From 942a93a3ad14f1c13d9e6c6697850a5ba44244e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Gervreau-Mercier?=
 <theophile.gm@happyngreen.fr>
Date: Thu, 12 Feb 2026 12:20:31 +0100
Subject: [PATCH] refactor: update nginx config for new structure

- Updated posterg.conf with new directory structure
- Document root: /var/www/posterg/public
- Explicitly deny access to: /src, /templates, /config, /storage, /tests, /scripts, /docs
- Added structure diagram in comments
- Updated deploy scripts security checks
- Replaced outdated posterg.conf.reference

All non-public directories outside webroot for security.
Defense-in-depth: explicit deny rules even though paths outside /public.
---
 config/bootstrap.php             |   4 +-
 nginx/README.md                  |  10 +-
 nginx/deploy-production-new.sh   |   8 +-
 nginx/deploy-production.sh       |   4 +-
 nginx/posterg.conf               |  99 +++++++----
 nginx/posterg.conf.reference     | 288 +++++++++++--------------------
 nginx/posterg.conf.reference.old | 283 ++++++++++++++++++++++++++++++
 7 files changed, 469 insertions(+), 227 deletions(-)
 create mode 100644 nginx/posterg.conf.reference.old

diff --git a/config/bootstrap.php b/config/bootstrap.php
index 82de8a5..75a60bb 100644
--- a/config/bootstrap.php
+++ b/config/bootstrap.php
@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Simple configuration for website
  */
@@ -24,7 +25,8 @@ if (php_sapi_name() === 'cli-server') {
 }
 
 // Simple helper function for including templates
-function include_template($name) {
+function include_template($name)
+{
     $path = APP_ROOT . '/templates/' . $name;
     if (file_exists($path)) {
         include $path;
diff --git a/nginx/README.md b/nginx/README.md
index 33af608..d18cbed 100644
--- a/nginx/README.md
+++ b/nginx/README.md
@@ -44,9 +44,13 @@ No additional SSL setup is needed on this server.
 ### File Access Protection
 - Database files (`.db`) - **BLOCKED**
 - Sensitive files (`.md`, `.sql`, `.env`) - **BLOCKED**
-- Shared directory - **BLOCKED**
-- Tests directory - **BLOCKED**
-- Cache directory - **BLOCKED**
+- `/src` directory (PHP source) - **BLOCKED**
+- `/templates` directory (PHP templates) - **BLOCKED**
+- `/config` directory (configuration) - **BLOCKED**
+- `/storage` directory (databases) - **BLOCKED**
+- `/tests` directory - **BLOCKED**
+- `/scripts` directory - **BLOCKED**
+- `/docs` directory - **BLOCKED**
 - Hidden files (`.git`, etc.) - **BLOCKED**
 
 ### Rate Limiting
diff --git a/nginx/deploy-production-new.sh b/nginx/deploy-production-new.sh
index 314ec28..c856491 100755
--- a/nginx/deploy-production-new.sh
+++ b/nginx/deploy-production-new.sh
@@ -35,10 +35,10 @@ echo "✓ Set directory permissions to 755"
 find /var/www/posterg -type f -exec chmod 644 {} \;
 echo "✓ Set file permissions to 644"
 
-# Make database directory writable by group
-if [ -d "/var/www/posterg/database" ]; then
-    chmod 775 /var/www/posterg/database
-    echo "✓ Made database directory group-writable (775)"
+# Make storage directory writable by group
+if [ -d "/var/www/posterg/storage" ]; then
+    chmod 775 /var/www/posterg/storage
+    echo "✓ Made storage directory group-writable (775)"
 fi
 
 # Fix database file permissions
diff --git a/nginx/deploy-production.sh b/nginx/deploy-production.sh
index 8328718..6893824 100755
--- a/nginx/deploy-production.sh
+++ b/nginx/deploy-production.sh
@@ -176,5 +176,7 @@ echo ""
 echo "🔒 Security Checks:"
 echo "  • Database blocked:  curl -I http://localhost/storage/posterg.db"
 echo "  • MD files blocked:  curl -I http://localhost/README.md"
-echo "  • Shared blocked:    curl -I http://localhost/shared/Database.php"
+echo "  • Source blocked:    curl -I http://localhost/src/Database.php"
+echo "  • Templates blocked: curl -I http://localhost/templates/header.php"
+echo "  • Config blocked:    curl -I http://localhost/config/bootstrap.php"
 echo ""
diff --git a/nginx/posterg.conf b/nginx/posterg.conf
index 41ee22b..48f203a 100644
--- a/nginx/posterg.conf
+++ b/nginx/posterg.conf
@@ -1,6 +1,7 @@
 # Nginx configuration for Post-ERG thesis website (Production)
-# Based on existing default config with security enhancements
+# Updated for new directory structure
 # Place this in /etc/nginx/sites-available/posterg
+# Then symlink: ln -s /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/
 
