# Nginx Configuration for Traefik Integration
# Traefik handles SSL termination - this listens on HTTP:80 only

upstream php-upstream {
    server 127.0.0.1:9000;
}

server {
    listen 80;
    listen [::]:80;
    server_name _;

    root /var/www/html/public;
    index index.php index.html;

    # Security headers (Traefik may add more)
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;

    # Gzip
    gzip on;
    gzip_vary on;
    gzip_types text/css application/javascript application/json image/svg+xml;
    gzip_comp_level 5;

    # Health check endpoint
    location /health {
        access_log off;
        return 200 "healthy\n";
        add_header Content-Type text/plain;
    }

    # Static assets with caching
    location ~* \.(jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        try_files $uri =404;
    }

    location ~* \.(css|js|map)$ {
        expires 1w;
        add_header Cache-Control "public, max-age=604800";
        try_files $uri =404;
    }

    # Service Worker
    location = /sw.js {
        alias /var/www/html/public/sw.js;
        add_header Cache-Control "no-cache, must-revalidate";
        add_header Service-Worker-Allowed "/";
    }

    location = /js/sw-push.js {
        alias /var/www/html/public/js/sw-push.js;
        add_header Cache-Control "no-cache, must-revalidate";
        add_header Service-Worker-Allowed "/";
        add_header Content-Type "application/javascript; charset=utf-8";
    }

    # Main application
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        autoindex off;
    }

    # PHP-FPM
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass php-upstream;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param APP_ENV production;

        # Traefik terminates SSL, but tell app it's HTTPS
        fastcgi_param HTTPS $http_x_forwarded_proto;
        fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto;

        fastcgi_read_timeout 60s;
        fastcgi_connect_timeout 60s;
        fastcgi_send_timeout 60s;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_keep_conn on;
        fastcgi_hide_header X-Powered-By;
    }

    # Deny access to hidden files
    location ~ /\.(?!well-known).* {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Prevent PHP execution in uploads
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }

    # Error pages
    error_page 404 /errors/404.html;
    error_page 403 /errors/403.html;
    error_page 500 502 503 504 /errors/50x.html;

    location /errors/ {
        internal;
    }

    server_tokens off;
}