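# Nginx configuration for wearenotafraid.
# This file is the Nginx alternative to the site's .htaccess.

# Plain-HTTP listener: redirect every request to HTTPS.
server {
    listen 80;
    server_name wearenotafraid.fidh.org www.wearenotafraid.fidh.org;

    # $server_name is the first configured name, so the redirect target does
    # not depend on the client-supplied Host header.
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name wearenotafraid.fidh.org www.wearenotafraid.fidh.org;

    # TLS configuration (replace the placeholder paths with your certificates).
    ssl_certificate /path/to/your/certificate.crt;
    ssl_certificate_key /path/to/your/private.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    root /var/www/wearenotafraid;
    index index.php fr.html;

    # Charset
    charset utf-8;

    # Gzip compression
    gzip on;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;

    # Disable directory listings.
    autoindex off;

    # MIME types
    include mime.types;
    default_type application/octet-stream;

    # Site-specific MIME types.
    # NOTE(review): extensions already declared in mime.types may produce
    # "duplicate extension" warnings; check the output of `nginx -t`.
    types {
        font/woff woff;
        font/woff2 woff2;
        font/opentype otf;
        application/font-sfnt ttf;
        image/svg+xml svg svgz;
    }

    # Security headers. "always" also sends them on error responses (4xx/5xx),
    # which plain add_header does not.
    # A location that declares its own add_header does NOT inherit these, so
    # the static-asset locations below repeat them.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers
    # ignore; a Content-Security-Policy is the effective control here.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # NOTE(review): HSTS is not set although all HTTP traffic is redirected to
    # HTTPS. Enable once the certificate setup is confirmed, for example:
    # add_header Strict-Transport-Security "max-age=31536000" always;

    # Language rewrite rules
    location = / {
        return 303 /fr/;
    }

    rewrite ^/rss(/)?$ /frontRss.php last;

    # Front office, one page per language
    rewrite ^/fr(/)?$ /fr.html last;
    rewrite ^/en(/)?$ /en.html last;
    rewrite ^/es(/)?$ /es.html last;

    # Regex locations are tried in order of appearance and the first match
    # wins. The deny rules therefore come first, so that a file inside a hidden
    # directory (e.g. /.git/x.png) cannot be served by a static-asset location.

    # Block access to hidden files and directories.
    # NOTE(review): this also blocks /.well-known/ (used by ACME HTTP-01
    # certificate validation) - confirm that is intended.
    # NOTE(review): access_log off removes probes for paths such as /.env or
    # /.git from the access log; consider keeping them logged for detection.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Block backup, config and dump files. The trailing "~" alternative sits
    # outside the "\." group so editor backups such as index.php~ are denied
    # too; they do not match \.php$ and would otherwise be served as source.
    location ~* (?:\.(?:bak|config|dist|fla|inc|ini|log|psd|sh|sql|sw[op])|~)$ {
        deny all;
    }

    # Fonts and images: long-lived cache plus CORS.
    # These extensions appeared in both the cache and the CORS rule; because
    # only the first matching regex location applies, the CORS header was never
    # sent for them. Both sets of headers now live in one location.
    # The wildcard origin is meant for public static assets only; do not copy
    # it to PHP or other dynamic responses.
    location ~* \.(?:font\.css|eot|ttf|woff2?|svg|gif|ico|jpe?g|png)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        add_header Access-Control-Allow-Origin "*";
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    # Stylesheets and scripts: long-lived cache, no CORS.
    location ~* \.(?:css|js)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    # Remaining font and image types: CORS only (no cache rule was defined).
    location ~* \.(?:otf|ttc|svgz|webp)$ {
        add_header Access-Control-Allow-Origin "*";
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    # PHP handling
    location ~ \.php$ {
        # Only hand files that exist under the document root to PHP-FPM;
        # anything else is answered with 404 by Nginx itself.
        try_files $uri =404;

        # Standard PHP request
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # $fastcgi_path_info is only populated by fastcgi_split_path_info,
        # which is not configured here.
        fastcgi_param PATH_INFO $fastcgi_path_info;

        # PHP variables
        # NOTE(review): these are passed as request parameters (visible in
        # $_SERVER); they do not change php.ini settings. Confirm the
        # application actually reads them.
        fastcgi_param SESSION_USE_TRANS_SID 0;
        fastcgi_param PHP_VER 8;
    }
}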