 # Rate limiting zones
 limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
@@ -14,6 +15,19 @@ server {
     
     server_name posterg.erg.be www.posterg.erg.be;
 
+    # Document root points to /public (only web-accessible files)
+    # Project structure: /var/www/posterg/
+    #   /config      - Configuration (outside webroot)
+    #   /docs        - Documentation (outside webroot)
+    #   /nginx       - Server configs (outside webroot)
+    #   /public      - Web root ← THIS DIRECTORY
+    #     /admin     - Admin interface
+    #     /assets    - CSS, fonts, icons
+    #   /scripts     - Deployment scripts (outside webroot)
+    #   /src         - PHP source classes (outside webroot)
+    #   /storage     - SQLite databases (outside webroot)
+    #   /templates   - PHP templates (outside webroot)
+    #   /tests       - Test suites (outside webroot)
     root /var/www/posterg/public;
     
     # Add index.php to the list
@@ -23,7 +37,7 @@ server {
     add_header X-Frame-Options "SAMEORIGIN" always;
     add_header X-Content-Type-Options "nosniff" always;
     # X-XSS-Protection intentionally omitted — deprecated and counterproductive in modern browsers.
-    # CSP (Content-Security-Policy) is the correct mitigation (see item #11).
+    # CSP (Content-Security-Policy) is the correct mitigation.
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
 
@@ -45,51 +59,84 @@ server {
         log_not_found off;
     }
 
-    # Deny access to sensitive files
-    location ~* \.(md|txt|sql|sh|json|gitignore)$ {
+    # Deny access to sensitive files and extensions
+    location ~* \.(md|txt|sql|sh|json|gitignore|git|env|db-journal)$ {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    # Deny access to SQLite database files
+    location ~* \.db$ {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    # Deny access to log files
+    location ~* \.log$ {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    # Deny access to directories outside webroot (defense-in-depth)
+    # These paths shouldn't be accessible anyway since they're outside /public
+    # but we deny explicitly for additional security
+    location ^~ /storage/ {
         deny all;
     }
 
-    # Deny access to database directory
-    location ^~ /database/ {
+    location ^~ /src/ {
         deny all;
     }
 
-    # Deny access to shared/ directory (PHP includes only)
-    location ^~ /shared/ {
+    location ^~ /templates/ {
         deny all;
     }
 
-    # Deny access to data directory  
-    location ^~ /data/ {
+    location ^~ /config/ {
+        deny all;
+    }
+
+    location ^~ /tests/ {
+        deny all;
+    }
+
+    location ^~ /scripts/ {
+        deny all;
+    }
+
+    location ^~ /docs/ {
         deny all;
     }
 
     # Admin panel - password protected
     location ^~ /admin/ {
-        # HTTP Basic Authentication
+        # HTTP Basic Authentication (first layer)
         auth_basic "Admin Access - Post-ERG";
         auth_basic_user_file /etc/nginx/.htpasswd-posterg;
 
         # Rate limiting for admin
         limit_req zone=admin burst=5 nodelay;
 
-        # Content-Security-Policy — ported from public/admin/.htaccess which nginx ignores (item #6).
-        # Tighter policy for admin: no external sources, no object embedding.
+        # Content-Security-Policy - Tighter policy for admin
         add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
 
-        # Disable directory listing (nginx default is off; explicit for defence-in-depth, item #6)
+        # Disable directory listing
         autoindex off;
 
-        # Allow access to public assets without authentication
-        location ~ ^/admin/(css|js|images)/ {
-            auth_basic off;
-        }
-
-        # PHP handling for admin
+        # PHP handling for admin (AdminAuth provides second layer)
         location ~ \.php$ {
             include snippets/fastcgi-php.conf;
             fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
+            
+            # Security parameters
+            fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
+            
+            # Timeouts
+            fastcgi_read_timeout 120;
+            fastcgi_send_timeout 120;
         }
 
