# Production Deployment Guide

## Pre-Deployment Checklist

### 1. Environment Configuration

**Update .env for production:**

```env
APP_NAME="QR Generator - Internal System"
APP_ENV=production
APP_DEBUG=false
APP_URL=https://qr.company.com

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=qr_generator
DB_USERNAME=qr_user
DB_PASSWORD=STRONG_RANDOM_PASSWORD

SESSION_LIFETIME=480
SESSION_SECURE=true
SESSION_HTTP_ONLY=true
SESSION_SAME_SITE=strict

STORAGE_DRIVER=local

ALLOWED_IPS=
REQUIRE_VPN=false

AUDIT_LOG_ENABLED=true
ANALYTICS_ENABLED=true

COMPANY_NAME="Your Company Name"
COMPANY_LOGO_URL=/assets/logo.png
```

### 2. Security Hardening

**Change Default Credentials:**
```sql
-- Login to system and change admin password immediately
-- Or update directly in database:
UPDATE users 
SET password = '$2y$10$YOUR_NEW_HASHED_PASSWORD' 
WHERE email = 'admin@company.internal';
```

**Set Strong Database Password:**
```sql
ALTER USER 'qr_user'@'localhost' IDENTIFIED BY 'STRONG_RANDOM_PASSWORD';
FLUSH PRIVILEGES;
```

**Configure IP Restrictions (Optional):**
```env
# In .env, add allowed IPs (comma-separated)
ALLOWED_IPS=192.168.1.100,192.168.1.101,10.0.0.0/24
```

### 3. SSL/HTTPS Setup

**For Nginx:**

```nginx
server {
    listen 80;
    server_name qr.company.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name qr.company.com;
    
    ssl_certificate /etc/ssl/certs/qr.company.com.crt;
    ssl_certificate_key /etc/ssl/private/qr.company.com.key;
    
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    
    root /var/www/qr-generator/public;
    index index.php;
    
    # Security Headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
        
        # Security
        fastcgi_hide_header X-Powered-By;
    }
    
    location ~ /\.(?!well-known).* {
        deny all;
    }
    
    # Deny access to sensitive files
    location ~ /(\.env|composer\.json|composer\.lock|\.git) {
        deny all;
    }
    
    # Cache static assets
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";
    }
}
```

**For Apache:**

```apache
<VirtualHost *:80>
    ServerName qr.company.com
    Redirect permanent / https://qr.company.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName qr.company.com
    DocumentRoot /var/www/qr-generator/public
    
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/qr.company.com.crt
    SSLCertificateKeyFile /etc/ssl/private/qr.company.com.key
    
    <Directory /var/www/qr-generator/public>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    
    # Security Headers
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    
    ErrorLog ${APACHE_LOG_DIR}/qr-error.log
    CustomLog ${APACHE_LOG_DIR}/qr-access.log combined
</VirtualHost>
```

### 4. File Permissions

```bash
# Set ownership
sudo chown -R www-data:www-data /var/www/qr-generator

# Set directory permissions
sudo find /var/www/qr-generator -type d -exec chmod 755 {} \;

# Set file permissions
sudo find /var/www/qr-generator -type f -exec chmod 644 {} \;

# Storage needs write access
sudo chmod -R 775 /var/www/qr-generator/storage
sudo chown -R www-data:www-data /var/www/qr-generator/storage
```

### 5. Database Optimization

```sql
-- Add indexes for better performance
ALTER TABLE qr_scans ADD INDEX idx_scanned_at_qr (scanned_at, qr_code_id);
ALTER TABLE audit_logs ADD INDEX idx_created_user (created_at, user_id);

-- Optimize tables
OPTIMIZE TABLE qr_codes;
OPTIMIZE TABLE qr_scans;
OPTIMIZE TABLE audit_logs;
```

---

## Deployment Steps

### Option 1: Manual Deployment

```bash
# 1. Upload files to server
scp -r /local/path/qqr user@server:/var/www/qr-generator

# 2. SSH into server
ssh user@server

# 3. Install dependencies
cd /var/www/qr-generator
composer install --no-dev --optimize-autoloader

# 4. Set permissions
sudo chown -R www-data:www-data storage
sudo chmod -R 775 storage

# 5. Import database
mysql -u qr_user -p qr_generator < database/schema.sql

# 6. Configure environment
cp .env.example .env
nano .env

# 7. Restart web server
sudo systemctl restart nginx
# or
sudo systemctl restart apache2
```

### Option 2: Git Deployment

```bash
# On server
cd /var/www
sudo git clone https://your-repo.git qr-generator
cd qr-generator

# Install dependencies
composer install --no-dev --optimize-autoloader

# Setup environment
cp .env.example .env
nano .env

# Set permissions
sudo chown -R www-data:www-data storage
sudo chmod -R 775 storage

# Import database
mysql -u qr_user -p qr_generator < database/schema.sql

# Restart server
sudo systemctl restart nginx
```

---

## Post-Deployment

### 1. Verify Installation

```bash
# Check PHP version
php -v

# Check web server status
sudo systemctl status nginx
# or
sudo systemctl status apache2

# Check MySQL status
sudo systemctl status mysql

# Test database connection
mysql -u qr_user -p -e "USE qr_generator; SHOW TABLES;"
```

