through index.php
    location /tkr {
        # CONFIG:
        # replace "/var/www/tkr" with the directory you extracted the .zip file to (if different)
        alias /var/www/tkr/public;
        index index.php;
@ -42,16 +46,7 @@ server {
        # I've excluded /css/custom so that requests for uploaded css can be handled by the PHP app.
        # That lets me store uploaded content outside of the document root,
        # so it isn't served directly.
-
+        location ~* ^/tkr/(?!css/custom/).+\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        # CSS files - 1 hour cache
        location ~* ^/tkr/(?!css/custom/).+\.css$ {
            expires 1h;
            add_header Cache-Control "public";
            try_files $uri =404;
        }
        # Other static assets - 1 year cache
        location ~* ^/tkr/.+\.(js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
            expires 1y;
            add_header Cache-Control "public, immutable";
            try_files $uri =404;
@ -62,7 +57,14 @@ server {
        # But if someone tries to directly access index.php, that file will throw a 404
        # so bots and scanners can't tell this is a php app
        location = /tkr/index.php {
            # CONFIG:
            # If you're running php-fpm on the same server as nginx,
            # then change this to the local php-fpm socket
            # e.g. fastcgi_pass unix:/run/php/php8.2-fpm.sock;
            fastcgi_pass php:9000;
            # CONFIG:
            # replace "/var/www/tkr" with the directory you extracted the .zip file to (if different)
            fastcgi_param SCRIPT_FILENAME /var/www/tkr/public/index.php;
            include fastcgi_params;
@ -84,7 +86,15 @@ server {
    # Fallback for /tkr routing - all non-file requests (e.g. /login) go to index.php
    location @tkr_fallback {
        # CONFIG:
        # If you're running php-fpm on the same server as nginx,
        # then change this to the local php-fpm socket
        # e.g. fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        fastcgi_pass php:9000;
        # CONFIG:
        # replace "/var/www/tkr" with the directory you extracted the .zip file to (if different)
        fastcgi_param SCRIPT_FILENAME /var/www/tkr/public/index.php;
        fastcgi_param SCRIPT_FILENAME /var/www/tkr/public/index.php;
        include fastcgi_params;
@ -99,3 +109,10 @@ server {
        return 404;
    }
 }
 server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;
 }