Finish README. Separate docker configs from example configs.

README.md

@@ -2,7 +2,28 @@
 
 A lightweight, HTML-only status feed for self-hosted personal websites. Written in PHP. Heavily inspired by [status.cafe](https://status.cafe).
 
-![tkr homepage](https://subcultureofone.org/images/tkr/tkr-homepage.png)
+## Screenshots
+
+### Mobile
+
+<img src="https://subcultureofone.org/images/tkr/tkr-logged-out-mobile.png"
+     alt="tkr logged out view - mobile"
+     width="40%" height="40%">
+<img src="https://subcultureofone.org/images/tkr/tkr-logged-in-mobile.png"
+     alt="tkr logged in view - mobile"
+     width="40%" height="40%">
+
+### Desktop
+
+<img src="https://subcultureofone.org/images/tkr/tkr-logged-out-desktop.png"
+     alt="tkr logged in view - desktop"
+     width="60%" height="60%">
+
+<img src="https://subcultureofone.org/images/tkr/tkr-logged-in-desktop.png"
+     alt="tkr logged in view - desktop"
+     width="60%" height="60%">
+
+
 
 ## Features
 
@@ -11,6 +32,8 @@ A lightweight, HTML-only status feed for self-hosted personal websites. Written
 * CSS uploads for custom theming
 * Custom emoji to personalize moods (unicode only)
 
+I'm trying to make sure that the HTML is both semantically valid and accessible, but I have a lot to learn about both. If you see something I should fix, please let me know!
+
 ## Prerequisites
 
 * A web server with PHP support, such as:
@@ -27,18 +50,25 @@ A lightweight, HTML-only status feed for self-hosted personal websites. Written
 1. Copy the `tkr` directory to the location you want to serve it from
     * on debian-based systems, `/var/www/tkr` is recommended
 1. Make the `storage` directory writable by the web server account.
-    * For example, on nginx on debian-based distributions:
     ```sh
     chown www-data:www-data /path/to/tkr/storage
+    chmod 0770 /path/to/tkr/storage
     ```
-1. Add the necessary web server configuration
+1. Add the necessary web server configuration.
-    * Examples for common deployment scenarios, including documentation, are in the examples directory.
+    * Examples for common scenarios can be found in the [examples](./examples) directory.
+        * Apache VPS, subdomain (e.g. `https://tkr.your-domain.com`): [examples/apache/vps/root](./examples/apache/vps/root)
+        * Apache VPS, subfolder (e.g. `https://your-domain.com/tkr`): [examples/apache/vps/subfolder](./examples/apache/vps/subfolder)
+        * Nginx VPS, subdomain (e.g. `https://tkr.your-domain.com`): [examples/nginx/root](./examples/nginx/root)
+        * Nginx VPS, subfolder (e.g. `https://your-domain.com/tkr`): [examples/nginx/subfolder](./examples/nginx/subfolder)
+    * Any values that need to be configured for your environment are labeled with `CONFIG`.
+    * The SSL configurations are basic, but should work. For more robust SSL configurations, see https://ssl-config.mozilla.org
 
-## From git
+
+### From git
 
 If you'd prefer to install from git:
 
-1. Clone this directoryand copy the `/tkr` directory to your web server.
+1. Clone this directory and copy the `/tkr` directory to your web server.
     * Required subdirectories are:
         1. `config`
         1. `public`
@@ -46,7 +76,7 @@ If you'd prefer to install from git:
         1. `storage`
         1. `templates`
     * Exclude the other directories
-2. Follow the main installation from step 2.
+2. Follow the main installation from step 4.
 
