nginx: fix conf file errors

nginx/nginx.conf

@@ -2,68 +2,67 @@ server {
     listen 80;
     listen [::]:80;
 
+    # Set the server name to a catch all since this will be behind
+    # a reverse proxy or load balancer in most cases.
     server_name _;
-    root /var/www/html;
-    index index.php index.html index.htm;
 
-    # Basic security headers (can be extended per-site)
+    root /var/www/html;
+    index index.php;
+
+    # Security Headers
+    # These provide a strong baseline against common web vulnerabilities.
     add_header X-Frame-Options "SAMEORIGIN" always;
     add_header X-Content-Type-Options "nosniff" always;
     add_header X-XSS-Protection "1; mode=block" always;
-    add_header Referrer-Policy "no-referrer-when-downgrade" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 
-    # Deny access to hidden files and directories
+    # Deny access to any files starting with a dot.
-    location ~ (^|/)[.] {
+    location ~ /\. {
         deny all;
-        access_log off;
-        log_not_found off;
     }
 
-    # Static files: long cache, immutable where appropriate
+    # Deny access to specific sensitive file types.
+    location ~* \.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])$ {
+        deny all;
+    }
+
+    # Cache static assets for a long time.
+    # The 'immutable' directive is great for versioned assets.
     location ~* \.(?:css|js|gif|jpe?g|png|ico|svg|woff2?|ttf|eot)$ {
         try_files $uri =404;
         access_log off;
         expires 30d;
-        add_header Cache-Control "public, max-age=2592000, immutable";
+        add_header Cache-Control "public, immutable";
     }
 
+    # Handle favicon and robots.txt without logging.
     location = /favicon.ico { access_log off; log_not_found off; }
-    location = /robots.txt  { access_log off; log_not_found off; allow all; }
+    location = /robots.txt  { access_log off; log_not_found off; }
 
-    # Main front controller; fall back to index.php
+    # Main WordPress front-controller.
+    # All non-file requests fall through to index.php.
     location / {
-        try_files $uri $uri/ /index.php$is_args$args;
+        try_files $uri $uri/ /index.php?$args;
     }
 
-    # PHP-FPM handling; pass to php-fpm:9000 (docker service name)
+    # Pass PHP scripts to the PHP-FPM container.
-    location ~ [^/]
+    location ~ \.php$ {
-    \.php(/|$) {
+        try_files $uri =404;
-        # Prevent direct access to PHP files in uploads or other writable dirs if necessary
-        try_files $document_root$fastcgi_script_name =404;
-
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
-        # Use TCP FPM backend service name. Matches the php-fpm image we built.
+
+        # Use the service name of your PHP-FPM container.
         fastcgi_pass php-fpm:9000;
         fastcgi_index index.php;
         include fastcgi_params;
+
+        # Set required CGI parameters.
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         fastcgi_param PATH_INFO $fastcgi_path_info;
         fastcgi_param HTTPS $https if_not_empty;
+
+        # Optimize buffers for potentially large WordPress headers.
+        fastcgi_buffers 16 16k;
+        fastcgi_buffer_size 32k;
         fastcgi_read_timeout 300;
     }
-
-    # Block access to .ht* files
-    location ~* /\.(?:ht|git) {
-        deny all;
-    }
-
-    # Optional: small buffer for large headers (WordPress with many cookies/plugins)
-    fastcgi_buffers 16 16k;
-    fastcgi_buffer_size 32k;
-
-    # Prevent clickjacking on all responses
-    add_header X-Frame-Options "SAMEORIGIN";
 }
-
-# Default server; allow override by mounting /etc/nginx/conf.d/default.conf