# Main (process-level) context.
# One worker per available CPU core.
worker_processes auto;
# Errors at "warn" and above go to stderr rather than a log file, so whatever
# supervises the process collects them (presumably a container runtime; confirm).
error_log /dev/stderr warn;
# The master process must be able to write its PID file here.
pid /run/nginx.pid;

events {
    # Upper bound on simultaneous connections per worker. This counts the
    # connections nginx opens to the FastCGI backend as well as client
    # connections, so the effective client ceiling is lower than 1024 per worker.
    worker_connections 1024;
}

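http {
    include            /etc/nginx/mime.types;
    # Files with no entry in mime.types (this includes .php) are sent as an
    # opaque download rather than rendered by the browser.
    default_type       application/octet-stream;
    sendfile           on;
    tcp_nopush         on;
    keepalive_timeout  65;
    # Keep the nginx version out of the Server header and built-in error pages.
    server_tokens      off;
    # Requests with a larger body are rejected by nginx with 413 before they
    # reach PHP. PHP's own upload/post limits are configured separately;
    # confirm they agree with this value.
    client_max_body_size 16m;

    # Structured access log. escape=json escapes quotes, backslashes and control
    # characters in client-controlled fields (URI, User-Agent), so a request
    # cannot break the JSON framing or forge extra log fields.
    # NOTE(review): $request_uri includes the query string, so any token or
    # secret passed as a query parameter is written to the log.
    # NOTE(review): $remote_addr is the direct peer. If this server sits behind
    # a load balancer or proxy, every entry shows the proxy address unless the
    # real client IP is restored from a trusted header; confirm the deployment.
    log_format json escape=json '{"time":"$time_iso8601","remote":"$remote_addr","method":"$request_method","uri":"$request_uri","status":$status,"bytes":$body_bytes_sent,"rt":$request_time,"ua":"$http_user_agent"}';
    access_log /dev/stdout json;

    # Response compression. text/html is always compressed when gzip is on, in
    # addition to the types listed in gzip_types.
    # NOTE(review): compressing TLS responses that carry a secret (for example a
    # CSRF token) alongside attacker-influenced reflected input is the
    # precondition for BREACH-style compression side channels; confirm the
    # application does not return such pages, or masks the secret per response.
    gzip               on;
    gzip_vary          on;
    gzip_proxied       any;
    gzip_comp_level    5;
    gzip_min_length    1024;
    gzip_types         text/plain application/json application/javascript text/css application/xml text/xml;

    server {
        # __PORT__ is not valid nginx syntax; it is presumably substituted with
        # the real port by a startup script before nginx loads this file.
        listen      __PORT__ default_server;
        listen      [::]:__PORT__ default_server;
        # Catch-all: as default_server this block answers any Host header.
        server_name _;
        # Only the public/ directory is web-reachable; application code,
        # configuration and .env files above it are outside the document root.
        root        /var/www/html/public;
        index       index.php;

        # Security headers (Laravel adds more via SecurityHeaders middleware).
        # Static files served directly by nginx never pass through that
        # middleware, so they receive only the three headers below.
        # add_header is inherited by a location only while that location
        # declares no add_header of its own; adding one inside a location block
        # silently drops all three for that location unless they are repeated.
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "DENY" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;

        # Serve an existing file or directory, otherwise hand the request to
        # the front controller with the original query string.
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }

        # Front controller: the only path that is passed to PHP-FPM.
        location ~ ^/index\.php(/|$) {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO       $fastcgi_path_info;
            fastcgi_read_timeout 60;
            # Reachable only through internal redirects (the try_files fallback
            # and the index directive); a client requesting /index.php directly
            # receives 404.
            internal;
        }

        # Block dotfiles and dot-directories (.env, .git, .htaccess, ...) while
        # leaving /.well-known/ reachable.
        location ~ /\.(?!well-known).* {
            deny all;
        }

        # Any other .php file under the document root would fall through to
        # "location /" and be returned as a static download, disclosing its
        # source. Return 404 instead. Regex locations are tried in file order,
        # so this block must stay below the front-controller location.
        location ~ \.php$ {
            return 404;
        }
    }
}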