 ## Initial configuration
 
@@ -71,7 +101,7 @@ The document root should be `/PATH/TO/tkr/public`. This will ensure that only th
 There is an `.htaccess` file in the `tkr/` root directory. It's designed for the following installation scenario:
 
 * shared hosting
-* `tkr/` is deployed installed to `tkr/` under your web root. (e.g. `public_html/tkr`).
+* `tkr/` is installed to `tkr/` under your web root. (e.g. `public_html/tkr`).
 * `tkr/public` is the document root
 * The other application directories are blocked both by `tkr/.htaccess` and by `.htaccess` files in the directories themselves. These are:
     * `tkr/config`
@@ -80,16 +110,12 @@ There is an `.htaccess` file in the `tkr/` root directory. It's designed for the
     * `tkr/storage`
     * `tkr/templates`
 
-There are example configurations for other common scenarios in the [examples](./examples) directory.
-
-* Apache VPS, subdomain (e.g. `https://tkr.your-domain.com`): [examples/apache/vps/root](./examples/apache/vps/subdomain)
-* Apache VPS, subfolder (e.g. `https://your-domain.com/tkr`): [examples/apache/vps/subfolder](./examples/apache/vps/subfolder)
-* Nginx VPS, subdomain (e.g. `https://tkr.your-domain.com`): [examples/nginx/root](./examples/nginx/subfolder)
-* Nginx VPS, subfolder (e.g. `https://your-domain.com/tkr`): [examples/nginx/subfolder](./examples/nginx/subfolder)
 
 ### Docker compose
 
-The example directories contain docker-compose.yml files for the different configurations. To run tkr locally on your machine, copy the docker-compose file you're interested in to `tkr/` and run `docker compose up`.
+The [docker](./docker) directory contains docker-compose.yml files and web server configs for some different server configurations. For simplicity, these do not use SSL.
+
+To run tkr locally on your machine, copy the docker-compose file you're interested in to `tkr/` and run `docker compose up`.
 
 ## Storage
 
@@ -109,7 +135,7 @@ For illustration, here's a sample from the file `/tkr/storage/ticks/2025/05/25`
 
 ### SQLite Database
 
-tkr stores profile information, custom emojis, and uploaded css metadata in a SQLite database located at `tkr/storage/db`.
+tkr stores profile information, custom emojis, and uploaded css metadata in a SQLite database located at `tkr/storage/db/tkr.sqlite`.
 
 You don't have to do any database setup. The database is automatically created and initialized on first run.
 

docker/apache/shared-hosting/.htaccess

@@ -0,0 +1,49 @@
+# Example Apache VirtualHost
+# for serving tkr as a subdirectory path
+# on shared hosting via .htaccess
+#
+# e.g. http://www.my-domain.com/tkr
+#
+# This should work without modification if you extract the app
+# to /tkr from your web document root
+
+# Enable mod_rewrite
+RewriteEngine On
+
+# Security headers
+Header always set X-Frame-Options "SAMEORIGIN"
+Header always set X-XSS-Protection "1; mode=block"
+Header always set X-Content-Type-Options "nosniff"
+
+# Directory index
+DirectoryIndex public/index.php
+
+# Security: Block direct access to .php files (except through rewrites)
+RewriteCond %{THE_REQUEST} \s/[^?\s]*\.php[\s?] [NC]
+RewriteRule ^.*$ - [R=404,L]
+
+# Security: Block access to sensitive directories
+RewriteRule ^(storage|src|templates|examples|config)(/.*)?$ - [F,L]
+
+# Security: Block access to hidden files
+RewriteRule ^\..*$ - [F,L]
+
+# Cache CSS files for 1 hour
+<FilesMatch "\.css$">
+    Header set Cache-Control "public, max-age=3600"
+</FilesMatch>
+
+# Serve the one static file that exists: css/tkr.css
+# (Pass requests to css/custom/ through to the PHP app)
+RewriteCond %{REQUEST_URI} !^/css/custom/
+RewriteRule ^css/tkr\.css$ public/css/tkr.css [L]
+
+# 404 all other static files (images, js, fonts, etc.)
+# so those requests don't hit the PHP app
+# (this is to reduce load on the PHP app from bots and scanners)
+RewriteRule \.(js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|pdf|zip|mp3|mp4|avi|mov)$ - [R=404,L]
+
+# Everything else goes to the front controller
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteCond %{REQUEST_FILENAME} !-d
+RewriteRule ^(.*)$ public/index.php [L]

