# ----------------------------
# Host config
# ----------------------------

server {

    listen %ip%:%httpport%;
    listen %ip%:%httpsport% ssl http2;

    server_name surikovlib.loc %aliases%;
    root '%hostdir%';
    limit_conn addr 64;
    autoindex off;
    index index.php index.html index.htm;

    ssl_certificate '%sprogdir%/userdata/config/cert_files/server.crt';
    ssl_certificate_key '%sprogdir%/userdata/config/cert_files/server.key';
    # ssl_trusted_certificate     '';

    # Force HTTPS
    # add_header Strict-Transport-Security 'max-age=2592000' always;
    # if ($scheme ~* ^(?!https).*$) {
    #    return 301 https://$host$request_uri;
    # }

    # Force www.site.com => site.com
    # if ($host ~* ^www\.(.+)$) {
    #    return 301 $scheme://$1$request_uri;
    # }
    # Disable access to backup/config/command/log files
    # if ($uri ~* ^.+\.(?:bak|co?nf|in[ci]|log|orig|sh|sql|tar|sql|t?gz|cmd|bat)$) {
    #    return 404;
    # }
    # Disable access to hidden files/folders
    if ($uri ~* /\.(?!well-known)) {
        return 404;
    }

    # Disable MIME sniffing
    add_header X-Content-Type-Options 'nosniff' always;

    location ~* ^.+\.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv|svgz?|ttf|ttc|otf|eot|woff2?)$ {
        expires 1d;
        access_log off;
    }

    location / {
        # Force index.php routing (if not found)
        try_files $uri $uri/ /index.php$is_args$args;

        # Force index.php routing (all requests)
        # rewrite ^/(.*)$ /index.php?/$1 last;

        location ~ \.php$ {
            try_files $fastcgi_script_name =404;

            # limit_conn   addr 16;
            # limit_req    zone=flood        burst=32 nodelay;

            # add_header   X-Frame-Options   'SAMEORIGIN' always;
            # add_header   Referrer-Policy   'no-referrer-when-downgrade' always;
            # CSP syntax: <host-source> <scheme-source>(http: https: data: mediastream: blob: filesystem:) 'self' 'unsafe-inline' 'unsafe-eval' 'none'
            # Content-Security-Policy-Report-Only (report-uri https://site.com/csp/)
            # add_header   Content-Security-Policy  "default-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests" always;
            fastcgi_pass backend;
            include '%sprogdir%/userdata/config/nginx_fastcgi_params.txt';
        }
    }

    # Service configuration (do not edit!)
    # ----------------------------
    location /openserver/ {
        root '%sprogdir%/modules/system/html';
        autoindex off;
        index index.php index.html index.htm;

        %allow%allow all;
        allow 127.0.0.0/8;
        allow ::1/128;
        allow %ips%;
        deny all;

        location ~* ^/openserver/.+\.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv|svgz?|ttf|ttc|otf|eot|woff2?)$ {
            expires 1d;
            access_log off;
        }

        location /openserver/server-status {
            stub_status on;
        }

        location ~ ^/openserver/.*\.php$ {
            try_files $fastcgi_script_name =404;
            fastcgi_index index.php;
            fastcgi_pass backend;
            include '%sprogdir%/userdata/config/nginx_fastcgi_params.txt';
        }
    }
    # End service configuration
    # ----------------------------
}

# ----------------------------
# End host config
# ----------------------------