Fix: Polishing

Author: alokemajumder

.env.example

@@ -29,7 +29,7 @@ STORAGE_CONFIG=/app/config/storage.yml
 ADMIN_API_KEYS=your_admin_key_1,your_admin_key_2
 RENDIFF_API_KEYS=your_client_key_1,your_client_key_2,your_client_key_3
 ENABLE_API_KEYS=true
-CORS_ORIGINS=*
+CORS_ORIGINS=https://localhost,http://localhost
 
 # SSL/HTTPS Configuration (for production)
 DOMAIN_NAME=localhost
@@ -48,4 +48,4 @@ MAX_CONCURRENT_JOBS_PER_KEY=10
 MAX_JOB_DURATION=21600
 
 # External URLs
-EXTERNAL_URL=http://localhost:8080
+EXTERNAL_URL=https://localhost

.gitignore

@@ -48,3 +48,21 @@ CLEANUP_SUMMARY.md
 # Storage and uploads
 /storage/
 /uploads/
+
+# SSL certificates (keep generation script)
+traefik/certs/*.crt
+traefik/certs/*.key
+traefik/certs/*.csr
+traefik/certs/*.pem
+traefik/letsencrypt/
+traefik/acme/
+
+# Test results and monitoring
+test-results/
+monitoring/ssl-scan-results/
+monitoring/*.log
+
+# Backups
+backups/
+*.backup
+backup-*/

README.md

@@ -35,10 +35,12 @@ cd ffmpeg-api
 ./setup.sh --development    # Quick local development
 ./setup.sh --standard       # Production (PostgreSQL, Redis, monitoring)
 ./setup.sh --genai          # AI-enhanced (GPU support, AI models)
-./setup.sh --production     # Interactive production wizard
+./setup.sh --interactive    # Interactive setup wizard
 ```
 
-**That's it!** Your API will be running at `http://localhost:8080`
+**That's it!** Your API will be running at:
+- Development: `http://localhost:8000`
+- Production: `https://localhost` (HTTPS with self-signed certificate)
 
 ### 🏃‍♂️ Development (60 seconds)
 Perfect for testing and local development:
@@ -54,7 +56,7 @@ Enterprise-ready deployment:
 ```bash
 ./setup.sh --standard
 ```
-**Features:** PostgreSQL, Redis, monitoring, API keys, 2 CPU workers
+**Features:** PostgreSQL, Redis, monitoring, API keys, HTTPS by default, 2 CPU workers
 
 ### 🤖 AI-Enhanced Production
 GPU-accelerated AI features:
@@ -72,6 +74,7 @@ GPU-accelerated AI features:
 | **Database** | SQLite | PostgreSQL | PostgreSQL |
 | **Queue** | Redis | Redis | Redis |
 | **Authentication** | Disabled | API Keys | API Keys |
+| **HTTPS/SSL** | ❌ | ✅ (Self-signed + Let's Encrypt) | ✅ (Self-signed + Let's Encrypt) |
 | **Monitoring** | Basic | Full (Prometheus/Grafana) | Full |
 | **Workers** | 1 CPU | 2 CPU | 2 CPU + 1 GPU |
 | **AI Features** | ❌ | ❌ | ✅ |
@@ -121,19 +124,50 @@ GET  /docs                # Interactive API documentation
 # List current keys (masked)
 ./scripts/manage-api-keys.sh list
 
-# Test API access
-curl -H "X-API-Key: your-key" http://localhost:8080/api/v1/health
+# Test API access (development)
+curl -H "X-API-Key: your-key" http://localhost:8000/api/v1/health
+
+# Test API access (production - HTTPS)
+curl -k -H "X-API-Key: your-key" https://localhost/api/v1/health
 ```
 
 ### HTTPS/SSL Setup
+
+**🔒 HTTPS is enabled by default in ALL production deployments** with self-signed certificates.
+
+#### SSL Certificate Options:
+
+**Self-signed (Default)** - Works immediately:
+```bash
+./setup.sh --standard  # HTTPS ready with self-signed cert
+```
+
+**Let's Encrypt (Production)** - Free trusted certificates:
 ```bash
 # Configure your domain
 export DOMAIN_NAME=api.yourdomain.com
 export [email protected]
 
-# Setup with automatic SSL
-./setup.sh --production
-# Choose HTTPS option for Let's Encrypt certificates
+# Setup with Let's Encrypt
+./setup.sh --interactive  # Choose HTTPS option during setup
+```
+
+**Commercial SSL** - EV/OV certificates:
+```bash
+# Install commercial certificate
+./scripts/enhanced-ssl-manager.sh install-commercial cert.crt private.key
+```
+
+**Comprehensive SSL Management:**
+```bash
+# Show all SSL management options
+./scripts/enhanced-ssl-manager.sh --help
+
+# Monitor SSL certificates
+./scripts/enhanced-ssl-manager.sh monitor-start
+
+# Test SSL configuration
+./scripts/enhanced-ssl-manager.sh test-ssl yourdomain.com
 ```
 