         # Additional security headers for admin
@@ -106,7 +153,7 @@ server {
         fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
     }
 
-    # PHP files handler
+    # PHP files handler (public pages)
     location ~ \.php$ {
         # Rate limiting for general PHP requests
         limit_req zone=general burst=20 nodelay;
@@ -141,15 +188,7 @@ server {
         try_files $uri $uri/ =404;
     }
 
-    # Deny access to log files — public/admin/.htaccess had this rule but Apache
-    # .htaccess directives are silently ignored by nginx (item #6).
-    location ~* \.log$ {
-        deny all;
-        access_log off;
-        log_not_found off;
-    }
-
-    # Deny access to .htaccess files (if Apache's document root concurs with nginx's)
+    # Deny access to .htaccess files
     location ~ /\.ht {
         deny all;
     }
diff --git a/nginx/posterg.conf.reference b/nginx/posterg.conf.reference
index 1a8a312..48f203a 100644
--- a/nginx/posterg.conf.reference
+++ b/nginx/posterg.conf.reference
@@ -1,4 +1,5 @@
-# Nginx configuration for Post-ERG thesis website
+# Nginx configuration for Post-ERG thesis website (Production)
+# Updated for new directory structure
 # Place this in /etc/nginx/sites-available/posterg
 # Then symlink: ln -s /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/
 
@@ -7,28 +8,41 @@ limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
 limit_req_zone $binary_remote_addr zone=search:10m rate=30r/m;
 limit_req_zone $binary_remote_addr zone=admin:10m rate=10r/m;
 
-# Server block - HTTP (redirect to HTTPS in production)
+# Main server block
 server {
-    listen 80;
-    listen [::]:80;
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    
     server_name posterg.erg.be www.posterg.erg.be;
 
-    # Redirect all HTTP to HTTPS (uncomment in production)
-    # return 301 https://$server_name$request_uri;
-
-    # For development/testing, allow HTTP
-    root /var/www/html;
-    index index.php index.html;
+    # Document root points to /public (only web-accessible files)
+    # Project structure: /var/www/posterg/
+    #   /config      - Configuration (outside webroot)
+    #   /docs        - Documentation (outside webroot)
+    #   /nginx       - Server configs (outside webroot)
+    #   /public      - Web root ← THIS DIRECTORY
+    #     /admin     - Admin interface
+    #     /assets    - CSS, fonts, icons
+    #   /scripts     - Deployment scripts (outside webroot)
+    #   /src         - PHP source classes (outside webroot)
+    #   /storage     - SQLite databases (outside webroot)
+    #   /templates   - PHP templates (outside webroot)
+    #   /tests       - Test suites (outside webroot)
+    root /var/www/posterg/public;
+    
+    # Add index.php to the list
+    index index.php index.html index.htm;
 
     # Security headers
     add_header X-Frame-Options "SAMEORIGIN" always;
     add_header X-Content-Type-Options "nosniff" always;
-    add_header X-XSS-Protection "1; mode=block" always;
+    # X-XSS-Protection intentionally omitted — deprecated and counterproductive in modern browsers.
+    # CSP (Content-Security-Policy) is the correct mitigation.
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
 
-    # Disable server tokens
-    server_tokens off;
+    # Server tokens already disabled in nginx.conf
+    # server_tokens off;
 
     # Max upload size (for thesis files)
     client_max_body_size 100M;
@@ -38,84 +52,118 @@ server {
     access_log /var/log/nginx/posterg_access.log;
     error_log /var/log/nginx/posterg_error.log warn;
 
-    # Block common attack patterns
-    location ~ /\. {
+    # Block access to hidden files (except .well-known for Let's Encrypt)
+    location ~ /\.(?!well-known).* {
         deny all;
         access_log off;
         log_not_found off;
     }
 
-    location ~ \.(git|env|db-journal)$ {
+    # Deny access to sensitive files and extensions
+    location ~* \.(md|txt|sql|sh|json|gitignore|git|env|db-journal)$ {
         deny all;
         access_log off;
         log_not_found off;
     }
 
-    # Deny access to sensitive files
-    location ~* \.(md|txt|sql|sh|json)$ {
-        deny all;
-    }
-
-    # Deny access to database files
+    # Deny access to SQLite database files
     location ~* \.db$ {
         deny all;
+        access_log off;
+        log_not_found off;
     }
 
