# Host UK Nginx Configuration
# Proxies PHP to the app (FPM) container, serves static files directly

server {
    listen 80;
    server_name _;

    root /app/public;
    index index.php;

    charset utf-8;

    # Security headers
    include /etc/nginx/snippets/security-headers.conf;

    # Health check endpoint (no logging)
    location = /health {
        access_log off;
        try_files $uri /index.php?$query_string;
    }

    # Static file caching
    location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|webp|avif)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        access_log off;
        try_files $uri =404;
    }

    # Laravel application
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # PHP-FPM upstream
    location ~ \.php$ {
        fastcgi_pass app:9000;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;

        fastcgi_hide_header X-Powered-By;
        fastcgi_buffer_size 32k;
        fastcgi_buffers 16 16k;
        fastcgi_read_timeout 300;

        # Pass real client IP from LB proxy protocol
        fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
    }

    # Block dotfiles (except .well-known)
    location ~ /\.(?!well-known) {
        deny all;
    }

    # Block access to sensitive files
    location ~* \.(env|log|yaml|yml|toml|lock|bak|sql)$ {
        deny all;
    }
}