docker/apache/shared-hosting/docker-compose.yml

@@ -10,7 +10,7 @@ services:
       - ./src:/var/www/html/tkr/src
       - ./storage:/var/www/html/tkr/storage
       - ./templates:/var/www/html/tkr/templates
-      - ./examples/apache/shared-hosting/.htaccess:/var/www/html/tkr/.htaccess
+      - ./docker/apache/shared-hosting/.htaccess:/var/www/html/tkr/.htaccess
     command: >
       bash -c "a2enmod rewrite headers expires &&
                apache2-foreground &&

docker/apache/vps/root/docker-compose.yml

@@ -10,7 +10,7 @@ services:
       - ./src:/var/www/tkr/src
       - ./storage:/var/www/tkr/storage
       - ./templates:/var/www/tkr/templates
-      - ./examples/apache/vps/root/tkr.my-domain.com.conf:/etc/apache2/sites-enabled/tkr.my-domain.com.conf
+      - ./docker/apache/vps/root/tkr.my-domain.com.conf:/etc/apache2/sites-enabled/tkr.my-domain.com.conf
     command: >
       bash -c "a2enmod rewrite headers expires &&
                apache2-foreground &&

docker/apache/vps/root/tkr.my-domain.com.conf

@@ -1,29 +1,13 @@
 # Example Apache VirtualHost
-# for serving tkr as a subdomain root with SSL
+# for serving tkr as a subdomain root without SSL
-# e.g. https://tkr.my-domain.com/
+# e.g. http://tkr.my-domain.com/
 #
-# Use SSL in production.
+# NOTE: Do not use in production.
-# This is a minimal SSL confiuration
+#       This is provided for docker compose
-# For more robust SSL configuration, refer to https://ssl-config.mozilla.org/
+#       (The included docker-compose file will mount it in the container image)
 <VirtualHost *:80>
-    # Replace localhost with your subdomain, e.g. tkr.my-domain.com
     ServerName localhost
     DocumentRoot /var/www/tkr/public
-    # Redirect HTTP to HTTPS
-    Redirect permanent / https://tkr.my-domain.com/
-</VirtualHost>
-
-<VirtualHost *:443>
-    ServerName localhost
-    DocumentRoot /var/www/tkr/public
-
-    # SSL Configuration
-    SSLEngine on
-
-    # Assumes you're using letsencrypt for cert generation
-    # Replace with the actual paths to your cert and key
-    SSLCertificateFile /etc/letsencrypt/live/tkr.my-domain.com/fullchain.pem
-    SSLCertificateKeyFile /etc/letsencrypt/live/tkr.my-domain.com/privkey.pem
 
     # Security headers
     Header always set X-Frame-Options "SAMEORIGIN"

docker/apache/vps/subfolder/docker-compose.yml

@@ -10,7 +10,7 @@ services:
       - ./src:/var/www/tkr/src
       - ./storage:/var/www/tkr/storage
       - ./templates:/var/www/tkr/templates
-      - ./examples/apache/vps/subfolder/my-domain.com.conf:/etc/apache2/sites-enabled/my-domain.com.conf
+      - ./docker/apache/vps/subfolder/my-domain.com.conf:/etc/apache2/sites-enabled/my-domain.com.conf
     command: >
       bash -c "a2enmod rewrite headers expires &&
                a2dissite 000-default &&

docker/apache/vps/subfolder/my-domain.com.conf

@@ -1,30 +1,13 @@
 # Example Apache VirtualHost
-# for serving tkr as a subdirectory path with SSL
+# for serving tkr as a subdirectory path without SSL
-# e.g. https://www.my-domain.com/tkr
+# e.g. http://www.my-domain.com/tkr
 #
-# Use SSL in production.
+# NOTE: Do not use in production.
-# This is a minimal SSL confiuration
+#       This is provided for docker compose
-# For more robust SSL configuration, refer to https://ssl-config.mozilla.org/
+#       (The included docker-compose file will mount it in the container image)
 <VirtualHost *:80>
-    # Replace localhost with your subdomain, e.g. tkr.my-domain.com
     ServerName localhost
     DocumentRoot /var/www/html
-    # Redirect HTTP to HTTPS
-    Redirect permanent / https://my-domain.com/
-</VirtualHost>
-
-<VirtualHost *:443>
-    # Replace localhost with your subdomain, e.g. tkr.my-domain.com
-    ServerName localhost
-    DocumentRoot /var/www/html
-
-    # SSL Configuration
-    SSLEngine on
-
-    # Assumes you're using letsencrypt for cert generation
-    # Replace with the actual paths to your cert and key
-    SSLCertificateFile /etc/letsencrypt/live/my-domain.com/fullchain.pem
-    SSLCertificateKeyFile /etc/letsencrypt/live/my-domain.com/privkey.pem
 
