# Nginx configuration for Post-ERG thesis website (Production)
# Based on existing default config with security enhancements
# Place this in /etc/nginx/sites-available/posterg

# Rate limiting zones
limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=search:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=admin:10m rate=10r/m;

# Main server block
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    
    server_name posterg.erg.be www.posterg.erg.be;

    root /var/www/posterg/public;
    
    # Add index.php to the list
    index index.php index.html index.htm;

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # X-XSS-Protection intentionally omitted — deprecated and counterproductive in modern browsers.
    # CSP (Content-Security-Policy) is the correct mitigation (see item #11).
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

    # Server tokens already disabled in nginx.conf
    # server_tokens off;

    # Max upload size (for thesis files)
    client_max_body_size 100M;
    client_body_timeout 120s;

    # Logging
    access_log /var/log/nginx/posterg_access.log;
    error_log /var/log/nginx/posterg_error.log warn;

    # Block access to hidden files (except .well-known for Let's Encrypt)
    location ~ /\.(?!well-known).* {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny access to sensitive files
    location ~* \.(md|txt|sql|sh|json|gitignore)$ {
        deny all;
    }

    # Deny access to database directory
    location ^~ /database/ {
        deny all;
    }

    # Deny access to shared/ directory (PHP includes only)
    location ^~ /shared/ {
        deny all;
    }

    # Deny access to data directory  
    location ^~ /data/ {
        deny all;
    }

    # Admin panel - password protected
    location ^~ /admin/ {
        # HTTP Basic Authentication
        auth_basic "Admin Access - Post-ERG";
        auth_basic_user_file /etc/nginx/.htpasswd-posterg;

        # Rate limiting for admin
        limit_req zone=admin burst=5 nodelay;

        # Content-Security-Policy — ported from public/admin/.htaccess which nginx ignores (item #6).
        # Tighter policy for admin: no external sources, no object embedding.
        add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;

        # Disable directory listing (nginx default is off; explicit for defence-in-depth, item #6)
        autoindex off;

        # Allow access to public assets without authentication
        location ~ ^/admin/(css|js|images)/ {
            auth_basic off;
        }

        # PHP handling for admin
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
        }

        # Additional security headers for admin
        add_header X-Robots-Tag "noindex, nofollow" always;
        
        # Try to serve file, otherwise 404
        try_files $uri $uri/ =404;
    }

    # Search endpoint - rate limiting
    location = /search.php {
        limit_req zone=search burst=10 nodelay;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
    }

    # PHP files handler
    location ~ \.php$ {
        # Rate limiting for general PHP requests
        limit_req zone=general burst=20 nodelay;

        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;

        # Security parameters
        fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
        
        # Timeouts
        fastcgi_read_timeout 120;
        fastcgi_send_timeout 120;
    }

    # Static files caching
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|otf)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";
        access_log off;
    }

    # PDF files (thesis documents)
    location ~* \.pdf$ {
        expires 7d;
        add_header Cache-Control "public";
        add_header Content-Disposition "inline";
    }

    # Root location - try files or 404
    location / {
        try_files $uri $uri/ =404;
    }

    # Deny access to log files — public/admin/.htaccess had this rule but Apache
    # .htaccess directives are silently ignored by nginx (item #6).
    location ~* \.log$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny access to .htaccess files (if Apache's document root concurs with nginx's)
    location ~ /\.ht {
        deny all;
    }
}