# ============================================
# Epicnabbo.nl — Max Performance Nginx Config
# ============================================

# Upstream: Roadrunner (Octane)
upstream octane {
    server 127.0.0.1:8000;
    keepalive 64;
}

# Redirect HTTP → HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name epicnabbo.nl www.epicnabbo.nl;

    # Cloudflare flexible SSL passthrough
    # If using Cloudflare Full SSL, uncomment the 443 block below

    location /.well-known/acme-challenge/ {
        root /var/www/atomcms/public;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Main HTTPS server
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name epicnabbo.nl www.epicnabbo.nl;

    # SSL
    ssl_certificate /etc/ssl/certs/epicnabbo.nl.crt;
    ssl_certificate_key /etc/ssl/private/epicnabbo.nl.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Root
    root /var/www/atomcms/public;
    index index.php;

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Hide Nginx version
    server_tokens off;

    # Client limits
    client_max_body_size 20m;
    client_body_timeout 30s;
    client_header_timeout 10s;
    keepalive_timeout 15s;
    send_timeout 10s;

    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_min_length 256;
    gzip_types
        text/plain
        text/css
        text/javascript
        application/json
        application/javascript
        application/x-javascript
        application/xml
        application/xml+rss
        application/atom+xml
        image/svg+xml
        font/opentype
        font/ttf
        font/woff
        font/woff2;

    # Brotli compression (if module installed)
    # brotli on;
    # brotli_comp_level 6;
    # brotli_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;

    # ============================================
    # STATIC ASSETS — Aggressive caching
    # ============================================

    # Versioned assets (immutable — cache 1 year)
    location ~* \.(css|js)\.(.+)\.(css|js)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        access_log off;
        try_files $uri =404;
    }

    # Images, fonts, icons — cache 1 year
    location ~* \.(jpg|jpeg|png|gif|ico|svg|webp|avif|woff|woff2|ttf|otf|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        access_log off;
        try_files $uri =404;
    }

    # Gamedata / Habbo assets (symlinked)
    location /gamedata/ {
        expires 7d;
        add_header Cache-Control "public";
        access_log off;
        try_files $uri =404;
    }

    # Storage files (avatars, badges, photos)
    location /storage/ {
        expires 30d;
        add_header Cache-Control "public";
        access_log off;
        try_files $uri =404;
    }

    # ============================================
    # SECURITY — Block sensitive paths
    # ============================================

    # Block dotfiles (.env, .git, etc.)
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Block composer/vendor
    location ~ /vendor/ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Block storage (except public)
    location ~ ^/storage/logs/ {
        deny all;
    }

    # Block database files
    location ~ \.(sql|sqlite|sqlite3)$ {
        deny all;
    }

    # ============================================
    # HEALTH CHECK
    # ============================================

    location /health {
        access_log off;
        return 200 "OK";
        add_header Content-Type text/plain;
    }

    # ============================================
    # FAVICON & ROBOTS
    # ============================================

    location = /favicon.ico {
        expires 1y;
        access_log off;
        log_not_found off;
        try_files $uri =404;
    }

    location = /robots.txt {
        expires 1d;
        access_log off;
        log_not_found off;
        try_files $uri =404;
    }

    # ============================================
    # MAIN — Proxy to Octane (Roadrunner)
    # ============================================

    location / {
        # Proxy to Octane
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;

        # Cloudflare real IP
        proxy_set_header CF-Connecting-IP $http_cf_connecting_ip;

        # Timeouts
        proxy_connect_timeout 10s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;

        # Buffering
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;

        # Pass to Octane upstream
        proxy_pass http://octane;

        # No caching for dynamic content
        add_header Cache-Control "no-cache, no-store, must-revalidate";
        add_header Pragma "no-cache";
        add_header Expires "0";

        # Security headers (repeated for proxy responses)
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
    }

    # ============================================
    # WEBSOCKETS (for game rooms, radio, etc.)
    # ============================================

    location /ws {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;

        proxy_pass http://octane;
    }

    # ============================================
    # FALLBACK — PHP-FPM (if Octane is down)
    # ============================================
    # Uncomment this block and comment out the Octane
    # proxy above if you need to fall back to PHP-FPM.
    #
    # location ~ \.php$ {
    #     fastcgi_pass unix:/run/php/php8.5-fpm.sock;
    #     fastcgi_index index.php;
    #     fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    #     include fastcgi_params;
    #
    #     fastcgi_buffer_size 128k;
    #     fastcgi_buffers 4 256k;
    #     fastcgi_busy_buffers_size 256k;
    #
    #     fastcgi_read_timeout 60s;
    # }
}