     # Security headers
     Header always set X-Frame-Options "SAMEORIGIN"

docker/nginx/root/docker-compose.yml

@@ -6,7 +6,7 @@ services:
       - "80:80"
     volumes:
       - ./public:/var/www/tkr/public
-      - ./examples/nginx/root/nginx.conf:/etc/nginx/conf.d/default.conf
+      - ./docker/nginx/root/nginx.conf:/etc/nginx/conf.d/default.conf
     depends_on:
       - php
     restart: unless-stopped

docker/nginx/root/nginx.conf

@@ -1,23 +1,14 @@
 # Example nginx config
-# for serving tkr as a subdomain with SSL
+# for serving tkr as a subdomain without SSL
-# e.g. https://tkr.my-domain.com/
+# e.g. http://tkr.my-domain.com/
 #
-# Use SSL in production.
+# NOTE: Do not use in production.
-# This is a minimal SSL confiuration
+#       This is provided for docker compose
-# For more robust SSL configuration, refer to https://ssl-config.mozilla.org/
+#       (The included docker-compose file will mount it in the container image)
 server {
-    listen 443 ssl;
+    listen 80;
-    listen [::]:443 ssl;
-
-    # replace localhost with your subdomain
-    # e.g. tkr.my-domain.com
     server_name localhost;
 
-    # Assumes you're using letsencrypt for cert generation
-    # Replace with the actual paths to your cert and key
-    ssl_certificate /etc/letsencrypt/live/tkr.my-domain.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/tkr.my-domain.com/privkey.pem;
-
     root /var/www/tkr/public;
     index index.php;
 
@@ -44,7 +35,16 @@ server {
         # I've excluded /css/custom so that requests for uploaded css can be handled by the PHP app.
         # That lets me store uploaded content outside of the document root,
         # so it isn't served directly.
-        location ~* ^/(?!css/custom/).+\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+
+        # CSS files - 1 hour cache
+        location ~* ^/(?!css/custom/).+\.css$ {
+            expires 1h;
+            add_header Cache-Control "public";
+            try_files $uri =404;
+        }
+
+        # Other static assets - 1 year cache
+        location ~* ^/.+\.(js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
             expires 1y;
             add_header Cache-Control "public, immutable";
             try_files $uri =404;
@@ -98,10 +98,3 @@ server {
         return 404;
     }
 }
-
-server {
-    listen 80 default_server;
-    listen [::]:80 default_server;
-
-    return 301 https://$host$request_uri;
-}

docker/nginx/subfolder/docker-compose.yml

@@ -6,7 +6,7 @@ services:
       - "80:80"
     volumes:
       - ./public:/var/www/tkr/public
-      - ./examples/nginx/subfolder/nginx.conf:/etc/nginx/conf.d/default.conf
+      - ./docker/nginx/subfolder/nginx.conf:/etc/nginx/conf.d/default.conf
     depends_on:
       - php
     restart: unless-stopped

docker/nginx/subfolder/nginx.conf

@@ -1,16 +1,16 @@
 # Example nginx config
-# for serving tkr as a subdfolder with SSL
+# for serving tkr as a subdfolder without SSL
-# e.g. https://my-domain.com/tkr
+# e.g. http://my-domain.com/tkr
 #
-# Use SSL in production.
+# NOTE: Do not use in production.
-# This is a minimal SSL confiuration
+#       This is provided for docker compose
-# For more robust SSL configuration, refer to https://ssl-config.mozilla.org/
+#       (The included docker-compose file will mount it in the container image)
 server {
-    listen 443 ssl;
+    listen 80 default_server;
-    listen [::]:443 ssl;
+    listen [::]:80 default_server;
 
