# 06 — Deployment & ops

## Host layout

- Single host (this server, same as YouPortal)
- Root: `/var/www/html/Searchmercials/`
- Apache 2.4.x with per-domain vhosts
- Co-resident with: `/var/www/html/youportal/` (YouPortal platform) — see [05-integrations.md](05-integrations.md)

## Multi-domain via symlinks (`fixlinks.sh`)

The project is designed as a **shared-codebase, many-domain** deployment. `fixlinks.sh` (119 lines) creates symlinks from per-domain directories into the main `httpdocs/`:

```
searchmercials_com/
avideo_com/
wwbn_tv/
searchads_tv/
searchtube_com/
pooptube_com/
...
         │
         ▼  (symlinks)
/var/www/vhosts/administration/platform/searchmercials/httpdocs/{search, auth, classes_new, ...}
```

Each distribution domain serves the same backend code under its own vhost configuration. Per-domain divergence is limited to templates/branding in `httpsdocs/templates/`.

`httpsdocs/` itself also symlinks to `httpdocs/search/`, `httpdocs/dandelion/`, `httpdocs/responsive/` so the HTTPS vhost shares backend logic with the HTTP vhost.

## SSL certificate provisioning

- **`64.250.180.23`** (1266-byte shell script at project root): generates self-signed wildcard SSL certificates for new affiliate/distribution domains.
- Invokes `openssl genrsa`, `openssl req`, `openssl x509` against `/etc/ssl-wildcard/<domain>/`
- The filename is an IPv4 address, which suggests the script originated on a specific server; the name is not a meaningful abstraction today

**Modern replacement**: Let's Encrypt (certbot) + auto-renewal, or Cloudflare Origin CA certs, as YouPortal uses.

## `.htaccess`

`httpdocs/.htaccess` (~10 lines) contains **only commented-out** error-log directives. No rewrite rules, no directory protection, no mod_expires/mod_headers policies. URLs map 1:1 to filesystem paths.

If Apache is configured with `AllowOverride None`, even this minimal file is ignored. Verify with:

```
apache2ctl -S | grep searchmercials
```

`apache2ctl -S` prints the config file and line that define each matching vhost; open that file and check for `AllowOverride All` inside the relevant `<Directory>` block.
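
The check described above, as an added example rather than a script from this repo: it lists each `<Directory>` block in a vhost file with the `AllowOverride` value that block sets. The sample vhost is constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the repo): report AllowOverride per <Directory> block.
# Print "<path><TAB><value>" for each <Directory> block in config file $1.
# "unset" means the block has no AllowOverride line of its own, so the value
# comes from a less specific <Directory> block or the server default.
audit_allowoverride() {
  awk '
    /^[ \t]*#/ { next }                          # ignore commented-out lines
    { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
    low ~ /^<directory[ \t]/ {                   # plain <Directory>, not <DirectoryMatch>
      path = line
      sub(/^<[^ \t]+[ \t]+/, "", path); sub(/>[ \t]*$/, "", path); gsub(/"/, "", path)
      value = "unset"; inblock = 1; next
    }
    inblock && low ~ /^allowoverride[ \t]/ {
      value = line
      sub(/^[^ \t]+[ \t]+/, "", value); sub(/[ \t]+$/, "", value); next
    }
    inblock && low ~ /^<\/directory>/ { printf "%s\t%s\n", path, value; inblock = 0 }
  ' "$1"
}

# Print only the paths whose own block sets AllowOverride All.
permissive_dirs() {
  audit_allowoverride "$1" | awk -F '\t' 'tolower($2) == "all" { print $1 }'
}

# Constructed sample vhost (not the real config of this host).
write_sample_vhost() {
  cat <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html/Searchmercials/httpdocs
    <Directory "/var/www/html/Searchmercials/httpdocs">
        AllowOverride All
    </Directory>
    <Directory /var/www/html/Searchmercials/httpdocs/auth>
        # AllowOverride All
        Require all granted
    </Directory>
    <Directory /var/www/html/youportal>
        allowoverride None
    </Directory>
</VirtualHost>
EOF
}

sample=$(mktemp) && write_sample_vhost > "$sample" && audit_allowoverride "$sample"; rm -f "$sample"
```

Run `audit_allowoverride` against the config file that `apache2ctl -S` reports for the vhost; a commented-out directive, like the one in the sample's `auth` block, is reported as `unset`.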

## YouPortal data sync

Three files at project root hint at a scheduled integration:

| File | Size | Role |
|------|-----:|------|
| `ypbackfill_feed_data` | 1 byte | Marker / executable stub (permissions: `-rwxr-xr-x`) |
| `ypbackfill_feed_data.txt` | 1.9 KB | Human-readable instructions |
| `ypbackfill_feed_data.curl` | 0 bytes | Empty placeholder |

No crontab entry is visible inside this repo. The actual scheduling likely lives in `/etc/cron.d/` or in a YouPortal-side cron that reaches out to pull Searchmercials data. Direct DB access via SDBA's `youportal_aroundme_new` params is the most likely channel.

## Environment / configuration

- **No `.env` file** — credentials are hardcoded in `httpdocs/auth/classes/sdba/dbconnect.php`
- **No Composer** (`composer.json` absent) — dependencies are vendor drops committed to the repo
- **No build step** — PHP served directly; JS/CSS are hand-maintained in place
- **PHP opcache / FPM pool settings** live outside this repo (system-level `/etc/php/*/fpm/`)

## Logs

- Apache `access.log` + `error.log` in `/var/log/apache2/` (system defaults)
- **No application-level logging framework** detected. Errors surface via `ini_set('display_errors', 1)` in individual files, or flow to Apache's error log via `error_log()` calls

## Backup / disaster recovery

- **No formal backup strategy** found inside the repo
- Git history references **"production hot-patches"** (commit `7ea37ec`: "removed uncommited changes in prod (backup june 03, 2024)") — indicates that at least once, production drifted from git and required a snapshot/rollback
- The many `_old/`, `_bak/`, `*.bak` files across the tree are **informal** backups by engineers, not a strategy

## Recommendations for ops modernization

1. **Centralize configuration**: move `dbconnect.php` arrays to a `.env` file consumed by phpdotenv or PHP 8's native env handling
2. **Add a deploy script** or Ansible/Terraform module so vhost + symlink setup is reproducible
3. **Replace wildcard cert script** with certbot or Cloudflare Origin CA automation
4. **Document the ypbackfill cadence** (look in `/etc/cron.d/` on the host)
5. **Prune `_old/`, `*.bak`, `*_bk_*`** — use git instead; dated filenames in production are an accident waiting to happen
6. **Apache hardening**: `AllowOverride` on a least-privilege basis; `ServerTokens Prod`; `Header unset X-Powered-By`
