From 3c46706db67b6861e0830bf1c8374e2262c5186c Mon Sep 17 00:00:00 2001
From: Elijah Duffy
Date: Sun, 7 Dec 2025 23:15:50 -0800
Subject: [PATCH] add nginx.conf file removed in 82cdc6a2ad70ef0dd6fe09d4628b7cd33c289990
---
 nginx/nginx.conf | 69 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 nginx/nginx.conf
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 0000000..06e4610
--- /dev/null
+++ b/nginx/nginx.conf
@@ -0,0 +1,69 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name _;
+ root /var/www/html;
+ index index.php index.html index.htm;
+
+ # Basic security headers (can be extended per-site)
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "no-referrer-when-downgrade" always;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+ # Deny access to hidden files and directories
+ location ~ (^|/)[.] {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
+
+ # Static files: long cache, immutable where appropriate
+ location ~* \.(?:css|js|gif|jpe?g|png|ico|svg|woff2?|ttf|eot)$ {
+ try_files $uri =404;
+ access_log off;
+ expires 30d;
+ add_header Cache-Control "public, max-age=2592000, immutable";
+ }
+
+ location = /favicon.ico { access_log off; log_not_found off; }
+ location = /robots.txt { access_log off; log_not_found off; allow all; }
+
+ # Main front controller; fall back to index.php
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+
+ # PHP-FPM handling; pass to php-fpm:9000 (docker service name)
+ location ~ [^/]
+ \.php(/|$) {
+ # Prevent direct access to PHP files in uploads or other writable dirs if necessary
+ try_files $document_root$fastcgi_script_name =404;
+
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ # Use TCP FPM backend service name. Matches the php-fpm image we built.
+ fastcgi_pass php-fpm:9000;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param HTTPS $https if_not_empty;
+ fastcgi_read_timeout 300;
+ }
+
+ # Block access to .ht* files
+ location ~* /\.(?:ht|git) {
+ deny all;
+ }
+
+ # Optional: small buffer for large headers (WordPress with many cookies/plugins)
+ fastcgi_buffers 16 16k;
+ fastcgi_buffer_size 32k;
+
+ # Prevent clickjacking on all responses
+ add_header X-Frame-Options "SAMEORIGIN";
+}
+
+# Default server; allow override by mounting /etc/nginx/conf.d/default.conf
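Review bot: The PHP handler's `location` pattern in the middle of the hunk appears to be split across two added lines (`location ~ [^/]` followed by `\.php(/|$) {`), which is the only way the +69 count in the hunk header adds up; nginx tokenises directives on whitespace, so this parses as a `location` with three arguments and the whole file is rejected at load, meaning none of the security headers or deny rules below ever take effect. It should be the single line `location ~ [^/]\.php(/|$) {`. Inside that block, `try_files $document_root$fastcgi_script_name =404;` is mapped through `root` like every try_files argument, so it presumably looks for the script under `/var/www/html/var/www/html/...` and 404s every PHP request; the usual form is `try_files $fastcgi_script_name =404;`. Separately, `add_header` directives are not inherited into a location that defines its own `add_header`, so the X-Frame-Options, nosniff, Referrer-Policy and HSTS headers set at server level are dropped on every response from the static-files location that adds `Cache-Control`; repeat them there or move them into an `include`d snippet used at both levels. Note also that browsers only honour Strict-Transport-Security on a TLS response, so on this port-80-only server block it is effective only if a TLS terminator in front forwards the header unchanged.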