From f054ad762aa5cb18cfe64fec166afe846c023415 Mon Sep 17 00:00:00 2001
From: Tom Shortall
Date: Thu, 3 Oct 2019 14:58:30 +0100
Subject: [PATCH 1/6] add document for self-hosting
---
docs/self-hosting.md | 88 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 88 insertions(+)
create mode 100644 docs/self-hosting.md
diff --git a/docs/self-hosting.md b/docs/self-hosting.md
new file mode 100644
index 000000000..8aeac8f93
--- /dev/null
+++ b/docs/self-hosting.md
@@ -0,0 +1,88 @@
+---
+title: Documentation
+permalink: /
+description: A Jekyll plugin that provides users with a traditional CMS-style graphical interface to author content and administer Jekyll sites. The project is divided into two parts. A Ruby-based HTTP API that handles Jekyll and filesystem operations, and a Javascript-based front end, built on that API.
+---
+## Running in production
+
+If you are self-hosting a jekyll site and you want to use jekyll-admin as your front-end
+then you can run it behind a nginx reverse proxy.
+
+In this example
+- we have a dedicated user `jekyll`.
+- `GEM_HOME=/home/jekyll/gems`
+- jekyll site at `/home/jekyll/example`
+- generated content in `/home/jekyll/example/_site`
+
+nginx config:
+
+```nginx
+server {
+ listen 80;
+
+ server_name www.example.com;
+ root /hoem/jekyll/example/_site;
+
+ location ^~ /admin {
+ auth_basic "Administration";
+ auth_basic_user_file /etc/nginx/htpasswd;
+
+ proxy_pass http://127.0.0.1:4000/admin;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $http_host;
+ }
+
+ location ^~ /_api {
+ auth_basic "Administration";
+ auth_basic_user_file /etc/nginx/htpasswd;
+
+ proxy_pass http://127.0.0.1:4000/_api;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $http_host;
+ }
+```
+
+systemd unit file - tested on Ubuntu 18.04
+
+```systemd
+[Unit]
+Description=example.com
+Requires=network.target
+
+[Service]
+Type=simple
+User=jekyll
+Group=jekyll
+WorkingDirectory=/home/jekyll/example
+ExecStart=/home/jekyll/gems/bin/bundle exec /home/jekyll/gems/bin/jekyll serve -V --trace
+TimeoutSec=30
+RestartSec=15s
+Restart=always
+
+Environment=GEM_HOME=/home/jekyll/gems
+
+# security settings - recommended
+# NoNewPrivileges=yes
+# PrivateTmp=yes
+# 
PrivateDevices=yes +# DevicePolicy=closed +# ProtectSystem=strict +# ReadWritePaths=/home/jekyll/example +# #ReadOnlyPaths= +# ProtectControlGroups=yes +# ProtectKernelModules=yes +# ProtectKernelTunables=yes +# RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +# RestrictRealtime=yes +# RestrictNamespaces=yes + +[Install] +WantedBy=multi-user.target +``` + From 3a53a3fd2779beb065938af4b2430472ba918416 Mon Sep 17 00:00:00 2001 From: Tom Shortall Date: Thu, 3 Oct 2019 15:20:27 +0100 Subject: [PATCH 2/6] fixes --- docs/_includes/sidebar.html | 1 + docs/self-hosting.md | 11 ++++++----- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/docs/_includes/sidebar.html b/docs/_includes/sidebar.html index ae315b1d0..a3d580074 100644 --- a/docs/_includes/sidebar.html +++ b/docs/_includes/sidebar.html @@ -26,6 +26,7 @@
  • Architecture
  • Development
  • +
  • Self Hosting
  • diff --git a/docs/self-hosting.md b/docs/self-hosting.md index 8aeac8f93..28a275b56 100644 --- a/docs/self-hosting.md +++ b/docs/self-hosting.md @@ -1,9 +1,10 @@ --- -title: Documentation -permalink: / -description: A Jekyll plugin that provides users with a traditional CMS-style graphical interface to author content and administer Jekyll sites. The project is divided into two parts. A Ruby-based HTTP API that handles Jekyll and filesystem operations, and a Javascript-based front end, built on that API. +title: Self Hosting +permalink: /self-hosting +description: Example configuration files for self-hosting jekyll-admin --- -## Running in production + +## Self-hosting If you are self-hosting a jekyll site and you want to use jekyll-admin as your front-end then you can run it behind a nginx reverse proxy. @@ -50,7 +51,7 @@ server { systemd unit file - tested on Ubuntu 18.04 -```systemd +``` [Unit] Description=example.com Requires=network.target From 4102e8afb7357533b19845ddbf021894db86804a Mon Sep 17 00:00:00 2001 From: Tom Shortall Date: Thu, 3 Oct 2019 16:33:02 +0100 Subject: [PATCH 3/6] code review --- docs/self-hosting.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/self-hosting.md b/docs/self-hosting.md index 28a275b56..1f337091c 100644 --- a/docs/self-hosting.md +++ b/docs/self-hosting.md @@ -22,7 +22,7 @@ server { listen 80; server_name www.example.com; - root /hoem/jekyll/example/_site; + root /home/jekyll/example/_site; location ^~ /admin { auth_basic "Administration"; @@ -61,7 +61,7 @@ Type=simple User=jekyll Group=jekyll WorkingDirectory=/home/jekyll/example -ExecStart=/home/jekyll/gems/bin/bundle exec /home/jekyll/gems/bin/jekyll serve -V --trace +ExecStart=/home/jekyll/gems/bin/bundle exec /home/jekyll/gems/bin/jekyll serve --verbose --trace TimeoutSec=30 RestartSec=15s Restart=always From 856278047cc3627849129c3a8a440a508c72d604 Mon Sep 17 00:00:00 2001 
From: Tom Shortall Date: Thu, 3 Oct 2019 18:47:40 +0100 Subject: [PATCH 4/6] figured out how to get it working with a regex --- docs/self-hosting.md | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/docs/self-hosting.md b/docs/self-hosting.md index 1f337091c..bae5a602d 100644 --- a/docs/self-hosting.md +++ b/docs/self-hosting.md @@ -24,29 +24,18 @@ server { server_name www.example.com; root /home/jekyll/example/_site; - location ^~ /admin { + location ~ ^/(admin|_api)(/.*)? { auth_basic "Administration"; auth_basic_user_file /etc/nginx/htpasswd; - proxy_pass http://127.0.0.1:4000/admin; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - } - - location ^~ /_api { - auth_basic "Administration"; - auth_basic_user_file /etc/nginx/htpasswd; - - proxy_pass http://127.0.0.1:4000/_api; + proxy_pass http://127.0.0.1:4000/$1$2; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $http_host; } +} ``` systemd unit file - tested on Ubuntu 18.04 From ff00db090f0c77a938120138d07746a800eceffb Mon Sep 17 00:00:00 2001 From: Tom Shortall Date: Thu, 3 Oct 2019 23:22:38 +0100 Subject: [PATCH 5/6] clarify versions of OS and services --- docs/self-hosting.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/self-hosting.md b/docs/self-hosting.md index bae5a602d..3c82ecedf 100644 --- a/docs/self-hosting.md +++ b/docs/self-hosting.md @@ -15,6 +15,8 @@ In this example - jekyll site at `/home/jekyll/example` - generated content in `/home/jekyll/example/_site` +This was tested on Ubuntu 19.04 using nginx 1.17.4 and systemd 237. + nginx config: ```nginx @@ -38,7 +40,7 @@ server { } ``` -systemd unit file - tested on Ubuntu 18.04 +systemd service file: ``` [Unit] 
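Review bot: The new `proxy_pass http://127.0.0.1:4000/$1$2;` inside `location ~ ^/(admin|_api)(/.*)?` rebuilds the upstream URI from the regex captures. When `proxy_pass` contains variables, nginx sends that URI as written, so the original request's query string is dropped, and the captures come from the decoded, normalised path. Writing `proxy_pass http://127.0.0.1:4000;` with no URI part forwards the original request URI unchanged and needs no captures. The pattern is also not anchored at the end, so a path such as `/adminx` matches and is proxied as `/admin`; `location ~ ^/(admin|_api)(/|$) {` limits the block to the two intended prefixes.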
@@ -75,4 +77,3 @@ Environment=GEM_HOME=/home/jekyll/gems [Install] WantedBy=multi-user.target ``` - From b8ab593d76b458072d4ed101a8d2dd53771d4d5c Mon Sep 17 00:00:00 2001 From: Tom Shortall Date: Thu, 3 Oct 2019 23:35:52 +0100 Subject: [PATCH 6/6] improve doc --- docs/self-hosting.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/self-hosting.md b/docs/self-hosting.md index 3c82ecedf..2f8743cf7 100644 --- a/docs/self-hosting.md +++ b/docs/self-hosting.md @@ -6,14 +6,17 @@ description: Example configuration files for self-hosting jekyll-admin ## Self-hosting -If you are self-hosting a jekyll site and you want to use jekyll-admin as your front-end -then you can run it behind a nginx reverse proxy. +If you are self-hosting a jekyll site and you want to use jekyll-admin as front-end +which is accessible over the internet then you can run it behind a nginx reverse proxy. In this example - we have a dedicated user `jekyll`. - `GEM_HOME=/home/jekyll/gems` -- jekyll site at `/home/jekyll/example` +- jekyll install at `/home/jekyll/example` - generated content in `/home/jekyll/example/_site` +- domain is www.example.com +- jekyll-admin interface is available at http://www.example.com/admin +- [HTTP basic authentication](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/) is used to protect the admin interface This was tested on Ubuntu 19.04 using nginx 1.17.4 and systemd 237.
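Review bot: The added bullets describe the admin interface as reachable over the internet at `http://www.example.com/admin` and protected by HTTP basic authentication, yet the nginx example introduced in PATCH 1/6 only has `listen 80;`. Basic auth merely base64-encodes the password, so over plain HTTP the credentials and every edit sent through `/admin` and `/_api` cross the network unencrypted. I would change the example to a `listen 443 ssl;` server with a certificate and point the URL bullet at `https://www.example.com/admin`. At a minimum, add a bullet such as `- serve the site over HTTPS in production; basic authentication over plain HTTP exposes the password`. The nginx block itself lies outside this hunk's context, so the config change belongs with the earlier hunk.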