# Charity API - Nginx Configuration
# Use this configuration if the API is served by Nginx (PHP-FPM behind it).

server {
    server_name mcp.illumemedia.app;
    listen 80;
    listen [::]:80;

    # Plain HTTP is never served. Every request is sent to the TLS virtual
    # host below with its path and query string preserved. Because this is
    # unconditional, the TLS host can safely emit an HSTS header.
    return 301 https://$server_name$request_uri;
}

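server {
    # NOTE: on nginx >= 1.25.1 the "http2" listen flag is deprecated in favour of
    # a separate "http2 on;" directive; keep whichever form the installed
    # version accepts (check with "nginx -t").
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mcp.illumemedia.app;

    root /var/www/charity-api;
    index api.php;

    # ---- TLS (Let's Encrypt) ----
    ssl_certificate     /etc/letsencrypt/live/mcp.illumemedia.app/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mcp.illumemedia.app/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # "HIGH:!aNULL:!MD5" still admits older TLS 1.2 suites (static RSA key
    # exchange, CBC modes). Tighten once the client population allows it.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # ---- Response headers, server scope ----
    # nginx does NOT merge add_header across scopes: a location that declares
    # its own add_header drops every header listed here. The PHP location
    # below therefore repeats this list. Keep the two lists in sync.
    #
    # HSTS is safe here because the port-80 vhost only ever redirects to HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;   # legacy header; harmless, ignored by current browsers
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # CORS - opened to every origin so the ChatGPT connector can call the API.
    # "*" is only acceptable because no Access-Control-Allow-Credentials header
    # is sent: browsers will not attach cookies, so any authentication must
    # come from the Authorization header (bearer token) validated by the PHP
    # side. Never add Allow-Credentials without replacing "*" by an explicit
    # origin allow-list.
    add_header Access-Control-Allow-Origin "*" always;
    add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
    add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With, Accept, Origin" always;
    add_header Access-Control-Max-Age "86400" always;

    # Preflight: answer 204 without involving PHP-FPM. The server-scope headers
    # above carry "always", so they are attached to this 204 as well.
    # add_header is not accepted inside a server-level "if" (its contexts are
    # http, server, location and "if" inside a location), which is why no
    # headers are declared in this block.
    if ($request_method = 'OPTIONS') {
        return 204;
    }

    # Never list directory contents.
    autoindex off;

    # ---- Deny list ----
    # Regex locations are evaluated in file order and the FIRST match wins.
    # These blocks MUST stay above "location ~ \.php$"; placed after it,
    # /config.php matches the PHP handler first and is executed rather than
    # denied, and /.git/x.php is handed to PHP-FPM instead of being refused.
    location ~ /\.(ht|git|env) {
        deny all;
    }

    location ~ ^/(config\.php|README|DEPLOYMENT|QUICK_START|TEST_URLS) {
        deny all;
    }

    # ---- Front controller ----
    # Existing files are served as-is; everything else is routed to api.php
    # with the original query string.
    location / {
        try_files $uri $uri/ /api.php?$query_string;
    }

    # ---- PHP-FPM ----
    location ~ \.php$ {
        # The requested script must exist on disk. Without this guard a URI
        # such as /upload.jpg/x.php reaches PHP-FPM with a non-existent
        # SCRIPT_FILENAME and, when cgi.fix_pathinfo=1, PHP may fall back to
        # executing /upload.jpg. Returning 404 here closes that path.
        try_files $uri =404;

        fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;  # adjust to the installed PHP-FPM version
        fastcgi_index api.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;

        # Timeouts (seconds).
        fastcgi_read_timeout 60;
        fastcgi_connect_timeout 60;
        fastcgi_send_timeout 60;

        # Buffers.
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;

        # API responses must not be cached, on error statuses too ("always").
        # A separate second "location ~ \.php$" block for these headers would
        # never be reached (first regex match wins), so they live here.
        add_header Cache-Control "no-cache, no-store, must-revalidate" always;
        add_header Pragma "no-cache" always;
        add_header Expires "0" always;

        # Declaring add_header in this location discards the server-scope list,
        # so the security and CORS headers are repeated verbatim here.
        add_header Strict-Transport-Security "max-age=31536000" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Access-Control-Allow-Origin "*" always;
        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
        add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With, Accept, Origin" always;
        add_header Access-Control-Max-Age "86400" always;
    }

    # ---- Compression ----
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;

    # ---- Logging ----
    access_log /var/log/nginx/charity-api-access.log;
    error_log /var/log/nginx/charity-api-error.log;
}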

