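# Streams nginx configuration
#
# originally by Olaf Conradi
# with later contributions by Thomas Willingham, Harald Eilertsen and elmussol,
# refactored by elmussol.
#
# preamble
#
# This config was constructed and tested to work on Debian Bookworm 12,
# PHP8.3 (from the Sury repo), and nginx 1.22.
#
# On Debian based distributions you can add this file to:
#
#   /etc/nginx/sites-available
#
# then customize to your needs. To enable the configuration
# symlink it to /etc/nginx/sites-enabled and reload Nginx using:
#
#   service nginx reload
#
# This configuration assumes:
#   Your domain is example.net
#   You have a separate subdomain streams.example.net
#   You want all Streams traffic to be https
#   You have an SSL certificate and key for your subdomain
#     (in this example using LetsEncrypt)
#   You have PHP FastCGI Process Manager (php8.3-fpm) running as a unix:socket
#   You have Streams installed in /var/www/streams/
#
# NOTE: both server blocks below set root to /var/www/streams.example.net,
# which differs from the install path named above. Point root at the
# directory where Streams is actually installed.
##

# Send http to https.
server {
    listen 80;
    listen [::]:80;
    server_name streams.example.net;

    root /var/www/streams.example.net;
    index index.php;

    if ($host = streams.example.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # Anything that gets past the redirect carried a different Host header
    # (possible when this block is the default server for port 80). This
    # block has no PHP handler, so without the line below such a request
    # would be answered from root as plain static files over http, PHP
    # files included. Refuse it instead.
    return 404;
}

# SSL config.
server {
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    server_name streams.example.net;

    root /var/www/streams.example.net;
    index index.php;

    ssl_certificate /etc/letsencrypt/live/streams.example.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/streams.example.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    access_log /var/log/nginx/streams.log;

    # Uncomment the following line to include a standard configuration file.
    # Note that the most specific rule wins and your standard configuration
    # will therefore *add* to this file, but not override it.
    #
    # include standard.conf;

    # Allow uploads up to 20MB in size.
    client_max_body_size 20m;
    client_body_buffer_size 128k;

    include mime.types;

    # Rewrite to front controller as default rule.
    location / {
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php?req=$1;
        }
    }

    # Make sure webfinger and other well-known services aren't blocked
    # by denying dot files and rewrite request to the front controller.
    # The ^~ modifier stops nginx from consulting the regex locations below
    # for this prefix, so the dot-file deny rule never applies here.
    location ^~ /.well-known/ {
        allow all;
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php?req=$1;
        }
    }

    # ORDER MATTERS from here on: nginx tests regex locations in the order
    # they appear in the file and uses the first one that matches. The deny
    # rules therefore come before the PHP handler; placed after it, a path
    # ending in .php under /store, /util or a dot directory would be handed
    # to PHP-FPM instead of being refused.

    # Block these file types.
    location ~* \.(tpl|tgz|log|out)$ {
        deny all;
    }

    # Block dot files.
    location ~ /\. {
        deny all;
    }

    # Deny access to store.
    # The pattern is unanchored: it matches "/store" anywhere in the path.
    location ~ /store {
        deny all;
    }

    # Deny access to util.
    # The pattern is unanchored: it matches "/util" anywhere in the path.
    location ~ /util {
        deny all;
    }

    # Tell where fastcgi lives.
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
        include fastcgi_params;
        # NOTE(review): the contents of this snippet are not shown here. If
        # it already sets fastcgi_split_path_info and pulls in the FastCGI
        # parameters, the matching lines above are redundant - confirm
        # against the snippet installed on your system.
        include snippets/fastcgi-php.conf;
    }
}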