-    # Replace localhost with your domain
+    # replace localhost with your subdomain
-    # e.g. my-domain.com
+    # e.g. tkr.my-domain.com
     server_name localhost;
 
     root /var/www/html;
@@ -42,7 +42,16 @@ server {
         # I've excluded /css/custom so that requests for uploaded css can be handled by the PHP app.
         # That lets me store uploaded content outside of the document root,
         # so it isn't served directly.
-        location ~* ^/tkr/(?!css/custom/).+\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+
+        # CSS files - 1 hour cache
+        location ~* ^/tkr/(?!css/custom/).+\.css$ {
+            expires 1h;
+            add_header Cache-Control "public";
+            try_files $uri =404;
+        }
+
+        # Other static assets - 1 year cache
+        location ~* ^/tkr/.+\.(js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
             expires 1y;
             add_header Cache-Control "public, immutable";
             try_files $uri =404;
@@ -89,11 +98,4 @@ server {
         deny all;
         return 404;
     }
-}
+}
-
-server {
-    listen 80 default_server;
-    listen [::]:80 default_server;
-
-    return 301 https://$host$request_uri;
-}

examples/apache/vps/root/tkr.my-domain.com.conf

@@ -1,14 +1,32 @@
 # Example Apache VirtualHost
-# for serving tkr as a subdomain root without SSL
+# for serving tkr as a subdomain root with SSL
-# e.g. http://tkr.my-domain.com/
+# e.g. https://tkr.my-domain.com/
 #
-# NOTE: Do not use in production.
+# Use SSL in production.
-#       This is provided for docker compose
+# This is a minimal SSL confiuration
-#       (The included docker-compose file will mount it in the container image)
+# For more robust SSL configuration, refer to https://ssl-config.mozilla.org/
 <VirtualHost *:80>
-    # Replace localhost with your subdomain, e.g. tkr.my-domain.com
+    # CONFIG: Replace localhost with your subdomain, e.g. tkr.my-domain.com
     ServerName localhost
+    # CONFIG: Replace localhost with your subdomain, e.g. tkr.my-domain.com
     DocumentRoot /var/www/tkr/public
+    # Redirect HTTP to HTTPS
+    Redirect permanent / https://tkr.my-domain.com/
+</VirtualHost>
+
+<VirtualHost *:443>
+    # CONFIG: Replace localhost with your subdomain, e.g. tkr.my-domain.com
+    ServerName localhost
+    # CONFIG: Replace localhost with your subdomain, e.g. tkr.my-domain.com
+    DocumentRoot /var/www/tkr/public
+
+    # SSL Configuration
+    SSLEngine on
+
+    # Assumes you're using letsencrypt for cert generation
+    # Replace with the actual paths to your cert and key
+    SSLCertificateFile /etc/letsencrypt/live/tkr.my-domain.com/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/tkr.my-domain.com/privkey.pem
 
     # Security headers
     Header always set X-Frame-Options "SAMEORIGIN"

examples/apache/vps/subfolder/my-domain.com.conf

@@ -1,14 +1,32 @@
 # Example Apache VirtualHost
-# for serving tkr as a subdirectory path without SSL
+# for serving tkr as a subdirectory path with SSL
-# e.g. http://www.my-domain.com/tkr
+# e.g. https://www.my-domain.com/tkr
 #
-# NOTE: Do not use in production.
+# Use SSL in production.
-#       This is provided for docker compose
+# This is a minimal SSL confiuration
-#       (The included docker-compose file will mount it in the container image)
+# For more robust SSL configuration, refer to https://ssl-config.mozilla.org/
 <VirtualHost *:80>
-    # Replace localhost with your subdomain, e.g. tkr.my-domain.com
+    # CONFIG: Replace localhost with your subdomain, e.g. tkr.my-domain.com
     ServerName localhost
-    DocumentRoot /var/www/html
+    # CONFIG: Replace  with your subdomain, e.g. tkr.my-domain.com
+    DocumentRoot /var/www/tkr
+    # Redirect HTTP to HTTPS
+    Redirect permanent / https://my-domain.com/
+</VirtualHost>
+
+<VirtualHost *:443>
+    # CONFIG: Replace localhost with your subdomain, e.g. tkr.my-domain.com
+    ServerName localhost
+    # CONFIG: Replace  with your subdomain, e.g. tkr.my-domain.com
+    DocumentRoot /var/www/tkr/
+
+    # SSL Configuration
+    SSLEngine on
+
+    # Assumes you're using letsencrypt for cert generation
+    # Replace with the actual paths to your cert and key
+    SSLCertificateFile /etc/letsencrypt/live/my-domain.com/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/my-domain.com/privkey.pem
 
