# Plain-HTTP listener: its only job is to send every request to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name adsneo.click www.adsneo.click;
    # $server_name expands to the first configured name (adsneo.click), so
    # www.* requests are canonicalised onto the apex host. Using $server_name
    # rather than $host also means a client-supplied Host header is never
    # reflected into the redirect target.
    return 301 https://$server_name$request_uri;
}

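# HTTPS vhost for the PHP application rooted at /var/www/adsneo/public.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name adsneo.click www.adsneo.click;

    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;

    # SSL - obtain certs via: certbot --nginx -d adsneo.click -d www.adsneo.click
    ssl_certificate     /etc/letsencrypt/live/adsneo.click/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/adsneo.click/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    root /var/www/adsneo/public;
    index index.php;

    # Security headers.
    # NOTE: add_header is not additive across levels. Any location that declares
    # its own add_header silently drops every header set here, so a location
    # that needs add_header of its own (see the static-asset block) must repeat
    # this list in full.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # "0" turns the legacy browser XSS auditor off. "1; mode=block" is deprecated
    # and the auditor itself has been a source of cross-site information leaks.
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Block sensitive directories (application code, config, cron, storage).
    # Regex locations are tried in order, so this must stay ahead of the PHP
    # handler: /app/x.php is denied here instead of being executed.
    location ~* ^/(app|core|config|cron|storage)/ {
        deny all;
    }

    # Block dot files (.env, .git, .htaccess, ...) while keeping /.well-known/
    # reachable for ACME http-01 challenges and security.txt.
    location ~ /\.(?!well-known/) {
        deny all;
    }

    # Main routing
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Never hand uploaded files to PHP-FPM. Without this rule a request for
    # /uploads/anything.php matches the PHP location below (regex locations
    # take precedence over the /uploads/ prefix location) and would execute
    # user-supplied content. Must precede the PHP location.
    location ~* ^/uploads/.*\.php$ {
        deny all;
    }

    # PHP-FPM
    location ~ \.php$ {
        # Only execute scripts that actually exist on disk. Guards against PHP's
        # cgi.fix_pathinfo resolving /image.jpg/x.php back to image.jpg.
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
        # httpoxy mitigation: a client-sent "Proxy:" header would otherwise be
        # exported to the script as HTTP_PROXY.
        fastcgi_param HTTP_PROXY "";
        # Hide the PHP version from responses.
        fastcgi_hide_header X-Powered-By;
        fastcgi_read_timeout 60;
    }

    # Static assets caching
    location ~* \.(css|js|png|jpg|jpeg|gif|webp|svg|ico|woff2?)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";
        # Repeated on purpose: the add_header above discards the server-level
        # security headers for this location (see note at the top).
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "0" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }

    # Upload directory. The alias resolves to the same path as root + /uploads/.
    # Files with an extension listed in the static-asset regex above are matched
    # there first, so the 7d expiry here only applies to other file types.
    location /uploads/ {
        alias /var/www/adsneo/public/uploads/;
        expires 7d;
    }

    # Logging
    access_log /var/log/nginx/adsneo_access.log;
    error_log  /var/log/nginx/adsneo_error.log;

    # File upload limits
    client_max_body_size 10M;
}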
