#
# Example nginx configuration for fluxbb
# The engine is installed at the root of the site
#
server {
    listen 80;                                             # 80 port only http:
    server_name fluxbb-visman.local *.fluxbb-visman.local; # you need to set your values
    root "/www/fluxbb-visman/";                            # you need to set your values
    autoindex off;
    index index.html index.htm index.php;
    charset utf-8;
    server_tokens off;

    add_header Content-Security-Policy "object-src 'none';frame-ancestors 'none';base-uri 'none';form-action 'self'" always;
    add_header Feature-Policy "accelerometer 'none';ambient-light-sensor 'none';autoplay 'none';battery 'none';camera 'none';document-domain 'self';fullscreen 'self';geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none';sync-xhr 'self';usb 'none'" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
#   add_header Strict-Transport-Security "max-age=31536000" always;  # for https only
    add_header X-Content-Type-Options "nosniff" always;
#    add_header X-Frame-Options "DENY" always;                       # fluxbb set this header, in nginx it is difficult to combine headers from two sources
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),document-domain=(self),fullscreen=(self),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),sync-xhr=(self),usb=()" always;

    location = /favicon.ico {
        try_files $uri =404;

        access_log off;
        log_not_found off;

        expires 1w;
    }

    location = /robots.txt {
        try_files $uri =404;

        access_log off;
        log_not_found off;
    }

    location / {
        try_files $uri =404;
    }

    #
    # Upload mod
    #
    location /img/members/ {
        try_files $uri /img/members/nofile.gif;
    }

    location ~ /\.ht {
        return 404;
    }

    #                                                  #
    # Only php scripts located in the root of the site #
    #                                                  #
    location ~ ^/(?:[^/\\\.]+\.php)?$ {
        # regex to split $uri to $fastcgi_script_name and $fastcgi_path
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

        # Check that the PHP script exists before passing it
        try_files $fastcgi_script_name =404;

        # Bypass the fact that try_files resets $fastcgi_path_info
        # see: http://trac.nginx.org/nginx/ticket/321
        set $path_info $fastcgi_path_info;                 # always equal to an empty string due to location regex
        fastcgi_param PATH_INFO $path_info;

        fastcgi_index index.php;

        include fastcgi_params;

        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTP_PROXY      "";

        fastcgi_hide_header X-Powered-By;

        fastcgi_pass php_upstream;                         # you need to set your values
        #fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    location ~ \.php$  {
        return 404;
    }
}