     # Security headers
     Header always set X-Frame-Options "SAMEORIGIN"

examples/nginx/root/nginx.conf

@@ -1,19 +1,28 @@
 # Example nginx config
-# for serving tkr as a subdomain without SSL
+# for serving tkr as a subdomain with SSL
-# e.g. http://tkr.my-domain.com/
+# e.g. https://tkr.my-domain.com/
 #
-# NOTE: Do not use in production.
+# Use SSL in production.
-#       This is provided for docker compose
+# This is a minimal SSL confiuration
-#       (The included docker-compose file will mount it in the container image)
+# For more robust SSL configuration, refer to https://ssl-config.mozilla.org/
 server {
-    listen 80;
+    listen 443 ssl;
-    # replace localhost with your subdomain
+    listen [::]:443 ssl;
-    # e.g. tkr.my-domain.com
+
+    # CONFIG: replace "localhost" with your subdomain (e.g. tkr.my-domain.com)
     server_name localhost;
 
+    # CONFIG:
+    # replace "/var/www/tkr" with the directory you extracted the .zip file to (if different)
     root /var/www/tkr/public;
     index index.php;
 
+    # CONFIG:
+    # Assumes you're using letsencrypt for cert generation
+    # Replace with the actual paths to your cert and key
+    ssl_certificate /etc/letsencrypt/live/tkr.my-domain.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/tkr.my-domain.com/privkey.pem;
+
     # Security headers
     # The first rule is to prevent including in a frame on a different domain.
     # Remove it if you want to do that.
@@ -37,16 +46,7 @@ server {
         # I've excluded /css/custom so that requests for uploaded css can be handled by the PHP app.
         # That lets me store uploaded content outside of the document root,
         # so it isn't served directly.
-
+        location ~* ^/(?!css/custom/).+\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
-        # CSS files - 1 hour cache
-        location ~* ^/(?!css/custom/).+\.css$ {
-            expires 1h;
-            add_header Cache-Control "public";
-            try_files $uri =404;
-        }
-
-        # Other static assets - 1 year cache
-        location ~* ^/.+\.(js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
             expires 1y;
             add_header Cache-Control "public, immutable";
             try_files $uri =404;
@@ -57,10 +57,14 @@ server {
         # But if someone tries to directly access index.php, that file will throw a 404
         # so bots and scanners can't tell this is a php app
         location = /index.php {
+            # CONFIG:
             # If you're running php-fpm on the same server as nginx,
             # then change this to the local php-fpm socket
             # e.g. fastcgi_pass unix:/run/php/php8.2-fpm.sock;
             fastcgi_pass php:9000;
+
+            # CONFIG:
+            # replace "/var/www/tkr" with the directory you extracted the .zip file to (if different)
             fastcgi_param SCRIPT_FILENAME /var/www/tkr/public/index.php;
             include fastcgi_params;
 
@@ -82,10 +86,14 @@ server {
 
     # Fallback for /tkr routing - all non-file requests (e.g. /login) go to index.php
     location @tkr_fallback {
+        # CONFIG:
         # If you're running php-fpm on the same server as nginx,
         # then change this to the local php-fpm socket
         # e.g. fastcgi_pass unix:/run/php/php8.2-fpm.sock;
         fastcgi_pass php:9000;
+
+        # CONFIG:
+        # replace "/var/www/tkr" with the directory you extracted the .zip file to (if different)
         fastcgi_param SCRIPT_FILENAME /var/www/tkr/public/index.php;
         include fastcgi_params;
 