-    # Deny access to shared/ directory (PHP includes only)
-    location /shared/ {
+    # Deny access to log files
+    location ~* \.log$ {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    # Deny access to directories outside webroot (defense-in-depth)
+    # These paths shouldn't be accessible anyway since they're outside /public
+    # but we deny explicitly for additional security
+    location ^~ /storage/ {
         deny all;
     }
 
-    # Deny access to tests directory
-    location /tests/ {
+    location ^~ /src/ {
         deny all;
     }
 
-    # Deny access to cache directory
-    location /cache/ {
+    location ^~ /templates/ {
+        deny all;
+    }
+
+    location ^~ /config/ {
+        deny all;
+    }
+
+    location ^~ /tests/ {
+        deny all;
+    }
+
+    location ^~ /scripts/ {
+        deny all;
+    }
+
+    location ^~ /docs/ {
         deny all;
     }
 
     # Admin panel - password protected
-    location /formulaire/ {
-        alias /var/www/html/formulaire/;
-
-        # HTTP Basic Authentication
+    location ^~ /admin/ {
+        # HTTP Basic Authentication (first layer)
         auth_basic "Admin Access - Post-ERG";
         auth_basic_user_file /etc/nginx/.htpasswd-posterg;
 
         # Rate limiting for admin
         limit_req zone=admin burst=5 nodelay;
 
-        # PHP handling
+        # Content-Security-Policy - Tighter policy for admin
+        add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
+
+        # Disable directory listing
+        autoindex off;
+
+        # PHP handling for admin (AdminAuth provides second layer)
         location ~ \.php$ {
             include snippets/fastcgi-php.conf;
-            fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
+            fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
+            
+            # Security parameters
+            fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
+            
+            # Timeouts
+            fastcgi_read_timeout 120;
+            fastcgi_send_timeout 120;
         }
 
-        # Additional security for admin
+        # Additional security headers for admin
         add_header X-Robots-Tag "noindex, nofollow" always;
+        
+        # Try to serve file, otherwise 404
+        try_files $uri $uri/ =404;
     }
 
     # Search endpoint - rate limiting
-    location /search.php {
+    location = /search.php {
         limit_req zone=search burst=10 nodelay;
         include snippets/fastcgi-php.conf;
-        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+        fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
     }
 
-    # Public PHP files
+    # PHP files handler (public pages)
     location ~ \.php$ {
+        # Rate limiting for general PHP requests
         limit_req zone=general burst=20 nodelay;
 
         include snippets/fastcgi-php.conf;
-        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+        fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
 
         # Security parameters
         fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
-        fastcgi_param PHP_ADMIN_VALUE "open_basedir=/var/www/html:/tmp";
-
+        
         # Timeouts
         fastcgi_read_timeout 120;
         fastcgi_send_timeout 120;
@@ -128,156 +176,20 @@ server {
         access_log off;
     }
 
-    # Root location
+    # PDF files (thesis documents)
+    location ~* \.pdf$ {
+        expires 7d;
+        add_header Cache-Control "public";
+        add_header Content-Disposition "inline";
+    }
+
+    # Root location - try files or 404
     location / {
         try_files $uri $uri/ =404;
     }
 
