# Configuração Nginx para Codex SaaS
# Copie este arquivo para /etc/nginx/sites-available/codex
# E crie um symlink em /etc/nginx/sites-enabled/codex

server {
    # Plain-HTTP listener: its only job is to send every request to HTTPS.
    listen [::]:80;
    listen 80;
    server_name seu-dominio.com www.seu-dominio.com;

    # $server_name expands to the first name in server_name, so requests for
    # www.* land on the bare domain in a single redirect.
    return 301 https://$server_name$request_uri;
}

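server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name seu-dominio.com www.seu-dominio.com;

    # TLS certificate (Let's Encrypt paths)
    ssl_certificate /etc/letsencrypt/live/seu-dominio.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/seu-dominio.com/privkey.pem;

    # TLS settings
    # NOTE(review): "HIGH:!aNULL:!MD5" still admits CBC suites without forward
    # secrecy; tightening it requires checking which clients must be supported.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Logging
    access_log /var/log/nginx/codex_access.log;
    error_log /var/log/nginx/codex_error.log;

    # Document root
    root /var/www/codex/public;
    index index.php;

    # Canonicalise www.* to the bare domain ("if" + "return" is one of the
    # safe uses of "if" in server context).
    if ($host ~ ^www\.(.*)$) {
        return 301 https://$1$request_uri;
    }

    # ACME HTTP-01 challenges (webroot renewal). A "^~" prefix location takes
    # precedence over the regex locations below, so the dotfile deny rule does
    # not block /.well-known/acme-challenge/. Harmless if renewal uses another
    # method.
    location ^~ /.well-known/acme-challenge/ {
        try_files $uri =404;
    }

    # Block sensitive files (dotfiles, .env, composer manifests)
    location ~ /\. {
        deny all;
    }

    location ~ \.env {
        deny all;
    }

    location ~ composer\.(json|lock) {
        deny all;
    }

    # Deny access to internal directories. Regex locations are matched in
    # order, so these win over the \.php$ location further down.
    location ~ ^/(app|config|database|storage)/ {
        deny all;
    }

    # Static assets and media
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        access_log off;
    }

    # PHP routes: anything that is not a real file/directory goes to the
    # front controller.
    location / {
        try_files $uri $uri/ /index.php?url=$uri&$args;
    }

    # PHP processing
    location ~ \.php$ {
        # Only hand real scripts to PHP-FPM. Without this, a request such as
        # "/some-upload.jpg/x.php" could be passed to the FastCGI backend and,
        # depending on the PHP "cgi.fix_pathinfo" setting, executed as PHP.
        try_files $uri =404;

        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_index index.php;
        # Include the distribution defaults first so the explicit
        # SCRIPT_FILENAME below is the value that wins.
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        # Security headers. They live here (not at server level) because an
        # add_header in a location replaces, rather than extends, the inherited
        # set; the static-asset location above therefore does not get them.
        # Consider Strict-Transport-Security once every host under the domain
        # serves HTTPS.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    # Upload size limit
    client_max_body_size 100M;

    # Gzip
    gzip on;
    gzip_types text/plain text/css text/js application/json application/javascript text/xml application/xml application/xml+rss;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
}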
