auto-save 2026-05-15 15:21 (+1, ~9)

2026-05-15 15:21:20 +08:00
parent 7ee9ea2303
commit f7cc49a455
10 changed files with 540 additions and 24 deletions


@@ -32,11 +32,14 @@ cp deploy/.env.production.example deploy/.env.production
Fill `deploy/.env.production` with the real production keys. Keep this file out of git.
Create the production login file. Replace the username and password as needed:
Create the production web login values in `deploy/.env.production`. Replace the password as needed and keep the session secret private:
```bash
printf 'skg:%s\n' "$(openssl passwd -apr1 'change-this-password')" > deploy/.htpasswd
chmod 644 deploy/.htpasswd
WEB_AUTH_USERNAME=skg
WEB_AUTH_PASSWORD=change-this-password
WEB_AUTH_SESSION_SECRET=$(openssl rand -hex 32)
WEB_AUTH_COOKIE_NAME=skg_marketing_session
WEB_AUTH_COOKIE_SECURE=true
```
Then start:
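Review bot: In the env block, `WEB_AUTH_SESSION_SECRET=$(openssl rand -hex 32)` is presented as a line for `deploy/.env.production`, but that file is loaded with `--env-file` rather than run through a shell, so the command substitution is never executed and the value will not be the random 32 bytes the text intends. Suggest telling the reader to run `openssl rand -hex 32` in a terminal and paste the output as the value, and dropping the `bash` tag on the fence since the block is file content, not commands. Separately, `WEB_AUTH_PASSWORD=change-this-password` keeps the password in cleartext where the `.htpasswd` line it replaces stored an `openssl passwd -apr1` hash; consider storing a hash instead, or at least having the API refuse to start while the placeholder value is still set.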
@@ -49,7 +52,8 @@ Verify:
```bash
curl -I https://marketing.skg.com
curl https://marketing.skg.com/api/health
curl -I https://marketing.skg.com/login/
curl -i https://marketing.skg.com/api/health
docker compose -f docker-compose.prod.yml ps
```
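Review bot: The two changed `curl` lines do not say what a passing response looks like, and `curl -i https://marketing.skg.com/api/health` is sent without a session cookie, which per the Runtime Notes in this same commit gets a JSON 401 from `/api/`. Suggest documenting the expected status for each command (for example, that a 401 on `/api/health` is the pass condition here) and adding one request to a workspace route to confirm it redirects to `/login/` when unauthenticated, so the check exercises the new gate and not only the public page.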
@@ -64,7 +68,7 @@ docker compose -f docker-compose.prod.yml --env-file deploy/.env.production up -
## Runtime Notes
- `web` is a static Next export served by Nginx.
- `web` requires Nginx Basic Auth for the whole site and then proxies `/api/` to `skg-marketing-api:4291`; avoid the generic hostname `api` because the web container also joins the shared Coolify network.
- `web` exposes `/login/` publicly. All workspace routes redirect to `/login/` until the FastAPI session cookie passes Nginx `auth_request`; `/api/` returns JSON 401 when unauthenticated and then proxies to `skg-marketing-api:4291` after login.
- `api` is only on the internal project network and stores jobs under `/data/jobs`.
- Server-side job files persist in `./data/jobs` on the VPS.
- Large uploads are allowed up to `2g` at the Nginx proxy layer.
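Review bot: The rewritten `web` bullet says `/api/` returns JSON 401 when unauthenticated but does not say how the login request itself reaches FastAPI, so a reader cannot tell which path is exempt from `auth_request`. Suggest naming that endpoint and stating that it is the only exemption. Because `/login/` is now public where Basic Auth previously covered the whole site, the notes should also say whether login attempts are rate limited (for example with Nginx `limit_req`) and confirm that the `2g` upload path sits behind `auth_request`.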