limit_req_zone $binary_remote_addr zone=api_limit:10m rate=60r/m;
limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=5r/m;

server {
    listen 80;
    server_name api.eclyss.app;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name api.eclyss.app;

    ssl_certificate     /etc/ssl/eclyss/fullchain.pem;
    ssl_certificate_key /etc/ssl/eclyss/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    add_header X-Content-Type-Options    "nosniff" always;
    add_header X-Frame-Options           "DENY" always;
    add_header X-XSS-Protection          "1; mode=block" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Referrer-Policy           "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy   "default-src 'none'; frame-ancestors 'none'" always;
    add_header Permissions-Policy        "camera=(), microphone=(), geolocation=()" always;

    root /var/www/html/public;
    index index.php;

    client_max_body_size 250M;
    client_body_timeout  120s;

    gzip on;
    gzip_types application/json application/javascript text/css text/plain;
    gzip_min_length 1024;

    location /v1/auth {
        limit_req zone=auth_limit burst=10 nodelay;
        try_files $uri $uri/ /index.php?$query_string;
        fastcgi_pass   php:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include        fastcgi_params;
        fastcgi_read_timeout 60s;
    }

    location /v1/ {
        limit_req zone=api_limit burst=30 nodelay;
        try_files $uri $uri/ /index.php?$query_string;
        fastcgi_pass   php:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include        fastcgi_params;
        fastcgi_read_timeout 120s;
    }

    location /ws {
        proxy_pass         http://websocket:8080;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection "Upgrade";
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }

    location /storage/ {
        deny all;
        return 404;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

    location ~* \.(env|log|sh|sql|bak)$ {
        deny all;
    }
}