add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
# Docker produktiv
|
|
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
Letzte Aktualisierung: 2026-03-03
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
|
|
|
|
|
## Ziel
|
|
|
|
|
|
|
|
|
|
Diese Anleitung beschreibt den Betrieb mit Domain auf Basis von `/docker-compose.prod.yml`.
|
|
|
|
|
|
|
|
|
|
## Voraussetzungen
|
|
|
|
|
|
|
|
|
|
- DNS zeigt auf den Server (`A/AAAA`)
|
|
|
|
|
- Ports `80` und `443` sind offen
|
|
|
|
|
- TLS-Zertifikate vorhanden
|
|
|
|
|
|
|
|
|
|
## Produktionsdateien
|
|
|
|
|
|
|
|
|
|
- Compose: `/docker-compose.prod.yml`
|
|
|
|
|
- Nginx: `/docker/nginx/prod.conf`
|
|
|
|
|
- PHP: `/docker/php/php.prod.ini`
|
|
|
|
|
- ENV-Vorlage: `/.env.prod.example`
|
|
|
|
|
|
|
|
|
|
## 1) Umgebung vorbereiten
|
|
|
|
|
|
|
|
|
|
`.env` auf Produktionswerte setzen:
|
|
|
|
|
|
|
|
|
|
- `APP_URL=https://deine-domain.tld`
|
|
|
|
|
- `APP_ENV=prod`
|
|
|
|
|
- `APP_DEBUG=false`
|
|
|
|
|
- stabile `APP_CRYPTO_KEY`
|
|
|
|
|
- starke DB/SMTP-Passwörter
|
|
|
|
|
|
|
|
|
|
## 2) Nginx auf Domain/TLS setzen
|
|
|
|
|
|
|
|
|
|
In `/docker/nginx/prod.conf`:
|
|
|
|
|
|
|
|
|
|
- `server_name` auf echte Domain(s) anpassen
|
|
|
|
|
|
|
|
|
|
Zertifikate ablegen:
|
|
|
|
|
|
|
|
|
|
- `/docker/nginx/certs/fullchain.pem`
|
|
|
|
|
- `/docker/nginx/certs/privkey.pem`
|
|
|
|
|
|
2026-03-04 15:56:58 +01:00
|
|
|
### Security Header Baseline
|
|
|
|
|
|
|
|
|
|
Die produktive Nginx-Konfiguration setzt folgende Header serverseitig:
|
|
|
|
|
|
|
|
|
|
- `X-Content-Type-Options: nosniff`
|
|
|
|
|
- `X-Frame-Options: SAMEORIGIN`
|
|
|
|
|
- `Referrer-Policy: strict-origin-when-cross-origin`
|
|
|
|
|
- `Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()`
|
|
|
|
|
- `X-Permitted-Cross-Domain-Policies: none`
|
|
|
|
|
- `Strict-Transport-Security: max-age=31536000`
|
|
|
|
|
|
|
|
|
|
Hinweise:
|
|
|
|
|
|
|
|
|
|
- HSTS wird nur im HTTPS-Serverblock gesetzt.
|
|
|
|
|
- `includeSubDomains` und `preload` sind absichtlich nicht gesetzt.
|
|
|
|
|
|
add composer-unused, comprehensive docs, and project restructure
- Add icanhazstring/composer-unused as dev dependency for dependency hygiene checks
- Add German documentation (docs/) covering architecture, conventions, workflows, and developer checklists
- Add API layer (ApiAuth, ApiBootstrap, ApiResponse), audit, scheduler, custom fields, and SSO services
- Add Microsoft OIDC SSO, API token management, and user lifecycle features
- Add swagger-ui vendor integration and OpenAPI spec
- Add production Docker setup and bin/ scripts
- Update composer dependencies, config, templates, and frontend assets throughout
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-22 15:27:35 +01:00
|
|
|
## 3) Produktion starten
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
docker compose -f docker-compose.prod.yml up --build -d
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Konfiguration validieren:
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
docker compose -f docker-compose.prod.yml config
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## 4) Betrieb prüfen
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
docker compose -f docker-compose.prod.yml logs -f nginx php scheduler
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Prüfen:
|
|
|
|
|
|
|
|
|
|
- App über `https://...` erreichbar
|
|
|
|
|
- Login funktioniert
|
|
|
|
|
- Scheduler läuft minütlich (Logausgaben)
|
|
|
|
|
|
|
|
|
|
## 5) Bestandssysteme
|
|
|
|
|
|
|
|
|
|
Bei bestehender Datenbank:
|
|
|
|
|
|
|
|
|
|
- idempotentes SQL-Update manuell ausführen
|
|
|
|
|
(Auto-Init über `db/init/init.sql` greift nur beim ersten DB-Setup)
|
|
|
|
|
|
|
|
|
|
## Hinweise
|
|
|
|
|
|
|
|
|
|
- `phpmyadmin` ist in Prod absichtlich nicht enthalten.
|
|
|
|
|
- Wenn ein externer Reverse-Proxy TLS terminiert, kann `prod.conf` auf HTTP intern reduziert werden; `APP_URL` bleibt trotzdem `https://...`.
|