 ### Monitoring & Health
@@ -208,8 +242,8 @@ docker-compose logs -f api
 | **[Setup Guide](docs/SETUP.md)** | Complete setup documentation for all deployment types |
 | **[API Reference](docs/API.md)** | Detailed API endpoint documentation |
 | **[Installation Guide](docs/INSTALLATION.md)** | Advanced installation and configuration |
-| **[Deployment Guide](DEPLOYMENT.md)** | Production deployment best practices |
-| **[Security Guide](SECURITY.md)** | Security configuration and best practices |
+| **[Production Setup](docs/SETUP.md#production-setup)** | Production deployment best practices |
+| **[HTTPS/SSL Setup](docs/SETUP.md#httpssl-configuration)** | Security configuration and best practices |
 
 ## 🎯 Use Cases
 
@@ -300,12 +334,12 @@ Supports deployment on:
 - **📚 Documentation**: Complete guides in `/docs`
 - **🐛 Issues**: [GitHub Issues](https://github.com/rendiffdev/ffmpeg-api/issues)
 - **💬 Discussions**: [GitHub Discussions](https://github.com/rendiffdev/ffmpeg-api/discussions)
-- **🔒 Security**: See [SECURITY.md](SECURITY.md)
+- **🔒 Security**: See [HTTPS/SSL Configuration](docs/SETUP.md#httpssl-configuration)
 - **📄 License**: [MIT License](LICENSE)
 
 ## 🤝 Contributing
 
-We welcome contributions! Please see our [Contributing Guide](CONTRIBUTING.md) for details.
+We welcome contributions! Please open an issue or submit a pull request on our [GitHub repository](https://github.com/rendiffdev/ffmpeg-api).
 
 ## 📄 License
 

api/config.py

@@ -65,7 +65,7 @@ class Settings(BaseSettings):
     ADMIN_API_KEYS: str = ""  # Comma-separated list of admin API keys
 
     # CORS
-    CORS_ORIGINS: List[str] = Field(default_factory=lambda: ["*"])
+    CORS_ORIGINS: List[str] = Field(default_factory=lambda: ["http://localhost", "https://localhost"])
 
     # Monitoring
     ENABLE_METRICS: bool = True

docker-compose.prod.yml

@@ -11,14 +11,13 @@ services:
       dockerfile: docker/api/Dockerfile
     container_name: rendiff-api
     restart: unless-stopped
-    ports:
-      - "${API_PORT:-8080}:8080"
+    # Ports handled by Traefik - no direct exposure needed
     environment:
       # Basic Configuration
       - API_HOST=0.0.0.0
-      - API_PORT=8080
+      - API_PORT=8000
       - API_WORKERS=${API_WORKERS:-4}
-      - EXTERNAL_URL=${EXTERNAL_URL:-http://localhost:8080}
+      - EXTERNAL_URL=${EXTERNAL_URL:-https://localhost}
 
       # Database
       - DATABASE_URL=${DATABASE_URL}
@@ -50,7 +49,7 @@ services:
       redis:
         condition: service_healthy
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8080/api/v1/health"]
+      test: ["CMD", "curl", "-f", "http://localhost:8000/api/v1/health"]
       interval: 30s
       timeout: 10s
       retries: 3
@@ -68,12 +67,12 @@ services:
     labels:
       # Enable Traefik for this service
       - "traefik.enable=true"
-      - "traefik.http.routers.api.rule=Host(`${DOMAIN_NAME:-localhost}`)"
+      - "traefik.http.routers.api.rule=Host(`${DOMAIN_NAME:-localhost}`) && PathPrefix(`/`)"
       - "traefik.http.routers.api.entrypoints=websecure"
-      - "traefik.http.routers.api.tls.certresolver=${CERT_RESOLVER:-letsencrypt}"
+      - "traefik.http.routers.api.tls=true"
       - "traefik.http.routers.api.service=api"
       - "traefik.http.routers.api.middlewares=api-middleware"
-      - "traefik.http.services.api.loadbalancer.server.port=8080"
+      - "traefik.http.services.api.loadbalancer.server.port=8000"
       - "traefik.http.services.api.loadbalancer.healthcheck.path=/api/v1/health"
       - "traefik.http.middlewares.api-middleware.chain.middlewares=security-headers,api-rate-limit,compression"
 
