# External Access Configuration

## Quick Setup

### 1. Get Your Server IP

```bash
# Find your server's IP address
ip addr show | grep "inet " | grep -v 127.0.0.1
# Or
hostname -I
```

### 2. Configure Frontend API URL

**Option A: Environment Variable (Recommended)**

```bash
# Edit frontend/.env.local
nano frontend/.env.local

# Set your server IP:
NEXT_PUBLIC_API_URL=http://YOUR_SERVER_IP:8000
```

**Option B: Docker Compose**

```bash
# Edit docker-compose.yml
nano docker-compose.yml

# Update the frontend environment section with your IP
```

### 3. Update Firewall Rules

**UFW (Ubuntu/Debian):**

```bash
sudo ufw allow 3000/tcp  # Frontend
sudo ufw allow 8000/tcp  # Backend API
sudo ufw reload
```

**Firewalld (CentOS/RHEL):**

```bash
sudo firewall-cmd --permanent --add-port=3000/tcp
sudo firewall-cmd --permanent --add-port=8000/tcp
sudo firewall-cmd --reload
```

**iptables:**

```bash
sudo iptables -A INPUT -p tcp --dport 3000 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
# iptables-save only prints the current ruleset to stdout; redirect it to
# the rules file your distribution restores at boot to make the rules persistent
sudo iptables-save
```

### 4. Start the Application

```bash
./start.sh
# or
./start.sh docker
```

### 5. Access from External Device

```
Frontend:    http://YOUR_SERVER_IP:3000
Backend API: http://YOUR_SERVER_IP:8000/docs
```

## Production Setup (Nginx Reverse Proxy)

For production, use Nginx with SSL:

### Install Nginx

```bash
sudo apt install nginx certbot python3-certbot-nginx
```

### Configure Nginx

```bash
sudo nano /etc/nginx/sites-available/kniha-jizd
```

```nginx
server {
    listen 80;
    server_name your-domain.com;

    # Frontend
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    # Backend API
    location /api {
        proxy_pass http://localhost:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

### Enable Site & SSL

```bash
sudo ln -s /etc/nginx/sites-available/kniha-jizd /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx

# Get SSL certificate
sudo certbot --nginx -d your-domain.com
```

### Update Frontend Config

```bash
# frontend/.env.local
NEXT_PUBLIC_API_URL=https://your-domain.com
```

With the reverse proxy in place, clients reach the application through Nginx on ports 80 and 443, so the firewall rules for ports 3000 and 8000 from the quick setup are no longer needed for external access.

## Security Recommendations

1. **Use HTTPS in production** - Never expose unencrypted credentials
2. **Restrict CORS** - Update `allow_origins` in `backend/api/main.py`
3. **Use environment variables** - Never commit credentials
4. **Enable rate limiting** - Prevent abuse
5. **Use VPN or SSH tunnel** - For development access

## Troubleshooting

### Can't connect from outside

```bash
# Check if ports are listening on all interfaces
sudo ss -tlnp | grep -E '3000|8000'

# Should show 0.0.0.0:3000 and 0.0.0.0:8000
```

### Connection refused

- Check firewall rules
- Verify Docker binds to 0.0.0.0
- Check cloud provider security groups (AWS/GCP/Azure)

### CORS errors

- Verify NEXT_PUBLIC_API_URL is set correctly
- Check backend CORS middleware allows your origin
- Clear browser cache

## Cloud Provider Notes

### AWS EC2

- Add inbound rules to Security Group for ports 3000, 8000

### Google Cloud

- Add firewall rules: `gcloud compute firewall-rules create`

### Azure

- Configure Network Security Group inbound rules

### DigitalOcean

- Configure Cloud Firewall or droplet firewall
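
The listening-interface check from the Troubleshooting section can be scripted so the result is unambiguous for both setups: the quick setup needs ports 3000 and 8000 bound to all interfaces, while behind the Nginx reverse proxy a loopback binding is enough because `proxy_pass` targets `localhost`. This is an added example, not part of the project's scripts; the function name `classify_listeners` and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Classify how the app ports are bound, from `ss -tln` output on stdin.
# Prints "<port> <scope>" per requested port; the widest binding wins:
#   public   = 0.0.0.0, * or [::]  (reachable from other hosts, firewall permitting)
#   specific = one non-loopback address
#   loopback = 127.x.x.x or [::1]  (local processes only, e.g. the Nginx proxy)
#   closed   = nothing listening
classify_listeners() {
  awk -v ports="${1:-3000 8000}" '
    BEGIN {
      n = split(ports, want, " ")
      for (i = 1; i <= n; i++) { best[want[i]] = 0 }
      name[0] = "closed"; name[1] = "loopback"; name[2] = "specific"; name[3] = "public"
    }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)          # text after the last colon
      if (!(port in best)) next
      addr = substr($4, 1, length($4) - length(port) - 1)
      sub(/%.*/, "", addr)                     # drop an interface suffix such as %lo
      if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") r = 3
      else if (addr ~ /^127\./ || addr == "[::1]") r = 1
      else r = 2
      if (r > best[port]) best[port] = r
    }
    END { for (i = 1; i <= n; i++) print want[i], name[best[want[i]]] }
  '
}

# Constructed sample (not captured from a real host): frontend bound to all
# interfaces over IPv4 and IPv6, backend bound to loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      511          0.0.0.0:3000       0.0.0.0:*
LISTEN 0      511             [::]:3000          [::]:*
LISTEN 0      2048       127.0.0.1:8000       0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      128         10.0.0.5:22         0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | classify_listeners "3000 8000"
# On a live host: ss -tln | classify_listeners "3000 8000"
```

A `loopback` result for port 8000 explains a "connection refused" from outside in the quick setup, and is the expected state once all traffic goes through Nginx.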