add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";

server {
    listen 80;
    server_name portal.egonetix.de;

    # Redirect all HTTP traffic to HTTPS
    return 301 https://$server_name$request_uri;
}

server {
    listen 10.0.0.29:443 ssl http2;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; script-src 'self' https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com;" always;

    # Remove or update unsupported origin trial features.
    # For example, comment out or remove these if not using them:
    # add_header Permissions-Policy "private-state-token-issuance=(), join-ad-interest-group=(), browsing-topics=()";

    # Content Security Policy to allow scripts, inline event handlers, styles, and fonts from trusted sources.

    ssl on;
    ssl_certificate     /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem;
    ssl_dhparam         /etc/ssl/certs/dhparam.pem;

    server_name portal.egonetix.de;
    access_log /var/log/nginx/portal-access_log;
    error_log  /var/log/nginx/portal-error_log;

    root /var/www/html;
    index index.html index.php;  # Added index.php as potential index file

    # PHP Processing Configuration - Updated for PHP 8.1
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        
        # Use PHP 8.1 socket (most common path on Ubuntu 22.04)
        fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
        
        # Alternative options if the above doesn't work:
        #fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        
        # Increase timeout and buffer size for troubleshooting
        fastcgi_connect_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_buffer_size 32k;
        fastcgi_buffers 16 16k;
        
        # Set the correct document root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
    }

    # Reverse proxy for API calls.
    # If your backend expects the API without the "/api" prefix, use the proxy_pass below.
    location /api/ {
        proxy_pass http://127.0.0.1:3000;
        # If your backend requires the /api prefix, change to:
        # proxy_pass http://127.0.0.1:3000/api/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}