# Nginx configuration for XAMXAM thesis website (Production)
# Place this in /etc/nginx/sites-available/xamxam
# Then symlink: ln -s /etc/nginx/sites-available/xamxam /etc/nginx/sites-enabled/

# Rate limiting zones
limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=search:10m rate=30r/m;
# Admin: already protected by HTTP Basic Auth; rate limiting here only guards
# against brute-force on the auth layer, not normal browsing.
# Contenu.php triggers ~12 concurrent HTMX GETs on page load, so we need a
# generous burst. 300r/m = 5r/s sustained, burst=30 handles all fragments
# without dropping any, while still limiting brute-force attempts.
limit_req_zone $binary_remote_addr zone=admin:10m rate=300r/m;

# Main server block
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name xamxam.erg.be www.xamxam.erg.be;

    # Document root points to /public (only web-accessible files)
    # Deployed structure: /var/www/xamxam/
    #   /public      - Web root ← THIS DIRECTORY
    #     /admin     - Admin interface
    #     /assets    - CSS, fonts, icons
    #   /src         - PHP source classes (outside webroot)
    #   /storage     - SQLite databases (outside webroot)
    #   /templates   - PHP templates (outside webroot)
    #   /tests       - Test suites (outside webroot)
    #   /bootstrap.php - Application entry point
    #   /router.php    - Dev server URL rewriter
    root /var/www/xamxam/public;

    # Add index.php to the list
    index index.php index.html index.htm;

    # Security headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    add_header Cross-Origin-Resource-Policy "same-origin" always;

    # Server tokens already disabled in nginx.conf
    # server_tokens off;

    # Max upload size (for thesis files — can include video)
    client_max_body_size 1024M;
    client_body_timeout 300s;

    # Logging
    access_log /var/log/nginx/xamxam_access.log;
    error_log /var/log/nginx/xamxam_error.log warn;

    # Block access to hidden files (except .well-known for Let's Encrypt)
    location ~ /\.(?!well-known).* {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny access to sensitive files and extensions
    location ~* \.(md|txt|sql|sh|json|gitignore|git|env|db-journal)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny access to SQLite database files
    location ~* \.db$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny access to log files
    location ~* \.log$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny access to directories outside webroot (defense-in-depth)
    # These paths shouldn't be accessible anyway since they're outside /public
    # but we deny explicitly for additional security
    location ^~ /storage/ {
        deny all;
    }

    location ^~ /src/ {
        deny all;
    }

    location ^~ /templates/ {
        deny all;
    }

    location ^~ /config/ {
        deny all;
    }

    location ^~ /tests/ {
        deny all;
    }

    location ^~ /scripts/ {
        deny all;
    }

    location ^~ /docs/ {
        deny all;
    }

    # Admin panel - password protected
    location ^~ /admin/ {
        # HTTP Basic Authentication (first layer)
        auth_basic "Admin Access - XAMXAM";
        auth_basic_user_file /etc/nginx/.htpasswd-xamxam;

        # Rate limiting for admin
        # 300r/m rate + burst=30 allows all concurrent HTMX fragments (up to ~12
        # on contenus.php) while still capping brute-force at 5 req/s sustained.
        limit_req zone=admin burst=30 nodelay;

        # Content-Security-Policy - Admin policy
        # script-src needs 'unsafe-inline' for the OverType editor init block
        # and the live-reload poller (dev only). Admin is already auth-gated.
        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;

        # Disable directory listing
        autoindex off;

        # PHP handling for admin (AdminAuth provides second layer)
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;

            # Security parameters (must be <= client_max_body_size)
            fastcgi_param PHP_VALUE "upload_max_filesize=1024M \n post_max_size=1024M";

            # Timeouts
            fastcgi_read_timeout 300;
            fastcgi_send_timeout 300;
        }

        # Additional security headers for admin
        add_header X-Robots-Tag "noindex, nofollow" always;

        # Try to serve file, otherwise 404
        try_files $uri $uri/ =404;
    }

    # Share-link (partage) — handled by front controller
    location /partage/ {
        try_files $uri /index.php$is_args$args;
    }

    # /media — served by front controller (MediaController validates + streams)
    location = /media {
        try_files $uri /index.php$is_args$args;
    }

    # /live-reload — served by front controller
    location = /live-reload {
        try_files $uri /index.php$is_args$args;
    }

    # Maintenance page
    location = /maintenance {
        try_files $uri /index.php$is_args$args;
    }

    # Front controller — all PHP requests routed through index.php
    location = /index.php {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;

        # Security parameters (must be <= client_max_body_size)
        fastcgi_param PHP_VALUE "upload_max_filesize=1024M \n post_max_size=1024M";

        # Timeouts
        fastcgi_read_timeout 300;
        fastcgi_send_timeout 300;
    }

    # All other clean URLs — fall through to front controller
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Block all other direct PHP access (security)
    location ~ \.php$ {
        deny all;
    }

    # Static files caching
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|otf)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";
        access_log off;
    }

    # PDF files (thesis documents)
    location ~* \.pdf$ {
        expires 7d;
        add_header Cache-Control "public";
        add_header Content-Disposition "inline";
    }

    # Silence favicon.ico 404s
    location = /favicon.ico {
        return 204;
        access_log off;
        log_not_found off;
    }

    # Deny access to .htaccess files
    location ~ /\.ht {
        deny all;
    }
}