https.conf.template

listen ${NGINX_HTTPS_PORT} ssl default_server;
listen [::]:${NGINX_HTTPS_PORT} ssl default_server;
http2 on;

root $NGINX_WEBROOT;

ssl_certificate $SSL_CERTIFICATE_FILE;
ssl_certificate_key $SSL_PRIVATE_KEY_FILE;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_protocols TLSv1.2 TLSv1.3;

# Set allowed "index" files
index index.html index.htm index.php;

server_name _;

charset utf-8;

absolute_redirect off;

# Healthcheck: Set /healthcheck to be the static health check URL
location /healthcheck {
    access_log off;
    
    # set max 5 seconds for healthcheck
    fastcgi_read_timeout 5s;

    include        fastcgi_params;
    fastcgi_param  SCRIPT_NAME     /healthcheck;
    fastcgi_param  SCRIPT_FILENAME /healthcheck;
    fastcgi_pass   127.0.0.1:9000;
}

# Have NGINX try searching for PHP files as well
location / {
    try_files $uri $uri/ /index.php?$query_string;
}

# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running
# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3)
location ~* ^/storage/.*\.php$ {
    deny all;
}

# Redirect /index.php/... to /... to prevent SEO duplicate content
location ~ ^/index\.php(/.+)$ {
    return 301 $1$is_args$args;
}

# Pass "*.php" files to PHP-FPM
location ~ \.php$ {
    fastcgi_pass   127.0.0.1:9000;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    include        fastcgi_params;
    fastcgi_buffers $NGINX_FASTCGI_BUFFERS; 
    fastcgi_buffer_size $NGINX_FASTCGI_BUFFER_SIZE;
    fastcgi_read_timeout $PHP_MAX_EXECUTION_TIME;
}

# trusted proxy configuration
include /etc/nginx/trusted-proxy/${TRUSTED_PROXY}.conf;

# additional config
include /etc/nginx/server-opts.d/*.conf;