-    # Deny access to specific file types in data directories
-    location ~* /data/.*\.(php|sh|py)$ {
-        deny all;
-    }
-}
-
-# Server block - HTTPS (production)
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name posterg.erg.be www.posterg.erg.be;
-
-    root /var/www/html;
-    index index.php index.html;
-
-    # SSL certificates (Let's Encrypt)
-    # Run: certbot --nginx -d posterg.erg.be -d www.posterg.erg.be
-    ssl_certificate /etc/letsencrypt/live/posterg.erg.be/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/posterg.erg.be/privkey.pem;
-
-    # SSL configuration
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
-    ssl_prefer_server_ciphers off;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
-    ssl_stapling on;
-    ssl_stapling_verify on;
-
-    # Security headers (HTTPS)
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-XSS-Protection "1; mode=block" always;
-    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
-
-    # Disable server tokens
-    server_tokens off;
-
-    # Max upload size
-    client_max_body_size 100M;
-    client_body_timeout 120s;
-
-    # Logging
-    access_log /var/log/nginx/posterg_ssl_access.log;
-    error_log /var/log/nginx/posterg_ssl_error.log warn;
-
-    # Block common attack patterns
-    location ~ /\. {
-        deny all;
-        access_log off;
-        log_not_found off;
-    }
-
-    location ~ \.(git|env|db-journal)$ {
-        deny all;
-        access_log off;
-        log_not_found off;
-    }
-
-    # Deny access to sensitive files
-    location ~* \.(md|txt|sql|sh|json)$ {
-        deny all;
-    }
-
-    # Deny access to database files
-    location ~* \.db$ {
-        deny all;
-    }
-
-    # Deny access to shared/ directory
-    location /shared/ {
-        deny all;
-    }
-
-    # Deny access to tests directory
-    location /tests/ {
-        deny all;
-    }
-
-    # Deny access to cache directory
-    location /cache/ {
-        deny all;
-    }
-
-    # Admin panel - password protected
-    location /formulaire/ {
-        alias /var/www/html/formulaire/;
-
-        # HTTP Basic Authentication
-        auth_basic "Admin Access - Post-ERG";
-        auth_basic_user_file /etc/nginx/.htpasswd-posterg;
-
-        # Rate limiting
-        limit_req zone=admin burst=5 nodelay;
-
-        # PHP handling
-        location ~ \.php$ {
-            include snippets/fastcgi-php.conf;
-            fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
-            fastcgi_param SCRIPT_FILENAME $request_filename;
-        }
-
-        # Security headers
-        add_header X-Robots-Tag "noindex, nofollow" always;
-    }
-
-    # Search endpoint - rate limiting
-    location /search.php {
-        limit_req zone=search burst=10 nodelay;
-        include snippets/fastcgi-php.conf;
-        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
-    }
-
-    # Public PHP files
-    location ~ \.php$ {
-        limit_req zone=general burst=20 nodelay;
-
-        include snippets/fastcgi-php.conf;
-        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
-
-        # Security parameters
-        fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
-        fastcgi_param PHP_ADMIN_VALUE "open_basedir=/var/www/html:/tmp";
-
-        # Timeouts
-        fastcgi_read_timeout 120;
-        fastcgi_send_timeout 120;
-    }
-
-    # Static files caching
-    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|otf)$ {
-        expires 30d;
-        add_header Cache-Control "public, immutable";
-        access_log off;
-    }
-
-    # Root location
-    location / {
-        try_files $uri $uri/ =404;
-    }
-
-    # Deny access to script files in data directories
-    location ~* /data/.*\.(php|sh|py)$ {
+    # Deny access to .htaccess files
+    location ~ /\.ht {
         deny all;
     }
 }
diff --git a/nginx/posterg.conf.reference.old b/nginx/posterg.conf.reference.old
new file mode 100644
index 0000000..1a8a312
--- /dev/null
+++ b/nginx/posterg.conf.reference.old
@@ -0,0 +1,283 @@
+# Nginx configuration for Post-ERG thesis website
+# Place this in /etc/nginx/sites-available/posterg
+# Then symlink: ln -s /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/
+
+# Rate limiting zones
+limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
+limit_req_zone $binary_remote_addr zone=search:10m rate=30r/m;
+limit_req_zone $binary_remote_addr zone=admin:10m rate=10r/m;
+
+# Server block - HTTP (redirect to HTTPS in production)
+server {
+    listen 80;
+    listen [::]:80;
+    server_name posterg.erg.be www.posterg.erg.be;
+
+    # Redirect all HTTP to HTTPS (uncomment in production)
+    # return 301 https://$server_name$request_uri;
+
+    # For development/testing, allow HTTP
+    root /var/www/html;
+    index index.php index.html;
+
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+
+    # Disable server tokens
+    server_tokens off;
+
+    # Max upload size (for thesis files)
+    client_max_body_size 100M;
+    client_body_timeout 120s;
+
+    # Logging
+    access_log /var/log/nginx/posterg_access.log;
+    error_log /var/log/nginx/posterg_error.log warn;
+
+    # Block common attack patterns
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    location ~ \.(git|env|db-journal)$ {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    # Deny access to sensitive files
