server {
    listen 80;
    server_name {{ domain }};
    
    # HTTP to HTTPS redirect (wird von Certbot hinzugefügt)
    
    location / {
        proxy_pass http://127.0.0.1:{{ app_port }};  # Weiterleitung zu PHP-Container
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        
        # PHP-spezifische Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        
        # File upload für PHP
        client_max_body_size {{ nginx_client_max_body_size }};
    }
    
    # Assets (CSS, JS, Bilder) direkt servieren falls gewünscht
    location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        proxy_pass http://127.0.0.1:{{ app_port }};
        proxy_cache_valid 200 1d;
        expires 1d;
        add_header Cache-Control "public, immutable";
    }
    
    # PHP-Admin Tools (falls vorhanden) schützen
    location ~ /(admin|phpmyadmin|adminer) {
        proxy_pass http://127.0.0.1:{{ app_port }};
        
        # Basis Auth hier hinzufügen falls gewünscht
        # auth_basic "Admin Area";
        # auth_basic_user_file /etc/nginx/.htpasswd;
    }
    
    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    
    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
}