worker_processes auto;

events {
    worker_connections  1024;
}

http {
    server {
        listen       80;
        server_name  localhost;
        root         /var/www/html;
        # turn off nginx server version detection
        server_tokens off;

        # restrict client requests
        # NOTE: this config is not intended to be used with HTTP POST requests
        client_body_buffer_size 1k;
        client_header_buffer_size 1k;
        client_max_body_size 1k;
        large_client_header_buffers 2 1k;

        add_header X-Frame-Options "SAMEORIGIN";
        # CSP header
        add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
        # X-XSS protection for older browsers
        add_header X-XSS-Protection "1; mode=block";

        error_log /dev/stdout info;
        access_log /dev/stdout;
        index download.php;

        # reject unneeded HTTP request methods
        # this only accepts GET and HEAD
        if ($request_method !~ ^(GET|POST|HEAD)$ ) {
            return 405;
        }

        location / {
            return 301 /files;
        }

        location /files {
            rewrite ^/files(.*)$ /download.php?$1 last;
        }

        # pass PHP scripts to fastCGI
        location ~ ^/[a-zA-Z_]+\.(php) {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php-fpm.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
        }

        location ~ ^/[a-zA-Z_]+\.(css)  {
            add_header Content-Type "text/css";
            try_files $uri $uri/;
        }

        location ~ ^/[a-zA-Z_]+\.(js)  {
            add_header Content-Type "text/javascript";
            try_files $uri $uri/;
        }
    }
}