+    location ~* \.(md|txt|sql|sh|json)$ {
+        deny all;
+    }
+
+    # Deny access to database files
+    location ~* \.db$ {
+        deny all;
+    }
+
+    # Deny access to shared/ directory (PHP includes only)
+    location /shared/ {
+        deny all;
+    }
+
+    # Deny access to tests directory
+    location /tests/ {
+        deny all;
+    }
+
+    # Deny access to cache directory
+    location /cache/ {
+        deny all;
+    }
+
+    # Admin panel - password protected
+    location /formulaire/ {
+        alias /var/www/html/formulaire/;
+
+        # HTTP Basic Authentication
+        auth_basic "Admin Access - Post-ERG";
+        auth_basic_user_file /etc/nginx/.htpasswd-posterg;
+
+        # Rate limiting for admin
+        limit_req zone=admin burst=5 nodelay;
+
+        # PHP handling
+        location ~ \.php$ {
+            include snippets/fastcgi-php.conf;
+            fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+            fastcgi_param SCRIPT_FILENAME $request_filename;
+        }
+
+        # Additional security for admin
+        add_header X-Robots-Tag "noindex, nofollow" always;
+    }
+
+    # Search endpoint - rate limiting
+    location /search.php {
+        limit_req zone=search burst=10 nodelay;
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+    }
+
+    # Public PHP files
+    location ~ \.php$ {
+        limit_req zone=general burst=20 nodelay;
+
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+
+        # Security parameters
+        fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
+        fastcgi_param PHP_ADMIN_VALUE "open_basedir=/var/www/html:/tmp";
+
+        # Timeouts
+        fastcgi_read_timeout 120;
+        fastcgi_send_timeout 120;
+    }
+
+    # Static files caching
+    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|otf)$ {
+        expires 30d;
+        add_header Cache-Control "public, immutable";
+        access_log off;
+    }
+
+    # Root location
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    # Deny access to specific file types in data directories
+    location ~* /data/.*\.(php|sh|py)$ {
+        deny all;
+    }
+}
+
+# Server block - HTTPS (production)
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name posterg.erg.be www.posterg.erg.be;
+
+    root /var/www/html;
+    index index.php index.html;
+
+    # SSL certificates (Let's Encrypt)
+    # Run: certbot --nginx -d posterg.erg.be -d www.posterg.erg.be
+    ssl_certificate /etc/letsencrypt/live/posterg.erg.be/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/posterg.erg.be/privkey.pem;
+
+    # SSL configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    # Security headers (HTTPS)
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+
+    # Disable server tokens
+    server_tokens off;
+
+    # Max upload size
+    client_max_body_size 100M;
+    client_body_timeout 120s;
+
+    # Logging
+    access_log /var/log/nginx/posterg_ssl_access.log;
+    error_log /var/log/nginx/posterg_ssl_error.log warn;
+
+    # Block common attack patterns
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    location ~ \.(git|env|db-journal)$ {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    # Deny access to sensitive files
+    location ~* \.(md|txt|sql|sh|json)$ {
+        deny all;
+    }
+
+    # Deny access to database files
+    location ~* \.db$ {
+        deny all;
+    }
+
+    # Deny access to shared/ directory
+    location /shared/ {
+        deny all;
+    }
+
+    # Deny access to tests directory
+    location /tests/ {
+        deny all;
+    }
+
+    # Deny access to cache directory
+    location /cache/ {
+        deny all;
+    }
+
+    # Admin panel - password protected
+    location /formulaire/ {
+        alias /var/www/html/formulaire/;
+
+        # HTTP Basic Authentication
+        auth_basic "Admin Access - Post-ERG";
+        auth_basic_user_file /etc/nginx/.htpasswd-posterg;
+
+        # Rate limiting
+        limit_req zone=admin burst=5 nodelay;
+
+        # PHP handling
+        location ~ \.php$ {
+            include snippets/fastcgi-php.conf;
+            fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+            fastcgi_param SCRIPT_FILENAME $request_filename;
+        }
+
+        # Security headers
+        add_header X-Robots-Tag "noindex, nofollow" always;
+    }
+
+    # Search endpoint - rate limiting
+    location /search.php {
+        limit_req zone=search burst=10 nodelay;
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+    }
+
+    # Public PHP files
+    location ~ \.php$ {
+        limit_req zone=general burst=20 nodelay;
+
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+
+        # Security parameters
+        fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
+        fastcgi_param PHP_ADMIN_VALUE "open_basedir=/var/www/html:/tmp";
+
+        # Timeouts
+        fastcgi_read_timeout 120;
+        fastcgi_send_timeout 120;
+    }
+
+    # Static files caching
+    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|otf)$ {
+        expires 30d;
+        add_header Cache-Control "public, immutable";
+        access_log off;
+    }
+
+    # Root location
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    # Deny access to script files in data directories
+    location ~* /data/.*\.(php|sh|py)$ {
+        deny all;
+    }
+}