### 2. Test System Functionality

**Checklist:**
- [ ] Access login page via HTTPS
- [ ] Login with admin credentials
- [ ] Create test QR code
- [ ] Download QR code
- [ ] Scan QR code with phone
- [ ] Verify analytics tracking
- [ ] Test multi-link page
- [ ] Check audit logs
- [ ] Create test user
- [ ] Test different roles

### 3. Setup Monitoring

**Error Monitoring:**
```bash
# Monitor error logs
tail -f /var/www/qr-generator/storage/logs/error.log

# Monitor web server logs
tail -f /var/log/nginx/error.log
# or
tail -f /var/log/apache2/error.log
```

**Uptime Monitoring:**
- Use tools like UptimeRobot, Pingdom, or StatusCake
- Monitor: https://qr.company.com

**Disk Space Monitoring:**
```bash
# Check storage usage
du -sh /var/www/qr-generator/storage/qrcodes

# Setup alert when storage > 80%
```

### 4. Backup Strategy

**Database Backup (Daily):**
```bash
#!/bin/bash
# /etc/cron.daily/backup-qr-db

BACKUP_DIR="/backups/qr-generator"
DATE=$(date +%Y%m%d_%H%M%S)

mkdir -p $BACKUP_DIR

mysqldump -u qr_user -p'PASSWORD' qr_generator | gzip > $BACKUP_DIR/qr_db_$DATE.sql.gz

# Keep only last 30 days
find $BACKUP_DIR -name "qr_db_*.sql.gz" -mtime +30 -delete
```

**File Backup (Weekly):**
```bash
#!/bin/bash
# /etc/cron.weekly/backup-qr-files

BACKUP_DIR="/backups/qr-generator"
DATE=$(date +%Y%m%d)

tar -czf $BACKUP_DIR/qr_files_$DATE.tar.gz \
    /var/www/qr-generator/storage/qrcodes \
    /var/www/qr-generator/.env

# Keep only last 12 weeks
find $BACKUP_DIR -name "qr_files_*.tar.gz" -mtime +84 -delete
```

**Make scripts executable:**
```bash
sudo chmod +x /etc/cron.daily/backup-qr-db
sudo chmod +x /etc/cron.weekly/backup-qr-files
```

---

## Maintenance

### Regular Updates

**Update Dependencies:**
```bash
cd /var/www/qr-generator
composer update --no-dev
sudo systemctl restart nginx
```

**Database Maintenance:**
```sql
-- Run monthly
OPTIMIZE TABLE qr_codes;
OPTIMIZE TABLE qr_scans;
OPTIMIZE TABLE audit_logs;
ANALYZE TABLE qr_codes;
ANALYZE TABLE qr_scans;
```

**Clean Old Analytics (Optional):**
```sql
-- Delete scans older than 1 year
DELETE FROM qr_scans WHERE scanned_at < DATE_SUB(NOW(), INTERVAL 1 YEAR);

-- Delete old audit logs (keep 2 years)
DELETE FROM audit_logs WHERE created_at < DATE_SUB(NOW(), INTERVAL 2 YEAR);
```

### Performance Tuning

**PHP-FPM Optimization:**
```ini
; /etc/php/8.3/fpm/pool.d/www.conf

pm = dynamic
pm.max_children = 50
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500
```

**MySQL Optimization:**
```ini
; /etc/mysql/my.cnf

[mysqld]
innodb_buffer_pool_size = 1G
innodb_log_file_size = 256M
max_connections = 200
query_cache_size = 64M
```

---

## Scaling Considerations

### Load Balancing (Future)

If traffic increases, consider:

1. **Multiple Application Servers**
   - Use Nginx as load balancer
   - Share storage via NFS or S3
   - Centralized session storage (Redis)

2. **Database Replication**
   - Master-slave MySQL setup
   - Read replicas for analytics

3. **CDN for QR Codes**
   - Serve QR images via CloudFront/CloudFlare
   - Reduce server load

---

## Rollback Procedure

If deployment fails:

```bash
# 1. Restore database backup
gunzip < /backups/qr-generator/qr_db_YYYYMMDD.sql.gz | mysql -u qr_user -p qr_generator

# 2. Restore files
tar -xzf /backups/qr-generator/qr_files_YYYYMMDD.tar.gz -C /

# 3. Restart services
sudo systemctl restart nginx
sudo systemctl restart mysql

# 4. Verify system is working
curl -I https://qr.company.com
```

---

## Security Incident Response

**If compromised:**

1. **Immediate Actions**
   - Take system offline
   - Change all passwords
   - Review audit logs
   - Check for unauthorized users

2. **Investigation**
   - Review access logs
   - Check file modifications
   - Analyze database changes

3. **Recovery**
   - Restore from clean backup
   - Patch vulnerabilities
   - Update all credentials
   - Notify affected users

---

## Support Contacts

**Production Issues:**
- System Admin: admin@company.com
- On-Call: +1-XXX-XXX-XXXX

**Emergency Escalation:**
- IT Director: director@company.com
- Security Team: security@company.com

---

**Deployment Date:** _____________  
**Deployed By:** _____________  
**Verified By:** _____________