@@ -100,3 +108,10 @@ server {
         return 404;
     }
 }
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    return 301 https://$host$request_uri;
+}

examples/nginx/subfolder/nginx.conf

@@ -1,20 +1,22 @@
 # Example nginx config
-# for serving tkr as a subdfolder without SSL
+# for serving tkr as a subdfolder with SSL
-# e.g. http://my-domain.com/tkr
+# e.g. https://my-domain.com/tkr
 #
-# NOTE: Do not use in production.
+# Use SSL in production.
-#       This is provided for docker compose
+# This is a minimal SSL confiuration
-#       (The included docker-compose file will mount it in the container image)
+# For more robust SSL configuration, refer to https://ssl-config.mozilla.org/
 server {
-    listen 80 default_server;
+    listen 443 ssl;
-    listen [::]:80 default_server;
+    listen [::]:443 ssl;
 
-    # replace localhost with your subdomain
+    # CONFIG: Replace localhost with your domain e.g. my-domain.com
-    # e.g. tkr.my-domain.com
     server_name localhost;
 
-    root /var/www/html;
+    # CONFIG:
-    index index.html;
+    # Assumes you're using letsencrypt for cert generation
+    # Replace with the actual paths to your cert and key
+    ssl_certificate /etc/letsencrypt/live/my-domain.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/my-domain.com/privkey.pem;
 
     # Security headers
     # The first rule is to prevent including in a frame on a different domain.
@@ -32,6 +34,8 @@ server {
 
     # PHP routing - everything under /tkr goes through index.php
     location /tkr {
+        # CONFIG:
+        # replace "/var/www/tkr" with the directory you extracted the .zip file to (if different)
         alias /var/www/tkr/public;
         index index.php;
 
@@ -42,16 +46,7 @@ server {
         # I've excluded /css/custom so that requests for uploaded css can be handled by the PHP app.
         # That lets me store uploaded content outside of the document root,
         # so it isn't served directly.
-
+        location ~* ^/tkr/(?!css/custom/).+\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
-        # CSS files - 1 hour cache
-        location ~* ^/tkr/(?!css/custom/).+\.css$ {
-            expires 1h;
-            add_header Cache-Control "public";
-            try_files $uri =404;
-        }
-
-        # Other static assets - 1 year cache
-        location ~* ^/tkr/.+\.(js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
             expires 1y;
             add_header Cache-Control "public, immutable";
             try_files $uri =404;
@@ -62,7 +57,14 @@ server {
         # But if someone tries to directly access index.php, that file will throw a 404
         # so bots and scanners can't tell this is a php app
         location = /tkr/index.php {
+            # CONFIG:
+            # If you're running php-fpm on the same server as nginx,
+            # then change this to the local php-fpm socket
+            # e.g. fastcgi_pass unix:/run/php/php8.2-fpm.sock;
             fastcgi_pass php:9000;
+
+            # CONFIG:
+            # replace "/var/www/tkr" with the directory you extracted the .zip file to (if different)
             fastcgi_param SCRIPT_FILENAME /var/www/tkr/public/index.php;
             include fastcgi_params;
 
@@ -84,7 +86,15 @@ server {
 
     # Fallback for /tkr routing - all non-file requests (e.g. /login) go to index.php
     location @tkr_fallback {
+        # CONFIG:
+        # If you're running php-fpm on the same server as nginx,
+        # then change this to the local php-fpm socket
+        # e.g. fastcgi_pass unix:/run/php/php8.2-fpm.sock;
         fastcgi_pass php:9000;
+
+        # CONFIG:
+        # replace "/var/www/tkr" with the directory you extracted the .zip file to (if different)
+        fastcgi_param SCRIPT_FILENAME /var/www/tkr/public/index.php;
         fastcgi_param SCRIPT_FILENAME /var/www/tkr/public/index.php;
         include fastcgi_params;
 
@@ -98,4 +108,11 @@ server {
         deny all;
         return 404;
     }
-}
+}
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    return 301 https://$host$request_uri;
+}