# /etc/nginx/nginx.conf

user rocky;

worker_processes 1;

# The maximum number of simultaneous connections that can be opened
events { worker_connections 1024; }


http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    server_tokens off;
    keepalive_timeout  65;
    # ✅ Define the "main" log format
    log_format blocked '$time_local: Blocked request from $http_x_real_ip $request';
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
                    
    server {
        listen 80;
        server_name localhost www.rcosta.uk rcosta.uk;

        root /var/www/html;
        index index.php index.html;

        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }

        location ~ \.php$ {
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }

        # Sets the path, format, and configuration for a buffered log write.
        access_log /dev/stdout main;
        error_log /dev/stderr warn;    

        location ~ ^/(status|ping)$ {
          allow 127.0.0.1;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_index index.php;
          include fastcgi_params;
          #fastcgi_pass 127.0.0.1:9000;
          fastcgi_pass  unix:/var/run/php82-fpm.sock;
        }



    ## Block common exploits
    location ~* (<|%3C).*script.*(>|%3E) { access_log /var/log/nginx/blocked.log blocked; deny all; }
    location ~* base64_(en|de)code\(.*\) { access_log /var/log/nginx/blocked.log blocked; deny all; }
    location ~* (%24&x) { access_log /var/log/nginx/blocked.log blocked; deny all; }
    location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { access_log /var/log/nginx/blocked.log blocked; deny all; }
    location ~* \.\.\/  { access_log /var/log/nginx/blocked.log blocked; deny all; }
    location ~* ~$ { access_log /var/log/nginx/blocked.log blocked; deny all; }
    location ~* proc/self/environ { access_log /var/log/nginx/blocked.log blocked; deny all; }
    location ~* /\.(htaccess|htpasswd|svn) { access_log /var/log/nginx/blocked.log blocked; deny all; }
    location ~* [a-zA-Z0-9_]=(\.\.//?)+ { access_log /var/log/nginx/blocked.log blocked; deny all; }
    location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log /var/log/nginx/blocked.log blocked; deny all; }
    location ~* /(.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
    location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
    location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
    location ~ /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess) { return 403; }


   }


}