add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";

server {
    listen 80;
    server_name portal.egonetix.de;

    # Redirect all HTTP traffic to HTTPS
    return 301 https://$server_name$request_uri;
}

server {
    listen 10.0.0.29:443 ssl http2;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://api-inference.huggingface.co https://api.openai.com; script-src 'self' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data:;" always;

    # Remove or update unsupported origin trial features.
    # For example, comment out or remove these if not using them:
    # add_header Permissions-Policy "private-state-token-issuance=(), join-ad-interest-group=(), browsing-topics=()";

    # Content Security Policy to allow scripts, inline event handlers, styles, and fonts from trusted sources.

    ssl on;
    ssl_certificate     /etc/letsencrypt/live/portal.egonetix.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/portal.egonetix.de/privkey.pem;
    ssl_dhparam         /etc/ssl/certs/dhparam.pem;

    server_name portal.egonetix.de;
    access_log /var/log/nginx/portal-access_log;
    error_log  /var/log/nginx/portal-error_log;

    root /var/www/html;
    index index.html index.php;  # Added index.php as potential index file

    # PHP Processing Configuration - Updated for PHP 8.1
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        
        # Use PHP 8.1 socket (most common path on Ubuntu 22.04)
        fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
        
        # Alternative options if the above doesn't work:
        #fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        
        # Increase timeout and buffer size for troubleshooting
        fastcgi_connect_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_buffer_size 32k;
        fastcgi_buffers 16 16k;
        
        # Set the correct document root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
    }

    # Reverse proxy for KidsAI Explorer API calls
    location /api/ {
        proxy_pass http://127.0.0.1:3002/api/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        
        # Add CORS headers for API requests
        add_header Access-Control-Allow-Origin $http_origin always;
        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE" always;
        add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With" always;
        add_header Access-Control-Allow-Credentials true always;
        
        # Handle preflight requests
        if ($request_method = 'OPTIONS') {
            add_header Access-Control-Allow-Origin $http_origin;
            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE";
            add_header Access-Control-Allow-Headers "Accept, Authorization, Cache-Control, Content-Type, DNT, If-Modified-Since, Keep-Alive, Origin, User-Agent, X-Requested-With";
            add_header Access-Control-Allow-Credentials true;
            add_header Access-Control-Max-Age 1728000;
            add_header Content-Type 'text/plain charset=UTF-8';
            add_header Content-Length 0;
            return 204;
        }
    }
}