@@ -258,7 +257,7 @@ services:
       - "traefik.enable=true"
       - "traefik.http.routers.prometheus.rule=Host(`prometheus.${DOMAIN_NAME:-localhost}`)"
       - "traefik.http.routers.prometheus.entrypoints=websecure"
-      - "traefik.http.routers.prometheus.tls.certresolver=${CERT_RESOLVER:-letsencrypt}"
+      - "traefik.http.routers.prometheus.tls=true"
       - "traefik.http.routers.prometheus.service=prometheus"
       - "traefik.http.routers.prometheus.middlewares=security-headers"
       - "traefik.http.services.prometheus.loadbalancer.server.port=9090"
@@ -302,7 +301,7 @@ services:
       - "traefik.enable=true"
       - "traefik.http.routers.grafana.rule=Host(`grafana.${DOMAIN_NAME:-localhost}`)"
       - "traefik.http.routers.grafana.entrypoints=websecure"
-      - "traefik.http.routers.grafana.tls.certresolver=${CERT_RESOLVER:-letsencrypt}"
+      - "traefik.http.routers.grafana.tls=true"
       - "traefik.http.routers.grafana.service=grafana"
       - "traefik.http.routers.grafana.middlewares=security-headers"
       - "traefik.http.services.grafana.loadbalancer.server.port=3000"
@@ -317,11 +316,12 @@ services:
     ports:
       - "${TRAEFIK_HTTP_PORT:-80}:80"
       - "${TRAEFIK_HTTPS_PORT:-443}:443"
-      - "${TRAEFIK_DASHBOARD_PORT:-8080}:8080"
+      - "${TRAEFIK_DASHBOARD_PORT:-8081}:8080"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./traefik/traefik.yml:/etc/traefik/traefik.yml:ro
       - ./traefik/dynamic.yml:/etc/traefik/dynamic.yml:ro
+      - ./traefik/certs:/etc/traefik/certs:ro
       - traefik_ssl_data:/letsencrypt
       - traefik_logs:/var/log/traefik
     environment:
@@ -344,16 +344,15 @@ services:
         reservations:
           memory: 128M
           cpus: '0.1'
-    profiles:
-      - traefik
+    # No profile - Traefik runs by default for HTTPS
     networks:
       - rendiff-network
     labels:
       # Enable Traefik for the dashboard
       - "traefik.enable=true"
       - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.${DOMAIN_NAME:-localhost}`)"
       - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
-      - "traefik.http.routers.traefik-dashboard.tls.certresolver=${CERT_RESOLVER:-letsencrypt}"
+      - "traefik.http.routers.traefik-dashboard.tls=true"
       - "traefik.http.routers.traefik-dashboard.service=api@internal"
 
 volumes:

docker-compose.yml

@@ -19,19 +19,51 @@ services:
     networks:
       - rendiff
 
-  # API Gateway
+  # Traefik Reverse Proxy with HTTPS (runs by default)
+  traefik:
+    image: traefik:v3.0
+    container_name: rendiff_traefik
+    command:
+      - --configFile=/etc/traefik/traefik.yml
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8081:8080"  # Dashboard on 8081 to avoid conflict
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./traefik/traefik.yml:/etc/traefik/traefik.yml:ro
+      - ./traefik/dynamic.yml:/etc/traefik/dynamic.yml:ro
+      - ./traefik/certs:/etc/traefik/certs:ro
+    depends_on:
+      - api
+    networks:
+      - rendiff
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.localhost`)"
+      - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
+      - "traefik.http.routers.traefik-dashboard.tls=true"
+      - "traefik.http.routers.traefik-dashboard.service=api@internal"
+      
+  # API Gateway (now behind Traefik)
   krakend:
     image: devopsfaith/krakend:2.6
     container_name: rendiff_gateway
     volumes:
       - ./config/krakend.json:/etc/krakend/krakend.json:ro
-    ports:
-      - "8080:8080"
+    # No port exposure - accessed through Traefik
     depends_on:
       - api
     networks:
       - rendiff
     restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.krakend.rule=Host(`localhost`) && PathPrefix(`/`)"
+      - "traefik.http.routers.krakend.entrypoints=websecure"
+      - "traefik.http.routers.krakend.tls=true"
+      - "traefik.http.services.krakend.loadbalancer.server.port=8080"
 
   # Database Service
   postgres:

docker/traefik/Dockerfile

@@ -0,0 +1,21 @@
+FROM traefik:v3.0
+
+# Install OpenSSL for certificate generation
+RUN apk add --no-cache openssl
+
+# Create directories
+RUN mkdir -p /etc/traefik/certs
+
+# Copy certificate generation script
+COPY traefik/certs/generate-self-signed.sh /generate-cert.sh
+RUN chmod +x /generate-cert.sh
+
+# Generate self-signed certificate if not exists
+RUN if [ ! -f /etc/traefik/certs/cert.crt ]; then \
+    cd /etc/traefik/certs && \
+    /generate-cert.sh; \
+    fi
+
+# Entry point
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["traefik"]