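# HTTP to HTTPS redirect
server {
    listen *:80;
    listen [::]:80;
    server_name ktrix;

    # The target is built from $server_name (the configured name), not from
    # the client-supplied Host header, so the request cannot steer the
    # Location header to another host.
    return 301 https://$server_name$request_uri;
}

# Main HTTPS site: static files are served from the public root, every other
# URL goes to the PHP front controller through the "fpm" upstream, which is
# not defined in this file.
server {
    listen *:443 ssl http2;
    listen [::]:443 ssl http2;
    #listen *:443 quic reuseport;
    #listen [::]:443 quic reuseport;
    #http2 on;
    server_name ktrix;

    ### SSL Configuration ###

    # SSL Certificates
    # NOTE(review): the file names suggest a localhost / self-signed pair;
    # confirm which certificate is really deployed here. The private key
    # should be readable by root only.
    ssl_certificate /etc/ssl/certs/localhost.crt;
    ssl_certificate_key /etc/ssl/private/localhost.key;

    # SSL Protocols and Ciphers
    # Only TLS 1.2 and 1.3 are offered, and every listed TLS 1.2 suite is an
    # AEAD suite with (EC)DHE key exchange, i.e. forward secrecy.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # Only the two DHE-RSA suites above use these parameters. Generate with:
    #   openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # SSL Sessions
    # Resumption uses the shared server-side cache only; session tickets are
    # disabled, so no ticket key has to be managed or rotated.
    ssl_session_timeout 60m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # NOTE(review): no Strict-Transport-Security header is set in this block.
    # The port-80 redirect alone does not protect a client's first plain-HTTP
    # request. If HSTS is added with add_header at server level, repeat it in
    # the asset location below: a location that declares its own add_header
    # does not inherit the ones from the enclosing level.

    ### Logging Configuration ###
    error_log /var/log/nginx/ktrix-error.log;
    access_log /var/log/nginx/ktrix-access.log;

    ### Upload Configuration ###
    # Applies to every location in this server, so any URL accepts a body of
    # up to 1 GiB before the application sees it.
    # NOTE(review): consider scoping this to the upload endpoint and check
    # that the PHP-side limits (upload_max_filesize, post_max_size) agree.
    client_max_body_size 1024M;

    ### Site Configuration ###
    root /var/www/ktrix/main/public;
    index index.html;

    # Serve index.html for root path only
    location = / {
        try_files /index.html =404;
    }

    # Handle asset files (css, js, images, etc.) - serve directly if they exist
    # NOTE(review): "map" is in the list, so source maps are publicly
    # readable if they are deployed. "immutable" with a one-year lifetime
    # presumably relies on content-hashed file names - confirm.
    location ~* \.(css|js|svg|gif|png|jpg|jpeg|ico|woff|woff2|ttf|eot|map)$ {
        try_files $uri =404;
        expires 1y;
        add_header Cache-Control "public, immutable";
    }

    # All other URLs should be handled by index.php
    # try_files serves any file that exists under the public root as-is
    # before falling back to PHP, so anything placed there is downloadable
    # unless a regex location matches first (dotfiles, backups and
    # non-".php" script extensions included).
    location / {
        try_files $uri @php;
    }

    # Named location for PHP handling
    location @php {
        include fastcgi_params;

        # The script is pinned to the front controller: the request path
        # never selects which PHP file FPM executes.
        fastcgi_param SCRIPT_FILENAME $realpath_root/index.php;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_param SCRIPT_NAME /index.php;

        # $uri is the normalized, decoded path, not the raw request line.
        # $is_args is "?" only when a query string is present, which avoids
        # a dangling "?" on requests without arguments.
        # NOTE(review): the included fastcgi_params presumably sets
        # REQUEST_URI as well; verify which value PHP ends up with.
        fastcgi_param REQUEST_URI $uri$is_args$args;
        fastcgi_pass fpm;
    }

    # return 404 for all other php files not matching the front controller
    # this prevents access to other php files you don't want to be accessible.
    # Regex locations are checked before the "/" prefix location, so a URI
    # ending in ".php" never reaches try_files. The match is case-sensitive
    # and anchored at the end of the URI.
    location ~ \.php$ {
        return 404;
    }

    # Optional: Gzip compression
    # NOTE(review): application/json is in the list, so PHP responses are
    # compressed too. Compressing a TLS response that carries a secret next
    # to request-controlled data is the precondition for BREACH-style length
    # side channels; confirm that no such response exists or limit gzip to
    # static types.
    gzip on;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
}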