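# 5q12-indexer secure nginx config
#
# One virtual host for the indexer. Every request is routed through
# index.php; the only files served statically are the CSS/WOFF2 assets under
# /.indexer_files/local_api/style/ and the PNG icons under
# /.indexer_files/icons/. All other paths are hidden with a plain 404.
server {
    listen 5012;
    server_name 5q12-indexer;

    # Document root ({WEB_PATH} is substituted at install time)
    root {WEB_PATH};
    index index.php;

    # Security headers.
    # NOTE: add_header is inherited into a location only if that location
    # sets no add_header of its own, so the asset locations below restate
    # the headers they need.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # The legacy XSS auditor is switched off explicitly ("0"): modern
    # browsers have removed it, and in old ones the "1; mode=block" filter
    # was itself usable for cross-site information leaks.
    add_header X-XSS-Protection "0" always;

    # Main indexer entry point - allow direct access
    location = / {
        try_files $uri /index.php$is_args$args;
    }

    location = /index.php {
        # Exact-match location: nothing can follow "/index.php" in the URI,
        # so there is no PATH_INFO to split. try_files makes sure the script
        # exists on disk before the request is handed to PHP-FPM.
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Allow CSS and font files from local_api/style directory only.
    # MIME types come from a per-location `types` table instead of
    # `add_header Content-Type`: add_header appends a second Content-Type
    # next to the one nginx already sets, and the nested locations it
    # required dropped the Cache-Control/nosniff headers (add_header is not
    # inherited into a location that has its own add_header).
    location ~ ^/\.indexer_files/local_api/style/.*\.(?:css|woff2)$ {
        types {
            text/css   css;
            font/woff2 woff2;
        }

        # Cache static assets. `expires` also emits
        # Cache-Control: max-age=…, which clients merge with the line below.
        expires 1d;
        add_header Cache-Control "public, immutable";

        # Security headers for static content (restated, see note above)
        add_header X-Content-Type-Options "nosniff" always;

        try_files $uri =404;
    }

    # Allow PNG files from icons directory only
    location ~ ^/\.indexer_files/icons/.*\.png$ {
        types {
            image/png png;
        }

        # Cache icons
        expires 7d;
        add_header Cache-Control "public, immutable";

        # Security headers for images (restated, see note above)
        add_header X-Content-Type-Options "nosniff" always;

        try_files $uri =404;
    }

    # Hide everything else under .indexer_files.
    # Regex locations are tried in file order, so the two asset locations
    # above have already claimed the permitted css/woff2/png paths; no
    # lookahead is needed here. (The earlier negative lookahead excluded the
    # whole style/ and icons/ directories, which let any non-asset file in
    # them, e.g. a .map or .txt, fall through to "location /" and be served.)
    #
    # `return 404` runs in the rewrite phase, before access checks, so a
    # `deny all` next to it is never evaluated; it is omitted in all the
    # deny locations below for that reason.
    location ~ ^/\.indexer_files/ {
        return 404;
    }

    # Deny access to the files directory - everything must go through index.php
    location ~ ^/files/ {
        return 404;
    }

    # Deny access to any PHP files except index.php
    # (the exact-match location for /index.php takes precedence over regexes)
    location ~ \.php$ {
        return 404;
    }

    # Deny dotfiles and dot-directories used for configuration and VCS
    # (.htaccess, .htpasswd, .git/…, .env…) anywhere under the root.
    # No trailing `$`: the previous pattern /\.(ht|git|env|…)$ matched only
    # a file literally named ".ht", ".git" or ".env", so /.git/config and
    # /.htaccess were not covered.
    location ~ /\.(?:ht|git|env) {
        return 404;
    }

    # Deny data and log files by extension
    # (previously written as /\.(log|sqlite|json)$, which required the whole
    # file name to be ".log" etc. and so matched nothing useful)
    location ~ \.(?:log|sqlite|json)$ {
        return 404;
    }

    # Deny access to backup and temporary files, including editor "name~"
    # files (the old `\.(…|~)$` alternative only matched a literal ".~").
    location ~ (?:\.(?:bak|backup|old|tmp|temp|swp|swo)|~)$ {
        return 404;
    }

    # Deny access to common sensitive filenames
    location ~ ^/(?:config|configuration|settings|private|admin|api|\.well-known) {
        return 404;
    }

    # Block common attack patterns
    location ~ /(?:wp-|wordpress|admin|phpmyadmin|mysql|database) {
        return 404;
    }

    # Fallback for everything not matched above: an existing file under the
    # root is served as-is, anything else is handed to index.php.
    # NOTE(review): this still serves stray files in the document root
    # (e.g. a README); confirm that is intended.
    location / {
        try_files $uri /index.php$is_args$args;
    }

    # Request size limits (bound the memory a single request can consume)
    client_max_body_size 10M;
    client_body_buffer_size 128k;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 4k;

    # Rate limiting (optional - uncomment if needed).
    # limit_req_zone is only valid in the http{} context; move that line
    # there and keep just the limit_req line in this server block, otherwise
    # `nginx -t` rejects the config.
    # limit_req_zone $binary_remote_addr zone=indexer:10m rate=10r/s;
    # limit_req zone=indexer burst=20 nodelay;
}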